Migrating data between Amazon S3 buckets across AWS accounts and Regions can be a common requirement during cloud restructuring, account isolation, or data archiving strategies.<\/p>\n\n\n\n
We\u2019ll copy data from a source bucket in one AWS account to a destination bucket in another account, potentially in a different Region. This process ensures that the destination account becomes the new owner of the objects, and we\u2019ll achieve this through AWS S3 data transfer using AWS CLI.<\/p>\n\n\n\n
Create a policy with the following permissions, replacing bucket names with your actual bucket names:<\/p>\n\n\n\n
{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:ListBucket\",\n \"s3:GetObject\",\n \"s3:GetObjectTagging\",\n \"s3:GetObjectVersion\",\n \"s3:GetObjectVersionTagging\"\n ],\n \"Resource\": [\n \"arn:aws:s3:::amazon-s3-source-bucket\",\n \"arn:aws:s3:::amazon-s3-source-bucket\/*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:ListBucket\",\n \"s3:PutObject\",\n \"s3:PutObjectAcl\",\n \"s3:PutObjectTagging\",\n \"s3:GetObjectTagging\",\n \"s3:GetObjectVersion\",\n \"s3:GetObjectVersionTagging\"\n ],\n \"Resource\": [\n \"arn:aws:s3:::amazon-s3-destination-bucket\",\n \"arn:aws:s3:::amazon-s3-destination-bucket\/*\"\n ]\n }\n ]\n}<\/code><\/pre>\n\n\n\nCreate IAM Role (S3MigrationRole)<\/strong><\/h2>\n\n\n\nCreate a role that can be assumed by the destination account IAM user:<\/p>\n\n\n\n
{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {<\/code><\/pre>\n\n\n\n \"AWS\": \"arn:aws:iam::<destination_account>:user\/<user_name>\"\n },\n \"Action\": \"sts:AssumeRole\",\n \"Condition\": {}\n }\n ]\n}<\/code><\/pre>\n\n\n\nChange the Amazon Resource Name (ARN) of the destination IAM user name according to your use case.<\/p>\n\n\n\n
Attach the S3MigrationPolicy to this role S3MigrationRole.<\/p>\n\n\n\n
Configure Bucket Policy in the Source Account<\/strong><\/h3>\n\n\n\nIn the source S3 bucket<\/strong>, attach a bucket policy to allow access to the IAM role in the destination account:<\/p>\n\n\n\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"DelegateS3Access\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::<destination-account-id>:role\/S3MigrationRole\"\n },\n \"Action\": [\n \"s3:ListBucket\",\n \"s3:GetObject\",\n \"s3:GetObjectTagging\",\n \"s3:GetObjectVersion\",\n \"s3:GetObjectVersionTagging\"\n ],\n \"Resource\": [\n \"arn:aws:s3:::source-bucket-name\/*\",\n \"arn:aws:s3:::source-bucket-name\"\n ]\n }<\/code><\/pre>\n\n\n\nReplace <destination-account-id> with your actual AWS account ID and S3MigrationRole with the name of the IAM role you created in your destination account.<\/p>\n\n\n\n
Create the Destination S3 Bucket<\/strong><\/h2>\n\n\n\nIf you haven’t already:<\/p>\n\n\n\n
\n- Go to S3 console in the destination account<\/strong><\/li>\n\n\n\n
- Create a bucket in the desired Region<\/li>\n<\/ul>\n\n\n\n
Configure AWS CLI & Assume Role<\/strong><\/h3>\n\n\n\nInstall the AWS CLI and configure it with the IAM user credentials. See the following link to configure AWS CLI & Assume Role:- https:\/\/www.skynats.com\/blog\/how-do-i-assume-an-iam-role-using-the-aws-cli\/<\/a><\/p>\n\n\n\nCopy or Sync the Data<\/strong><\/h3>\n\n\n\nUse one of the following commands to migrate data:<\/p>\n\n\n\n
Copy all objects:<\/strong><\/h3>\n\n\n\naws s3 cp s3:\/\/amazon-s3-source-bucket\/ \\\n s3:\/\/amazon-s3-destination-bucket\/ \\\n --recursive --source-region source-region-name --region destination-region-name<\/code><\/pre>\n\n\n\nSynchronize objects:<\/strong><\/h3>\n\n\n\naws s3 sync s3:\/\/amazon-s3-source-bucket\/ \\\n s3:\/\/amazon-s3-destination-bucket\/ \\\n --source-region source-region-name --region destination-region-name<\/code><\/pre>\n\n\n\nReplace the bucket and region names according to your setup in the above command.<\/p>\n\n\n\n
Conclusion<\/strong><\/h3>\n\n\n\nThis guide showed you how to perform a secure, one-time migration of S3 data across AWS accounts and Regions using the AWS CLI.<\/p>\n\n\n\n