AWS – Copy S3 buckets from one account to another:

The steps to copy S3 bucket contents from one account to another are listed below:

1.    Attach a bucket policy to the source bucket in Account A.

2.    Attach an AWS Identity and Access Management (IAM) policy to a user or role in Account B.

3.    Use the IAM user or role in Account B to perform the cross-account copy.


Attach a bucket policy to the source bucket in Account A:

1.    Get the Amazon Resource Name (ARN) of the IAM identity (user or role) in Account B (destination account).

2.    From Account A, attach a bucket policy to the source bucket that allows the IAM identity in Account B to list the bucket and get its objects, similar to the following. Use your actual source bucket name in both Resource entries; the same name must appear again in the IAM policy and the sync command in Account B.

Important: For the value of Principal, replace arn:aws:iam::111111111111:user/Jane with the ARN of the IAM identity in Account B.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:user/Jane"},
            "Action": ["s3:ListBucket","s3:GetObject"],
            "Resource": [
                "arn:aws:s3:::awssourcebucket/*",
                "arn:aws:s3:::awssourcebucket"
            ]
        }
    ]
}

Attach an IAM policy to a user or role in Account B:

1.    From Account B, create an IAM customer managed policy that allows an IAM user or role to read from the source bucket in Account A and write to the destination bucket in Account B. The bucket policy in Account A alone is not enough: the identity in Account B also needs these permissions in its own account. The policy can be similar to the following example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::awssourcebucket",
                "arn:aws:s3:::awssourcebucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::awsdestinationbucket",
                "arn:aws:s3:::awsdestinationbucket/*"
            ]
        }
    ]
}

2.    Attach the customer managed policy to the IAM user or role that you want to use to copy objects between accounts.

Use the IAM user or role in Account B to perform the cross-account copy:

After you set up the bucket policy and IAM policy, the IAM user or role in Account B can perform the copy from Account A to Account B. Because the identity in Account B writes the objects into the destination bucket, Account B owns the copied objects.

To synchronize all content from a source bucket in Account A to a destination bucket in Account B, the IAM user or role in Account B can run the sync command using the AWS Command Line Interface (AWS CLI):

aws s3 sync s3://awssourcebucket s3://awsdestinationbucket
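The three steps above share a handful of values (the principal ARN, the source bucket, the destination bucket), and most failures come from those values drifting apart between the two policies or from a bucket policy that grants more than the one identity needs. The following Python module is an added example written for this post, not code from the original page or from AWS: it builds both policy documents from one set of parameters, lints the bucket policy before you attach it (rejecting a wildcard principal, write actions on the source, or resources outside the source bucket), and emits the sync command. The account id, user name and bucket names in the `__main__` block are constructed sample values.

```python
"""Build and sanity-check the two policies for a cross-account S3 copy."""
import json
import re

PRINCIPAL_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(user|role)/[\w+=,.@/-]+$")
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# Actions the copying identity needs on each side; nothing broader.
SOURCE_ACTIONS = ["s3:ListBucket", "s3:GetObject"]
DEST_ACTIONS = ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"]


def _check_bucket(name):
    if not BUCKET_RE.match(name):
        raise ValueError(f"invalid bucket name: {name!r}")
    return name


def _bucket_arns(bucket):
    """Both ARNs are required: the bucket ARN for ListBucket, the /* ARN for object actions."""
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def source_bucket_policy(source_bucket, principal_arn):
    """Policy Account A attaches to the source bucket: read-only for Account B's identity."""
    if not PRINCIPAL_ARN_RE.match(principal_arn):
        raise ValueError(f"principal must be a user or role ARN, got {principal_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": SOURCE_ACTIONS,
            "Resource": _bucket_arns(_check_bucket(source_bucket)),
        }],
    }


def copier_identity_policy(source_bucket, dest_bucket):
    """Customer managed policy Account B attaches to the copying user or role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": SOURCE_ACTIONS,
             "Resource": _bucket_arns(_check_bucket(source_bucket))},
            {"Effect": "Allow", "Action": DEST_ACTIONS,
             "Resource": _bucket_arns(_check_bucket(dest_bucket))},
        ],
    }


def lint_bucket_policy(policy, expected_principal, source_bucket):
    """Return a list of problems found in a bucket policy before it is attached.

    Catches the mistakes that most often turn a one-off copy into an exposure:
    a wildcard principal, write actions on the source, or a principal/bucket mismatch.
    """
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = aws if isinstance(aws, list) else [aws]
        if "*" in principals:
            problems.append(f"{sid}: wildcard principal grants public access")
        elif any(p != expected_principal for p in principals):
            problems.append(f"{sid}: principal {principals} is not {expected_principal}")
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        extra = sorted(set(actions) - set(SOURCE_ACTIONS))
        if extra:
            problems.append(f"{sid}: actions beyond read-only: {extra}")
        resources = stmt.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        wrong = [r for r in resources if r not in _bucket_arns(source_bucket)]
        if wrong:
            problems.append(f"{sid}: resources outside the source bucket: {wrong}")
    return problems


def sync_command(source_bucket, dest_bucket):
    """The AWS CLI invocation Account B's identity runs once both policies are in place."""
    return f"aws s3 sync s3://{_check_bucket(source_bucket)} s3://{_check_bucket(dest_bucket)}"


if __name__ == "__main__":
    # Constructed sample values; replace with your own account id, identity and bucket names.
    principal = "arn:aws:iam::111111111111:user/Jane"
    src, dst = "awssourcebucket", "awsdestinationbucket"
    bucket_policy = source_bucket_policy(src, principal)
    print(json.dumps(bucket_policy, indent=4))
    print(json.dumps(copier_identity_policy(src, dst), indent=4))
    print("lint:", lint_bucket_policy(bucket_policy, principal, src) or "ok")
    print(sync_command(src, dst))
```

Write each generated document to a file and attach it with the AWS CLI: the bucket policy from Account A with `aws s3api put-bucket-policy --bucket awssourcebucket --policy file://bucket-policy.json`, and the identity policy from Account B with `aws iam create-policy` followed by `aws iam attach-user-policy` (or `attach-role-policy`). Running the linter first, and re-running it against `aws s3api get-bucket-policy` output after the copy, is a cheap way to confirm that the source bucket was never left readable by anyone other than the one identity in Account B.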
