Open nathaniel-holder opened 6 years ago
It's possible :)
The script must run in the account that has the DynamoDB tables (account A in your case).
Just setting a bucket policy like this, in account B (tested for restore but may also work for backup):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::$$$$ACCOUNT_ID_A$$$$:root"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::$$$$BUCKET_NAME$$$$/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::$$$$ACCOUNT_ID_A$$$$:root"
      },
      "Action": [
        "s3:GetBucketVersioning",
        "s3:ListBucketVersions"
      ],
      "Resource": "arn:aws:s3:::$$$$BUCKET_NAME$$$$"
    }
  ]
}
```
This is not possible at the moment because the backup lambda uploads the file to S3 without granting full control of the object to the bucket owner.
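The two comments above (the cross-account bucket policy and the missing bucket-owner grant on upload) can be checked together. The following is an added example, not code from the thread or the project: a small Python check that flags principals outside the bucket owner's account that may `PutObject` without the `bucket-owner-full-control` ACL. The account IDs, bucket name and function names are constructed for illustration.

```python
import copy
from fnmatch import fnmatchcase

OWNER_ACL = "bucket-owner-full-control"

def as_list(value):
    return value if isinstance(value, list) else [value]

def covers_put(stmt):
    # IAM action names are case-insensitive and may use wildcards (s3:*, s3:Put*).
    return any(fnmatchcase("s3:putobject", a.lower()) for a in as_list(stmt.get("Action", [])))

def requires_acl(stmt, operator):
    # True if the statement's condition pins s3:x-amz-acl to the owner ACL.
    cond = stmt.get("Condition", {}).get(operator, {})
    return any(k.lower() == "s3:x-amz-acl" and as_list(v) == [OWNER_ACL] for k, v in cond.items())

def foreign_principals(stmt, owner_account):
    principal = stmt.get("Principal", {})
    arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
    return [p for p in arns if p == "*" or (f":{owner_account}:" not in p and p != owner_account)]

def unowned_upload_findings(policy, owner_account):
    """Principals outside owner_account that may PutObject without the owner ACL."""
    stmts = as_list(policy["Statement"])
    # Simplification: a Deny on PutObject lacking the ACL is assumed to cover every principal.
    guarded = any(s["Effect"] == "Deny" and covers_put(s) and requires_acl(s, "StringNotEquals") for s in stmts)
    findings = []
    for s in stmts:
        if s["Effect"] == "Allow" and covers_put(s) and not (guarded or requires_acl(s, "StringEquals")):
            findings += foreign_principals(s, owner_account)
    return findings

# Constructed sample: the thread's policy with placeholder account IDs and bucket name.
ACCOUNT_A, ACCOUNT_B, BUCKET = "111111111111", "222222222222", "example-backup-bucket"
ROOT_A = f"arn:aws:iam::{ACCOUNT_A}:root"
THREAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROOT_A}, "Action": "s3:*",
     "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Effect": "Allow", "Principal": {"AWS": ROOT_A},
     "Action": ["s3:GetBucketVersioning", "s3:ListBucketVersions"],
     "Resource": f"arn:aws:s3:::{BUCKET}"}]}

# Same policy plus a Deny that rejects uploads not granting the bucket owner full control.
GUARDED_POLICY = copy.deepcopy(THREAD_POLICY)
GUARDED_POLICY["Statement"].append(
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-acl": OWNER_ACL}}})

if __name__ == "__main__":
    print(unowned_upload_findings(THREAD_POLICY, ACCOUNT_B))
    print(unowned_upload_findings(GUARDED_POLICY, ACCOUNT_B))
```

With the Deny statement in place, an upload from account A succeeds only if it sends `x-amz-acl: bucket-owner-full-control`, so backups cannot land in account B's bucket as objects account B is unable to read.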
Merged and published. @rozhok, thank you for the contribution and the time taken for testing.
I would like to: 1) back up from a DynamoDB table in account A into an S3 bucket owned by account B. 2) restore from an S3 bucket owned by account B into a DynamoDB table in account A.
The use case for this is if an entire AWS account gets hosed, I want to restore into a new AWS account. I know that I can also cross regions, but crossing AWS accounts would really solve this use case.