AWS Study Notes 4: cross account access b

Author: 洪兴掌管一代 | Source: published 2021-11-27 15:58, read 0 times

First, I need to introduce the difference between an Identity-based policy (IBP) and a Resource-based policy (RBP):

As its name suggests, an IBP is attached to an identity such as a role. That means the policy is bound to an explicit role and is independent of any particular resource. For example, if we attach an EC2 full-access policy to a role, then every user who holds that role can access any EC2 instance.

An RBP, on the other hand, is usually created together with a specific resource, such as an S3 bucket. Authorized users can only access that bucket, not all the S3 buckets of the account. In a word, an RBP is bound to an explicit resource.

I will show a Resource-based policy demo using the example above.

1. Create an S3 bucket in the trusting account and a new RBP that lets another, trusted account access this bucket.

s3->Buckets->create bucket

Make sure you know which region you create this bucket in. Click the bucket you created and upload a picture to test this policy. Open the Permissions tab, find Bucket policy and edit it.

As you can see from the screenshot, AWS provides a policy generator. We can use it to generate our policy, then attach the JSON to the bucket and click Save policy.

I'll add permission for all the users of the trusted account.

This is the policy JSON I generated.

You need to add the ARN of your bucket to Resource. Here the action "GetObject" is used for downloading objects from the bucket and "ListBucket" is used for listing the bucket's contents. If you remove "GetObject", "Download" will be disabled.

```json
{
    "Version": "2012-10-17",
    "Id": "Policy1637984873180",
    "Statement": [
        {
            "Sid": "Stmt1637984827508",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::797599445992:root"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::weiwei.bucket.one",
                "arn:aws:s3:::weiwei.bucket.one/*"
            ]
        }
    ]
}
```

2. Then log in as any IAM user of the trusted account to access this bucket.

You will find no buckets if you go straight to S3->Buckets, because the bucket is not a resource of the trusted account. You need to reach another account's S3 bucket by configuring the CLI or by using a direct URL.

No buckets.

Enter the URL "https://s3.console.aws.amazon.com/s3/buckets/weiwei.bucket.one".

3. The root user of the trusted account can also create its own policy to deny permission for designated users.

Attach this policy to a user group, and the users in that group won't be able to access the bucket.
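To make the interplay of steps 1 to 3 concrete, here is an added example (not part of the original post) that models, in simplified form, how AWS decides a cross-account S3 request: an explicit Deny in either the bucket policy or the caller's identity policy wins, otherwise the trusting account's bucket policy and the trusted account's identity policy must both Allow. The bucket policy is the one from the post; the two identity policies are constructed for this example, and `TRUSTED_ACCOUNT` is the account id named as Principal above.

```python
import fnmatch

# Account id that appears as the Principal in the post's bucket policy.
TRUSTED_ACCOUNT = "797599445992"

# Resource-based policy from the post (bucket in the trusting account).
BUCKET_POLICY = [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::797599445992:root"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::weiwei.bucket.one",
                 "arn:aws:s3:::weiwei.bucket.one/*"]}]

# Constructed identity-based policies in the trusted account:
# a broad S3 allow, and the step-3 deny that the root user attaches to a group.
ALLOW_S3 = [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
DENY_BUCKET = [{"Effect": "Deny", "Action": "s3:*",
                "Resource": ["arn:aws:s3:::weiwei.bucket.one",
                             "arn:aws:s3:::weiwei.bucket.one/*"]}]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource):
    # Wildcard matching as in IAM: "s3:*" covers every S3 action,
    # "arn:aws:s3:::bucket/*" covers every object in the bucket.
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def _principal_matches(stmt, account):
    # The bucket policy names the trusted account's root; "*" would be anyone.
    p = stmt.get("Principal", {})
    aws = ["*"] if p == "*" else _as_list(p.get("AWS", []))
    return "*" in aws or f"arn:aws:iam::{account}:root" in aws

def is_allowed(account, identity_stmts, action, resource):
    """Simplified cross-account evaluation: explicit Deny anywhere wins,
    otherwise both the bucket policy and the identity policy must Allow."""
    rbp = [s for s in BUCKET_POLICY
           if _principal_matches(s, account) and _matches(s, action, resource)]
    ibp = [s for s in identity_stmts if _matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in rbp + ibp):
        return False
    return (any(s["Effect"] == "Allow" for s in rbp)
            and any(s["Effect"] == "Allow" for s in ibp))
```

Removing "s3:GetObject" from `BUCKET_POLICY` makes the object download case below return False, which is the "Download disabled" behaviour described in step 1.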
