Copy data from an S3 bucket in one account and Region to another account and Region
Created by Appasaheb Bagali (AWS)
Environment: Production | Technologies: Cloud-native; Security, identity, compliance; Storage & backup; Migration | Workload: All other workloads |
AWS services: Amazon S3 |
Summary
This pattern describes how to copy data from an Amazon Simple Storage Service (Amazon S3) bucket in an Amazon Web Services (AWS) account and AWS Region to an S3 bucket in another account and Region.
This pattern uses a source account and a destination account in different Regions. You attach a bucket policy to your source S3 bucket that grants the destination account access through AWS Identity and Access Management (IAM). You then create an IAM policy in your destination account that allows a user to perform PutObject and GetObject actions on the source S3 bucket. Finally, you run copy and sync commands to transfer data from the source S3 bucket to the destination S3 bucket.
Accounts own the objects that they upload to S3 buckets. If you copy objects across different accounts and Regions, you grant the destination account ownership of the copied objects. You can change the ownership of an object by changing its access control list (ACL) to bucket-owner-full-control.
Prerequisites and limitations
Prerequisites
Two active AWS accounts in different AWS Regions.
An existing S3 bucket in the source account.
AWS Command Line Interface (AWS CLI), installed and configured.
If your source or destination S3 bucket has default encryption enabled, you must modify the AWS Key Management Service (AWS KMS) key permissions. For more information, see Allow users to download from and upload to an S3 bucket with default encryption in the AWS Knowledge Center.
Familiarity with cross-account permissions.
Architecture

Technology stack
Amazon S3
IAM
AWS CLI
Tools
Code
Copy
aws s3 cp s3://DOC-EXAMPLE-BUCKET-SOURCE/ \
    s3://DOC-EXAMPLE-BUCKET-TARGET/ \
    --recursive --source-region SOURCE-REGION-NAME --region DESTINATION-REGION-NAME
Synchronize
aws s3 sync s3://DOC-EXAMPLE-BUCKET-SOURCE/ \
    s3://DOC-EXAMPLE-BUCKET-TARGET/ \
    --source-region SOURCE-REGION-NAME --region DESTINATION-REGION-NAME
Epics
Task | Description | Skills required |
---|---|---|
Create and attach an S3 bucket policy. | Sign in to the AWS Management Console for your source account and open the Amazon S3 console. Choose your source S3 bucket and then choose Permissions. Under Bucket policy, choose Edit and then paste the bucket policy from the Important: Make sure that you include the AWS account ID for the destination account and configure the bucket policy template according to your requirements. | Cloud administrator |
Task | Description | Skills required |
---|---|---|
Create a destination S3 bucket. | Sign in to the AWS Management Console for your destination account, open the Amazon S3 console, and then choose Create bucket. Create an S3 bucket according to your requirements. For more information, see Creating a bucket in the Amazon S3 documentation. | Cloud administrator |
Create an IAM policy for the IAM user. | Open the IAM console, choose Policies, and then choose Create policy. Choose the JSON tab and paste the Choose either Programmatic access or AWS Management Console access. We recommend that you choose Programmatic access if users require access to the API, AWS CLI, or tools for Windows PowerShell. This creates an access key for each new user. You can view or download the access keys when you are on the confirmation page. Choose Next: Permissions and then choose Attach existing policies directly. Attach the policy that you created earlier. Choose Next: Tags, and then choose Next: Review to finalize the user configuration. | Cloud administrator |
Task | Description | Skills required |
---|---|---|
Copy and synchronize data from the source S3 bucket to the destination S3 bucket. | Open AWS CLI and run the copy command from the Code section to copy the data from the source S3 bucket. Run the synchronize command from the Code section to transfer the data into your destination S3 bucket. Your data is then copied from the source S3 bucket to the destination S3 bucket. | Cloud administrator |
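
The two policies from the steps above, built as JSON documents and checked for over-broad grants before you paste them into the console. This is an added example, not the pattern's own policy templates: the function names are hypothetical, the account ID and user name are constructed, and it assumes read actions on the source bucket and write actions on the destination bucket.

```python
import json

def _arns(bucket):
    """Bucket ARN (for ListBucket) plus object ARN (for Get/PutObject)."""
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]

def source_bucket_policy(source_bucket, principal_arn):
    """Resource policy for the source bucket: read-only, one named principal."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "CrossAccountRead", "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": _arns(source_bucket)}]}

def destination_user_policy(source_bucket, dest_bucket):
    """Identity policy for the copying user: read source, write destination."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadSource", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": _arns(source_bucket)},
        {"Sid": "WriteDestination", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:PutObject"],
         "Resource": _arns(dest_bucket)}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def findings(policy, allowed_buckets):
    """List over-broad Allow grants: wildcard principal/action, unexpected bucket."""
    allowed = {arn for b in allowed_buckets for arn in _arns(b)}
    out = []
    for stmt in [s for s in policy["Statement"] if s.get("Effect") == "Allow"]:
        sid = stmt.get("Sid", "<no Sid>")
        p = stmt.get("Principal")  # absent in identity policies
        who = _as_list(p.get("AWS")) if isinstance(p, dict) else [p]
        if "*" in who:
            out.append(f"{sid}: wildcard principal")
        if any(a in ("*", "s3:*") for a in _as_list(stmt["Action"])):
            out.append(f"{sid}: wildcard action")
        if any(r not in allowed for r in _as_list(stmt["Resource"])):
            out.append(f"{sid}: resource outside expected buckets")
    return out

if __name__ == "__main__":
    # Constructed sample values: account ID and user name are placeholders.
    src, dst = "DOC-EXAMPLE-BUCKET-SOURCE", "DOC-EXAMPLE-BUCKET-TARGET"
    user = "arn:aws:iam::111122223333:user/copy-user"
    for doc in (source_bucket_policy(src, user), destination_user_policy(src, dst)):
        print(json.dumps(doc, indent=2), findings(doc, [src, dst]))
```

An empty findings list means every Allow statement names a specific principal, specific actions, and only the two buckets involved in the copy.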