
Copy S3 objects across AWS Accounts

This will show you how to copy objects between S3 buckets across different AWS accounts. It's not a simple drag and drop. Not sure why Amazon doesn't provide an easy "SFTP"-like feature for this. Here are the steps:

Prerequisites

  1. You need access to both AWS accounts
  2. You need an IAM user in the destination account
  3. The AWS account number of the destination account
  4. You need the AWS CLI configured on your machine with the IAM user that you created or chose in the earlier step

Get AWS Account number

  1. Login to the destination AWS account
  2. Go to the My Account page and copy the Account ID

Set S3 policy on source account

  1. Login to the source AWS account
  2. Go to the S3 bucket
  3. Add the following bucket policy to the bucket

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegateS3Access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::DESTINATION_BUCKET_ACCOUNT_NUMBER:root"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::SOURCE_BUCKET_NAME/*",
        "arn:aws:s3:::SOURCE_BUCKET_NAME"
      ]
    }
  ]
}

Replace DESTINATION_BUCKET_ACCOUNT_NUMBER with the account ID that you copied earlier. Replace SOURCE_BUCKET_NAME with the actual bucket name. Note that this grants the destination account read and list access only; it does not let that account write to or delete from the source bucket.

Attach policy on the destination account

  1. Login to the destination AWS account
  2. Go to My Security Credentials
  3. Select Policies
  4. Add the following as a new policy for the IAM user

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::SOURCE_BUCKET_NAME",
        "arn:aws:s3:::SOURCE_BUCKET_NAME/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::DESTINATION_BUCKET_NAME",
        "arn:aws:s3:::DESTINATION_BUCKET_NAME/*"
      ]
    }
  ]
}

Replace DESTINATION_BUCKET_NAME with the actual bucket name of the destination. Replace SOURCE_BUCKET_NAME with the actual source bucket name. The object-level entries must end in /* so that the policy covers every key in the bucket; the bare bucket ARN (without /*) is what s3:ListBucket needs.
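As an added example (not part of the original post), the following Python builds the source-bucket policy above from its placeholders and then runs a least-privilege check over any policy document: it flags a wildcard Principal (which would make the bucket readable by anyone), actions beyond the four this copy needs, all-bucket resources, and object ARNs that end in "/" instead of "/*". The account ID and bucket names in the test are constructed sample values.

```python
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Only the S3 actions the copy procedure needs; anything else is a finding.
NEEDED_ACTIONS = {"s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"}


def source_bucket_policy(source_bucket: str, dest_account_id: str) -> dict:
    """Bucket policy for the source bucket: grant the destination account
    list/read access (the page's first policy with the placeholders filled)."""
    if not ACCOUNT_ID_RE.match(dest_account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{dest_account_id}:root"},
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{source_bucket}/*",
                         f"arn:aws:s3:::{source_bucket}"],
        }],
    }


def policy_findings(policy: dict) -> list:
    """Check an S3 bucket or IAM policy document for the mistakes that turn a
    private cross-account copy into an over-broad grant. Returns findings."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        # A bucket policy with Principal "*" opens the bucket to everyone.
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: Principal '*' grants access to any AWS identity")
        actions = st.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            if action not in NEEDED_ACTIONS:
                findings.append(f"statement {i}: action {action} is broader than the copy needs")
        resources = st.get("Resource", [])
        for res in ([resources] if isinstance(resources, str) else resources):
            if res in ("*", "arn:aws:s3:::*"):
                findings.append(f"statement {i}: resource {res} covers every bucket")
            elif res.endswith("/"):
                # "bucket/" matches only an empty key; object access needs "bucket/*".
                findings.append(f"statement {i}: resource {res} should end in /*")
    return findings
```

Run policy_findings over both policy documents before applying them; an empty list means they are no broader than the copy requires.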

Sync the S3 from AWS CLI

Using the AWS CLI on your computer, issue the following command after replacing the BUCKET_NAME and REGION_NAME placeholders with the actual names.
It's important to run it with the destination account's IAM user credentials, since that is the user the policy above was attached to.

aws s3 sync s3://SOURCE-BUCKET-NAME s3://DESTINATION-BUCKET-NAME --source-region SOURCE-REGION-NAME --region DESTINATION-REGION-NAME

This syncs the source bucket into the destination bucket. As usual, use due diligence before running this against your production system.