How can I set up cross-account replication across my Amazon S3 buckets with Object Lock?


I want to set up cross-account replication on an Amazon Simple Storage Service (Amazon S3) bucket where Object Lock is turned on.

Resolution

To set up cross-account replication on an Amazon S3 bucket with Object Lock, complete the following prerequisites:

  • Make sure that the destination bucket has Object Lock turned on. If Object Lock isn't turned on for the destination bucket, contact AWS Support with your request.
  • Make sure that you have access to the AWS Command Line Interface (AWS CLI) or AWS CloudShell.
  • Be sure that you have the Object Lock token before you start the replication.

Step 1: Create an IAM role for replication with necessary permissions

1.    Create a replication role in the AWS Identity and Access Management (IAM) console for the source account with a trust relationship for Amazon S3.

The trust relationship looks like the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

2.    Be sure to attach the following permissions to the IAM role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SourceBucketPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectRetention",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectVersionAcl",
        "s3:ListBucket",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectLegalHold",
        "s3:GetReplicationConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::SourceBucketName/*",
        "arn:aws:s3:::SourceBucketName"
      ]
    },
    {
      "Sid": "DestinationBucketPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:ReplicateObject",
        "s3:ObjectOwnerOverrideToBucketOwner",
        "s3:GetObjectVersionTagging",
        "s3:ReplicateTags",
        "s3:ReplicateDelete"
      ],
      "Resource": [
        "arn:aws:s3:::DestBucketName/*"
      ]
    }
  ]
}

3.    If you use AWS Key Management Service (AWS KMS) keys, then also attach the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SourceBucketPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectRetention",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectVersionAcl",
        "s3:ListBucket",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectLegalHold",
        "s3:GetReplicationConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::SourceBucketName/*",
        "arn:aws:s3:::SourceBucketName"
      ]
    },
    {
      "Sid": "DestinationBucketPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:ReplicateObject",
        "s3:ObjectOwnerOverrideToBucketOwner",
        "s3:GetObjectVersionTagging",
        "s3:ReplicateTags",
        "s3:ReplicateDelete"
      ],
      "Resource": [
        "arn:aws:s3:::DestBucketName/*"
      ]
    },
    {
      "Sid": "SourceBucketKMSKey",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Effect": "Allow",
      "Resource": "SourceBucketKMSKeyARN"
    },
    {
      "Sid": "DestinationBucketKMSKey",
      "Action": [
        "kms:Encrypt",
        "kms:GenerateDataKey"
      ],
      "Effect": "Allow",
      "Resource": "DestinationBucketKMSKeyARN"
    }
  ]
}

Step 2: Update the AWS KMS key permissions

Make sure that the AWS KMS key for the destination account allows access to the replication IAM role in the source account.

Example:

{
  "Sid": "AllowS3ReplicationSourceRoleToUseTheKey",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::123456789101:role/s3-replication-role"
  },
  "Action": [
    "kms:GenerateDataKey",
    "kms:Encrypt"
  ],
  "Resource": "*"
}

Note: You can't use the AWS managed key (aws/s3) for cross-account replication. However, you can use SSE-S3 encryption.

Note: If you use an asterisk (*) for Resource in the key policy, the policy grants the replication role permission on only this key, because in a key policy Resource * refers to the key that the policy is attached to. The policy doesn't allow the replication role to elevate its permissions.

Step 3: Add the following bucket policy to the destination account

In the Principal section, be sure to add the ARN of the replication IAM role that you created in Step 1.

{
  "Version": "2012-10-17",
  "Id": "PolicyForDestinationBucket",
  "Statement": [
    {
      "Sid": "ReplicationPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SourceBucket-account-ID:role/service-role/source-account-IAM-role"
      },
      "Action": [
        "s3:ReplicateDelete",
        "s3:ReplicateObject",
        "s3:ObjectOwnerOverrideToBucketOwner",
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning"
      ],
      "Resource": [
        "arn:aws:s3:::DestBucketName/*",
        "arn:aws:s3:::DestBucketName"
      ]
    }
  ]
}

Step 4: Create a replication.json file

Create a file called replication.json that looks similar to the following in the source account:

{
  "Role": "arn:aws:iam::123456789012:role/s3-replication-role",
  "Rules": [
    {
      "Status": "Enabled",
      "Priority": 10,
      "DeleteMarkerReplication": {
        "Status": "Disabled"
      },
      "Filter": {
        "Prefix": ""
      },
      "Destination": {
        "Bucket": "arn:aws:s3:::destination_bucket"
      }
    }
  ]
}

This file contains, in JSON format, the parameters that set up replication. These are the same parameters that you use when you set up replication in the Amazon S3 console. You must use the AWS CLI to set up replication, because you can't use the Amazon S3 console to do so yet.

Be sure to replace s3-replication-role with the IAM role from Step 1. Also include the ARN of the destination bucket, the prefix specification, and the delete marker preference, as needed.

Step 5: Set up replication

After saving the preceding configuration, pass the file using the following AWS CLI command:

aws s3api put-bucket-replication --bucket <SOURCE BUCKET> --replication-configuration file://replication.json --token <TOKEN>

To get the Object Lock token value to be used in this command, contact AWS Support. The <TOKEN> value is the Object Lock token for the source bucket.

Step 6: Verification

When you run the preceding command, the replication rule is added to the source bucket. This rule allows newly added objects to be replicated to the destination bucket. You can test the rule by adding new objects to the source bucket and checking the destination bucket.

Note: You can update the replication configuration using the Amazon S3 console after you set up replication. To replicate objects that are encrypted with AWS KMS, modify the replication configuration by selecting Replicate objects encrypted with AWS KMS under Encryption.
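As an added check for Steps 1 through 5 (example code written for this page, not AWS tooling), the script below builds the Step 4 configuration and verifies offline that the Step 1 role's trust policy and permissions policy grant the Object Lock-specific actions before you run the put-bucket-replication call. The account ID and bucket names in the sample inputs are constructed placeholders.

```python
import fnmatch

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _allows(policy, action, resource):
    """True if an Allow statement grants `action` on `resource` (IAM-style * wildcards)."""
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and any(fnmatch.fnmatch(action, a) for a in _as_list(stmt.get("Action")))
                and any(fnmatch.fnmatch(resource, r) for r in _as_list(stmt.get("Resource")))):
            return True
    return False

def build_replication_config(role_arn, dest_bucket, prefix="", replicate_delete_markers=False):
    """Build the replication.json document of Step 4 for the given role and destination."""
    return {"Role": role_arn, "Rules": [{
        "Status": "Enabled", "Priority": 10,
        "DeleteMarkerReplication": {"Status": "Enabled" if replicate_delete_markers else "Disabled"},
        "Filter": {"Prefix": prefix},
        "Destination": {"Bucket": f"arn:aws:s3:::{dest_bucket}"}}]}

# Object Lock metadata the role must read on the source, and what it must do on the destination
SOURCE_ACTIONS = ("s3:GetObjectVersionForReplication", "s3:GetObjectRetention", "s3:GetObjectLegalHold")
DEST_ACTIONS = ("s3:ReplicateObject", "s3:ObjectOwnerOverrideToBucketOwner")

def check_setup(trust_policy, role_policy, config, source_bucket, dest_bucket):
    """Return the problems found; an empty list means role and config agree with Steps 1 and 4."""
    problems = []
    if not any(s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))
               and s.get("Principal", {}).get("Service") == "s3.amazonaws.com"
               for s in trust_policy.get("Statement", [])):
        problems.append("trust policy does not let s3.amazonaws.com assume the role")
    for action in SOURCE_ACTIONS:
        if not _allows(role_policy, action, f"arn:aws:s3:::{source_bucket}/*"):
            problems.append(f"role lacks {action} on source objects")
    for action in DEST_ACTIONS:
        if not _allows(role_policy, action, f"arn:aws:s3:::{dest_bucket}/*"):
            problems.append(f"role lacks {action} on destination objects")
    for rule in config.get("Rules", []):
        if rule.get("Destination", {}).get("Bucket") != f"arn:aws:s3:::{dest_bucket}":
            problems.append("rule destination does not match the destination bucket")
    return problems

# Constructed sample inputs (placeholder account ID and bucket names, not from the article)
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": SOURCE_ACTIONS + ("s3:ListBucket",),
     "Resource": ["arn:aws:s3:::src-bucket", "arn:aws:s3:::src-bucket/*"]},
    {"Effect": "Allow", "Action": list(DEST_ACTIONS), "Resource": "arn:aws:s3:::dst-bucket/*"}]}
```

Run check_setup against the real policies you created (loaded from the IAM console or `aws iam get-role-policy` output) before passing the configuration to the Step 5 command.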

Related information

Configuring S3 Object Lock using the console

Turning on S3 Object Lock

Replicating objects created with server-side encryption (SSE-C, SSE-S3, SSE-KMS)

AWS OFFICIAL
Updated a year ago