I would like to transfer ownership of Amazon S3 objects from one Amazon Web Services (AWS) account to a different AWS account. How can I do this?

AWS Support does not have access to copy Amazon S3 objects or manipulate any configuration options in AWS accounts. You can't separate an AWS account from an Amazon.com account or transfer resources between AWS accounts. It is possible to manually migrate Amazon S3 resources to a new AWS account by applying resource-based policies and delegating access to these resources across AWS accounts with IAM user (or group) policies.

You can copy Amazon S3 objects from one AWS account to another by using the S3 COPY operation. You must grant the destination AWS account access to the source AWS account's resources by using Amazon S3 Access Control Lists (ACLs) or bucket policies. For example, the following steps describe how a source AWS account can create a bucket policy to give another AWS account access to one or more Amazon S3 resources, granting the AWS account permissions to copy from the source.

Note: The following bucket policy, created in the source AWS account, grants ListBucket and GetObject permissions to the destination AWS account for each designated S3 resource. In a production environment it is a best practice to specify Action parameters that follow the principle of least privilege (only the actions the copy actually needs). After setting the Action parameters, add every resource that the destination AWS account should have permissions to in the Resource section; note that s3:ListBucket applies to the bucket ARN itself, while s3:GetObject applies to the object ARN (the bucket ARN followed by /*), so both forms are listed. Make sure to separate each resource entry with a comma.

First, get the 12-digit account ID for the destination account. Here is one way to find the account number:

  1. Sign in to the AWS Management Console for the destination AWS account.
  2. In the navigation bar, click Support, and then click Support Center. The account number (for example, 222222222222) is displayed in the upper-right corner of the Support Center.

In the source account, attach the following policy to the bucket you want to copy. For detailed instructions, see Editing Bucket Permissions.

#Bucket policy set up in the source AWS account.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {"AWS": "222222222222"},
            "Action": ["s3:ListBucket","s3:GetObject"],
            "Resource": [
                "arn:aws:s3:::sourcebucket/*",
                "arn:aws:s3:::sourcebucket"
            ]
        }
    ]
}

Attach a policy to a user or group in the destination AWS account to delegate access to the bucket in the source AWS account. If you attach the policy to a group, make sure that the IAM user is a member of the group.

#New AWS account IAM user policy set up on destination AWS account.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::sourcebucket",
                "arn:aws:s3:::sourcebucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::destinationbucket",
                "arn:aws:s3:::destinationbucket/*"
            ]
        }
    ]
}
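The two policy documents above are small, but they are easy to get subtly wrong: a wildcard Principal or Resource in the source bucket policy exposes the bucket to every AWS account, and listing s3:ListBucket against only the object ARN (or s3:GetObject against only the bucket ARN) produces an Access Denied that is hard to diagnose. The following script is an added example, not code from the original article or from AWS; it builds the same two policies from an account ID and bucket names and runs a few least-privilege and resource-shape checks over any policy document before it is attached. The account ID 222222222222 and the bucket names sourcebucket and destinationbucket are the article's placeholders; the function and finding names are assumptions of this example.

```python
"""Build and sanity-check the cross-account S3 copy policies from the article.

Added example: generates the source bucket policy and the destination IAM user
policy, then checks each statement for wildcards and for the common mistake of
pairing a bucket-level action with an object ARN (or vice versa).
"""
import json
import re

# AWS account IDs are exactly 12 decimal digits.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Actions that operate on the bucket ARN versus on object ARNs (bucket/*).
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket"}
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def build_source_bucket_policy(destination_account_id, source_bucket):
    """Bucket policy attached in the SOURCE account (read + list for the destination account)."""
    if not ACCOUNT_ID_RE.match(destination_account_id):
        raise ValueError("destination account ID must be exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {"AWS": destination_account_id},
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [
                f"arn:aws:s3:::{source_bucket}/*",   # objects: s3:GetObject
                f"arn:aws:s3:::{source_bucket}",     # bucket:  s3:ListBucket
            ],
        }],
    }


def build_destination_user_policy(source_bucket, destination_bucket):
    """IAM user/group policy attached in the DESTINATION account (read source, write destination)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{source_bucket}",
                             f"arn:aws:s3:::{source_bucket}/*"],
            },
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
                "Resource": [f"arn:aws:s3:::{destination_bucket}",
                             f"arn:aws:s3:::{destination_bucket}/*"],
            },
        ],
    }


def check_least_privilege(policy):
    """Return a list of findings for Allow statements; an empty list means the checks pass."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        principal = stmt.get("Principal")  # absent in identity-based (IAM user) policies

        # A wildcard principal in a bucket policy grants access to every AWS account.
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: Principal is a wildcard")
        for action in actions:
            if action == "*" or action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action}")
        for resource in resources:
            if resource in ("*", "arn:aws:s3:::*"):
                findings.append(f"{sid}: wildcard resource {resource}")

        # S3 ARNs contain '/' only after the bucket name, so '/' marks an object ARN.
        has_bucket_arn = any("/" not in r for r in resources)
        has_object_arn = any("/" in r for r in resources)
        if BUCKET_LEVEL_ACTIONS & set(actions) and not has_bucket_arn:
            findings.append(f"{sid}: s3:ListBucket needs the bare bucket ARN (no /*)")
        if OBJECT_LEVEL_ACTIONS & set(actions) and not has_object_arn:
            findings.append(f"{sid}: object-level actions need an object ARN (bucket/*)")
    return findings


def render(policy):
    """Pretty-print a policy as the JSON text you would paste into the console."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    source = build_source_bucket_policy("222222222222", "sourcebucket")
    destination = build_destination_user_policy("sourcebucket", "destinationbucket")
    for name, policy in (("source bucket policy", source), ("destination user policy", destination)):
        print(f"# {name}: findings = {check_least_privilege(policy) or 'none'}")
        print(render(policy))
```

Because the copy is issued with the destination account's own credentials, the objects written into destinationbucket are owned by the destination account, which is what makes this procedure an ownership transfer rather than just a share. Run the checker over any edited policy before attaching it; a non-empty findings list is the cue to tighten the statement.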

When these steps are completed, the "destination" account can copy objects by using the AWS Command Line Interface (CLI) commands cp or sync. For example, the following aws s3 sync command could be used to copy the contents from a bucket in the source AWS account to a bucket in the destination AWS account:

Note: Successful execution of the following command assumes that the AWS CLI has been correctly configured for the user in the destination AWS account, and that the source and destination buckets are in the same region (there is a command-line option for specifying a different region). For more information about configuring the AWS CLI, see Configuring the AWS Command Line Interface. Additionally, the user in the destination AWS account must have appropriate permissions to copy files to s3://destinationbucket.

aws s3 sync s3://sourcebucket s3://destinationbucket

For more information about delegating access to an S3 bucket in another account, see Example: Using a resource-based policy to delegate access to an Amazon S3 bucket in another account.

For information about delegating access to resources in different AWS accounts with IAM roles, see Walkthrough: Delegating Access Across AWS Accounts Using IAM Roles.

For a detailed walkthrough that describes how a bucket owner can grant cross-account bucket permissions, see Example 2: Bucket Owner Granting Cross-Account Bucket Permissions.



Published: 2015-02-26

Updated: 2017-08-07