The steps to copy S3 objects from a bucket in one account to a bucket in another account are as follows:
1. Attach a bucket policy to the source bucket in Account A.
2. Attach an AWS Identity and Access Management (IAM) policy to a user or role in Account B.
3. Use the IAM user or role in Account B to perform the cross-account copy.
Attach a bucket policy to the source bucket in Account A:
1. Get the Amazon Resource Name (ARN) of the IAM identity (user or role) in Account B (destination account).
2. From Account A, attach a bucket policy to the source bucket that allows the IAM identity in Account B to get objects, similar to the following:
Important: For the value of Principal, replace arn:aws:iam::111111111111:user/Jane with the ARN of the IAM identity in Account B.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DelegateS3Access",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111111111111:user/Jane"},
                "Action": ["s3:ListBucket", "s3:GetObject"],
                "Resource": [
                    "arn:aws:s3:::awssourcebucket/*",
                    "arn:aws:s3:::awssourcebucket"
                ]
            }
        ]
    }
Attach an IAM policy to a user or role in Account B:
1. From Account B, create an IAM customer managed policy that allows an IAM user or role to copy objects from the source bucket in Account A to the destination bucket in Account B. The policy can be similar to the following example:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::awssourcebucket",
                    "arn:aws:s3:::awssourcebucket/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:PutObject",
                    "s3:PutObjectAcl"
                ],
                "Resource": [
                    "arn:aws:s3:::awsdestinationbucket",
                    "arn:aws:s3:::awsdestinationbucket/*"
                ]
            }
        ]
    }
2. Attach the customer managed policy to the IAM user or role that you want to use to copy objects between accounts.
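Before running the copy, the two policies above can be checked offline. The following is an added example, not part of the original page: it verifies that each action is granted on the right ARN form (bucket versus bucket/*) and that the bucket policy names only the expected principal. The function names and the exact-match simplification (no wildcard, Deny or Condition evaluation) are assumptions of this example.

```python
def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """True if an Allow statement names this exact action and resource ARN.
    Simplification: no wildcard, Deny or Condition evaluation."""
    return any(s.get("Effect") == "Allow"
               and action in _as_list(s.get("Action", []))
               and resource in _as_list(s.get("Resource", []))
               for s in _as_list(policy["Statement"]))

def audit(bucket_policy, iam_policy, src, dst, principal_arn):
    """Return findings; an empty list means the pair matches the setup above."""
    findings = []
    # s3:ListBucket applies to the bucket ARN, Get/PutObject to bucket/* ARNs.
    need_src = [("s3:ListBucket", f"arn:aws:s3:::{src}"),
                ("s3:GetObject", f"arn:aws:s3:::{src}/*")]
    need_dst = [("s3:ListBucket", f"arn:aws:s3:::{dst}"),
                ("s3:PutObject", f"arn:aws:s3:::{dst}/*")]
    for name, policy, needed in (("bucket policy", bucket_policy, need_src),
                                 ("IAM policy", iam_policy, need_src + need_dst)):
        for action, res in needed:
            if not allows(policy, action, res):
                findings.append(f"{name}: {action} not allowed on {res}")
    for s in _as_list(bucket_policy["Statement"]):
        p = s.get("Principal", {})
        arns = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        for arn in arns if s.get("Effect") == "Allow" else []:
            if arn == "*":
                findings.append("bucket policy: wildcard principal")
            elif arn != principal_arn:
                findings.append(f"bucket policy: unexpected principal {arn}")
    return findings

# Constructed sample: the two policies from this page, condensed.
PRINCIPAL = "arn:aws:iam::111111111111:user/Jane"
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DelegateS3Access", "Effect": "Allow", "Principal": {"AWS": PRINCIPAL},
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::awssourcebucket/*", "arn:aws:s3:::awssourcebucket"]}]}
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::awssourcebucket", "arn:aws:s3:::awssourcebucket/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
     "Resource": ["arn:aws:s3:::awsdestinationbucket", "arn:aws:s3:::awsdestinationbucket/*"]}]}

if __name__ == "__main__":
    print(audit(BUCKET_POLICY, IAM_POLICY, "awssourcebucket",
                "awsdestinationbucket", PRINCIPAL) or "no findings")
```

An empty result means the pair grants what the sync needs and nothing in the bucket policy is open to other principals; a bucket name that differs between the policy and the command shows up as a missing grant.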
Use the IAM user or role in Account B to perform the cross-account copy:
After you set up the bucket policy and IAM policy, the IAM user or role in Account B can perform the copy from Account A to Account B. Then, Account B owns the copied objects.
To synchronize all content from a source bucket in Account A to a destination bucket in Account B, the IAM user or role in Account B can run the sync command using the AWS Command Line Interface (AWS CLI):
    aws s3 sync s3://awssourcebucket s3://awsdestinationbucket