**Approach (brief)** Create a dedicated cross-account IAM Role in our account with a narrow S3 policy (prefix + actions) and a tight trust policy requiring the vendor account + an external ID. Issue short‑lived credentials via STS AssumeRole. Audit with CloudTrail Data Events + S3 server access logs. Revoke instantly by disabling or removing the role’s trust policy (or applying an explicit Deny SCP/permission boundary).**Design details**- Create Role in our account (Account A) named VendorIntegrationRole.- Trust policy: allow sts:AssumeRole from vendor account (Account V) and require an external-id the vendor supplies.- Inline permission policy: only s3:GetObject, s3:PutObject, s3:ListBucket limited to arn:aws:s3:::my-bucket and arn:aws:s3:::my-bucket/vendors/vendor-id/*; add condition restricting aws:RequestedRegion or source IP if known.Example permission policy:json
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":["s3:GetObject","s3:PutObject","s3:ListBucket"],
"Resource":[
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/vendors/vendor-id/*"
],
"Condition": {
"StringEquals": {"s3:prefix": "vendors/vendor-id/"},
"Bool": {"aws:SecureTransport": "true"}
}
}
]
}
**Short‑lived credentials**- Vendor calls sts:AssumeRole with RoleArn and ExternalId; specify DurationSeconds (e.g., 3600s). We avoid long‑lived keys entirely.- Example AWS CLI for vendor:bash
aws sts assume-role --role-arn arn:aws:iam::A:role/VendorIntegrationRole --role-session-name vendor-session --external-id "unique-id" --duration-seconds 3600
**Auditability**- Enable CloudTrail data events for the S3 bucket (object-level) — logs every GetObject/PutObject to CloudTrail.- Enable S3 server access logging and deliver logs to a secured analytics bucket.- Route CloudTrail to CloudWatch Logs and create alerts/metric filters for unusual patterns (high error rate, high obj count).- Tag assumed-role sessions (aws:RequestTag or session tags) so logs show vendor identity and session id.**Immediate revocation**- Remove the Role's trust policy entry for the vendor (prevents new AssumeRole calls) OR attach an explicit Deny policy to that role or apply a Service Control Policy if using Organizations.- For immediate termination of active sessions, rotate the role’s permissions or change the role name; active STS tokens remain valid until expiry, so keep session TTL short (<= 1 hour) to limit window.**Monitoring & best practices**- Use external-id to prevent confused deputy attacks.- Least privilege policy and prefix conditions; require HTTPS.- Regularly review CloudTrail logs and rotate external-id monthly.- Optionally front S3 access via an API Gateway + Lambda that enforces additional business logic and gives full revocation control by invalidating API keys.