ACM.129 File migration and website configuration before transferring domains
This is a continuation of my series on Automating Cybersecurity Metrics.
Before I got distracted by the AWS SSO issues that ended up in my last post, I had transferred some domains to a new account using Route 53 instructions.
Initially, I thought I would go ahead and transfer the websites associated with those domains. But then I started thinking about how I'd transfer the files and automate the setup, some of which I've done and some of which I haven't.
As I mentioned, these websites still work because the NS records for the websites don't need to be in the same account where the domain name is registered.
The websites use CloudFront and S3 buckets. These sites must have some Route 53 configuration in the same account as the S3 bucket where the site is hosted, so you would need to configure that in the new account to transfer the files.
Also, the website files from the old account need to be transferred or copied to the new S3 buckets. I need to configure buckets and move files before transferring NS records for existing sites to ensure my sites continue to function correctly.
There are a few things to keep in mind when transferring files from an S3 bucket to a bucket in a different account:
- The cost of transferring the files
- The best way to transfer the files
- Whether or not I need to encrypt the files
- Automation of the transfer and the resulting configuration
- Where I should back up the files in my new structure
File transfer cost
It appears that if I transfer the websites to the new account in the same region, I shouldn't incur any fees.
Also, the first 100 GB per month transferred to the Internet is free. I don't think I have that much data, but I'll have to double check.
Data transferred to the Internet beyond that would incur a fee.
But in this case, I'm transferring to another AWS Region, so I would need to find out which Region I'm transferring to and the amount above 100 GB. In my case, it's not much, so the fees should be minimal.
Commands to transfer files between S3 buckets
This page has the commands to copy or sync the files to another account and region:
aws s3 cp s3://DOC-EXAMPLE-BUCKET-SOURCE/ \
    s3://DOC-EXAMPLE-BUCKET-TARGET/ \
    --recursive --source-region SOURCE-REGION-NAME --region DESTINATION-REGION-NAME

aws s3 sync s3://DOC-EXAMPLE-BUCKET-SOURCE/ \
    s3://DOC-EXAMPLE-BUCKET-TARGET/ \
    --source-region SOURCE-REGION-NAME --region DESTINATION-REGION-NAME
In this case, I want to copy the files because I will close the account where the websites currently exist.
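Because the source account will be closed after the copy, it is worth confirming that every object arrived before closing it. The following is an added example, not code from the original post: it compares two object listings such as those produced by `aws s3api list-objects-v2` for each bucket. The function names and the sample listings are constructed for illustration.

```python
def is_multipart(etag):
    # Multipart ETags look like "<hex>-<parts>"; they are not an MD5 of the
    # content and can differ between two byte-identical objects.
    return "-" in etag.strip('"')

def compare_listings(source, target):
    """Compare two listings (key, size, ETag) and report the differences."""
    remaining = {obj["Key"]: obj for obj in target}
    report = {"missing": [], "size_mismatch": [], "etag_mismatch": []}
    for obj in source:
        copy = remaining.pop(obj["Key"], None)
        if copy is None:
            report["missing"].append(obj["Key"])
        elif copy["Size"] != obj["Size"]:
            report["size_mismatch"].append(obj["Key"])
        elif (obj["ETag"] != copy["ETag"]
              and not is_multipart(obj["ETag"])
              and not is_multipart(copy["ETag"])):
            report["etag_mismatch"].append(obj["Key"])
    report["extra"] = sorted(remaining)  # keys present only in the target
    return report

def copy_is_complete(report):
    """True only when nothing is missing or different in the target."""
    return not (report["missing"] or report["size_mismatch"]
                or report["etag_mismatch"])

# Constructed sample listings, shaped like the "Contents" array printed by
# `aws s3api list-objects-v2 --bucket NAME`. The ETag values are made up.
SOURCE = [
    {"Key": "index.html", "Size": 5120, "ETag": '"1111aaaa"'},
    {"Key": "css/site.css", "Size": 2048, "ETag": '"2222bbbb"'},
    {"Key": "video/intro.mp4", "Size": 20971520, "ETag": '"3333cccc-3"'},
    {"Key": "img/logo.png", "Size": 9000, "ETag": '"4444dddd"'},
]
TARGET = [
    {"Key": "index.html", "Size": 5120, "ETag": '"1111aaaa"'},
    {"Key": "css/site.css", "Size": 2000, "ETag": '"9999eeee"'},
    {"Key": "video/intro.mp4", "Size": 20971520, "ETag": '"5555ffff-2"'},
]

if __name__ == "__main__":
    result = compare_listings(SOURCE, TARGET)
    print(result, copy_is_complete(result))
```

The multipart case matters here because a copy may be performed with a different part size than the original upload, so differing ETags on large objects do not by themselves indicate a bad copy.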
Encryption
For websites, the files will not be encrypted, as they must be accessible from the Internet. For other files, I'd like to make sure I have a KMS encryption key set up to back up the files. I can encrypt the vault with a specific key and would need to grant cross-account access to the key to sync the files. For now we'll only deal with website files that don't need encryption.
Automation
For automation, I would like to automate the following, all of which will be covered in future posts:
- NS records
- SSL certificates
- S3 bucket creation
- CloudFront configuration
- File transfer
- S3 replication for backup purposes
Backups
I would like my backups to go to a separate account with limited permissions. I always tell clients not to use everyday credentials for backups. I can create a backup account and permissions for a resource in that account to access and replicate the files in the backup account. I will need to limit who has access to create users or change permissions on the backup account.
The following documentation explains how to create cross-account replication for an S3 bucket. You should probably set that up first so that as files are copied, backups are generated automatically.
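One way to keep the backup account's permissions limited is to give the source account's replication role only the S3 replication actions on the backup bucket, then audit any policy against that list. This is an added example, not code from the original post or from AWS: the role ARN, account ID, bucket name and function names are constructed placeholders, and it assumes versioning is already enabled on the backup bucket.

```python
import json

# Actions the audit accepts on a backup bucket. s3:ReplicateDelete is left out
# on purpose so delete markers from the source are not replicated to the backup.
ALLOWED_ACTIONS = {
    "s3:ReplicateObject", "s3:ReplicateTags",
    "s3:ObjectOwnerOverrideToBucketOwner", "s3:GetBucketVersioning",
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def build_backup_bucket_policy(bucket, role_arn):
    """Bucket policy for the backup account: the source account's
    replication role may write replicas and read versioning state."""
    principal = {"AWS": role_arn}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReplicaWrites", "Effect": "Allow", "Principal": principal,
         "Action": ["s3:ReplicateObject", "s3:ReplicateTags"],
         "Resource": f"arn:aws:s3:::{bucket}/*"},
        {"Sid": "ReadVersioning", "Effect": "Allow", "Principal": principal,
         "Action": "s3:GetBucketVersioning",
         "Resource": f"arn:aws:s3:::{bucket}"},
    ]}

def audit_policy(policy, role_arn):
    """Return findings for Allow statements wider than replication needs."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no sid>")
        principal = st.get("Principal", {})
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for arn in arns:
            if arn != role_arn:
                findings.append(f"{sid}: unexpected principal {arn}")
        for action in as_list(st.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: non-replication action {action}")
    return findings

# Constructed placeholder values, not taken from the post.
ROLE = "arn:aws:iam::111111111111:role/website-replication"
GOOD = build_backup_bucket_policy("example-backup-bucket", ROLE)
BAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TooWide", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": ["s3:*"], "Resource": "arn:aws:s3:::example-backup-bucket/*"}]}

if __name__ == "__main__":
    print(json.dumps(GOOD, indent=2))
    print(audit_policy(BAD, ROLE))
```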
All of that is a lot more work than I initially considered. As I think about automation, it looks like the batch job code that I want to write can help me automate and migrate some of this data. I will reconfigure the NS record for my new batch job authentication flow first. I can then create reusable templates for all this and proceed with the transfer.
Once again, I'm using the principle of abstraction to move common functionality into a single code base to limit the amount of work I'll have to do in the end, and hopefully I can apply a more secure and robust architecture in the process.
Follow for updates.
Teri Radichel
© 2nd Sight Lab 2023
Transferring Files in S3 Between AWS Accounts | by Teri Radichel | Cloud Security | Jan, 2023