@startuml

title <b>Configuration 3: EC2 in its own AWS Account</b>

package AWS-1 {
  component c2 [
    <b>Role: s3-write-role</b>
    trust: AWS-2
    policy: s3-write-policy
  ]
  frame S3 {
    [bucket]
  }
  frame Redshift {
    component c4 [
      <b>Role: role-1</b>
      trust: redshift.amazonaws.com
      policy: s3-read-policy
    ]
  }
}

package AWS-2 {
  frame EC2 {
    component c3 [
      <b>Role: role-2</b>
      trust: ec2.amazonaws.com
      inline policy:
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::AWS-1:role/s3-write-role"
    ]
  }
}

[c2] <-- [c3]

legend top
<b>S3 Write</b> = arn:aws:iam::AWS-1:role/s3-write-role
<b>Redshift AWS Account ID</b> = AWS-1
<b>Redshift IAM Role Name</b> = role-1
<b>S3 Read</b> = (empty) 
endlegend

@enduml