Archive for August, 2023

How to transfer an #S3 bucket from one account to another

Transferring an S3 bucket from one AWS account to another is a pretty common task, and the AWS documentation on this seems to be quite lacking.

At a high level, you need to give the destination account READ access to the source account’s bucket, and give the source account WRITE access to the destination account’s bucket. In this way the destination does the reading, and the source does the writing. This means the whole operation can be performed by AWS S3 internally, without the data flowing to an intermediary service.

The approach below is not exactly “least privilege”, so I’m assuming you trust the source and destination accounts.

So, here I’m going to go from SOURCE-BUCKET to DESTINATION-BUCKET. The AWS account ID of the source is 1111111 and the AWS account ID of the destination is 2222222. You will obviously need to replace these placeholders with your own values.

So, under the source bucket, click Permissions, then Edit under Bucket policy, then paste this JSON:

{
    "Version": "2012-10-17",
    "Id": "CrossAccountRead",
    "Statement": [
        {
            "Sid": "AllowCrossAccountRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::2222222:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::SOURCE-BUCKET/*"
        }
    ]
}

Then on the destination bucket, do the same in reverse:

{
    "Version": "2012-10-17",
    "Id": "CrossAccountWrite",
    "Statement": [
        {
            "Sid": "AllowCrossAccountWrite",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1111111:root"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::DESTINATION-BUCKET/*",
                "arn:aws:s3:::DESTINATION-BUCKET"
            ]
        }
    ]
}

Then, back on the source account again, run the following command in the AWS CLI:

aws s3 sync s3://SOURCE-BUCKET s3://DESTINATION-BUCKET
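
Since the policies above grant s3:* and are not least privilege, here is an added example (not part of the original post) that flags the wildcard grant in the destination policy and builds narrower read and write policies in the same cross-account pattern. The action lists are an assumption about what a plain sync needs, and scoped_policy and wildcard_grants are hypothetical helper names.

```python
import json

# Assumption: minimum actions for a plain "aws s3 sync" (no tags, no ACLs).
READ = {"bucket": ["s3:ListBucket"], "object": ["s3:GetObject"]}
WRITE = {"bucket": ["s3:ListBucket"], "object": ["s3:PutObject"]}

def scoped_policy(bucket, peer_account, grants, sid):
    """Grant peer_account only the listed actions, keeping bucket-level
    actions on the bucket ARN and object-level actions on BUCKET/*."""
    principal = {"AWS": f"arn:aws:iam::{peer_account}:root"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": sid + "Bucket", "Effect": "Allow", "Principal": principal,
             "Action": grants["bucket"], "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": sid + "Objects", "Effect": "Allow", "Principal": principal,
             "Action": grants["object"], "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }

def wildcard_grants(policy):
    """Return the Sids of Allow statements whose Action contains a wildcard."""
    hits = []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") == "Allow" and any("*" in a for a in actions):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

# Destination bucket policy from the post, with its placeholder values.
PAGE_DEST_POLICY = {
    "Version": "2012-10-17",
    "Id": "CrossAccountWrite",
    "Statement": [{
        "Sid": "AllowCrossAccountWrite",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::1111111:root"},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::DESTINATION-BUCKET/*",
                     "arn:aws:s3:::DESTINATION-BUCKET"],
    }],
}

if __name__ == "__main__":
    print("wildcard grants:", wildcard_grants(PAGE_DEST_POLICY))
    for args in (("SOURCE-BUCKET", "2222222", READ, "AllowCrossAccountRead"),
                 ("DESTINATION-BUCKET", "1111111", WRITE, "AllowCrossAccountWrite")):
        print(json.dumps(scoped_policy(*args), indent=4))
```

If the objects carry tags or ACLs, the copy may need the matching tagging or ACL actions added to these lists.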