This guide explains how to set up Quilt across multiple AWS accounts, enabling you to separate your control plane (Quilt infrastructure) from your data plane (S3 buckets) for enhanced security, compliance, and organizational structure.
Common Use Cases:
- 🏢 Organizational Separation: Different teams/departments own different accounts
- 🔒 Security Isolation: Separate sensitive data from application infrastructure
- 📊 Compliance Requirements: Regulatory requirements for data segregation
- 💰 Cost Management: Separate billing and resource management
- 🛡️ Blast Radius Reduction: Limit impact of security incidents
In this guide, we'll configure two accounts:
┌─────────────────────────────────────┐
│ Control Account │
│ ┌─────────────────────────────────┐│
│ │ Quilt Infrastructure ││
│ │ • CloudFormation Stack ││
│ │ • Lambda Functions ││
│ │ • Elasticsearch/OpenSearch ││
│ │ • API Gateway ││
│ │ • Web Application ││
│ └─────────────────────────────────┘│
└─────────────────────────────────────┘
│
│ Cross-Account
│ Access
▼
┌─────────────────────────────────────┐
│ Data Account │
│ ┌─────────────────────────────────┐│
│ │ S3 Buckets ││
│ │ • Raw Data Bucket ││
│ │ • Processed Data Bucket ││
│ │ • Archive Bucket ││
│ └─────────────────────────────────┘│
└─────────────────────────────────────┘
Account Definitions:
- Control Account: Contains the Quilt CloudFormation stack and infrastructure
- Data Account: Contains the S3 buckets with your actual data
Before starting, ensure you have:
- ✅ Administrative access to both AWS accounts
- ✅ Quilt already deployed in the Control Account
- ✅ S3 buckets created in the Data Account
- ✅ AWS CLI configured with appropriate profiles
Why This Matters: When Quilt (running in Control Account) writes objects to buckets in Data Account, you want the Data Account to own those objects for proper access control.
Implementation:
- Navigate to S3 Console in Data Account
- Select your bucket → Permissions → Object Ownership
- Edit Object Ownership and select "Bucket owner enforced"
Using AWS CLI:
# Set object ownership to bucket owner enforced
aws s3api put-bucket-ownership-controls \
--bucket your-data-bucket \
--ownership-controls Rules='[{ObjectOwnership=BucketOwnerEnforced}]' \
--profile data-accountWhy "Bucket owner enforced"?
- ✅ Data Account automatically owns all objects
- ✅ Simplifies access control management
- ✅ Prevents ACL-based access complications
- ✅ Required for cross-account Quilt operations
Purpose: Grant Quilt infrastructure in Control Account the necessary permissions to manage buckets in Data Account.
Create the Bucket Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "QuiltCrossAccountAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::CONTROL-ACCOUNT-ID:root"
},
"Action": [
"s3:GetObject",
"s3:GetObjectAttributes",
"s3:GetObjectTagging",
"s3:GetObjectVersion",
"s3:GetObjectVersionAttributes",
"s3:GetObjectVersionTagging",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:GetBucketNotification",
"s3:PutBucketNotification"
],
"Resource": [
"arn:aws:s3:::your-data-bucket",
"arn:aws:s3:::your-data-bucket/*"
]
}
]
}Apply the Policy:
Console Method:
- Go to S3 Console → Your Bucket → Permissions → Bucket Policy
- Paste the JSON above (replace
CONTROL-ACCOUNT-IDandyour-data-bucket) - Click Save changes
CLI Method:
# Save policy to file
cat > bucket-policy.json << 'EOF'
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "QuiltCrossAccountAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": [
"s3:GetObject",
"s3:GetObjectAttributes",
"s3:GetObjectTagging",
"s3:GetObjectVersion",
"s3:GetObjectVersionAttributes",
"s3:GetObjectVersionTagging",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:GetBucketNotification",
"s3:PutBucketNotification"
],
"Resource": [
"arn:aws:s3:::your-data-bucket",
"arn:aws:s3:::your-data-bucket/*"
]
}
]
}
EOF
# Apply the policy
aws s3api put-bucket-policy \
--bucket your-data-bucket \
--policy file://bucket-policy.json \
--profile data-account🔒 Security Note:
Quilt admins can still control user access to this bucket through the Quilt Admin Panel's Roles and Policies. The bucket policy only grants access to Quilt infrastructure, not end users.
When You Need This: If you're using EventBridge integration or have existing SNS topics in the Data Account that Quilt should use for notifications.
Create SNS Topic Policy:
Add this statement to your SNS topic's resource policy in the Data Account:
{
"Sid": "QuiltCrossAccountSNSAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::CONTROL-ACCOUNT-ID:root"
},
"Action": [
"sns:GetTopicAttributes",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "arn:aws:sns:region:DATA-ACCOUNT-ID:your-topic-name"
}Apply SNS Policy:
# Get current policy
aws sns get-topic-attributes \
--topic-arn arn:aws:sns:region:DATA-ACCOUNT-ID:your-topic-name \
--attribute-names Policy \
--profile data-account
# Update policy (merge with existing statements)
aws sns set-topic-attributes \
--topic-arn arn:aws:sns:region:DATA-ACCOUNT-ID:your-topic-name \
--attribute-name Policy \
--attribute-value file://sns-policy.json \
--profile data-accountConfigure in Quilt:
- Open Quilt Admin Panel → Buckets
- Add or edit your cross-account bucket
- Under "Indexing and notifications", set the SNS Topic ARN
- Save the configuration
Why CloudTrail is Required:
- 🔍 Security & Auditing: Track all S3 API calls
- 📊 User Analytics: Quilt uses CloudTrail data for user-facing analytics
- 🚨 Compliance: Many regulatory frameworks require audit trails
Implementation Options:
If Quilt manages CloudTrail in the Control Account:
- Check CloudFormation Stack in Control Account
- Go to CloudFormation → Your Quilt Stack → Resources
- Look for a CloudTrail resource (Quilt will auto-add your buckets)
If you have existing CloudTrail in either account:
-
Identify the Trail:
# List trails in Data Account aws cloudtrail describe-trails --profile data-account # List trails in Control Account aws cloudtrail describe-trails --profile control-account
-
Add S3 Data Events:
# Add data events for your bucket aws cloudtrail put-event-selectors \ --trail-name your-trail-name \ --event-selectors '[ { "ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [ { "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::your-data-bucket/*"] }, { "Type": "AWS::S3::Bucket", "Values": ["arn:aws:s3:::your-data-bucket"] } ] } ]' \ --profile data-account
-
Update Quilt Configuration:
- Go to CloudFormation → Your Quilt Stack → Parameters
- Update the CloudTrail bucket parameter with your existing trail's S3 bucket
If CloudTrail is in Data Account but Quilt needs access:
CloudTrail Bucket Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "QuiltCloudTrailAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::CONTROL-ACCOUNT-ID:root"
},
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::your-cloudtrail-bucket",
"arn:aws:s3:::your-cloudtrail-bucket/*"
]
}
]
}Final Configuration:
-
Open Quilt Admin Panel in Control Account
-
Navigate to Buckets → Add Bucket
-
Configure the bucket:
- Bucket Name:
your-data-bucket - Region: Same as the bucket
- SNS Topic ARN: (If using cross-account SNS)
- Event Notifications: Leave disabled if using EventBridge
- Bucket Name:
-
Save and Test:
- Click Save
- Upload a test file to verify indexing works
- Check Quilt catalog for the new file
# From Control Account, test bucket access
aws s3 ls s3://your-data-bucket --profile control-account
# Upload a test file
echo "Cross-account test" > test.txt
aws s3 cp test.txt s3://your-data-bucket/ --profile control-account- Upload a file to your cross-account bucket
- Wait 2-3 minutes for processing
- Check Quilt catalog to see if the file appears
- Test search functionality in Quilt
# Verify CloudTrail is capturing events
aws logs filter-log-events \
--log-group-name CloudTrail/YourLogGroup \
--filter-pattern "{ $.eventSource = s3.amazonaws.com }" \
--profile data-accountSymptoms:
- Quilt can't access the bucket
- "Access Denied" in Quilt logs
Solutions:
- Verify bucket policy is correctly applied
- Check object ownership is set to "Bucket owner enforced"
- Confirm account IDs in policies are correct
- Test with AWS CLI from Control Account
Symptoms:
- Files upload successfully but don't appear in Quilt catalog
Solutions:
- Check CloudTrail is logging S3 data events
- Verify SNS configuration if using custom topics
- Review Quilt logs for processing errors
- Manual re-index the bucket in Quilt Admin Panel
Symptoms:
- Can't add bucket in Quilt Admin Panel
- IAM permission errors
Solutions:
- Check Quilt IAM roles have cross-account assume permissions
- Verify bucket policy allows required actions
- Review CloudFormation stack permissions
Bucket Policy Refinements: Instead of granting access to the entire Control Account root, consider restricting to specific Quilt roles:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "QuiltSpecificRoleAccess",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::CONTROL-ACCOUNT-ID:role/QuiltLambdaRole",
"arn:aws:iam::CONTROL-ACCOUNT-ID:role/QuiltIndexerRole"
]
},
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::your-data-bucket",
"arn:aws:s3:::your-data-bucket/*"
]
}
]
}VPC Considerations:
- ✅ VPC Endpoints: Use S3 VPC endpoints to keep traffic within AWS network
- ✅ Security Groups: Restrict Lambda function network access
- ✅ NACLs: Additional network-level controls if required
Example VPC Endpoint Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::your-data-bucket",
"arn:aws:s3:::your-data-bucket/*"
],
"Condition": {
"StringEquals": {
"aws:PrincipalAccount": ["CONTROL-ACCOUNT-ID"]
}
}
}
]
}CloudWatch Alarms: Set up monitoring for cross-account access:
# Create alarm for failed S3 access attempts
aws cloudwatch put-metric-alarm \
--alarm-name "CrossAccountS3AccessFailures" \
--alarm-description "Monitor failed cross-account S3 access" \
--metric-name ErrorCount \
--namespace AWS/S3 \
--statistic Sum \
--period 300 \
--threshold 5 \
--comparison-operator GreaterThanThreshold \
--profile control-accountCloudTrail Monitoring: Monitor specific cross-account activities:
{
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AIDACKCEVSQ6C2EXAMPLE",
"arn": "arn:aws:sts::CONTROL-ACCOUNT-ID:assumed-role/QuiltRole/QuiltLambda",
"accountId": "CONTROL-ACCOUNT-ID"
},
"eventTime": "2024-08-26T10:30:00Z",
"eventSource": "s3.amazonaws.com",
"eventName": "GetObject",
"resources": [
{
"ARN": "arn:aws:s3:::your-data-bucket/file.csv",
"accountId": "DATA-ACCOUNT-ID"
}
]
}Data Residency:
- 🌍 Regional Compliance: Ensure both accounts are in compliant regions
- 📋 Data Classification: Tag buckets with appropriate data classification
- 🔒 Encryption: Enable S3 encryption with appropriate KMS keys
Audit Requirements:
- 📊 Access Logging: Enable S3 access logging for detailed audit trails
- 🔍 Regular Reviews: Periodically review cross-account permissions
- 📝 Documentation: Maintain documentation of cross-account relationships
For multi-region deployments:
# Replicate bucket policy across regions
for region in us-east-1 us-west-2 eu-west-1; do
aws s3api put-bucket-policy \
--bucket "your-data-bucket-${region}" \
--policy file://bucket-policy.json \
--region $region \
--profile data-account
doneCloudFormation Template for Bucket Policies:
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Cross-account bucket policies for Quilt'
Parameters:
ControlAccountId:
Type: String
Description: 'Control account ID where Quilt is deployed'
DataBucketName:
Type: String
Description: 'Name of the data bucket'
Resources:
CrossAccountBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref DataBucketName
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: QuiltCrossAccountAccess
Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${ControlAccountId}:root'
Action:
- 's3:GetObject'
- 's3:GetObjectAttributes'
- 's3:ListBucket'
- 's3:PutObject'
- 's3:DeleteObject'
Resource:
- !Sub 'arn:aws:s3:::${DataBucketName}'
- !Sub 'arn:aws:s3:::${DataBucketName}/*'- Cross-Account Access - AWS IAM cross-account access patterns
- S3 Bucket Policies - Comprehensive S3 policy guide
- CloudTrail Cross-Account - CloudTrail log sharing
- Quilt Admin API - Programmatic bucket management
- EventBridge Integration - Alternative event routing
- Security Best Practices - General Quilt security guidance
- AWS CLI Reference - S3 API commands
- Policy Generator - AWS Policy Generator tool
- IAM Policy Simulator - Test policies before applying
Need Help with Cross-Account Setup?
- 📧 Email: [email protected]
- 💬 Slack: Quilt Community
- 📖 Documentation: Quilt Docs
- 🐛 Issues: GitHub Issues
Success! You now have a secure, compliant cross-account Quilt deployment that separates your control plane from your data plane while maintaining full functionality.