From 24fc330e647b6335c92bd9acebe947e6f8c76c60 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 21 Feb 2024 11:11:56 +0000 Subject: [PATCH] Add note about ACLs and ownership when copying between accounts --- .../infrastructure/cross-account-transfer.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/docs/notes/infrastructure/cross-account-transfer.md b/docs/notes/infrastructure/cross-account-transfer.md index 4ea1948..a5e0b72 100644 --- a/docs/notes/infrastructure/cross-account-transfer.md +++ b/docs/notes/infrastructure/cross-account-transfer.md @@ -5,11 +5,11 @@ tags: link: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/ --- -To copy bucket contents from bucket in account A to bucket in account B: +To copy bucket contents from a bucket in account A to a bucket in account B: 1. Create new S3 bucket in account B 2. Create IAM role / user in account B, with access to destination bucket -3. Add IAM inline policy to user: +3. Add IAM inline policy to the newly-created user: ```json { @@ -44,3 +44,14 @@ To copy bucket contents from bucket in account A to bucket in account B: ] } ``` + +Now, you can run `aws s3 sync` as the account in account B, and access both buckets. + +!!! warning + Whilst it might seem counter-intuitive, a **pull**-based transfer is significantly simpler than a **push**-based transfer. Notably, it avoids [issues](https://stackoverflow.com/a/63804619) with ownership issues and ACLs. + + These can be solved by overwriting the file's ACLs to enforce the bucket owner owns the file: + + ``` + aws s3 cp --recursive 's3://` 's3://` --acl bucket-owner-full-control --metadata-directive REPLACE + ```
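Review bot: in the first hunk, step 2 still reads "Create IAM role / user in account B" while the edited step 3 now says "the newly-created user"; either step 3 should say "the newly-created role or user", or step 2 should drop "role /" so the two steps agree. Step 1 would also benefit from the same article fix applied to the intro sentence: "Create a new S3 bucket in account B".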
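Review bot: in the second hunk, the command added inside the warning block has mismatched quoting: both `'s3://` arguments open with a single quote and close with a backtick, so the line will not run as pasted. Suggest spelling the placeholders out, e.g. `aws s3 cp --recursive 's3://<bucket>/' 's3://<bucket>/' --acl bucket-owner-full-control --metadata-directive REPLACE`, and tagging the fence as ```bash to match the ```json fence above. The prose doubles up ("issues ... with ownership issues and ACLs"); "issues with ownership and ACLs" reads cleaner, and "as the account in account B" should say "as the user created in step 2". If the intent is to copy the bucket over itself to rewrite the ACLs (same source and destination), say so explicitly, since that is the reason `--metadata-directive REPLACE` is required for the copy to take effect.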