Why can't I copy an object between two Amazon S3 buckets?

Last updated: 2019-06-06

I'm trying to copy an object from one Amazon Simple Storage Service (Amazon S3) bucket to another, but it's not working. How can I troubleshoot this?

Short Description

To troubleshoot issues with copying an object between buckets, check the following:

  • Bucket policies and AWS Identity and Access Management (IAM) user or role policy
  • Permission for the specific operation
  • Object access control list (ACL)
  • AWS Key Management Service (AWS KMS) encryption
  • Glacier storage class
  • Requester Pays enabled on bucket
  • AWS Organizations service control policy
  • Cross-Region request issues with Amazon Virtual Private Cloud (VPC) endpoints for Amazon S3

Resolution

Bucket policies and IAM user or role policy

Review the bucket policy on both the source and destination buckets. The source bucket must allow both s3:ListBucket and s3:GetObject by the IAM user or role that you're using. The destination bucket must allow both s3:ListBucket and s3:PutObject by your IAM user or role.

Additionally, review the policy of your IAM user or role. The policy must allow s3:ListBucket and s3:GetObject to the source bucket, as well as s3:ListBucket and s3:PutObject to the destination bucket.

For the bucket policies and the IAM policy, be sure to check that there are no explicit deny statements that conflict with the permissions that you need. An explicit deny overrides an allow statement.

Note: If you're using the AssumeRole API operation to access Amazon S3, you must also verify that the trust relationship is configured correctly.

Permission for the specific operation

Be sure that you have the permission that corresponds with the specific operation that you're trying to run. For example, if you want to run aws s3 cp, you need permission to s3:GetObject and s3:PutObject. If you want to run aws s3 sync, you need permission to s3:GetObject, s3:PutObject, and s3:ListBucket.

You also need the corresponding permission for any version-specific operation. For example, if you want to copy a specific version of an object, you need the permission for s3:GetObjectVersion in addition to s3:GetObject. For more information, see Specifying Permissions in a Policy.

Object ACL

If the bucket policy has the correct permissions, be sure to check that the object's ACL allows the same actions. The bucket policy applies only to objects owned by the bucket owner. An object that's owned by a different user might have conflicting permissions on its ACL.

Note: The object ACL issue typically occurs when you copy AWS service logs, such as AWS CloudTrail logs and Elastic Load Balancing access logs, across accounts.

AWS KMS encryption

If the object is encrypted using an AWS KMS key, verify that the key policy and your IAM policy allow these AWS KMS actions:

"Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
]

For more information, see Using Key Policies in AWS KMS and Actions, Resources, and Condition Keys for AWS Key Management Service.

Glacier storage class

You can't copy an object from the Glacier storage class. You must first restore the object from Glacier before you can copy the object. For instructions, see How Do I Restore an S3 Object That Has Been Archived to Glacier?

Requester Pays enabled on bucket

If the source or destination bucket has Requester Pays enabled, and you're trying to access the bucket from another account, verify that your request includes the correct Requester Pays parameter:

  • For AWS Command Line Interface (AWS CLI) commands, include the --request-payer option.
  • For GET, HEAD, and POST requests, include the x-amz-request-payer: requester header.
  • For signed URLs, include x-amz-request-payer=requester.

AWS Organizations service control policy

If you're using AWS Organizations, check the service control policies to be sure that access to Amazon S3 is allowed.

For example, the following policy results in a 403 Forbidden error when you try to access Amazon S3 because it explicitly denies access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "S3:*",
            "Resource": "*"
        }
    ]
}

For more information on the features of AWS Organizations, see Enabling All Features in Your Organization.
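The following script is an added example, not code from the original article or from AWS. It walks the checklist from the "Bucket policies and IAM user or role policy", "Permission for the specific operation" and "AWS Organizations service control policy" sections offline, against sample policies: it requires s3:ListBucket and s3:GetObject on the source bucket and s3:ListBucket and s3:PutObject on the destination (plus s3:GetObjectVersion for a version-specific copy), lets an explicit Deny in any policy override every Allow, and matches action names case-insensitively with wildcards, which is why the "S3:*" statement quoted above denies every S3 call. It is a deliberately simplified model of IAM evaluation (Principal, Condition, NotAction and object ACLs are ignored). The bucket names, object key and identity/bucket policies are constructed for the example; the service control policy is the one quoted above.

```python
"""Offline checker for the copy-permission checklist in this article.

Rules modelled (simplified IAM semantics, not the real evaluation engine):
  * an explicit Deny in any policy (SCP, identity, bucket) wins over every Allow;
  * action names match case-insensitively and honour '*' wildcards, so the
    article's "S3:*" statement denies s3:GetObject;
  * Principal, Condition, NotAction and object ACLs are ignored.
"""
import fnmatch

# Constructed names for the example; replace with your own buckets and key.
SOURCE_BUCKET = "example-source-bucket"
DEST_BUCKET = "example-destination-bucket"
OBJECT_KEY = "reports/2019/q1.csv"


def required_actions(source, destination, key, versioned=False):
    """(action, resource ARN) pairs a bucket-to-bucket copy needs, per the article."""
    needed = [
        ("s3:ListBucket", f"arn:aws:s3:::{source}"),
        ("s3:GetObject", f"arn:aws:s3:::{source}/{key}"),
        ("s3:ListBucket", f"arn:aws:s3:::{destination}"),
        ("s3:PutObject", f"arn:aws:s3:::{destination}/{key}"),
    ]
    if versioned:  # copying a specific object version needs this as well
        needed.append(("s3:GetObjectVersion", f"arn:aws:s3:::{source}/{key}"))
    return needed


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value):
    # IAM treats actions case-insensitively and supports '*'/'?' wildcards;
    # fnmatch on lower-cased strings reproduces that closely enough here.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _statement_matches(stmt, action, resource):
    return (any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
            and any(_matches(r, resource) for r in _as_list(stmt.get("Resource", "*"))))


def evaluate(action, resource, identity_policy, bucket_policy, scp=None):
    """Return 'allowed' or a deny reason for one (action, resource) pair."""
    policies = {"scp": scp, "identity": identity_policy, "bucket": bucket_policy}
    allowed_by = set()
    for name, policy in policies.items():
        for stmt in (policy or {}).get("Statement", []):
            if _statement_matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return f"explicit deny ({name} policy)"  # deny always wins
                allowed_by.add(name)
    if scp is not None and "scp" not in allowed_by:
        return "implicit deny (scp policy has no matching Allow)"
    # The article's checklist wants both the identity policy and the bucket
    # policy to allow the action (required cross-account; same-account access
    # can succeed with either one alone).
    for name in ("identity", "bucket"):
        if name not in allowed_by:
            return f"implicit deny ({name} policy has no matching Allow)"
    return "allowed"


def check_copy(identity_policy, source_policy, dest_policy, scp=None, versioned=False):
    """Evaluate every action the copy needs; maps (action, resource) -> result."""
    results = {}
    for action, resource in required_actions(SOURCE_BUCKET, DEST_BUCKET, OBJECT_KEY, versioned):
        bucket = resource.split(":::")[1].split("/")[0]
        bucket_policy = source_policy if bucket == SOURCE_BUCKET else dest_policy
        results[(action, resource)] = evaluate(action, resource, identity_policy, bucket_policy, scp)
    return results


def _allow(actions, resources):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resources}]}


# Constructed sample policies (Principal omitted, see simplifications above).
IDENTITY_POLICY = _allow(
    ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
    [f"arn:aws:s3:::{b}{suffix}" for b in (SOURCE_BUCKET, DEST_BUCKET) for suffix in ("", "/*")])
SOURCE_POLICY = _allow(["s3:ListBucket", "s3:GetObject"],
                       [f"arn:aws:s3:::{SOURCE_BUCKET}", f"arn:aws:s3:::{SOURCE_BUCKET}/*"])
DEST_POLICY = _allow(["s3:ListBucket", "s3:PutObject"],
                     [f"arn:aws:s3:::{DEST_BUCKET}", f"arn:aws:s3:::{DEST_BUCKET}/*"])
# The service control policy quoted in the article: note the upper-case "S3:*".
SCP_DENY_ALL_S3 = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Deny", "Action": "S3:*", "Resource": "*"}]}

if __name__ == "__main__":
    for label, kwargs in [("plain copy", {}),
                          ("copy under the article's SCP", {"scp": SCP_DENY_ALL_S3}),
                          ("copy of a specific version", {"versioned": True})]:
        print(f"== {label}")
        for (action, resource), result in check_copy(
                IDENTITY_POLICY, SOURCE_POLICY, DEST_POLICY, **kwargs).items():
            print(f"  {action:<21} {resource:<55} {result}")
```

Run as a script, the three reports show the plain copy fully allowed, every action explicitly denied once the quoted SCP is attached, and a version-specific copy failing only on s3:GetObjectVersion because neither the identity policy nor the source bucket policy grants it.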

Cross-Region request issues with VPC endpoints for Amazon S3

VPC endpoints for Amazon S3 currently don't support cross-Region requests. For example, if you have an Amazon Elastic Compute Cloud (Amazon EC2) instance in Region A with a VPC endpoint configured in its associated route table, the instance can't copy an object from a bucket in Region B to a bucket in Region A. Instead, you receive an error message similar to the following:

An error occurred (AccessDenied) when calling the CopyObject operation: VPC endpoints do not support cross-region requests

To troubleshoot this cross-Region request issue, you can:

  • Remove the VPC endpoint from the route table. If you remove the VPC endpoint, the instance must be able to connect to the internet instead.
  • Run the copy command from another instance that's not using the VPC endpoint, or from an instance that's neither in Region A nor Region B.
  • If you must use the VPC endpoint, send a GET request to copy the object from the source bucket to the EC2 instance. Then, send a PUT request to copy the object from the EC2 instance to the destination bucket.
