Tags: amazon-web-services, amazon-s3, amazon-ec2, amazon-iam

How to copy files from an EC2 instance of Account A to an S3 bucket of Account B in AWS?


I have a few files on an EC2 machine in Account A. I would like to copy these files to an S3 bucket in Account B using User A (which belongs to Account A). Could you please guide me with the necessary IAM policy or the list of procedures to be followed to achieve this?


Solution

  • To copy files from an Amazon EC2 instance in Account-A to an S3 Bucket (Bucket-B) in Account-B, you would:

    • Create an IAM Role (Role-A) and assign it to the EC2 instance in Account-A
    • In Role-A, grant permission to use Bucket-B (see below)
    • Add a Bucket Policy to Bucket-B that grants permission (see below) for Role-A

    Since you are using aws s3 sync, you will need to grant permission to List and Put objects:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket-b",
                    "arn:aws:s3:::bucket-b/*"
                ]
            }
        ]
    }
    

    Note that you need two sets of permissions:

    • One on the IAM Role assigned to the EC2 instance (Role-A)
    • One on the Bucket Policy in Account-B (Bucket-B)

    These policies are slightly different because the Bucket Policy will need the Principal to refer to the ARN of Role-A whereas the IAM policy for Role-A (shown above) does not require a Principal to be defined.
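As an added example (not part of the answer above or of any AWS-provided code), the following Python script builds the two documents the answer describes, the identity-based policy for Role-A and the bucket policy for Bucket-B that names Role-A as Principal, and sanity-checks the pair before it is applied. The account id, role name and bucket name are placeholders; the checker encodes the two points made above (only the bucket policy carries a Principal; s3:ListBucket needs the bucket ARN while s3:PutObject needs the object ARN) plus a check against wildcard grants.

```python
"""Build and sanity-check the Role-A / Bucket-B policy pair for `aws s3 sync`.

Added example, not from the original answer. Assumed placeholder values:
  ROLE_A_ARN - ARN of Role-A in Account-A (account id and role name invented)
  BUCKET_B   - name of the destination bucket in Account-B
"""
import json

ROLE_A_ARN = "arn:aws:iam::111111111111:role/Role-A"  # placeholder, not a real account
BUCKET_B = "bucket-b"

# The minimum `aws s3 sync` needs to upload: list the bucket, put objects.
SYNC_ACTIONS = ["s3:PutObject", "s3:ListBucket"]


def bucket_resources(bucket):
    """Bucket ARN (for ListBucket) and object ARN (for PutObject)."""
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def role_policy(bucket):
    """Identity-based policy attached to Role-A: no Principal element."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(SYNC_ACTIONS),
            "Resource": bucket_resources(bucket),
        }],
    }


def bucket_policy(bucket, role_arn):
    """Resource-based policy on Bucket-B: must name Role-A as the Principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowRoleASync",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": list(SYNC_ACTIONS),
            "Resource": bucket_resources(bucket),
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def check_cross_account_pair(role_doc, bucket_doc, role_arn, bucket):
    """Return a list of problems (empty when the pair is consistent).

    Checks: the bucket policy names exactly Role-A as Principal, the identity
    policy carries no Principal, ListBucket targets the bucket ARN, PutObject
    targets the object ARN, and neither side uses wildcard actions.
    """
    problems = []
    bucket_arn, object_arn = bucket_resources(bucket)
    for name, doc, needs_principal in (("role policy", role_doc, False),
                                       ("bucket policy", bucket_doc, True)):
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action"))
            resources = _as_list(stmt.get("Resource"))
            principal = stmt.get("Principal")
            if needs_principal:
                allowed = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
                if principal is None:
                    problems.append(f"{name}: statement has no Principal; must name {role_arn}")
                elif principal == "*" or "*" in allowed:
                    problems.append(f"{name}: Principal '*' opens the bucket to everyone")
                elif allowed != [role_arn]:
                    problems.append(f"{name}: Principal {principal!r} is not Role-A")
            elif principal is not None:
                problems.append(f"{name}: identity-based policy must not carry a Principal")
            if "s3:ListBucket" in actions and bucket_arn not in resources:
                problems.append(f"{name}: s3:ListBucket needs the bucket ARN {bucket_arn}")
            if "s3:PutObject" in actions and object_arn not in resources:
                problems.append(f"{name}: s3:PutObject needs the object ARN {object_arn}")
            if "*" in actions or "s3:*" in actions:
                problems.append(f"{name}: wildcard action grants far more than sync needs")
    return problems


def policy_json(doc):
    """Pretty-printed JSON, ready to save and pass as file://policy.json."""
    return json.dumps(doc, indent=4)


if __name__ == "__main__":
    role_doc = role_policy(BUCKET_B)
    bucket_doc = bucket_policy(BUCKET_B, ROLE_A_ARN)
    print("# attach to Role-A in Account-A:\n" + policy_json(role_doc))
    print("# put-bucket-policy on Bucket-B in Account-B:\n" + policy_json(bucket_doc))
    print("problems:", check_cross_account_pair(role_doc, bucket_doc, ROLE_A_ARN, BUCKET_B))
```

Running the script prints both documents and an empty problem list. A separate ownership caveat worth knowing before relying on this setup: when a principal from Account-A writes objects into Bucket-B, the objects are owned by Account-A unless Bucket-B's Object Ownership setting is "bucket owner enforced" or the upload carries the bucket-owner-full-control ACL, so Account-B users may otherwise be unable to read what was synced.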