Complete a 3 Question Survey and Earn a re:Post Badge

Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!

How do I copy Amazon S3 objects from another AWS account?

5 minute read

I want to copy Amazon Simple Storage Service (Amazon S3) objects across AWS accounts, and make sure that the destination account owns the copied objects.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

The AWS account that uploads the objects doesn't automatically own the objects in Amazon S3. When you change the S3 Object Ownership setting, it's a best practice to use the Bucket owner enforced setting. The Bucket owner enforced setting simplifies access management for data that's stored in Amazon S3. However, this option turns off all bucket access control lists (ACLs) and ACLs on any objects in your bucket.

When you use the Bucket owner enforced setting in S3 Object Ownership, the same bucket owner automatically owns all objects in an Amazon S3 bucket. For existing buckets, the account that uploads the S3 object owns the object unless you explicitly turn off the ACLs.

If your existing method relies on ACLs to share objects, then identify the principals that use ACLs to access objects. For more information, see Prerequisites to turn off ACLs.

If you can't turn off your ACLs, then complete the following steps to take ownership of objects until you can adjust your bucket policy:

In the source account, create an AWS Identity and Access Management (IAM) customer managed policy that grants an IAM identity cross-account access. The IAM user must have access to retrieve objects from the source bucket and put objects into the destination bucket.
Example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::source-DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::source-DOC-EXAMPLE-BUCKET/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET/*"
            ]
        }
    ]
}

Note: The preceding example IAM policy includes only the minimum required permissions to list objects and copy objects to buckets across accounts. Customize the allowed S3 actions based on your use case. For example, if the user must copy objects that have object tags, then you must also grant permissions for s3:GetObjectTagging. If you experience permissions errors, then isolate IAM related issues as an admin user.

In the source account, attach the customer managed policy to the IAM identity.
In the destination account, set S3 Object Ownership on the destination bucket to Bucket owner preferred. The destination account now automatically owns the new objects that you upload with the ACL set to bucket-owner-full-control.

In the destination account, modify the destination's bucket policy to grant the source account permission to upload objects. Also, include a condition in the bucket policy that requires object uploads to set the ACL to bucket-owner-full-control.
Example policy:

{
    "Version": "2012-10-17",
    "Id": "Policy1611277539797",
    "Statement": [
        {
            "Sid": "Stmt1611277535086",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::222222222222:user/Jane"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "Stmt1611277877767",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::222222222222:user/Jane"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET"
        }
    ]
}

Note: Replace destination-DOC-EXAMPLE-BUCKET with the name of the destination bucket and arn:aws:iam::222222222222:user/Jane with the ARN of the IAM identity from the source account.
The preceding example bucket policy includes only the minimum required permissions to upload an object with the required ACL. Customize the allowed S3 actions based on your use case.

Make sure that the ACL is set to bucket-owner-full-control so that the source account's IAM identity can upload objects to the destination bucket. For example, the source IAM identity must run the cp AWS CLI command with the —acl option:

aws s3 cp s3://source-DOC-EXAMPLE-BUCKET/object.txt s3://destination-DOC-EXAMPLE-BUCKET/object.txt --acl bucket-owner-full-control

In the preceding example, the command copies the file object.txt. To copy an entire folder, run the following command:

aws s3 cp directory/ s3://bucketname/directory --recursive --acl bucket-owner-full-control

Note: If you get an AccessDenied error, then see Troubleshoot access denied (403 Forbidden) errors in Amazon S3.

Important: If your S3 bucket has default encryption with AWS Key Management Service (AWS KMS) activated, then you must also modify the AWS KMS key permissions. For instructions, see My Amazon S3 bucket has default encryption using a custom AWS KMS key. How can I allow users to download from and upload to the bucket?

To copy large amounts of data between S3 buckets, see What's the best way to transfer large amounts of data from one Amazon S3 bucket to another? Also, see How can I optimize performance when I upload large amounts of data to Amazon S3?

Related information

Examples of Amazon S3 bucket policies

Example 2: Bucket owner granting cross-account bucket permissions

How do I change object ownership for an Amazon S3 bucket when the objects are uploaded by other AWS accounts?

Using a resource-based policy to delegate access to an Amazon S3 bucket in another account

Topics

Storage

Relevant content

Help with copying s3 bucket to another location missing objects
AWS-User-1139934
asked 3 years ago
Creating automatic copies from one S3 bucket to another
Accepted Answer
PaideiaStudio
asked 7 months ago
How do I copy files from my S3 bucket hosted in Europe to my S3 bucket hosted in the United States?
MODERATOR
StephenM@aws
asked 4 years ago
Unable to copy S3 object that have AMI from Seoul to Beijing? They are different account. And Seoul account don't have Beijing, and Beijing account don't have Seoul.
rePost-User-6963735
asked 2 years ago
Does AWS S3 API copy-object copies the retentions and tagging also to another bucket?
Saurav
asked a year ago
How do I copy all objects from one Amazon S3 bucket to another bucket?
AWS OFFICIALUpdated 7 months ago
Why can't I access an object that was uploaded to my Amazon S3 bucket by another AWS account?
AWS OFFICIALUpdated 9 months ago
Why can't I copy an object between two Amazon S3 buckets?
AWS OFFICIALUpdated 2 years ago
How do I transfer the ownership of an Amazon S3 bucket to a different AWS account?
AWS OFFICIALUpdated a year ago
How to setup cross-account Redshift auto copy
EXPERT
RiteshKSinha
published 2 years ago

How do I copy Amazon S3 objects from another AWS account?

Resolution

Related information

Related videos

Relevant content