S3

You can query the ip-ranges Amazon AWS URL, and parse the results through jq as follows: Generic S3 IP Ranges Query: curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service=="S3")' Response: { "ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" } { "ip_prefix": "52.219.170.0/23", "region": "eu-central-1", "service": "S3", <truncated> Region Specific S3 IP Ranges Query: curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.region=="eu-west-1") | select(.service=="S3") | .ip_prefix' Response: 18.34.32.0/20 3....

In your source account create a customer-managed policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::source-EXAMPLE-BUCKET", "arn:aws:s3:::source-EXAMPLE-BUCKET/*" ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl" ], "Resource": [ "arn:aws:s3:::destination-EXAMPLE-BUCKET", "arn:aws:s3:::destination-EXAMPLE-BUCKET/*" ] } ] } In your destination bucket, update the bucket policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::1234567890:user/Andrew" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::destination-EXAMPLE-BUCKET/*", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::1234567890:user/Andrew" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::destination-EXAMPLE-BUCKET" } ] } Testing the S3 copy between accounts:...