DEV Community

ChungWei Wei
ChungWei Wei

Posted on • Originally published at kmp.tw on

[AWS] How To Transfer S3 To Another Account S3 Bucket

#aws #s3 #transfer #datasync

Situation

Need Transfer S3 Object To Another Account's S3 Bucket

How To

Part Account A (Source Account) Step 1

In IAM Service Create New Role For DataSync




After Created Role, Add Custom Policy, Change "arn:aws:s3:::<destination-bucket-name> & "arn:aws:s3:::<destination-bucket-name>/*" 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<destination-bucket-name>"
    },
    {
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<destination-bucket-name>/*"
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode

Part Of Account B (Destination Account) Step 2

Create S3 Bucket For Destination, And Add Bucket Policy Source Account Role Name

Bucket Policy 

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "DataSyncCreateS3LocationAndTaskAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::120340392319:role/gw-demo-datasync"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:GetObjectTagging",
                "s3:PutObjectTagging"
            ],
            "Resource": [
                "arn:aws:s3:::gw-demo-des-bucket",
                "arn:aws:s3:::gw-demo-des-bucket/*"
            ]
        },
        {
            "Sid": "DataSyncCreateS3Location",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:role/role-name"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::gw-demo-des-bucket"
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

Part Account A (Source Account) Step 3

Change Custom Policy And Create DataSync Location

Source Account Location

Create Destination Location 

aws datasync create-location-s3 \
  --s3-bucket-arn arn:aws:s3:::<destination-bucket> \
  --region <destination-bucket-region> \
  --s3-config '{
    "BucketAccessRoleArn":"arn:aws:iam::<source-account-id>:role/<source-datasync-role>"
  }'
Enter fullscreen mode Exit fullscreen mode

After Create, You Can See Location Have Two Hosts

Part Account A (Source Account) Step 4

Then Create Tasks, Run That






Part Of Account B (Destination Account) Step 5

Verify Sync After Finished

Ref Doc URL

Top comments (0)

Read next

sarvar_04 profile image

🚀 Amazon Nova: AWS's New Foundation Model for GenAI🤖

Sarvar Nadaf -

javatask profile image

How to Define AI Agents with Cloudformation and SAM: A Builder's Guide

Andrii Melashchenko -

adrian_zuplo profile image

Auth Pricing Wars: Cognito vs Auth0 vs Firebase vs Supabase

Adrian Machado -

pawelpiwosz profile image

AWS Re:Invent announcement: Lambda SnapStart for .Net - let's try it!

Paweł Piwosz -