How do I use DataSync to transfer data to or from a cross-account Amazon S3 location?
I want to use AWS DataSync to transfer data in one AWS account to an Amazon Simple Storage Service (Amazon S3) bucket in another account.
Resolution
Prerequisites:
-
Your source account must have AWS Identity and Access Management (IAM) roles for users and for DataSync with the required permissions.
-
You must add the following trust relationship to the DataSync IAM role:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": "datasync.amazonaws.com" }, "Action": "sts:AssumeRole" }] } -
If your bucket is encrypted and your customer-managed key uses server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS), then you require additional configuration.
To use DataSync to transfer data across accounts, complete the following steps:
- For the IAM role in the source account to access the bucket in the destination account, update the S3 bucket policy in the destination account.
- Deactivate the access control lists (ACLs) for your destination bucket.
- Create the DataSync source location for the S3 bucket that owns the data.
Note: You can also use DataSync to transfer data from an Amazon Elastic File System (Amazon EFS) file system or an Amazon FSx file system. - From the source account, use AWS CloudShell to create the DataSync destination location.
Note: You can't create cross-account locations in the DataSync console. - Create and run the DataSync task.
Note: For transfers between one AWS Region and another, create the task in the source account in the same Region as the destination bucket.
To monitor your tasks, check the DataSync console.
Related information
How to use AWS DataSync to migrate data between Amazon S3 buckets
- Tags
- AWS DataSync
- Language
- English
Cross account S3 bucket is now supported : https://docs.aws.amazon.com/datasync/latest/userguide/tutorial_s3-s3-cross-account-transfer.html
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
I think this post needs to be updated to match the documentation provided in https://docs.aws.amazon.com/datasync/latest/userguide/tutorial_s3-s3-cross-account-transfer.html Otherwise it is a bit misleading.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Source S3 location: Source Account, Source Region, Source account IAM role Destination S3 location: Source Account, Destination Region, Source account IAM role (this role must be updated in destination bucket policy as well). Task location: Source Account, Destination Region
OR
Source S3 location: Destination Account, Source Region, Destination account IAM role (this role must be updated in source bucket policy as well). Destination S3 location: Destination Account, Destination Region, Destination account IAM role . Task location: Destination Account, Source Region
Just done a test: cross-account + cross-region S3-to-S3 DataSync replication also works with the DataSync task in the destination account, destination bucket region (in addition to the task running in source account's bucket destination region, as described in the AWS documentation tutorial).
The corrected article was updated on 19 May 2025. Please disregard above comments regarding inaccuracy.
