
AWS S3 copy across multiple accounts using AWS Lambda and trigger an internal Lambda to copy to other buckets

I have 2 AWS accounts, app-dev and app-prod; both have some buckets. The structure is as follows:


The flow is as follows:

app-prod(Account)-->bucket-prod-->copier-lambda-->app-dev(account)-->bucket-dev-->copier-lambda-->[bucket-dev1, bucket-dev2]

The copier lambda in the app-dev account works fine if I copy the file to bucket-dev from the same account manually using the AWS console. But, when the copier lambda from account app-prod copies the file to bucket-dev (app-dev), the copier lambda from account app-dev gets triggered but fails with an "Access Denied" error, and the IAM role for the lambda is the same in both cases (file copied manually, which triggers the copier lambda in the same account, and file copied by a lambda from a different account), so I am confused here.

I'm pretty sure I'm missing something very small here. Any help would be appreciated.

Please note that if one account puts an object into a bucket owned by another account, the object is still owned by the originator. The originator has to add an ACL to the object granting the bucket owner access to the object.

See here for more details.

By default, an S3 object is owned by the AWS account that uploaded it. This is true even when the bucket is owned by another account. To get access to the object, the object owner must explicitly grant you (the bucket owner) access.

The object owner can grant the bucket owner full control of the object by updating the access control list (ACL) of the object. The object owner can update the ACL either during a put or copy operation, or after the object is added to the bucket.
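One way the app-prod copier Lambda can apply the fix the answer describes, as an added example that is not code from the question or the answer: it reads the S3 event notification, copies each new object to the destination bucket, and grants the bucket owner full control through the ACL during the copy so the app-dev Lambda can read it. The bucket names, the DESTINATION_BUCKETS environment variable and the injected S3 client are assumptions.

```python
"""Cross-account S3 copier Lambda (added example, not the poster's code).

Copies every object named in an S3 event to destination buckets owned by
another account. The ACL 'bucket-owner-full-control' is the fix for the
'Access Denied' in the question: without it the object stays owned by the
uploading account and the bucket owner's Lambda cannot read it.
"""
import os
import urllib.parse

# Assumed configuration: comma-separated list of target buckets.
DESTINATION_BUCKETS = os.environ.get("DESTINATION_BUCKETS", "bucket-dev").split(",")


def objects_from_event(event):
    """Yield (bucket, key) for each record of an S3 event delivered to Lambda.

    Keys in the event are URL-encoded (spaces arrive as '+'), so decode them
    before using them in API calls.
    """
    for record in event.get("Records", []):
        s3 = record["s3"]
        key = urllib.parse.unquote_plus(s3["object"]["key"])
        yield s3["bucket"]["name"], key


def copy_args(source_bucket, key, destination_bucket):
    """Build the copy_object parameters, granting the bucket owner full control."""
    return {
        "Bucket": destination_bucket,
        "Key": key,
        "CopySource": {"Bucket": source_bucket, "Key": key},
        "ACL": "bucket-owner-full-control",
    }


def copy_objects(event, s3_client, destinations=None):
    """Copy every object in the event to each destination; return (bucket, key) pairs."""
    destinations = destinations or DESTINATION_BUCKETS
    copied = []
    for source_bucket, key in objects_from_event(event):
        for dest in destinations:
            if dest == source_bucket:
                continue  # never copy a bucket onto itself: it would re-trigger the Lambda
            s3_client.copy_object(**copy_args(source_bucket, key, dest))
            copied.append((dest, key))
    return copied


def lambda_handler(event, context):
    import boto3  # imported here so the module loads without AWS credentials
    return copy_objects(event, boto3.client("s3"))
```

If the destination bucket has S3 Object Ownership set to "bucket owner enforced", ACLs are disabled and the bucket owner automatically owns every object; the bucket-owner-full-control ACL is still accepted there, so the same code works for both settings.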
