
Cross Account AWS S3 Bucket Replication

S3 bucket replication is a feature that automatically copies objects between S3 buckets, either within one AWS account or across accounts. It adds data redundancy, helps meet compliance requirements, and strengthens disaster recovery.

This guide outlines the steps necessary for setting up cross-account S3 replication between two AWS accounts. By carefully implementing specific IAM roles, policies, and configurations in both the destination and source accounts, users can securely and efficiently automate the replication of objects across different S3 buckets. Whether running a multi-account AWS environment or collaborating with partners, understanding and utilizing cross-account S3 replication ensures that your data is consistently available and adequately protected.

Dive into the detailed instructions below to configure cross-account replication between your source and destination buckets effectively, and leverage AWS's powerful capabilities to maintain control over your distributed cloud infrastructure.

1. DESTINATION ACCOUNT CONFIGURATIONS

In the destination account, open destination-bucket and add the following S3 bucket policy. The principal is the replication role that the source account creates in section 2, so the account ID in the ARN must be the source account's ID.

{
  "Version": "2012-10-17",
  "Id": "",
  "Statement": [
    {
      "Sid": "Set permissions for objects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::624165964329:role/s3-replication-source-bucket-role"
      },
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Resource": "arn:aws:s3:::destination-bucket/*"
    },
    {
      "Sid": "Set permissions on bucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::624165964329:role/s3-replication-source-bucket-role"
      },
      "Action": [
        "s3:List*",
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning"
      ],
      "Resource": "arn:aws:s3:::destination-bucket"
    }
  ]
}
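The bucket policy above is the only thing standing between the destination bucket and writes from another account, so it is worth generating it from the source account ID and role name rather than hand-editing ARNs, and auditing the result before attaching it. The following is an added example (not code from the guide) that builds the policy with the same two statements and then checks that every Allow statement names exactly the replication role (not "*" or an account root), only the replication actions the guide lists, and only destination-bucket resources. The account ID, role and bucket names are placeholders; the audit function can also be pointed at a policy pulled with get-bucket-policy.

```python
import json

# Placeholders (constructed for this example): replace with your own values.
SOURCE_ACCOUNT_ID = "111111111111"
REPLICATION_ROLE = "s3-replication-source-bucket-role"
DEST_BUCKET = "destination-bucket"

# The two action sets the guide's destination policy grants: object-level replication
# actions on the bucket contents, bucket-level actions on the bucket itself.
OBJECT_ACTIONS = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ObjectOwnerOverrideToBucketOwner"]
BUCKET_ACTIONS = ["s3:List*", "s3:GetBucketVersioning", "s3:PutBucketVersioning"]


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def build_destination_bucket_policy(source_account_id, role_name, dest_bucket):
    """Return the guide's destination bucket policy with principal and bucket filled in."""
    principal = {"AWS": role_arn(source_account_id, role_name)}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Set permissions for objects",
                "Effect": "Allow",
                "Principal": principal,
                "Action": list(OBJECT_ACTIONS),
                "Resource": f"arn:aws:s3:::{dest_bucket}/*",
            },
            {
                "Sid": "Set permissions on bucket",
                "Effect": "Allow",
                "Principal": principal,
                "Action": list(BUCKET_ACTIONS),
                "Resource": f"arn:aws:s3:::{dest_bucket}",
            },
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list in Principal.AWS, Action and Resource.
    return value if isinstance(value, list) else [value]


def audit_destination_policy(policy, expected_principal_arn, dest_bucket):
    """Return findings for anything broader than the guide's policy; [] means scoped as intended."""
    findings = []
    allowed_actions = set(OBJECT_ACTIONS) | set(BUCKET_ACTIONS)
    allowed_resources = {f"arn:aws:s3:::{dest_bucket}", f"arn:aws:s3:::{dest_bucket}/*"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not audited here
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            if p == "*":
                findings.append(f"{sid}: Principal '*' lets any AWS identity write replicas here")
            elif p.endswith(":root"):
                findings.append(f"{sid}: principal {p} is a whole account, not the replication role")
            elif p != expected_principal_arn:
                findings.append(f"{sid}: unexpected principal {p}")
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "s3:*"):
                findings.append(f"{sid}: action {action} is far broader than replication needs")
            elif action not in allowed_actions:
                findings.append(f"{sid}: action {action} is not needed for replication")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in allowed_resources:
                findings.append(f"{sid}: resource {resource} is outside {dest_bucket}")
    return findings


if __name__ == "__main__":
    policy = build_destination_bucket_policy(SOURCE_ACCOUNT_ID, REPLICATION_ROLE, DEST_BUCKET)
    print(json.dumps(policy, indent=2))
    expected = role_arn(SOURCE_ACCOUNT_ID, REPLICATION_ROLE)
    print("findings:", audit_destination_policy(policy, expected, DEST_BUCKET))
```

Run as a script it prints the generated policy and an empty findings list; feeding it a policy whose principal has drifted to "*" or whose actions were widened to s3:* produces one finding per problem, which is the check to run before trusting a destination bucket policy that someone else edited.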

2. SOURCE ACCOUNT CONFIGURATIONS

In the source account, go to IAM policies and create the s3-replication-source-bucket-policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetReplicationConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::source-bucket",
        "arn:aws:s3:::source-bucket/*",
        "arn:aws:s3:::destination-bucket",
        "arn:aws:s3:::destination-bucket/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::source-bucket/*",
        "arn:aws:s3:::destination-bucket/*"
      ]
    }
  ]
}

Go to IAM roles and create the s3-replication-source-bucket-role:

  • Type of Trusted Entity: AWS Service
  • Use Case: S3
  • Policy Name: s3-replication-source-bucket-policy
  • Role Name: s3-replication-source-bucket-role

Go to IAM policies and create the batch-operation-source-bucket-policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:InitiateReplication"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::source-bucket/*"
      ]
    },
    {
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:PutInventoryConfiguration"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::source-bucket"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::source-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::source-bucket/*"
      ]
    }
  ]
}

Go to IAM roles and create the batch-operation-source-bucket-role:

  • Type of Trusted Entity: AWS Service
  • Use Case: S3
  • Policy Name: batch-operation-source-bucket-policy
  • Role Name: batch-operation-source-bucket-role

Go to source-bucket and select Management > Replication Rules > Create Replication Rule, then fill in the rule as follows:

1. Replication Rule Name: source-bucket-to-destination-bucket-replication

2. Status: Enable

3. Source Bucket: source-bucket

  • Choose a rule scope as "Prefix" and add the prefix (example: production/ae/responses/)

4. Destination:

  • Choose 'specify a bucket in another account'
  • Account ID: <destination-bucket-account-id>
  • Bucket Name: destination-bucket
  • Change object ownership to destination bucket owner: true

5. IAM Role: s3-replication-source-bucket-role

6. Encryption: Unchecked

7. Destination Storage Class: Unchecked

8. Additional Replication Options

  • Delete marker replication: true

After saving, you will be asked if you want to replicate current items. Make sure to choose YES, as this action will initiate a Batch Operations task.

In the Batch Operations job, select the following:

  • IAM Role: batch-operation-source-bucket-role
  • Manifest source bucket: s3://source-bucket/replication-report

This task will require some time to finish. Upon completion, you will observe objects in the destination bucket.
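The eight console steps above map onto a single ReplicationConfiguration document, which is what you would put under version control or apply with the AWS CLI or boto3 instead of clicking through the console for each environment. The following is an added example, not the guide's own code, that builds that document from the same rule name, prefix, destination account, owner override and delete-marker settings, validates it for the mistakes that get PutBucketReplication rejected or leave replicas owned by the wrong account (a filtered rule without Priority or DeleteMarkerReplication, a cross-account destination without AccessControlTranslation), refuses to apply it unless the source bucket is versioned (S3 requires versioning on both buckets), and then calls put_bucket_replication. The account IDs are placeholders, and the S3 client is injected so the example runs offline against a constructed fake; pass boto3.client("s3") for the real thing.

```python
# Placeholders (constructed for this example): replace with your own account ids.
SOURCE_ACCOUNT_ID = "111111111111"
DEST_ACCOUNT_ID = "222222222222"
SOURCE_BUCKET = "source-bucket"
DEST_BUCKET = "destination-bucket"
REPLICATION_ROLE = "s3-replication-source-bucket-role"


def build_replication_configuration(source_account_id, dest_account_id, dest_bucket,
                                    role_name, prefix, rule_id):
    """ReplicationConfiguration equivalent to the console steps in the guide."""
    return {
        "Role": f"arn:aws:iam::{source_account_id}:role/{role_name}",  # step 5
        "Rules": [
            {
                "ID": rule_id,                                           # step 1
                "Priority": 0,                                           # required once Filter is used
                "Status": "Enabled",                                     # step 2
                "Filter": {"Prefix": prefix},                            # step 3, prefix scope
                "Destination": {                                         # step 4
                    "Bucket": f"arn:aws:s3:::{dest_bucket}",
                    "Account": dest_account_id,
                    "AccessControlTranslation": {"Owner": "Destination"},  # owner override
                },
                "DeleteMarkerReplication": {"Status": "Enabled"},        # step 8
            }
        ],
    }


def validate_replication_configuration(cfg, source_account_id):
    """Return a list of problems; [] means the configuration is consistent."""
    problems = []
    if not cfg.get("Role", "").startswith(f"arn:aws:iam::{source_account_id}:role/"):
        problems.append("Role must be an IAM role in the source account")
    for rule in cfg.get("Rules", []):
        rid = rule.get("ID", "<no ID>")
        if rule.get("Status") != "Enabled":
            problems.append(f"{rid}: rule is not Enabled")
        if "Filter" in rule:
            if "Priority" not in rule:
                problems.append(f"{rid}: Priority is required when Filter is used")
            if "DeleteMarkerReplication" not in rule:
                problems.append(f"{rid}: DeleteMarkerReplication must be set when Filter is used")
        dest = rule.get("Destination", {})
        if not dest.get("Bucket", "").startswith("arn:aws:s3:::"):
            problems.append(f"{rid}: Destination.Bucket must be a bucket ARN")
        if "AccessControlTranslation" in dest and "Account" not in dest:
            problems.append(f"{rid}: AccessControlTranslation needs Destination.Account")
        cross_account = dest.get("Account") and dest["Account"] != source_account_id
        if cross_account and dest.get("AccessControlTranslation", {}).get("Owner") != "Destination":
            problems.append(f"{rid}: cross-account destination without owner override; "
                            "replicas stay owned by the source account")
    return problems


def apply_replication(s3_client, source_bucket, cfg, source_account_id):
    """Validate, check versioning on the source bucket, then apply with a boto3-style client."""
    problems = validate_replication_configuration(cfg, source_account_id)
    if problems:
        raise ValueError("; ".join(problems))
    if s3_client.get_bucket_versioning(Bucket=source_bucket).get("Status") != "Enabled":
        raise RuntimeError(f"{source_bucket}: enable versioning before configuring replication")
    s3_client.put_bucket_replication(Bucket=source_bucket, ReplicationConfiguration=cfg)
    return cfg


class FakeS3Client:
    """Constructed offline stand-in for boto3.client('s3'); records the call it receives."""

    def __init__(self, versioning_status="Enabled"):
        self.versioning_status = versioning_status
        self.calls = []

    def get_bucket_versioning(self, Bucket):
        return {"Status": self.versioning_status}

    def put_bucket_replication(self, Bucket, ReplicationConfiguration):
        self.calls.append((Bucket, ReplicationConfiguration))


def demo(versioning_status="Enabled"):
    """Build the guide's rule and apply it to the fake client; returns the recorded calls."""
    cfg = build_replication_configuration(SOURCE_ACCOUNT_ID, DEST_ACCOUNT_ID, DEST_BUCKET,
                                          REPLICATION_ROLE, "production/ae/responses/",
                                          "source-bucket-to-destination-bucket-replication")
    client = FakeS3Client(versioning_status)
    apply_replication(client, SOURCE_BUCKET, cfg, SOURCE_ACCOUNT_ID)
    return client.calls


if __name__ == "__main__":
    for bucket, applied in demo():
        print(bucket, applied["Rules"][0]["ID"], applied["Rules"][0]["Destination"]["Account"])
```

Applying the same document after the destination bucket policy from section 1 is in place is the scripted equivalent of steps 1 through 8; the "replicate existing objects" prompt that follows in the console corresponds to the separate Batch Operations job described above and is not part of this call.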

S3 Replication Configurations