Moving S3 bucket to another AWS account in another AWS region

AWS does not support moving S3 buckets, so in practice we will be syncing the content from the original account/bucket to a new account/bucket.

Note: the following instructions cover a simple scenario: there is an app that only reads/writes data from/to S3, so we copy the data from the old bucket to the new bucket without any special ACLs.

Assuming you already have the new account and bucket created, you will need the following to start the process:

  • Old and new bucket names
  • AWS cli installed
  • (Optionally) ARN of IAM user that will be used to sync the data

Prepare SOURCE account

Log in to the SOURCE account management console, go to IAM / Users / the user you want to use for the transfer, and set the following inline policy so that a user from the SOURCE account can read from the SOURCE bucket and write to the DESTINATION bucket (replace the old and new bucket names):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::_old_bucket_",
                "arn:aws:s3:::_old_bucket_/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::_new_bucket_",
                "arn:aws:s3:::_new_bucket_/*"
            ]
        }
    ]
}

If you intend to transfer multiple buckets, just list them all in the Resource sections above.

While you are in the user details, you can also take the user's ARN if you do not have it already. It is shown on the user details page and looks like:

"arn:aws:iam::_aws_account_id_:user/_username_"

Prepare DESTINATION account

Log in to the DESTINATION account management console and set a bucket policy on the DESTINATION bucket that allows the user from the SOURCE account to write to it (replace the account id, username and new bucket name):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccountsTransfer",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::_new_bucket_",
                "arn:aws:s3:::_new_bucket_/*"
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::_aws_account_id_:user/_username_"
                ]
            }
        }
    ]
}

Set the DESTINATION bucket's default object ownership to the DESTINATION account: go to DESTINATION bucket / Permissions / Object Ownership and set it to Bucket owner preferred.

Perform sync

Set up the AWS CLI to use the user that will sync the data and then run:

aws s3 sync s3://_old_bucket_  s3://_new_bucket_ --region _new_region_ --acl bucket-owner-full-control

Depending on the volume of your data this may take a long time, so I recommend running it in a terminal multiplexer such as tmux.

Unicode filenames note

You may experience errors when syncing files whose names contain some Unicode characters (not all of them; mostly emoji in my case). The sync reports copy failed:

copy failed: s3://_old_bucket_/prefix/🔥.wav to s3://_new_bucket_/prefix/🔥.wav An error occurred (InvalidRequest) when calling the CopyObject operation: Couldn't parse the specified URI.

It seems to be an S3 issue: such keys are not handled when syncing between different AWS regions.

The easiest workaround in my case was to download the affected files from the SOURCE bucket to a local filesystem and re-upload them to the DESTINATION bucket. Of course this may not be an option for you.
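As an added example (not part of the original post), a verification step to run after the sync: it compares the object inventories of the SOURCE and DESTINATION buckets (the Key/Size/ETag fields that `aws s3api list-objects-v2` returns) and separately lists keys with non-ASCII characters, which may need the download/re-upload workaround described above. The two inventories below are constructed sample data, not real bucket listings.

```python
# Added example (not from the original post): post-sync verification of the S3 copy.
# Compares Key/Size/ETag inventories of the SOURCE and DESTINATION buckets (the fields
# that `aws s3api list-objects-v2` returns) and lists non-ASCII keys, which the post
# says may fail cross-region with "Couldn't parse the specified URI".

# Constructed sample inventories, not real bucket listings.
SOURCE_INVENTORY = [
    {"Key": "prefix/track01.wav", "Size": 1024, "ETag": '"d41d8cd98f00b204e9800998ecf8427e"'},
    {"Key": "prefix/🔥.wav", "Size": 2048, "ETag": '"0cc175b9c0f1b6a831c399e269772661"'},
    {"Key": "prefix/big.wav", "Size": 50_000_000, "ETag": '"9b74c9897bac770ffc029102a200c5de-6"'},
    {"Key": "prefix/changed.wav", "Size": 10, "ETag": '"92eb5ffee6ae2fec3ad71c777531578f"'},
]
DESTINATION_INVENTORY = [
    {"Key": "prefix/track01.wav", "Size": 1024, "ETag": '"d41d8cd98f00b204e9800998ecf8427e"'},
    # multipart copy: same bytes, but a multipart ETag depends on part size, so it differs
    {"Key": "prefix/big.wav", "Size": 50_000_000, "ETag": '"4a8a08f09d37b73795649038408b5f33-7"'},
    # same size, different content
    {"Key": "prefix/changed.wav", "Size": 10, "ETag": '"e4da3b7fbbce2345d7772b0674a318d5"'},
    {"Key": "prefix/stray.tmp", "Size": 1, "ETag": '"c4ca4238a0b923820dcc509a6f75849b"'},
]


def compare_inventories(source, destination):
    """Return keys missing from / extra in the destination, keys whose size or
    single-part ETag differs, and keys that could only be size-checked because
    at least one side has a multipart ETag (contains '-')."""
    src = {o["Key"]: o for o in source}
    dst = {o["Key"]: o for o in destination}
    report = {"missing": [], "extra": sorted(set(dst) - set(src)),
              "mismatched": [], "size_only": []}
    for key in sorted(src):
        if key not in dst:
            report["missing"].append(key)
            continue
        s, d = src[key], dst[key]
        if s["Size"] != d["Size"]:
            report["mismatched"].append(key)
        elif "-" in s["ETag"] or "-" in d["ETag"]:
            report["size_only"].append(key)  # multipart: ETag is not a plain MD5
        elif s["ETag"] != d["ETag"]:
            report["mismatched"].append(key)
    return report


def non_ascii_keys(inventory):
    """Keys that may hit the cross-region URI parsing failure quoted above."""
    return sorted(o["Key"] for o in inventory if not o["Key"].isascii())
```

Objects reported under size_only should be re-verified with a checksum (for example a multipart-aware MD5 or a HEAD comparison of a checksum header) rather than trusted on size alone.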

Bike trip: Prachatice – Plesovice

  • Length: ~47 km
  • Duration: ~6 hrs
  • Type: mix of everything haha … road, gravel, single trail
  • Difficulty: medium
  • Transport: train on both start/end points

Start at Prachatice train station and follow the red tourist route to the top of Libín. In the forest the red route becomes single trail and there are unrideable parts. Sometimes it is possible to go around a steep or rocky part of the red route by going to the sides.

From the top of Libín follow the blue tourist route to Chroboly. This is mostly single trail, sometimes easy and sometimes pretty technical, with rock formations along the route.

From Chroboly there is a short segment on the road. Then take another red tourist route and another climb to Ktiš. This time the climb is mostly on gravel roads.

From Ktiš another tourist route is possible, the green one. The issue is that it goes partly through a military area. The area is open on weekends and it is possible to use the marked routes there, but the gravel roads there are completely unmaintained and muddy, so I don't recommend going there. We left it very quickly, because it was not a ride anymore. So use the road to Chvalšiny and enjoy the gas station in the middle of the main square there :)

The rest of the route is climbs and downhills while keeping roughly the same altitude contour around Kleť. You can end at any train station there: Český Krumlov, Zlatá Koruna, Plešovice (I recommend the pub/restaurant right next to the train stop) or even go further.

Route at mapy.cz or GPX download.

Bike trip: Petříkov – Velešín

  • Length: ~35 km
  • Duration: ~3 hrs (no rush, but just one short stop on the other hand)
  • Type: mostly double track / gravel roads
  • Difficulty: easy
  • Transport: train on both start/end points

There are only two single-trail segments: the downhill from a hilltop above Olešnice down to Hrádek (the only one requiring technical skill) and the one between Hamr and the road to Besednice.

Route at mapy.cz or GPX download.

Accidentally deleted user recovery (Active Directory & Exchange 2013)

Start by recovering the user in Active Directory. Download and unzip the AdRestore utility.

Run adrestore to see all deleted objects, or adrestore string to filter the list by string. Find the user you want to recover and run adrestore once more with /r to restore the objects; you will be prompted one by one.

Now the account will reappear in Active Directory, but it will be disabled. Use whatever way you like (GUI or command line) to change the password and enable the account again. Optionally add the user back to the groups you want.

Now move to Exchange …

If you deleted the user in Active Directory, it disappears from EAC, but its mailbox state is not changed immediately in the Exchange database (it changes when regular database maintenance is performed), so we need to update it manually. To do so, we first need to find the mailbox GUID.

Open the Exchange Management Shell and run the following command to list the details of all mailboxes. Find the GUID of the mailbox you want to recover.

Get-MailboxDatabase | Get-MailboxStatistics | Format-List DisplayName, MailboxGuid, Database, DisconnectReason, DisconnectDate

Update the mailbox state for that particular mailbox, replacing the Exchange database name and the GUID you found in the previous step:

Update-StoreMailboxState -Database "db_name" -Identity "guid"

Then go to the Exchange Admin Center, Recipients / Mailboxes, click ... in the icon line and select Connect Mailbox.

Now you should see the disconnected mailbox you want to recover. Select it and click the connect icon.

You'll get a warning that there is no corresponding user and you must connect it to a different user. It can be any user that does not have a connected mailbox yet. That's alright, as the account you recovered in Active Directory does not have a mailbox yet. So go ahead. In the following wizard select User mailbox and then the account you recovered.

At the end you may get a notification that the changes will take effect when Active Directory replication occurs.

If you want to be sure, trigger replication manually on any domain controller:

repadmin /syncall

Now you should be able to access the mailbox again.