DEV Community

Harry@StartQuick Tech

Posted on • Originally published at startquicktech.Medium on

How to copy S3 objects across different AWS Accounts

Copying S3 files across different AWS accounts is a common task if you manage multiple AWS accounts, whether for different teams, products or environments. It is not a complex setup, but it shows well how AWS designs and operates cross-account permissions.

I created the video below for the hands-on process. If you find it useful, please like and subscribe to my channel for future videos.

There are two main steps regarding the permission setup:

  1. S3 bucket policy: Allow root access from the destination account;

Below is the bucket policy. The destination account ID and the source bucket name need to be replaced.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCopy",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[destination_account_id]:root"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::[source_bucket_name]/*",
                "arn:aws:s3:::[source_bucket_name]"
            ]
        }
    ]
}

  2. IAM user/role: The entity with the permissions required to execute the copy/sync action.

You need to create a policy with the permissions below and attach it to the IAM role or user that will execute the copy/sync action.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::[source_bucket_name]",
                "arn:aws:s3:::[source_bucket_name]/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::[destination_bucket_name]",
                "arn:aws:s3:::[destination_bucket_name]/*"
            ]
        }
    ]
}

The source bucket name and destination bucket name need to be replaced. From the policy above we can see that we need to allow GetObject on the source bucket and PutObject on the destination bucket, which is what the copy requires.
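As an added check (example code, not from the post), the Python below builds the bucket policy from step 1 with the placeholders filled in and flags any Allow statement that grants more than the copy needs; because the grant goes to the destination account's root, it is the IAM policy in that account that narrows which user or role can actually read the bucket. The account ID and bucket name are constructed sample values.

```python
# Added example: build the post's source-bucket policy and check its scope.
DEST_ACCOUNT_ID = "111122223333"          # constructed sample account id
SOURCE_BUCKET = "example-source-bucket"   # constructed sample bucket name

# The only actions the copy/sync needs on the source bucket.
ALLOWED_ACTIONS = {"s3:ListBucket", "s3:GetObject"}


def build_bucket_policy(dest_account_id: str, source_bucket: str) -> dict:
    """Same shape as the post's bucket policy, with the placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCopy",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{dest_account_id}:root"},
            "Action": sorted(ALLOWED_ACTIONS),
            "Resource": [f"arn:aws:s3:::{source_bucket}/*",
                         f"arn:aws:s3:::{source_bucket}"],
        }],
    }


def check_bucket_policy(policy: dict, dest_account_id: str, source_bucket: str) -> list:
    """Return findings for Allow statements that are broader than the copy needs."""
    findings = []
    expected_principal = f"arn:aws:iam::{dest_account_id}:root"
    expected_resources = {f"arn:aws:s3:::{source_bucket}",
                          f"arn:aws:s3:::{source_bucket}/*"}
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        # Principal may be a dict with "AWS" (string or list) or the bare "*".
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws_set = set(aws) if isinstance(aws, list) else {aws}
        if aws_set != {expected_principal}:
            findings.append(f"statement {i}: principal {sorted(aws_set)} is not the destination root only")
        actions = st.get("Action", [])
        actions = set(actions) if isinstance(actions, list) else {actions}
        extra = actions - ALLOWED_ACTIONS
        if extra:
            findings.append(f"statement {i}: actions beyond list/read: {sorted(extra)}")
        resources = st.get("Resource", [])
        resources = set(resources) if isinstance(resources, list) else {resources}
        if not resources <= expected_resources:
            findings.append(f"statement {i}: resources outside source bucket: {sorted(resources - expected_resources)}")
    return findings
```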

  3. In this article, I will use the AWS CLI to execute the copy/sync action.

Below are examples; the region parameter is optional.

# copy a file from the source bucket to the destination bucket
aws s3 cp s3://source_bucket_name/filename s3://destination_bucket_name/filename --source-region [source_bucket_region]
# sync the source folder to the destination folder
aws s3 sync s3://source_bucket_name s3://destination_bucket_name --source-region [source_bucket_region]

Now you should know how to copy S3 objects across accounts.

Thanks.

Harry
