Step 1: Get the 12 digit number of the Destination AWS Account
- Sign in to the AWS Management Console for the destination AWS account.
- In the navigation bar, click Support, and then click Support Center. The account number (for example, 222222222222) is displayed in the upper-right corner of the Support Center.
Step 2: Attach the policy to Source S3 Bucket
This bucket policy is set up in the source AWS account. Do NOT forget to change the account number and bucket name in the policy below, otherwise it will not work. For help on setting the ACL, check here.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegateS3Access",
      "Effect": "Allow",
      "Principal": {"AWS": "057682336657"},
      "Action": ["s3:ListBucket","s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::cdn.example.in/*",
        "arn:aws:s3:::cdn.example.in"
      ]
    }
  ]
}
Step 3: Attach a policy to an IAM User in the destination AWS account
Set up an IAM user in the destination account and attach this user policy to delegate access to the bucket in the source AWS account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR-SOURCE-BUCKET-NAME-HERE",
        "arn:aws:s3:::YOUR-SOURCE-BUCKET-NAME-HERE/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR-DESTINATION-BUCKET-NAME-HERE",
        "arn:aws:s3:::YOUR-DESTINATION-BUCKET-NAME-HERE/*"
      ]
    }
  ]
}
In simple words: replace the source bucket name and destination bucket name in this policy, then go to IAM -> Policies (in the left-hand menu), click Create Policy, choose the "JSON" format and paste the policy.
Now go to Users, create a user, and attach this policy to the user by searching for it in the policies list. Once the policy is attached, download the credentials. Then log in to your destination account and run aws configure as follows:
[ec2-user@ip-172-31-33-118 ~]$ aws s3 ls s3://cdn.example.in
Unable to locate credentials. You can configure credentials by running "aws configure".
[ec2-user@ip-172-31-33-118 ~]$ aws configure
AWS Access Key ID [None]: AKIAQ23RKWSDFHQ5FR73V72
AWS Secret Access Key [None]: zQ3YThtA9TYo32vVSDFEBfTsCCevydScUbfQQUN
Default region name [None]:
Default output format [None]:
[ec2-user@ip-172-31-33-118 ~]$ aws s3 ls s3://cdn.example.in
[ec2-user@ip-172-31-33-118 ~]$ aws s3 sync s3://cdn.example.in s3://cdn.example2.in
Step 4: Sync S3 Objects To Destination
When the above steps are completed, the "destination" account can copy objects by using the AWS Command Line Interface (CLI) commands cp or sync. Note: Successful execution of the following command assumes that the AWS CLI has been correctly configured for the IAM user (in step 3) in the destination AWS account.
aws s3 sync s3://YOUR-SOURCE-BUCKET-NAME-HERE s3://YOUR-DESTINATION-BUCKET-NAME-HERE --source-region SOURCE-REGION-NAME --region DESTINATION-REGION-NAME
# For Example,
aws s3 sync s3://my-us-west-2-bucket s3://my-us-east-1-bucket --source-region us-west-2 --region us-east-1
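Why the sync in Step 4 needs both the Step 2 bucket policy and the Step 3 user policy, as an added example (not code from the original post): a simplified Python model of the cross-account decision. The function names are hypothetical, the account number is the Step 1 example value, and the bucket names are the ones used in the terminal session.

```python
# Added example: simplified model of how AWS decides a cross-account S3 request.
# Only Allow statements are modelled; Deny, Condition, SCPs and ACLs are not.
from fnmatch import fnmatchcase  # '*' and '?' behave like IAM wildcards here

DEST_ACCOUNT = "222222222222"  # example account number used in Step 1
SRC = "arn:aws:s3:::cdn.example.in"    # source bucket from the terminal session
DST = "arn:aws:s3:::cdn.example2.in"   # destination bucket from the terminal session

# Step 2: bucket policy on the source bucket (resource-based, names a principal).
BUCKET_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": DEST_ACCOUNT},
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": [SRC, SRC + "/*"]}]}

# Step 3: identity policy attached to the IAM user in the destination account.
USER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": [SRC, SRC + "/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
     "Resource": [DST, DST + "/*"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account ID from a bare 12-digit ID or from arn:aws:iam::<id>:..."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def allows(policy, action, resource, caller_account=None):
    """True if some Allow statement covers the action, resource and caller."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "Principal" in stmt:  # bucket policy: the caller's account must be named
            p = stmt["Principal"]
            ids = _as_list(p.get("AWS", [])) if isinstance(p, dict) else [p]
            accounts = {_account_of(i) for i in ids}
            if "*" not in accounts and caller_account not in accounts:
                continue
        if (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))):
            return True
    return False

def cross_account_allowed(action, resource, caller_account, user_policy, bucket_policy):
    """Cross-account access needs an Allow in BOTH the identity and bucket policy."""
    return (allows(user_policy, action, resource)
            and allows(bucket_policy, action, resource, caller_account))
```

Because the bucket policy names the whole account as principal, the user policy from Step 3 is what limits access to one IAM user. Neither policy grants s3:DeleteObject, so the sync can read from the source and write to the destination but cannot delete objects on either side.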
Reference Sites:
https://aws.amazon.com/premiumsupport/knowledge-center/account-transfer-s3/
Video Reference - https://www.youtube.com/watch?v=YOhFXGfqiUw#action=share
I have read this post about three times and I still cannot understand the actions in the fourth step. Can anybody who knows explain it to me?