Access From External Account
When running the Cloud Billing Database you may want to run it from another AWS account, on a child account for example. Due to the way Amazon saves the billing files in S3, it is not a trivial matter to share the files with another account. While this is not trivial, it is still quite doable. We'll accomplish this by copying the files to a separate bucket and making that bucket available to the other account.
We'll start by setting up the copy bucket, which is covered in our HowTo: Mirror S3 Buckets article.
Once we are finished with that and our S3 buckets mirrored, we'll allow access to the other account.
Go to the AWS Console and click on S3.
Right click on the copy bucket, in this example we're using billing-example-copy.
Click on Properties in the context menu.
Expand the Permissions section.
Click on Add bucket policy.
This will bring up the Bucket Policy Editor.
In the text box we'll put in our bucket policy. This policy will allow the account 234567890123 to read the bucket billing-example-copy; make sure to replace 234567890123 with the account id of your other account, and replace billing-example-copy with your bucket name.
Bucket Policy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
{
"Version": "2008-10-17",
"Id": "Policy1335892530063",
"Statement": [
{
"Sid": "Stmt1441136661",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::234567890123:root"
},
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "arn:aws:s3:::billing-example-copy"
},
{
"Sid": "Stmt1441136698",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::234567890123:root"
},
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "arn:aws:s3:::billing-example-copy/*"
}
]
}
Once that is in place, click the Save button.
Now your other account should be able to access the billing files.