diff --git a/changelog.d/23079_aws_s3_auth.md b/changelog.d/23079_aws_s3_auth.md
new file mode 100644
index 0000000000000..e57b4e15ffd80
--- /dev/null
+++ b/changelog.d/23079_aws_s3_auth.md
@@ -0,0 +1,3 @@
+added `s3_auth` option to specify AWS auth configuration for S3 when different than SQS
+
+authors: sonnens
diff --git a/src/sources/aws_s3/mod.rs b/src/sources/aws_s3/mod.rs
index f0b89d1629477..54189b5cbaa96 100644
--- a/src/sources/aws_s3/mod.rs
+++ b/src/sources/aws_s3/mod.rs
@@ -103,6 +103,15 @@ pub struct AwsS3Config {
     #[serde(default)]
     auth: AwsAuthentication,
 
+
+    /// AWS Authentication for only the S3 client.
+    ///
+    /// This is used when the S3 client needs to use different credentials than the SQS client.
+    /// This is useful when eg, the S3 bucket is in a different account than the SQS queue.
+    #[configurable(derived)]
+    #[serde(default)]
+    s3_auth: Option<AwsAuthentication>,
+
     /// Multiline aggregation configuration.
     ///
     /// If not specified, multiline aggregation is disabled.
@@ -242,11 +251,16 @@ impl AwsS3Config {
         let region = self.region.region();
         let endpoint = self.region.endpoint();
 
+        let auth = match self.s3_auth {
+            Some(ref auth) => auth,
+            None => &self.auth,
+        };
+
         let s3_client = create_client::<S3ClientBuilder>(
             &S3ClientBuilder {
                 force_path_style: Some(self.force_path_style),
             },
-            &self.auth,
+            auth,
             region.clone(),
             endpoint.clone(),
             proxy,