2
votes

I'm trying to copy S3 bucket objects from one AWS account to another AWS account. I have followed this link here; it works with one account A but gives an Access Denied error when I use it with another account B. What could be the possible reason for that? Is it related to some firewalls or security issues, even though the source account B bucket has been made public? This is the policy applied to source bucket B:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegateS3Access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::12345678910:user/abc"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::sourceBucketB/*",
        "arn:aws:s3:::sourceBucketB"
      ]
    }
  ]
}

This is the policy applied to the destination account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::sourcebucket",
                "arn:aws:s3:::sourcebucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::destinationbucket",
                "arn:aws:s3:::destinationbucket/*"
            ]
        }
    ]
}

[Screenshot: the configuration of the bucket from account B]

I'm using the following command to copy from bucket B to the destination account (using the destination account's profile):

aws s3 sync s3://sourceBucket s3://destinationBucket

Here is the error:

fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

2
Most likely this is a permissions issue. Have you configured security groups? - nstanard

The source account B gave us just credentials. I don't know exactly their security infrastructure. I have attached their configurations. Does it have to do with the 'Requester Pays' thing? - Aneela Saleem Ramzan

I have tried it. It's working with every test account except the one which actually needs to be connected. I think the issue is because of the 'Requester Pays' option enabled on this account, or maybe some firewall, because it doesn't allow anonymous access. - Aneela Saleem Ramzan

2 Answers

2
votes

This documentation contains the exact policy you require and the necessary steps.

According to that documentation, the policy should look like this:

{
  "Version": "2012-10-17",
  "Statement": [
     {
        "Sid": "Example permissions",
        "Effect": "Allow",
        "Principal": {
           "AWS": "arn:aws:iam::AccountB-ID:root"
        },
        "Action": [
           "s3:GetBucketLocation",
           "s3:ListBucket"
        ],
        "Resource": [
           "arn:aws:s3:::sourcebucket"
        ]
     }
  ]
}
-2
votes

The easy way (grant all):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": "*"
    }
  ]
}

Also this seems unnecessary and could complicate things (in your second policy):

{
    "Effect": "Allow",
    "Action": [
        "s3:ListBucket",
        "s3:GetObject"
    ],
    "Resource": [
        "arn:aws:s3:::sourcebucket",
        "arn:aws:s3:::sourcebucket/*"
    ]
},