How to Sync S3 Bucket to Different AWS Account

2021/02/11

Table of Contents

  1. Introduction
  2. Source Bucket Setup
  3. Destination Bucket Setup
  4. Execute the Command
  5. Conclusion

Introduction

This blog shows how to move S3 Bucket content from one AWS account to another AWS account.

The scenario: the contents of the S3 bucket technoapple.images in AWS Account xxx (Account A) are copied to the S3 bucket ta.images in AWS Account yyy (Account B). This works by granting cross-account access to the source bucket.

Source Bucket Setup

First, go to Account A's bucket. In this blog's example, that is the technoapple.images bucket. Next, add the following bucket policy to Account A's bucket, replacing a few values so Account B can access it.

Replace ACCOUNT-B-ID with Account B's ID, replace ACCOUNT-B-USER with the Account B user who will later perform the S3 file sync, and replace ACCOUNT-A-Bucket-NAME with technoapple.images.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{ACCOUNT-B-ID}:user/{ACCOUNT-B-USER}"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::{ACCOUNT-A-Bucket-NAME}/*",
                "arn:aws:s3:::{ACCOUNT-A-Bucket-NAME}"
            ]
        }
    ]
}
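
An added example, not part of the original post: a small Python check that a source-bucket policy like the one above grants only the two read actions, on this bucket only, to a single user in Account B. The account ID 111122223333 and user name sync-user are constructed placeholders, and audit_source_policy is a hypothetical helper name.

```python
READ_ONLY = {"s3:ListBucket", "s3:GetObject"}  # the two actions the page's policy grants

def as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]

def audit_source_policy(policy, bucket, account_id):
    """Return findings for a source-bucket policy meant for one cross-account reader."""
    findings = []
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    prefix = f"arn:aws:iam::{account_id}:"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == "*":
                findings.append(f"statement {i}: principal is a wildcard")
            elif arn in (account_id, prefix + "root"):
                findings.append(f"statement {i}: principal is the whole account, not one user")
            elif not arn.startswith(prefix):
                findings.append(f"statement {i}: principal {arn} is outside account {account_id}")
        for action in as_list(stmt.get("Action", [])):
            if action not in READ_ONLY:
                findings.append(f"statement {i}: action {action} exceeds read-only sync")
        for res in as_list(stmt.get("Resource", [])):
            if res not in allowed:
                findings.append(f"statement {i}: resource {res} is outside bucket {bucket}")
    return findings

# Constructed sample: the page's policy with its placeholders filled in.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/sync-user"},
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::technoapple.images/*", "arn:aws:s3:::technoapple.images"],
}]}
# Constructed loose variant, to show what the check reports.
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::technoapple.images/*",
}]}

if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("loose policy", LOOSE_POLICY)):
        print(name, audit_source_policy(pol, "technoapple.images", "111122223333") or "no findings")
```
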

Destination Bucket Setup

Setup Custom Policy

For the destination bucket setup, we need a user in Account B that has permission to perform the bucket sync. The following policy grants read access to the source bucket and write access to the destination bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::technoapple.images",
                "arn:aws:s3:::technoapple.images/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::ta.images",
                "arn:aws:s3:::ta.images/*"
            ]
        }
    ]
}

Create a User and Attach the Policy

Create a new IAM user in Account B and attach the custom policy created above.

AWS Configure

Here, you'll run aws configure and use the credentials of the user who has the custom policy.

Execute the Command

At this point, both buckets should be ready and we can run the command to copy files from Account A's bucket to Account B's bucket.

aws s3 sync s3://{source bucket name} s3://{target bucket name} --source-region {source region} --region {target region}
# The following is an example
aws s3 sync s3://technoapple.images s3://ta.images --source-region us-west-2 --region us-west-1

Conclusion

This blog shows how to move a bucket's files from one account to another account. This will be useful if you want to retire one account and move files to another account, or move S3 content between development environments.