diff --git a/.gitignore b/.gitignore
index b797071..59d0464 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
.DS_Store
.idea/
venv
+.venv
diff --git a/docs/home/clouds/aws.md b/docs/home/clouds/aws.md
index af32370..d56a256 100644
--- a/docs/home/clouds/aws.md
+++ b/docs/home/clouds/aws.md
@@ -133,6 +133,24 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally
- in the `Key policy` of the KMS key that is used to encrypt data in the S3 bucket
+## Cross-account S3 access by assuming an IAM role in target account
+
+The approach is based on the [official documentation](https://repost.aws/knowledge-center/cross-account-access-iam).
+
+If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally grant access to the KMS key in the items below:
+
+- in the `IAM policy` that is attached to the IAM role
+
+- in the `Key policy` of the KMS key that is used to encrypt data in the S3 bucket
+
+Choose the appropriate `Trust Policy` based on how the ODM accesses AWS resources:
+
+- You can find the recommended `Trust Relationships` for EKS IRSA here [IRSA Trust Relationships](#configuration-examples).
+
+- You can find the recommended `Trust Relationships` for EKS Pod Identity here [Pod Identity Trust Relationships](#configuration-examples).
+
+This is how the `Trust Relationships` for the IAM role in the target account should appear - [IAM role in target account Trust Relationships](#configuration-examples)
+
## Cross-account ECR access
⚠️ **Mandatory in case of processors-controller usage**
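Review bot: the three links in this section (IRSA, Pod Identity, and the target-account role) all resolve to the same `#configuration-examples` anchor, so a reader clicking "IRSA Trust Relationships" lands on the top of the examples section rather than the IRSA block. Either give each example block its own heading that can be anchored (e.g. one `###` heading per trust policy) or name the example block verbatim in the link text so it can be found by searching. It would also help to state explicitly, next to "Choose the appropriate `Trust Policy`", that the role in the target account should trust only the specific source role (the IRSA or Pod Identity role ARN) rather than the whole source account, since that is the choice the examples below should illustrate.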
@@ -151,51 +169,6 @@ If the ECR repository uses `KMS encryption` with a customer-managed key, then it
## Configuration examples
-IAM policy for ECR access
-
-```json
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "ECRRepositoryAccess",
- "Effect": "Allow",
- "Action": [
- "ecr:GetAuthorizationToken"
- ],
- "Resource": "*"
- },
- {
- "Sid": "ECRImagePull",
- "Effect": "Allow",
- "Action": [
- "ecr:GetDownloadUrlForLayer",
- "ecr:BatchGetImage",
- "ecr:BatchCheckLayerAvailability",
- "ecr:DescribeRepositories",
- "ecr:DescribeImages",
- "ecr:ListImages"
- ],
- "Resource": "*"
- },
- {
- "Sid" : "AllowUseOfTheKey",
- "Effect": "Allow",
- "Action" : [
- "kms:Encrypt",
- "kms:Decrypt",
- "kms:ReEncrypt*",
- "kms:GenerateDataKey*",
- "kms:DescribeKey"
- ],
- "Resource" : ["KMS_KEY_ARN"]
- }
- ]
-}
-```
-
-
-
AbortIncompleteMultipartUpload rule
```json
@@ -306,6 +279,73 @@ If the ECR repository uses `KMS encryption` with a customer-managed key, then it
+IAM role in target account Trust Relationships
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "arn:aws:iam::AWS_ACCOUNT_ID:root"
+ },
+ "Action": [
+ "sts:TagSession",
+ "sts:AssumeRole"
+ ]
+ }
+ ]
+}
+```
+
+
+
+IAM policy for ECR access
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ECRRepositoryAccess",
+ "Effect": "Allow",
+ "Action": [
+ "ecr:GetAuthorizationToken"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "ECRImagePull",
+ "Effect": "Allow",
+ "Action": [
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:DescribeRepositories",
+ "ecr:DescribeImages",
+ "ecr:ListImages"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid" : "AllowUseOfTheKey",
+ "Effect": "Allow",
+ "Action" : [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ],
+ "Resource" : ["KMS_KEY_ARN"]
+ }
+ ]
+}
+```
+
+
+
GP3 StorageClass example
```yaml
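Review bot: the "IAM role in target account Trust Relationships" example is not a valid trust policy as written: an account or role ARN such as `arn:aws:iam::AWS_ACCOUNT_ID:root` must be placed under the `"AWS"` principal key, not `"Service"` (which is reserved for service principals like `pods.eks.amazonaws.com`); IAM rejects the policy on save. The fix is `"Principal": { "AWS": "arn:aws:iam::AWS_ACCOUNT_ID:root" }`, and for least privilege the ARN should be the specific source role (the IRSA or Pod Identity role) rather than `:root`, which delegates the decision of who may assume this role to every principal the source account chooses to authorize. Two smaller points in the same hunk: the re-added "IAM policy for ECR access" grants `kms:Encrypt`, `kms:ReEncrypt*` and `kms:GenerateDataKey*` on the key, but image pulls only need `kms:Decrypt` (plus `kms:DescribeKey`), so the write-side actions can be dropped; and the `ECRImagePull` statement uses `"Resource": "*"`, which could be narrowed to the repository ARNs the controller actually pulls from, leaving `"*"` only for `ecr:GetAuthorizationToken`, which does not support resource-level permissions.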