How to Copy AWS S3 Objects to Another AWS Account

6 min read · Jan 21, 2023

Copying objects between buckets within one AWS account is a standard, simple process for S3 users. Moving objects from one AWS account to a bucket owned by another account is a different matter, because a bucket can only be written by its owner.

This article describes a method to copy AWS S3 objects from a bucket in one AWS account to a bucket in another AWS account.

The first step in this process is to adjust the permissions on the accounts involved. Amazon S3 lets you manage object and bucket permissions through Access Control Lists (ACLs) and bucket policies. Note, however, that permissions set on an object do not carry over to the bucket that holds it. To address this, the recommended approach is a bucket policy that allows cross-account copying of the bucket's objects; this method overrides any existing ACLs.

Architecture diagram: Copy AWS S3 Objects to Another AWS Account

Before starting, we need two separate AWS accounts (“Account A” and “Account B”).

Steps:

1. Create two AWS S3 buckets in two separate accounts.

Go to AWS “Account A” and navigate to the S3 section, then click “Create bucket”. In my case the bucket name is “test-sourcebucket1”.

1.1. Untick “Block all public access”, so that you can add a new bucket policy later.

Screenshot: Deselect block public access

1.2. Leave all the other parameters at their defaults and click “Create bucket”.

Screenshot: Create bucket

1.3. Open the bucket.

Screenshot: Open S3 bucket “test-sourcebucket1”

1.4. Now we want to add a file to the bucket. Click “Upload” and choose a single file from your local machine by clicking “Add files”, or just drag and drop the file there.

Screenshot: Add objects to S3 bucket “test-sourcebucket1”

1.5. Upload the objects.

1.6. Once the file is uploaded, log out of the source account.

1.7. Now log in to the AWS Management Console with the second, destination account “Account B”. Create a destination bucket using the same procedure we used for the source bucket “test-sourcebucket1”. The bucket can be in the same or a different AWS Region.

In my case, the Account B bucket name is “test-destinationbucket1”.

2. Create an IAM Policy

Now that we have our two S3 buckets, we will create an IAM policy that gives read access to the source bucket “test-sourcebucket1” and write access to the destination bucket “test-destinationbucket1”.

2.1. Go to “Account B”, open the IAM section and, under Policies, click “Create policy”.

2.2. In the policy editor, select JSON.

2.3. In the JSON editor, enter the following policy (make sure to use your own source and destination bucket names).

Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::test-sourcebucket1",
                "arn:aws:s3:::test-sourcebucket1/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::test-destinationbucket1",
                "arn:aws:s3:::test-destinationbucket1/*"
            ]
        }
    ]
}

2.4. After that, click through Tags and review the policy.

2.5. In my case the policy name is “s3-copy-policy”.

3. Create an IAM user

3.1. Now we will create a new IAM user. This user will copy the objects from the source bucket to the destination bucket. Go to the IAM section and, under Users, select “Add user”.

3.2. Give the new IAM user a name and select programmatic access. This access type is needed to reach the buckets with the AWS CLI.

In my case, the IAM user name is “s3-copy-user”.

3.3. Now attach the policy we just created, “s3-copy-policy”: select “Attach policies directly”.

3.4. Select the policy and click Next.

3.5. Check the summary page and click “Create user”.

3.6. Once the new user is created, you will see a success message that includes the Access key ID and Secret access key. These keys are needed for programmatic access later; the secret access key is shown only once, so store it securely now.

4. Create a Bucket Policy for “Account A”.

4.1. Log in to “Account A”, go to the S3 section and click the source bucket name “test-sourcebucket1”.

4.2. Go to the Permissions tab.

4.3. In the bucket policy editor, enter the following policy. Replace your_arn_ID with the 12-digit account ID of “Account B” (the account that owns “s3-copy-user”) and your_source_bucket_name with the source bucket name, “test-sourcebucket1” in my case.

Policy code:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCopy",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::your_arn_ID:root"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::your_source_bucket_name/*",
                "arn:aws:s3:::your_source_bucket_name"
            ]
        }
    ]
}

4.4. After that click save changes.
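The two policies only work together: the identity policy in Account B must allow each request, and the bucket policy in Account A must name Account B's principal as well. As an added example that is not part of the original article, the Python script below models that rule offline over the exact policies from steps 2 and 4. It uses constructed placeholder account IDs (000000000000 for Account A, 111122223333 for Account B), a constructed object key, and a toy evaluator that only handles Allow statements and ignores Deny statements, Conditions and ACLs. It reports which of the requests an S3 sync makes would be refused, and whether the source bucket policy is public. The principal in that policy is one account's root ARN rather than the "*" wildcard, so it is not a public grant of the kind S3 Block Public Access rejects.

```python
from fnmatch import fnmatchcase

# Constructed placeholder account IDs, not real accounts.
ACCOUNT_A = "000000000000"  # owns test-sourcebucket1
ACCOUNT_B = "111122223333"  # owns test-destinationbucket1 and s3-copy-user
BUCKET_OWNER = {"test-sourcebucket1": ACCOUNT_A, "test-destinationbucket1": ACCOUNT_B}
COPY_USER_ARN = f"arn:aws:iam::{ACCOUNT_B}:user/s3-copy-user"

# Identity policy "s3-copy-policy" from step 2, attached to s3-copy-user in Account B.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::test-sourcebucket1", "arn:aws:s3:::test-sourcebucket1/*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
         "Resource": ["arn:aws:s3:::test-destinationbucket1", "arn:aws:s3:::test-destinationbucket1/*"]},
    ],
}

# Bucket policy from step 4 on test-sourcebucket1 in Account A, with your_arn_ID
# filled in with Account B's ID. The destination bucket has no bucket policy:
# access from its own account needs only the identity policy.
BUCKET_POLICIES = {
    "test-sourcebucket1": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCopy", "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": ["arn:aws:s3:::test-sourcebucket1/*", "arn:aws:s3:::test-sourcebucket1"],
        }],
    },
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _bucket_of(resource_arn):
    # "arn:aws:s3:::bucket/key" or "arn:aws:s3:::bucket" -> "bucket"
    return resource_arn.split(":::", 1)[1].split("/", 1)[0]

def _account_of(principal_arn):
    return principal_arn.split(":")[4]

def _principal_covers(principal, caller_arn):
    """A resource-policy Principal names the caller if it is the public wildcard,
    the caller's own ARN, or the caller's account root (which delegates the
    grant to that account's IAM identities)."""
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    root = f"arn:aws:iam::{_account_of(caller_arn)}:root"
    return "*" in aws or root in aws or caller_arn in aws

def policy_allows(policy, action, resource, caller_arn=None):
    """True if some Allow statement matches the action and resource (and, for a
    resource policy, the caller's principal). Toy model: no Deny, no Conditions."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if caller_arn is not None and "Principal" in stmt \
                and not _principal_covers(stmt["Principal"], caller_arn):
            continue
        return True
    return False

def is_public(policy):
    """A bucket policy is public when an Allow statement uses a wildcard
    principal; an account-scoped principal like the one above is not."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") == "Allow" and (
                principal == "*" or "*" in _as_list(principal.get("AWS", []))):
            return True
    return False

def request_allowed(action, resource, caller_arn=COPY_USER_ARN, bucket_policies=BUCKET_POLICIES):
    """Cross-account rule: the caller's identity policy must allow the request, and
    when the bucket belongs to another account, that bucket's policy must allow the
    caller too. Same-account access needs only the identity policy."""
    if not policy_allows(IDENTITY_POLICY, action, resource):
        return False
    bucket = _bucket_of(resource)
    if BUCKET_OWNER[bucket] == _account_of(caller_arn):
        return True
    bucket_policy = bucket_policies.get(bucket)
    return bucket_policy is not None and policy_allows(bucket_policy, action, resource, caller_arn)

# Requests a sync from the source to the destination bucket makes, for one
# constructed object key.
SYNC_REQUESTS = [
    ("s3:ListBucket", "arn:aws:s3:::test-sourcebucket1"),
    ("s3:GetObject", "arn:aws:s3:::test-sourcebucket1/report.csv"),
    ("s3:ListBucket", "arn:aws:s3:::test-destinationbucket1"),
    ("s3:PutObject", "arn:aws:s3:::test-destinationbucket1/report.csv"),
]

def missing_permissions(caller_arn=COPY_USER_ARN, bucket_policies=BUCKET_POLICIES):
    """The sync requests that the two policies together do not allow."""
    return [(a, r) for a, r in SYNC_REQUESTS if not request_allowed(a, r, caller_arn, bucket_policies)]

if __name__ == "__main__":
    print("missing for s3-copy-user:", missing_permissions())
    print("missing without the source bucket policy:", missing_permissions(bucket_policies={}))
    print("source bucket policy public?", is_public(BUCKET_POLICIES["test-sourcebucket1"]))
```

Run as written, the first line prints an empty list, the second shows that without Account A's bucket policy the two read requests on the source bucket fail even though the identity policy allows them, and the third prints False. The same functions show that s3-copy-user cannot write back into the source bucket, and that a principal from a third account is not covered by the bucket policy.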

5. Now open a Command Prompt on Windows, with the AWS CLI installed.

5.1. Type “aws configure” and enter the Access key ID and Secret access key of “s3-copy-user”. Make sure to set the correct AWS region.

5.2. Type the command below to sync all objects from the source bucket into the destination account's bucket.

aws s3 sync s3://test-sourcebucket1 s3://test-destinationbucket1

6. Go to the destination AWS account and verify.

Go to the “Account B” S3 bucket and verify that the objects have been copied.

Screenshot: Objects copied to Account B

Thanks for reading! Let’s see you in the next article.

Written by Achintha Bandaranaike

AWS Community Builder ☁️| Cloud Enthusiast | 3xAWS | 3xAzure | Terraform Certified | 1xGCP