By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

To copy data from Partner AWS account S3 bucket to Customer AWS account S3 bucket using AWS CLI

0

Hi AWS, is it possible to copy data from Partner's account (Organization account) S3 bucket to Customer AWS's account (third-party) S3 bucket via AWS CLI? I have implemented the same using DataSync but that is not an approved pattern in my organization I am working and the Architect wants the data to be copied from source bucket (organization account) to destination bucket (third party account).

If that is possible via CLI, can you please quote the steps required for the same? I have gone through this Stackoverflow link https://stackoverflow.com/questions/22263369/is-it-possible-to-copy-between-aws-accounts-using-aws-cli but that doesn't work in my case and as I am assuming IAM role and I guess I need to have Customer's account External ID in my IAM role's trust relationship document as well.

Can you please help me with the steps along with the elaboration?

Please help

Topics
StorageManagement & Governance
Tags
Amazon Simple Storage ServiceAWS Command Line InterfaceAWS OrganizationsStorageAWS Account Management
Language
English
profile picture
Arjun Goel
asked 7 months ago323 views
1 Answer
1

There are two ways of doing it:

Source Account: Account A Target Account: Account B

1: Role chaining: Account A role would assume Account B role through sts:sassumerole and as long as - Account A has access to assume Account B role and it has access to s3 bucket from where data needs to be copied - Account B role trust relationship allows Account A role and has write access to the s3 bucket to where data would be copied

  • Account A role permissions:

    {
   "Version": "2012-10-17",
   "Statement": {
   "Effect": "Allow",
   "Action": "sts:AssumeRole",
  "Resource": "arn:aws:iam::AccountB:role/AccountBRole"
    }

    }

  • AccountA role should have AccountA s3 bucket read access

  • AccountB Role trust relationship:

     {
     "Version": "2012-10-17",
     "Statement": [
     {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::AccountA:role/AccountARole"
        },
       "Action": "sts:AssumeRole"
    }
  ]

    }

  • AccountB tole should have AccountB s3 bucket write access

Since you mentioned external id, so I believe you are looking more towards assumerole mechanism and if so, then just be informed that external id is just an additional layer of security, which ensures that only those can assume target account role, who know the external id.

No better document can explain than this AWS Document. Similar re:Post thread also talks about role assumption.

  1. Cross account s3 access:

      - Account B bucket policy allows Account A role for write access

  - Account A role has access to account B bucket in one of the attached policy to this role

Hope this helps.

Comment here if you have additional questions, happy to help.

Abhishek

profile pictureAWS
EXPERT
secondabhi_aws
answered 7 months ago
profile picture
EXPERT
Giovanni Lauria
reviewed a month ago
  • Arjun Goel
    7 months ago

    Hi secondabhi_aws, considering the destination account is not the part of the Organizations but a Customer AWS account, do I need to add the External ID in the trust relationship document. Please confirm.

  • secondabhi_aws EXPERT
    7 months ago

    Hi Arjun External id can be used with any account, within org or outside org. It just adds an additional layer of security.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content