19

I configure AWS instances for clients, and I need to transfer everything to them at the end, so that the billing for AWS and S3 usage also goes on their accounts.

I know there is a way to "transfer" an EC2 instance via AMI sharing, but is there a way to transfer ownership or share S3 buckets as well? (Preferably avoid making a copy but transfer the original bucket itself).

rustyx

3 Answers

22

S3 Buckets cannot be transferred between accounts. At least in the simple sense of "here is my bucket, now it is your bucket". Everyone seems to use some form of copying. If you have permission to both your original bucket and their destination bucket then you can use the AWS CLI and just

aws s3 sync s3://bucket1 s3://bucket2

Have you tried adding their account as an ALL PERMISSION user to one of your buckets? http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-creatingrole-policyexamples.html

Then log in as their account and see if they can then edit the policy to remove your original account? Not sure how the billing would turn out since you created the bucket.

greg_diesel
  • I think this would work, but I ended up simply creating a dedicated account and transferring its credentials to my client. – rustyx May 14 '15 at 19:23
  • I went through the IAM cross-account roles tutorial, but still when I do `aws s3 sync s3://bucket1 s3://bucket2` I get `A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied` regardless of which account's credentials I use. – Michael Johnston Mar 17 '16 at 05:34
  • Is there a way to copy all versions of objects as well? It looks like `s3 sync` and `cp --recursive` both do not preserve versions. – rooscous May 29 '18 at 21:42
  • I just tried an ALL PERMISSIONS user, and it does indeed grant access sufficiently well. However, it seems it's not possible to deny the original owner completely - even with `Deny` on `s3:*`, the original owner can still see the bucket and get to the policy. – Ralph Bolton Jun 22 '18 at 13:40
  • If I am not wrong, this procedure will copy the content of one bucket with a name into another bucket with a different name, but the interesting thing would be to move the bucket keeping the same name – fdm Oct 22 '19 at 08:55
  • @fdm you can't use the same name since bucket names are globally unique. You'd need a temporary bucket, remove the objects from the old bucket, delete the bucket, recreate it in the other account and move the objects from the temp bucket. – peetasan Jan 15 '21 at 14:47
4

If you are going to do this frequently then you should create a new account per customer and then transfer ownership of the whole account to the client. See Consolidated billing and Organisations.

Kristianw
-5

You can transfer the contents of the buckets between accounts by making the destination bucket public (there are more secure ways to do this). Then, using the AWS CLI from the other account you authenticated with, run the s3 cp command (this does not need bandwidth):

aws s3 cp "s3://bucket-source/file.zip" "s3://bucket-you-dont-own/NewFolder/" --acl bucket-owner-full-control

If you do not add "--acl bucket-owner-full-control" to your s3 string you will get an access denied error because the destination account does not have file permissions:

A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied
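
Added example, not part of the answer above: rather than making the destination bucket public, the destination account can attach a bucket policy that admits only the source account and only uploads carrying the `bucket-owner-full-control` ACL. The function name, the account ID 111122223333 and the bucket name `client-dest-bucket` are assumptions made for illustration.

```sh
# Added example. Account ID and bucket names below are constructed placeholders.
# Prints a policy for the DESTINATION bucket (owned by the client) that grants
# the source account list and write access only.
dest_bucket_policy() {
  src_account="$1"
  dest_bucket="$2"
  # Accept only a 12-digit account ID and a plausible bucket name, so a typo
  # or a "*" can never become a wildcard principal or resource.
  printf '%s' "$src_account" | grep -Eq '^[0-9]{12}$' ||
    { echo "bad account id" >&2; return 1; }
  printf '%s' "$dest_bucket" | grep -Eq '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$' ||
    { echo "bad bucket name" >&2; return 1; }
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SourceAccountList",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${src_account}:root"},
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${dest_bucket}"
    },
    {
      "Sid": "SourceAccountWriteOwnerFullControl",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${src_account}:root"},
      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
      "Resource": "arn:aws:s3:::${dest_bucket}/*",
      "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    }
  ]
}
EOF
}

# Typical use (needs AWS credentials, so not executed here):
#   destination account:
#     dest_bucket_policy 111122223333 client-dest-bucket > policy.json
#     aws s3api put-bucket-policy --bucket client-dest-bucket --policy file://policy.json
#   source account (its IAM identity also needs these S3 actions allowed):
#     aws s3 sync s3://bucket1 s3://client-dest-bucket --acl bucket-owner-full-control
```

Once the copy is finished, the destination account can delete the bucket policy to end the source account's access.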