DEV Community

Harry@StartQuick Tech

Posted on • Originally published at startquicktech.Medium on

How to copy S3 objects across different AWS Accounts

Copying S3 objects across AWS accounts comes up often if you manage multiple accounts, whether for different teams, products or environments. The setup is not complex, but it shows how AWS designs and operates cross-account permissions.

I created the video below for the hands-on process. If you find it useful, please like it and subscribe to my channel for future videos.

There are two main steps regarding the permission setup:

  1. S3 bucket policy: allow root access from the destination account.

Below is the bucket policy for the source bucket. Replace the destination account ID and source bucket name with your own values.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCopy",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[destination_account_id]:root"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::[source_bucket_name]/*",
                "arn:aws:s3:::[source_bucket_name]"
            ]
        }
    ]
}

  2. IAM user/role: the entity with the required permissions to execute the copy/sync action.

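Create a policy with the permissions below and attach it to the IAM role or user that will execute the copy/sync action. Because the bucket policy above trusts the destination account, this role or user must belong to that account.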

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::[source_bucket_name]",
                "arn:aws:s3:::[source_bucket_name]/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::[destination_bucket_name]",
                "arn:aws:s3:::[destination_bucket_name]/*"
            ]
        }
    ]
}

Replace the source and destination bucket names with your own. As the policy shows, copying requires GetObject on the source bucket and PutObject on the destination bucket.

  3. In this article, I will use the AWS CLI to execute the copy/sync action.

Below are examples; the region parameter is optional.

# copy file from source to destination
aws s3 cp s3://source_bucket_name/filename s3://destination_bucket_name/filename --source-region [source_bucket_region]
# sync source folder to destination folder
aws s3 sync s3://source_bucket_name s3://destination_bucket_name --source-region [source_bucket_region]

Now you should know how to copy S3 objects across AWS accounts.
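
As an added example (not part of the original post), the Python below checks which action/resource pairs in the bucket policy from step 1 can actually match a request, and how broad its principal is. It models only the four S3 actions used on this page and plain bucket ARNs without wildcards in the bucket name; the account ID and bucket name are constructed placeholders.

```python
# Resource level each S3 action used on this page is evaluated against.
ACTION_LEVEL = {"s3:ListBucket": "bucket", "s3:GetObject": "object",
                "s3:PutObject": "object", "s3:PutObjectAcl": "object"}

# Constructed sample: the step 1 bucket policy with placeholder values filled in.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCopy", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-source-bucket/*",
                     "arn:aws:s3:::example-source-bucket"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def resource_level(arn):
    """'object' when the ARN carries a key part after the bucket name."""
    return "object" if "/" in arn.rpartition(":::")[2] else "bucket"

def effective_grants(policy):
    """(action, resource) pairs in Allow statements that can match a request."""
    pairs = set()
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st["Action"]):
            for arn in _as_list(st["Resource"]):
                if ACTION_LEVEL.get(action) == resource_level(arn):
                    pairs.add((action, arn))
    return sorted(pairs)

def principal_scope(policy):
    """Classify each AWS principal: public, account-wide, or a named principal."""
    out = []
    for st in _as_list(policy["Statement"]):
        p = st.get("Principal", {})
        for arn in (["*"] if p == "*" else _as_list(p.get("AWS", []))):
            wide = arn.endswith(":root") or arn.isdigit()  # bare account ID == root
            scope = "public" if arn == "*" else "account-wide" if wide else "named-principal"
            out.append((st.get("Sid", ""), arn, scope))
    return out

if __name__ == "__main__":
    for pair in effective_grants(BUCKET_POLICY):
        print("effective:", *pair)
    for row in principal_scope(BUCKET_POLICY):
        print("principal:", *row)
```

s3:ListBucket is evaluated against the bucket ARN and s3:GetObject against object ARNs, so the other two combinations in the statement grant nothing. The `:root` principal delegates to the whole destination account, where IAM policies such as the one in step 2 decide which identities can use the access.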

Thanks.

Harry
