Copy or Move S3 Data Cross account

AWS does not provide a way to change the ownership of a bucket. However, it allows us to move/copy objects from one bucket to another (even if both buckets are owned by two distinct users).

The concept is pretty simple. Create a new IAM user. This user account will be used to access buckets and move/copy objects around.

Create a new policy for the above IAM user. This policy grants the necessary permissions. Name this policy something like: s3ObjectReadWritePermissionsManagement.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::SRC_BUCKET",
                "arn:aws:s3:::SRC_BUCKET/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::DEST_BUCKET",
                "arn:aws:s3:::DEST_BUCKET/*"
            ]
        }
    ]
}

Once created, attach this policy to the IAM user that you are intending to use for the operation.

Now, in the source bucket, the IAM user mentioned above should have the permissions to manage objects. If not, grant the user these permissions.

In the destination bucket, we have to add a bucket policy so that the above-mentioned IAM user can access the destination bucket. Copy and paste the following bucket policy, substituting your own values for the IAM_USER_ARN and DEST_BUCKET placeholders.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::IAM_USER_ARN"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::DEST_BUCKET/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::IAM_USER_ARN"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::DEST_BUCKET"
        }
    ]
}

We are done. Now you should be able to move objects from one bucket to another.
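
Before attaching the two policies above, it is worth checking that every action is paired with a resource of the type it acts on: `s3:GetObject`, `s3:PutObject` and `s3:PutObjectAcl` match object ARNs (`bucket/*`), while `s3:ListBucket` matches the bare bucket ARN. The following is an added example, not code from the original page; the `audit` helper and its action table are assumptions that cover only the four actions used here, and it also flags wildcard principals and actions.

```python
# Added example, not the page's code: flag S3 actions paired with the wrong ARN type.
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"}  # act on bucket/key ARNs
BUCKET_ACTIONS = {"s3:ListBucket"}                                    # act on bucket ARNs

def as_list(value):
    """Policy fields may be one string/object or a list; normalize to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def is_object_arn(arn):
    """arn:aws:s3:::bucket/key is an object ARN; arn:aws:s3:::bucket is a bucket ARN."""
    return "/" in arn.split(":::", 1)[-1]

def audit(policy):
    """Return (statement_index, message) findings for the policy's Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(as_list(stmt["Action"]))
        resources = as_list(stmt["Resource"])
        principal = stmt.get("Principal")
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws:
            findings.append((i, "wildcard principal"))
        if any("*" in a for a in actions):
            findings.append((i, "wildcard action"))
            continue  # the type checks below need explicit action names
        for arn in resources:
            wanted = OBJECT_ACTIONS if is_object_arn(arn) else BUCKET_ACTIONS
            if not actions & wanted:
                findings.append((i, f"{arn}: no action here applies to this resource"))
        for action in sorted(actions & (OBJECT_ACTIONS | BUCKET_ACTIONS)):
            if not any(is_object_arn(r) == (action in OBJECT_ACTIONS) for r in resources):
                findings.append((i, f"{action}: no resource of the matching type"))
    return findings

# The page's two policies, placeholders kept exactly as written there.
OBJ = ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"]
USER = {"AWS": "arn:aws:iam::IAM_USER_ARN"}
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": OBJ, "Resource": ["arn:aws:s3:::SRC_BUCKET", "arn:aws:s3:::SRC_BUCKET/*"]},
    {"Effect": "Allow", "Action": OBJ, "Resource": ["arn:aws:s3:::DEST_BUCKET", "arn:aws:s3:::DEST_BUCKET/*"]}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": USER, "Action": OBJ, "Resource": "arn:aws:s3:::DEST_BUCKET/*"},
    {"Effect": "Allow", "Principal": USER, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::DEST_BUCKET"}]}

if __name__ == "__main__":
    for name, doc in (("IAM policy", IAM_POLICY), ("bucket policy", BUCKET_POLICY)):
        print(name, audit(doc))
```

The bucket policy comes back clean, while the IAM user policy gets one finding per statement: the bare bucket ARNs sit beside object-level actions only, so those two Resource entries grant nothing.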