DEV Community

ChungWei Wei

Originally published at kmp.tw
[AWS] How To Transfer S3 To Another Account S3 Bucket

Situation

Objects in an S3 bucket owned by one AWS account (Account A, the source) need to be copied into an S3 bucket owned by a different AWS account (Account B, the destination), using AWS DataSync.

How To

Step 1: Account A (Source Account)

In the IAM service, create a new role for DataSync. Select DataSync as the trusted service so that the role's trust policy allows datasync.amazonaws.com to assume it; without that trust relationship DataSync cannot use the role no matter what permissions it holds.

After the role is created, attach the custom policy below, replacing "arn:aws:s3:::<destination-bucket-name>" and "arn:aws:s3:::<destination-bucket-name>/*" with the ARN of the destination bucket in Account B. Note that this policy grants the role access to the destination bucket only.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<destination-bucket-name>"
    },
    {
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<destination-bucket-name>/*"
    }
  ]
}

Step 2: Account B (Destination Account)

Create the destination S3 bucket and attach the bucket policy below. The principal of the first statement is the ARN of the DataSync role created in Account A in Step 1 (here arn:aws:iam::120340392319:role/gw-demo-datasync). The principal of the second statement is the IAM user or role in Account A that will run the create-location-s3 command in Step 3; it needs s3:ListBucket on the bucket in order to create the location. Replace gw-demo-des-bucket with your own bucket name.

Also confirm that the bucket's Object Ownership setting is "Bucket owner enforced" (ACLs disabled). Otherwise objects written by the Account A role remain owned by Account A, and Account B cannot read the contents of its own bucket without an ACL grant from the writer.

Bucket Policy

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "DataSyncCreateS3LocationAndTaskAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::120340392319:role/gw-demo-datasync"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:GetObjectTagging",
                "s3:PutObjectTagging"
            ],
            "Resource": [
                "arn:aws:s3:::gw-demo-des-bucket",
                "arn:aws:s3:::gw-demo-des-bucket/*"
            ]
        },
        {
            "Sid": "DataSyncCreateS3Location",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:role/role-name"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::gw-demo-des-bucket"
        }
    ]
}

Step 3: Account A (Source Account)

Update the custom policy from Step 1 with the real destination bucket ARN, then create the two DataSync locations.

Source location: create an S3 location for the source bucket in Account A.

Destination location: the DataSync console only lists buckets owned by the current account, so create the destination location with the CLI, passing the destination bucket's region and the Account A role from Step 1:

aws datasync create-location-s3 \
  --s3-bucket-arn arn:aws:s3:::<destination-bucket> \
  --region <destination-bucket-region> \
  --s3-config '{
    "BucketAccessRoleArn":"arn:aws:iam::<source-account-id>:role/<source-datasync-role>"
  }'

After the location is created, the Locations page in DataSync lists both the source and the destination location.

Step 4: Account A (Source Account)

Create a DataSync task from the source location to the destination location, then start it.

Step 5: Account B (Destination Account)

After the task finishes, verify in Account B that the objects arrived in the destination bucket and are owned by Account B.
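The procedure above only works when three policy documents agree with each other: the Account A role's trust policy (Step 1), that role's permissions policy (Steps 1 and 3) and Account B's bucket policy (Step 2). A cross-account S3 call is allowed only when the caller's identity policy and the bucket policy both permit the action, so a single mismatch (a placeholder bucket ARN left in the role policy, a wrong role ARN in the bucket policy, an action present on one side but not the other) shows up later as Access Denied in the task. The Python script below is an added example, not code from the post: it renders the three documents from a few parameters, adds a confused-deputy guard (aws:SourceAccount and aws:SourceArn conditions) to the trust policy that the post does not show, and cross-checks that every action the role policy grants on the destination bucket is also granted to that role by the bucket policy. The account ID, the admin role name and the bucket name are placeholders.

```python
"""Render and cross-check the IAM documents for a cross-account DataSync S3 transfer.

Added example, not the post's own code. Account IDs, role names and the bucket
name are placeholders chosen for illustration.
"""
import json

# Actions DataSync needs on the destination bucket itself and on its objects.
BUCKET_ACTIONS = ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"]
OBJECT_ACTIONS = ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                  "s3:ListMultipartUploadParts", "s3:PutObject",
                  "s3:GetObjectTagging", "s3:PutObjectTagging"]

SOURCE_ACCOUNT = "111111111111"                                        # placeholder Account A
DATASYNC_ROLE_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/gw-demo-datasync"
LOCATION_CREATOR_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/admin"     # placeholder identity running create-location-s3
DEST_BUCKET = "gw-demo-des-bucket"


def trust_policy(source_account_id: str) -> dict:
    """Step 1 trust policy: only the DataSync service may assume the role, and only
    on behalf of DataSync resources in Account A (confused-deputy guard)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "datasync.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": source_account_id},
            "ArnLike": {"aws:SourceArn": f"arn:aws:datasync:*:{source_account_id}:*"},
        }}]}


def role_permissions_policy(dest_bucket: str) -> dict:
    """Step 1/3 permissions policy attached to the Account A role."""
    bucket_arn = f"arn:aws:s3:::{dest_bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": bucket_arn},
        {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": f"{bucket_arn}/*"},
    ]}


def bucket_policy(dest_bucket: str, datasync_role_arn: str, location_creator_arn: str) -> dict:
    """Step 2 bucket policy in Account B: grants the Account A role the same actions,
    and lets the identity that runs create-location-s3 list the bucket."""
    bucket_arn = f"arn:aws:s3:::{dest_bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DataSyncCreateS3LocationAndTaskAccess", "Effect": "Allow",
         "Principal": {"AWS": datasync_role_arn},
         "Action": BUCKET_ACTIONS + OBJECT_ACTIONS,
         "Resource": [bucket_arn, f"{bucket_arn}/*"]},
        {"Sid": "DataSyncCreateS3Location", "Effect": "Allow",
         "Principal": {"AWS": location_creator_arn},
         "Action": "s3:ListBucket", "Resource": bucket_arn},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allowed_by(statements, principal_arn=None) -> dict:
    """Map resource ARN -> set of actions from Allow statements (optionally only
    those naming the given AWS principal)."""
    allowed = {}
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if principal_arn is not None:
            principal = st.get("Principal", {})
            aws = principal.get("AWS", []) if isinstance(principal, dict) else []
            if principal_arn not in _as_list(aws):
                continue
        for res in _as_list(st["Resource"]):
            allowed.setdefault(res, set()).update(_as_list(st["Action"]))
    return allowed


def check_cross_account(role_policy: dict, bkt_policy: dict,
                        datasync_role_arn: str, dest_bucket: str) -> list:
    """Return every action the role policy grants on the destination bucket that the
    bucket policy does not also grant to that role. Both sides must allow an action
    for a cross-account S3 request to succeed, so each entry is a future Access Denied."""
    bucket_arn = f"arn:aws:s3:::{dest_bucket}"
    role_allowed = _allowed_by(role_policy["Statement"])
    bucket_allowed = _allowed_by(bkt_policy["Statement"], datasync_role_arn)
    problems = []
    if not bucket_allowed:
        problems.append(f"bucket policy never names principal {datasync_role_arn}")
    for res in (bucket_arn, f"{bucket_arn}/*"):
        if res not in role_allowed:  # e.g. the <destination-bucket-name> placeholder was never replaced
            problems.append(f"role policy grants nothing on {res}")
            continue
        for action in sorted(role_allowed[res] - bucket_allowed.get(res, set())):
            problems.append(f"{action} on {res}: allowed by role policy but not by bucket policy")
    return problems


if __name__ == "__main__":
    docs = {"trust-policy.json": trust_policy(SOURCE_ACCOUNT),
            "role-policy.json": role_permissions_policy(DEST_BUCKET),
            "bucket-policy.json": bucket_policy(DEST_BUCKET, DATASYNC_ROLE_ARN, LOCATION_CREATOR_ARN)}
    for name, doc in docs.items():
        print(f"# {name}\n{json.dumps(doc, indent=2)}\n")
    print("mismatches:", check_cross_account(docs["role-policy.json"], docs["bucket-policy.json"],
                                             DATASYNC_ROLE_ARN, DEST_BUCKET))
```

Run it before the CLI step in Step 3 and feed the printed documents to the IAM and S3 consoles or CLI; an empty mismatch list means the role and the bucket policy agree. The check deliberately catches the post's own trap, the placeholder bucket ARN left in the custom policy, as well as a bucket policy that names the wrong role ARN or drops an action such as s3:PutObject.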

Ref Doc URL
