I have copied or moved an object from an S3 bucket owned by one AWS account to a bucket owned by another AWS account and the owner of the destination bucket cannot access the object.

This issue occurs when the proper permissions are not applied to objects when they are copied or moved between buckets. An S3 object is owned by the account that wrote it, so unless that account grants access at write time, the owner of the destination bucket cannot read the object even though it sits in their bucket.

The recommended resolution is to proactively prevent this issue from occurring. This section includes both proactive and retroactive resolutions for this issue.

The owner of the source bucket should ensure that appropriate permissions are applied to any objects copied or moved to the destination bucket during the copy/move operation:

1. The recommended resolution for this issue is to create an IAM role in the account that owns the destination bucket and allow the owner of the source bucket to assume it. This role should grant the owner of the source bucket full control of the destination bucket and ensure that the owner of the destination bucket retains all permissions on objects moved or copied to the destination bucket. For more information, see Walkthrough: Delegating Access Across AWS Accounts For Accounts You Own Using IAM Roles.

2. Alternatively, a policy can be applied to the destination bucket to ensure the bucket owner maintains full control of objects copied or moved to the bucket. Such a policy will prevent a specified account from copying or moving objects to the destination bucket unless the bucket owner is granted full control of the objects.

{
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{"AWS":"111111111111"},
      "Action":"s3:PutObject",
      "Resource":["arn:aws:s3:::examplebucket/*","arn:aws:s3:::examplebucket"]
    },
    {
      "Effect":"Deny",
      "Principal":{"AWS":"111111111111"},
      "Action":"s3:PutObject",
      "Resource":"arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringNotEquals": {"s3:x-amz-acl":"bucket-owner-full-control"}
      }
    }
  ]
}

See PUT Object for more information about using access control related headers for PUT operations.

3. See Available Condition Keys for information describing the predefined keys available for specifying conditions in an Amazon S3 access policy. When using the AWS Command Line Interface (CLI), it is recommended that you set up a named profile in the source account that assumes the role in the destination account. This eliminates the need to export temporary credentials for each request, as described in Assuming a Role.
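To show why the bucket policy in step 2 blocks a copy that omits the ACL header, here is an added example (not part of this article or of any AWS tool) that runs the policy above through a deliberately simplified policy evaluator: it supports only the Allow/Deny, Principal, Action, Resource and StringNotEquals elements that this policy uses, and applies the IAM rules that an explicit Deny wins and that StringNotEquals is satisfied when the request carries no such key. The object key report.csv and the account 222222222222 used in the checks are constructed sample values.

```python
import json

# The bucket policy from the article, embedded here as constructed input.
BUCKET_POLICY = json.loads("""{"Statement":[
  {"Effect":"Allow","Principal":{"AWS":"111111111111"},"Action":"s3:PutObject",
   "Resource":["arn:aws:s3:::examplebucket/*","arn:aws:s3:::examplebucket"]},
  {"Effect":"Deny","Principal":{"AWS":"111111111111"},"Action":"s3:PutObject",
   "Resource":"arn:aws:s3:::examplebucket/*",
   "Condition":{"StringNotEquals":{"s3:x-amz-acl":"bucket-owner-full-control"}}}]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _resource_matches(pattern, resource):
    # Only the trailing-wildcard form used by this policy is supported.
    return resource.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == resource

def _condition_holds(condition, context):
    # Simplified IAM semantics: StringNotEquals is satisfied when the key is
    # absent from the request, so a PUT that sends no ACL header hits the Deny.
    return all(context.get(key) != expected
               for key, expected in condition.get("StringNotEquals", {}).items())

def evaluate(policy, principal, action, resource, context):
    """Return 'Allow' or 'Deny' for one request: an explicit Deny wins over any
    Allow, and a request matched by no Allow statement is implicitly denied."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if (principal not in _as_list(stmt["Principal"]["AWS"])
                or action not in _as_list(stmt["Action"])
                or not any(_resource_matches(r, resource) for r in _as_list(stmt["Resource"]))
                or not _condition_holds(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def put_decision(acl_header=None):
    """Decision for account 111111111111 writing examplebucket/report.csv with
    the given x-amz-acl header (None means the header was not sent at all)."""
    context = {} if acl_header is None else {"s3:x-amz-acl": acl_header}
    return evaluate(BUCKET_POLICY, "111111111111", "s3:PutObject",
                    "arn:aws:s3:::examplebucket/report.csv", context)

if __name__ == "__main__":
    for acl in (None, "private", "bucket-owner-full-control"):
        print(f"x-amz-acl={acl!r}: {put_decision(acl)}")
```

The same check is what `aws s3 cp --acl bucket-owner-full-control` satisfies in practice: the copy is accepted only when that exact header value accompanies the PUT.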

If proactive measures were not followed and the owner of the destination bucket does not have permissions to objects moved or copied to the bucket, the owner of the source bucket can run these AWS CLI commands to grant the owner of the destination bucket full control of these objects:

  • Use the email address of the destination bucket owner to update the ACL of an object copied or moved to the bucket:
aws s3api put-object-acl --bucket src-acct_bucket --key myobject --grant-full-control emailaddress=xyz@example.com
  • Use the canonical ID of the destination bucket owner to update the ACL of an object copied or moved to the bucket:
aws s3api put-object-acl --bucket src-acct_bucket --key myobject --grant-full-control id="mycanonicalid" --region us-east-1


Published: 2016-02-26

Updated: 2017-08-02