AWS S3 Server side encryption Access denied error

Question

• I have A and B AWS accounts and I am syncing S3 bucket from A account SoruceS3Bucket to B account DestinationS3Bucket.
• Following is the bucket policy which is applied on Destination bucket and it is allowing Source AWS account to sync the content with DestinationS3Bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionsToAAccount",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXX:root"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::DestinationS3Bucket",
                "arn:aws:s3:::DestinationS3Bucket/*"
            ]
        }
    ]
}

• Here the sync was working perfectly since long time and it is still working but from last few days at the DestinationS3Bucket files are not accessible with the Server side encryption Access denied error.
• I have verified there no encryption(Default encryption, none) on SourceS3Bucket and DestinationS3Bucket and I am using Source AWS account secret and access key to sync the content. Thanks in advance.

Answer 1

When you copy files from one S3 bucket in account A using credentials of account A to a bucket in account B, the owner of the files in the destination bucket will be account A. (Account A is the principal that created the files in account B's bucket).

During the file copy from source to destination bucket, add the --acl bucket-owner-full-control option so that account B can control the files. Otherwise you might have files in account B's bucket that account B cannot access or control.

Another option is to use the credentials of account B to copy from the source to the destination bucket. This way the owner of the copied files is account B.