Error: AmazonS3Exception “Access Denied with Status Code: 403” in Amazon Athena when I query a bucket in another account

DevOps Archaeologist
2 min read · Jan 15, 2021

Assumptions:
1. Account A (owns the S3 bucket)
2. Account B (runs the Athena query)

Let's start with Account A:

1. Open the Permissions tab of the S3 bucket
2. Either edit the ACL of the bucket (or object) or add a bucket policy
3. Under ACL, add the canonical ID of the external AWS account (Account B)
4. Edit the bucket policy using the Policy Generator https://awspolicygen.s3.amazonaws.com/policygen.html

```json
{
  "Version": "2012-10-17",
  "Id": "Policy1604525342797",
  "Statement": [
    {
      "Sid": "Cross-Account-Bucket-Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xaccountbxx:root",
          "arn:aws:iam::xaccountbxx:user/cross-account-access-user"
        ]
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::analytics-cross-account-s3access"
    },
    {
      "Sid": "Cross-Account-Object-Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xaccountbxx:root",
          "arn:aws:iam::xaccountbxx:user/cross-account-access-user"
        ]
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::analytics-cross-account-s3access/*"
    }
  ]
}
```

5. If the bucket is encrypted with a KMS customer managed key, add the Account B principal to the key policy of that key in Account A:

```json
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xaccountaxx:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xaccountbxx:user/cross-account-access-user"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

Now Account B:

1. Attach the policy below to the IAM user in Account B

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetAccessPoint",
        "s3:PutAccountPublicAccessBlock",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:ListAccessPoints",
        "s3:ListJobs",
        "s3:CreateJob"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::analytics-cross-account-s3access",
        "arn:aws:s3:::analytics-cross-account-s3access/*"
      ]
    }
  ]
}
```

2. If KMS is enabled, attach a second inline policy; its second statement must reference the ARN of the key that lives in Account A (the key whose policy was edited above)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeCustomKeyStores",
        "kms:ListKeys",
        "kms:DeleteCustomKeyStore",
        "kms:GenerateRandom",
        "kms:UpdateCustomKeyStore",
        "kms:ListAliases",
        "kms:DisconnectCustomKeyStore",
        "kms:CreateKey",
        "kms:ConnectCustomKeyStore",
        "kms:CreateCustomKeyStore"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "kms:*",
      "Resource": "arn:aws:kms:ca-central-1:xaccountaxx:key/4bb-452e-8885"
    }
  ]
}
```
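The reason the 403 appears in the first place is that cross-account access needs an Allow on both sides: the resource policy in Account A (bucket policy, and key policy when SSE-KMS is on) and the identity policy in Account B. The script below is an added example, not code from the original post; it models that decision for the three permissions an Athena query actually needs (s3:ListBucket on the bucket ARN, s3:GetObject on the bucket ARN plus "/*", and kms:Decrypt on the key) and reports which one is missing. Account IDs, the key id and the policies are constructed placeholders, and the policies are deliberately narrower than the post's "s3:*" and "kms:*" grants. The model is simplified: it ignores explicit Deny, conditions, ACLs and SCPs.

```python
"""Toy model of the AWS cross-account authorization decision for S3 + SSE-KMS.

Added example (not part of the original post). Account IDs, bucket name, key id
and policies below are constructed placeholders. Only the cross-account case
is modeled: a request succeeds only if BOTH the resource policy in Account A
and the identity policy in Account B allow it. Deny, conditions, ACLs and SCPs
are deliberately left out.
"""
import fnmatch

ACCOUNT_A = "111111111111"  # constructed: owns the bucket and the KMS key
ACCOUNT_B = "222222222222"  # constructed: runs the Athena query
USER_B = f"arn:aws:iam::{ACCOUNT_B}:user/cross-account-access-user"
BUCKET = "arn:aws:s3:::analytics-cross-account-s3access"
KEY = f"arn:aws:kms:ca-central-1:{ACCOUNT_A}:key/00000000-0000-0000-0000-000000000000"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """Resource-policy Principal check: exact ARN, '*', or the caller's account root."""
    if principal == "*":
        return True
    caller_account = caller_arn.split(":")[4]
    for p in _as_list(principal.get("AWS", [])):
        if p in ("*", caller_arn, caller_account, f"arn:aws:iam::{caller_account}:root"):
            return True
    return False


def _statement_allows(stmt, action, resource, caller_arn=None):
    if stmt.get("Effect") != "Allow":
        return False
    if caller_arn is not None and not _principal_matches(stmt.get("Principal", {}), caller_arn):
        return False
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    return any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))


def policy_allows(policy, action, resource, caller_arn=None):
    """True if any Allow statement matches. Pass caller_arn for resource policies only."""
    return any(_statement_allows(s, action, resource, caller_arn) for s in policy["Statement"])


def cross_account_allowed(resource_policy, identity_policy, caller_arn, action, resource):
    """Cross-account: the resource owner AND the caller's own account must both allow it."""
    return (policy_allows(resource_policy, action, resource, caller_arn)
            and policy_allows(identity_policy, action, resource))


def diagnose_athena_query(bucket_policy, key_policy, identity_policy, caller_arn, kms_enabled):
    """Return the permissions an Athena query needs that are not granted on both sides."""
    checks = [("s3:ListBucket", BUCKET), ("s3:GetObject", BUCKET + "/*")]
    if kms_enabled:
        checks.append(("kms:Decrypt", KEY))
    missing = []
    for action, resource in checks:
        resource_policy = key_policy if action.startswith("kms:") else bucket_policy
        if not cross_account_allowed(resource_policy, identity_policy, caller_arn, action, resource):
            missing.append(action)
    return missing


# Constructed sample policies (narrower than the post's s3:* / kms:* grants).
BUCKET_POLICY_OK = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Bucket", "Effect": "Allow", "Principal": {"AWS": USER_B},
     "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": BUCKET},
    {"Sid": "Objects", "Effect": "Allow", "Principal": {"AWS": USER_B},
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}
# Classic 403 cause: s3:GetObject granted on the bucket ARN, which never matches an object.
BUCKET_POLICY_NO_OBJECTS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Bucket", "Effect": "Allow", "Principal": {"AWS": USER_B},
     "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": BUCKET}]}
KEY_POLICY_OK = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Owner", "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "CrossAccountUse", "Effect": "Allow", "Principal": {"AWS": USER_B},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}
# Key policy that was never updated for Account B: only the owner statement.
KEY_POLICY_OWNER_ONLY = {"Version": "2012-10-17", "Statement": [KEY_POLICY_OK["Statement"][0]]}
IDENTITY_POLICY_B = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3", "Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject"],
     "Resource": [BUCKET, BUCKET + "/*"]},
    {"Sid": "KMS", "Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": KEY}]}

if __name__ == "__main__":
    for label, bp, kp in [("correct", BUCKET_POLICY_OK, KEY_POLICY_OK),
                          ("missing /* on objects", BUCKET_POLICY_NO_OBJECTS, KEY_POLICY_OK),
                          ("key policy not shared", BUCKET_POLICY_OK, KEY_POLICY_OWNER_ONLY)]:
        print(f"{label}: missing={diagnose_athena_query(bp, kp, IDENTITY_POLICY_B, USER_B, True)}")
```

Run it and the second case reports s3:GetObject missing even though the bucket policy "grants" it; that is the usual shape of this 403. The third case shows that a correct bucket policy still fails on an SSE-KMS bucket until the key policy names the Account B principal, which is why step 5 for Account A is needed.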
