Copying S3 Objects Between AWS Accounts

Creating actions to backup S3 objects to another AWS account

Written by Matt Houser
Updated over a week ago

Using Skeddly, you can copy objects from one S3 bucket to another S3 bucket. The source and target buckets can be in the same AWS region, or they can be in different AWS regions.

In addition, you can copy S3 objects between buckets in different AWS accounts.

Push Or Pull?

When copying S3 objects between AWS accounts, the copy is executed by the owner of the source bucket, or by the owner of the target bucket.

When copying objects as the owner of the source bucket, you are "pushing" objects to the target bucket. The target bucket must have granted access to the owner of the source bucket to write new objects.

When copying objects as the owner of the target bucket, you are "pulling" objects from the source bucket. The source bucket must have granted access to the owner of the target bucket to read existing objects.

In these instructions, we will "pull" objects from the source bucket, because object metadata is not properly copied when objects are "pushed".

Step 1: Configure the S3 Buckets

In order to read or write objects in another AWS account, you must apply a bucket policy to the bucket. In this case, you apply a bucket policy to the source bucket to allow the target AWS account to read objects from it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegateS3Access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME",
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    }
  ]
}

Apply the above policy to your source bucket. It grants access to the target AWS account. You must change the following:

  • You must replace 123456789012 with the 12-digit account number of the target AWS account, and

  • You must replace BUCKET_NAME with the name of the source bucket, twice

Note: The use of arn:aws:iam::123456789012:root in the Principal property of the policy signifies the target AWS account as a whole. It does not mean "root credentials".
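Before applying the policy, it is worth confirming that the edited copy still grants only the four read actions, only to the target account, and only on the source bucket. The following check is an added example, not part of Skeddly or the original article; the function name audit_pull_policy and the bucket name example-source-bucket are assumptions made for illustration.

```python
import json
import re

# Read-only actions granted by the Step 1 policy on this page.
READ_ACTIONS = {"s3:GetObject", "s3:GetObjectAcl",
                "s3:GetBucketLocation", "s3:ListBucket"}

# Constructed sample: the Step 1 policy with its placeholders filled in.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DelegateS3Access", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": sorted(READ_ACTIONS),
    "Resource": ["arn:aws:s3:::example-source-bucket",
                 "arn:aws:s3:::example-source-bucket/*"]}]}

def as_list(value):
    """IAM policy fields may hold a single item or a list of items."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_pull_policy(policy, bucket, target_account):
    """Return findings for a source-bucket policy; [] means it matches Step 1."""
    if not re.fullmatch(r"\d{12}", target_account):
        raise ValueError("target account must be a 12-digit account number")
    if isinstance(policy, str):
        policy = json.loads(policy)
    # The account may be written as the :root ARN or as the bare account ID.
    ok_principals = {f"arn:aws:iam::{target_account}:root", target_account}
    want_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for p in aws:
            if p == "*":
                findings.append(f"{sid}: principal '*' is not limited to the target account")
            elif p not in ok_principals:
                findings.append(f"{sid}: unexpected principal {p}")
        extra = sorted(set(as_list(stmt.get("Action", []))) - READ_ACTIONS)
        if extra:
            findings.append(f"{sid}: actions beyond the read set: {', '.join(extra)}")
        if set(as_list(stmt.get("Resource", []))) != want_resources:
            findings.append(f"{sid}: Resource is not exactly the bucket ARN and bucket/*")
    return findings

if __name__ == "__main__":
    print(audit_pull_policy(SAMPLE_POLICY, "example-source-bucket", "123456789012"))
```

A leftover BUCKET_NAME placeholder shows up as a Resource finding, and a mistyped account number as an unexpected principal.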

Step 2: Create AWS Credentials For Skeddly

As with any other action, Skeddly needs access to your AWS account. For this operation, Skeddly needs access to the AWS account that owns the target bucket.

Once you have credentials registered with Skeddly, either pre-existing or newly registered, proceed to the next step.

Step 3: Create Your Action

  1. Create a new "Copy S3 Objects" action.

  2. Name the action appropriately.

  3. Choose your desired execution schedule.

  4. From the Credentials field, select the AWS account that owns the target S3 bucket.

  5. In the Source Information section, specify the source bucket and source prefix (if desired). If the source prefix is specified, only objects under that prefix will be copied; otherwise, all objects in the bucket will be copied.

  6. In the Target Information section, specify the target bucket along with your desired overwrite rule and target prefix.

  7. Save your action.

Step 4: Generate an IAM Policy Document

Use Skeddly's IAM Policy Document Generator to generate an IAM policy with the permissions needed to execute the copy process. Copy and paste the generated policy into your AWS credentials using the AWS Management Console.

Step 5: Execute and Copy

When your action executes (either manually or on its schedule), the objects should be copied.
