How to sync S3 buckets in two different AWS accounts?

Issue

I want to copy Amazon Simple Storage Service (Amazon S3) objects to a bucket in another AWS account. Then, I want to be sure that the destination account owns the copied objects. How can I do that?

Resolution

Follow these steps to enable the destination account to copy objects from the source bucket into the destination bucket:

Attach a policy to the source bucket

1. Get the AWS account ID number of the destination account.

2. From the source account, attach a policy to the source bucket that allows the destination account to get objects, similar to the following.

Important: For the value of Principal, be sure to enter the AWS account ID number of the destination account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {"AWS": "222222222222"},
            "Action": ["s3:ListBucket","s3:GetObject"],
            "Resource": [
                "arn:aws:s3:::sourcebucket/*",
                "arn:aws:s3:::sourcebucket"
            ]
        }
    ]
}

Attach a policy to a user or group in the destination account

Attach a policy to the destination account’s IAM user or group that allows the user to copy objects from the source bucket to the destination bucket. The policy can be similar to the following example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::sourcebucket",
                "arn:aws:s3:::sourcebucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::destinationbucket",
                "arn:aws:s3:::destinationbucket/*"
            ]
        }
    ]
}

Copy objects from the source bucket to the destination bucket

After you set up the policies on the source bucket and the destination account, the destination account can copy objects from the source bucket to the destination bucket. Then, the destination account owns the objects copied into the destination bucket.

To synchronize all content from the source bucket to the destination bucket, you can run this command:

aws s3 sync s3://source-bucket s3://destination-bucket --source-region ap-south-1 --region ap-south-1

Or, to make the copied objects publicly readable, add the --acl public-read flag:

aws s3 sync s3://source-bucket s3://destination-bucket --source-region ap-south-1 --region ap-south-1 --acl public-read
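The whole procedure above, scripted end to end as an added example (not part of the original article): it renders the two policies from parameters, applies them, and runs the sync under the destination account so that account owns the copied objects. It assumes two AWS CLI profiles named "src" and "dst" with the rights to edit the source bucket policy and the destination IAM user, respectively; bucket names, the user name and the region are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the article's own code. Assumes CLI profiles "src" (source
# account) and "dst" (destination account); bucket and user names are placeholders.
set -euo pipefail

# Bucket policy for the SOURCE bucket: lets the destination account list it
# and read its objects (the "DelegateS3Access" statement from the article).
render_bucket_policy() {
  local src_bucket="$1" dest_account="$2"
  cat <<EOF
{"Version": "2012-10-17",
 "Statement": [{"Sid": "DelegateS3Access", "Effect": "Allow",
   "Principal": {"AWS": "${dest_account}"},
   "Action": ["s3:ListBucket", "s3:GetObject"],
   "Resource": ["arn:aws:s3:::${src_bucket}", "arn:aws:s3:::${src_bucket}/*"]}]}
EOF
}

# IAM policy for the DESTINATION user: read the source bucket, write the
# destination bucket. No s3:* wildcard and no delete permission on either side.
render_user_policy() {
  local src_bucket="$1" dest_bucket="$2"
  cat <<EOF
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
   "Resource": ["arn:aws:s3:::${src_bucket}", "arn:aws:s3:::${src_bucket}/*"]},
  {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
   "Resource": ["arn:aws:s3:::${dest_bucket}", "arn:aws:s3:::${dest_bucket}/*"]}]}
EOF
}

# Applies both policies and runs the sync. The copy runs under the destination
# profile, so the destination account becomes the owner of the new objects.
cross_account_sync() {
  local src_bucket="$1" dest_bucket="$2" dest_user="$3" region="$4"
  local dest_account
  dest_account=$(aws sts get-caller-identity --profile dst --query Account --output text)
  aws s3api put-bucket-policy --profile src --bucket "$src_bucket" \
    --policy "$(render_bucket_policy "$src_bucket" "$dest_account")"
  aws iam put-user-policy --profile dst --user-name "$dest_user" \
    --policy-name S3CrossAccountCopy \
    --policy-document "$(render_user_policy "$src_bucket" "$dest_bucket")"
  aws s3 sync "s3://$src_bucket" "s3://$dest_bucket" --profile dst \
    --source-region "$region" --region "$region"
}

# Example invocation with placeholder names; uncomment to run for real:
# cross_account_sync sourcebucket destinationbucket copy-user ap-south-1
```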
