
@perryism
Last active February 26, 2020 22:45
Backup s3 bucket to a different account

How to copy a bucket from one account to the other

Ref

Prerequisites

  • Set up an AWS CLI profile for both the source and the destination account

Set up parameters

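# Replace the four <...> placeholders before running; left as-is, the angle
# brackets are parsed by the shell as redirections.
SOURCE_PROFILE=<source_profile>
DESTINATION_PROFILE=<destination_profile>
SOURCE_BUCKET=<source_bucket>
DESTINATION_BUCKET=<destination_bucket>

# AWS_PROFILE must be exported. A plain assignment only sets a shell variable,
# so the aws child process would fall back to the default profile and the
# account id below could come from the wrong account.
export AWS_PROFILE="$DESTINATION_PROFILE"
DESTINATION_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
# This id becomes the principal trusted by the source bucket policy; check it
# before applying the source stack.
echo "Destination account id: $DESTINATION_ACCOUNT_ID"

export AWS_PROFILE="$SOURCE_PROFILE"
AWS_DEFAULT_REGION=$(aws s3api get-bucket-location --bucket "$SOURCE_BUCKET" \
  --query LocationConstraint --output text)
# Buckets in us-east-1 report a null LocationConstraint, which --output text
# prints as the literal string "None".
if [ "$AWS_DEFAULT_REGION" = "None" ]; then
  AWS_DEFAULT_REGION=us-east-1
fi
export AWS_DEFAULT_REGION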

Apply template to source account

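# Creates the bucket-policy stack in the SOURCE account. The profile is set
# explicitly so the stack cannot land in whichever account was selected last.
# --capabilities CAPABILITY_IAM is omitted: source_bucket_policy.yaml defines
# only an AWS::S3::BucketPolicy, so there is no IAM resource to acknowledge.
export AWS_PROFILE="$SOURCE_PROFILE"

aws cloudformation create-stack \
  --stack-name AllowBackupBucketPolicy \
  --template-body "file://$(pwd)/cloudformation/source_bucket_policy.yaml" \
  --parameters "ParameterKey=DestinationAccountId,ParameterValue=$DESTINATION_ACCOUNT_ID" \
               "ParameterKey=SourceBucket,ParameterValue=$SOURCE_BUCKET"

# create-stack returns before the policy exists; wait so later steps do not
# race it and fail with AccessDenied.
aws cloudformation wait stack-create-complete --stack-name AllowBackupBucketPolicy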

Apply template to destination account

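# Creates the destination bucket and IAM role in the DESTINATION account.
# export is required so the aws child process actually sees the profile.
# CAPABILITY_IAM stays here because destination_role.yaml creates an
# AWS::IAM::Role.
export AWS_PROFILE="$DESTINATION_PROFILE"

aws cloudformation create-stack \
  --stack-name AllowRestorePolicy \
  --template-body "file://$(pwd)/cloudformation/destination_role.yaml" \
  --capabilities CAPABILITY_IAM \
  --parameters "ParameterKey=SourceBucket,ParameterValue=$SOURCE_BUCKET" \
               "ParameterKey=DestinationBucket,ParameterValue=$DESTINATION_BUCKET"

# create-stack is asynchronous; wait until the destination bucket exists
# before syncing into it.
aws cloudformation wait stack-create-complete --stack-name AllowRestorePolicy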

Sync buckets

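# The copy runs as the destination profile's own identity: reads are allowed
# by the source bucket policy, writes by that identity's permissions in the
# destination account.
export AWS_PROFILE="$DESTINATION_PROFILE"
# The original target lacked the "$", so it named a literal bucket called
# DESTINATION_BUCKET instead of the configured destination.
aws s3 sync "s3://$SOURCE_BUCKET" "s3://$DESTINATION_BUCKET"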
---
# Destination-account template: creates the backup bucket and an IAM role
# whose inline policy allows reading the source bucket and writing to the
# destination bucket.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Copy bucket'

Parameters:
  SourceBucket:
    Description: 'Source bucket'
    Type: String
    # NOTE(review): an empty default yields an invalid ARN below; always pass
    # this parameter explicitly.
    Default: ''
  DestinationBucket:
    Description: 'Destination bucket'
    Type: String
    # NOTE(review): same as above; this value is also used as the bucket name.
    Default: ''

Resources:
  # Bucket that receives the copied objects. Retain keeps the bucket and its
  # contents when the stack is deleted.
  # NOTE(review): no PublicAccessBlockConfiguration, BucketEncryption or
  # VersioningConfiguration is declared, so the bucket relies on service and
  # account defaults. Confirm those are acceptable for backup data.
  BackupBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketName: !Ref DestinationBucket

  MyRole:
    Type: AWS::IAM::Role
    Properties:
      # Only the S3 service principal may assume this role.
      # NOTE(review): nothing in this template wires the role into a
      # replication or batch configuration, and the trust policy has no
      # aws:SourceAccount / aws:SourceArn condition. Confirm what is expected
      # to assume it.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: s3.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AllowCopy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read side: list the source bucket and fetch its objects.
              - Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetObject
                Resource:
                  - !Sub 'arn:aws:s3:::${SourceBucket}'
                  - !Sub 'arn:aws:s3:::${SourceBucket}/*'
              # Write side: list the destination bucket and upload objects.
              # NOTE(review): s3:PutObjectAcl also lets the role change object
              # ACLs; drop it if the copy never sets ACLs.
              - Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:PutObject
                  - s3:PutObjectAcl
                Resource:
                  - !Sub 'arn:aws:s3:::${DestinationBucket}'
                  - !Sub 'arn:aws:s3:::${DestinationBucket}/*'
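---
# Source-account template: attaches a bucket policy that lets the destination
# account list the source bucket and read its objects.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Copy bucket'

Parameters:
  DestinationAccountId:
    Description: 'Destination account id'
    # String, not Number: account ids are 12-digit identifiers and a numeric
    # type can lose a leading zero. The empty default is removed because it
    # was never a usable principal.
    Type: String
    AllowedPattern: '^\d{12}$'
    ConstraintDescription: 'must be a 12-digit AWS account id'
  SourceBucket:
    Description: 'Source bucket'
    Type: String
    # NOTE(review): an empty default yields an invalid ARN below; always pass
    # this parameter explicitly.
    Default: ''

Resources:
  # A bucket has exactly one policy, so this resource replaces any policy
  # already on the source bucket, and deleting the stack removes it. Check the
  # bucket's current policy before applying.
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SourceBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DelegateS3Access
            Effect: Allow
            # A bare account id as principal trusts the whole destination
            # account: any identity there that its own IAM policies allow can
            # read this bucket. Narrow it to a specific role ARN if only one
            # identity performs the copy.
            Principal:
              AWS: !Ref DestinationAccountId
            # Read-only: listing the bucket and getting objects.
            Action:
              - s3:ListBucket
              - s3:GetObject
            Resource:
              - !Sub 'arn:aws:s3:::${SourceBucket}/*'
              - !Sub 'arn:aws:s3:::${SourceBucket}'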