I copied or moved an object from an S3 bucket owned by one AWS account to a bucket owned by another AWS account. Now the owner of the destination bucket cannot access the object. How can I make sure the bucket owner has access to resources that are copied or moved between S3 buckets owned by different AWS accounts?

This issue happens because an S3 object is owned by the account that wrote it, and the bucket owner is not granted access to it automatically. If the correct permissions are not applied to objects when they are copied or moved between buckets, the destination bucket owner cannot access them. It's a best practice to apply permissions during the copy or move operation, but permissions can also be granted after the operation is finished.

Apply permissions to objects during the copy or move operation

There are two ways to be sure that the appropriate permissions are applied to any objects that are copied or moved to the destination bucket during the copy or move operation:

1.    Create a role in the destination bucket owner's account that the owner of the source bucket can assume. This role should grant the owner of the source bucket full control of the destination bucket, and it should require that the owner of the destination bucket keeps full permissions on any objects moved or copied to the destination bucket. For more information, see Tutorial: Delegate Access Across AWS Accounts Using IAM Roles.

Or

2.    Apply a policy to the destination bucket that ensures the bucket owner keeps full control of objects copied or moved to the bucket. This policy prevents a specified account from copying or moving objects to the destination bucket unless the bucket owner is granted full control of the objects. For example policies, see Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control. The following example bucket policy allows account 111111111111 to put objects, but denies any PutObject request that does not set the bucket-owner-full-control canned ACL, so the bucket owner gets full control of every object copied or moved to the bucket:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{"AWS":"111111111111"},
      "Action":"s3:PutObject",
      "Resource":["arn:aws:s3:::examplebucket/*"]
    },
    {
      "Effect":"Deny",
      "Principal":{"AWS":"111111111111"},
      "Action":"s3:PutObject",
      "Resource":"arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringNotEquals": {"s3:x-amz-acl":"bucket-owner-full-control"}
      }
    }
  ]
}
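To see why the policy above works, the following added example (not from the AWS article) models a simplified IAM evaluation of that exact bucket policy against a few PutObject requests. It handles only the policy features the example uses (a single AWS principal, one action, Resource as a string or list, and a StringNotEquals condition on s3:x-amz-acl) and applies the real evaluation rules that matter here: an explicit Deny wins over any Allow, a request with no matching statement is implicitly denied, and a negated operator such as StringNotEquals matches when the condition key is absent from the request, which is why omitting the ACL header is denied. The account 222222222222, the object key and the request structure are constructed for the example.

```python
"""Simplified evaluator for the bucket policy shown in the article (added example).

A request is modelled as a dict carrying the calling account, the action, the
object ARN, and a context dict holding the s3:x-amz-acl condition key (absent
when the caller sent no ACL header). Only the subset of policy grammar used by
the article's policy is supported.
"""
from fnmatch import fnmatchcase

SOURCE_ACCOUNT = "111111111111"  # the account the article's policy names
OTHER_ACCOUNT = "222222222222"   # constructed: an account the policy never mentions

# The article's bucket policy, unchanged apart from being a Python literal.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": SOURCE_ACCOUNT},
         "Action": "s3:PutObject", "Resource": ["arn:aws:s3:::examplebucket/*"]},
        {"Effect": "Deny", "Principal": {"AWS": SOURCE_ACCOUNT},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::examplebucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, request):
    """True when the statement's principal, action, resource and condition all apply."""
    if request["principal"] not in _as_list(stmt["Principal"]["AWS"]):
        return False
    if not any(fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    # StringNotEquals is a negated operator: it matches when the key is missing
    # from the request context or when its value differs from every listed value.
    for key, expected in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if request["context"].get(key) in _as_list(expected):
            return False
    return True


def evaluate(policy, request):
    """Return 'Allow' or 'Deny': explicit Deny wins, else Allow if any Allow matches, else implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, request):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def put_object_request(account, acl=None, key="report.csv"):
    """Build a PutObject request on examplebucket; acl=None means no x-amz-acl header was sent."""
    context = {} if acl is None else {"s3:x-amz-acl": acl}
    return {"principal": account, "action": "s3:PutObject",
            "resource": f"arn:aws:s3:::examplebucket/{key}", "context": context}


if __name__ == "__main__":
    for acl in (None, "private", "bucket-owner-full-control"):
        print(f"{SOURCE_ACCOUNT} acl={acl!r}: {evaluate(BUCKET_POLICY, put_object_request(SOURCE_ACCOUNT, acl))}")
    print(f"{OTHER_ACCOUNT} acl='bucket-owner-full-control': "
          f"{evaluate(BUCKET_POLICY, put_object_request(OTHER_ACCOUNT, 'bucket-owner-full-control'))}")
```

Running the script shows that a copy from account 111111111111 is allowed only when it sets the bucket-owner-full-control canned ACL (for example with the AWS CLI's --acl option on aws s3 cp); a copy with no ACL header or with any other canned ACL is explicitly denied, and an account the policy does not name is denied even when it sets the right ACL.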

When using the AWS Command Line Interface (AWS CLI), configure a profile in the source account that assumes the role in the destination account. This removes the need to export temporary credentials for each request after assuming the role. For more information about the keys available for specifying conditions in Amazon Simple Storage Service (Amazon S3) access policies, see Available Condition Keys. For more information about PUT operations, see PUT Object.

Grant permissions after the operation is complete

If permissions are not applied during the copy or move operation, the owner of the source bucket can run the following commands to grant the owner of the destination bucket full control of these objects:

aws s3api put-object-acl --bucket src-acct_bucket --key myobject --grant-full-control emailaddress=xyz@example.com

Note: Use the email address of the destination bucket owner to update the ACLs for objects copied or moved to the bucket.

aws s3api put-object-acl --bucket src-acct_bucket --key myobject --grant-full-control id="mycanonicalid"

Note: Use the canonical ID of the destination bucket owner to update the ACLs for objects copied or moved to the bucket.


Published: 2016-02-26

Updated: 2018-01-19