shevchenkos / DynamoDbBackUp


Allow backup and restore across AWS accounts #46

Open nathaniel-holder opened 6 years ago

nathaniel-holder commented 6 years ago

I would like to: 1) back up from a DynamoDB table in account A into an S3 bucket owned by account B. 2) restore from an S3 bucket owned by account B into a DynamoDB table in account A.

The use case for this is if an entire AWS account gets hosed, I want to restore into a new AWS account. I know that I can also cross regions, but crossing AWS accounts would really solve this use case.

jerep6 commented 6 years ago

It's possible :)

The script must run in the account that has the DynamoDB tables (account A in your case).

Just set a bucket policy like this in account B (tested for restore, but it may also work for backup):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::$$$$ACCOUNT_ID_A$$$$:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::$$$$BUCKET_NAME$$$$/*"
        },

        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::$$$$ACCOUNT_ID_A$$$$:root"
            },
            "Action": [
                "s3:GetBucketVersioning",
                "s3:ListBucketVersions"],
            "Resource": "arn:aws:s3:::$$$$BUCKET_NAME$$$$"
        }
    ]
}

rozhok commented 6 years ago

This is not possible at the moment because the backup lambda uploads the file to S3 without granting full control on the object to the bucket owner.
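
An added example, not part of the thread or the project's code: a small Node.js check over the bucket policy posted above and the object-ownership concern in the comment just before this. It flags wildcard actions on a cross-account Allow and a missing Deny that forces uploads to carry the `bucket-owner-full-control` ACL; the account ID, bucket name, finding labels and the action list in `tightened` are assumptions.

```javascript
// Added example: audits an S3 bucket policy used for cross-account backups.
// Account ID and bucket name are constructed placeholders, not from the thread.
const ACCOUNT_A = 'arn:aws:iam::111122223333:root';
const BUCKET = 'arn:aws:s3:::example-backup-bucket';
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// True if an action pattern such as "s3:*" or "s3:Put*" covers `action`.
function covers(pattern, action) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$', 'i').test(action);
}
const hits = (s, action) => asArray(s.Action).some((a) => covers(a, action));

function auditBackupBucketPolicy(policy) {
  const findings = [];
  const statements = asArray(policy.Statement);
  const allowsPut = statements.filter((s) => s.Effect === 'Allow' && hits(s, 's3:PutObject'));
  // Wildcards grant far more than a backup/restore job needs (delete, ACL changes, ...).
  if (allowsPut.some((s) => asArray(s.Action).some((a) => a.includes('*')))) {
    findings.push('wildcard-action');
  }
  // Without this Deny, account A can upload objects the bucket owner cannot control.
  const enforcesAcl = statements.some((s) => s.Effect === 'Deny' && hits(s, 's3:PutObject') &&
    s.Condition && s.Condition.StringNotEquals &&
    s.Condition.StringNotEquals['s3:x-amz-acl'] === 'bucket-owner-full-control');
  if (allowsPut.length > 0 && !enforcesAcl) findings.push('put-without-owner-acl');
  return findings;
}

// The policy from the thread, with placeholders filled by constructed values.
const threadPolicy = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Principal: { AWS: ACCOUNT_A }, Action: 's3:*', Resource: BUCKET + '/*' },
  { Effect: 'Allow', Principal: { AWS: ACCOUNT_A },
    Action: ['s3:GetBucketVersioning', 's3:ListBucketVersions'], Resource: BUCKET },
] };

// Tightened variant; the object-level action list is an assumed minimal set.
const tightened = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Principal: { AWS: ACCOUNT_A }, Resource: BUCKET + '/*',
    Action: ['s3:PutObject', 's3:PutObjectAcl', 's3:GetObject', 's3:GetObjectVersion'] },
  { Effect: 'Allow', Principal: { AWS: ACCOUNT_A },
    Action: ['s3:GetBucketVersioning', 's3:ListBucketVersions'], Resource: BUCKET },
  { Effect: 'Deny', Principal: { AWS: ACCOUNT_A }, Action: 's3:PutObject', Resource: BUCKET + '/*',
    Condition: { StringNotEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' } } },
] };

console.log('thread policy:', auditBackupBucketPolicy(threadPolicy));
console.log('tightened:', auditBackupBucketPolicy(tightened));
```

With the Deny statement in place, an upload from account A succeeds only if the request sets `x-amz-acl: bucket-owner-full-control`, so the uploader has to send that header.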

shevchenkos commented 6 years ago

Merged and published. @rozhok, thank you for the contribution and the time taken for testing.