
How can I set up cross-account replication across my Amazon S3 buckets with Object Lock?


I want to set up cross-account replication on an Amazon Simple Storage Service (Amazon S3) bucket where Object Lock is turned on.

Resolution

Turn on Object Lock for your destination bucket

To set up replication from a bucket that has Object Lock turned on, turn on Object Lock for the destination bucket as well.

Note: After you enable S3 Object Lock, you can't turn off Object Lock or suspend versioning for the bucket.

Create an IAM role for replication with necessary permissions

Create an AWS Identity and Access Management (IAM) role for replication in your IAM console for the source account with a trust relationship for Amazon S3.

Example:

  
{  "Version": "2012-10-17",  
  "Statement": [  
    {  
      "Effect": "Allow",  
      "Principal": {  
        "Service": "s3.amazonaws.com"  
      },  
      "Action": "sts:AssumeRole"  
    }  
  ]  
}

Attach the following permissions to the IAM role:

  
{  "Version": "2012-10-17",  
  "Statement": [  
    {  
      "Sid": "SourceBucketPermissions",  
      "Effect": "Allow",  
      "Action": [  
        "s3:GetObjectRetention",  
        "s3:GetObjectVersionTagging",  
        "s3:GetObjectVersionAcl",  
        "s3:ListBucket",  
        "s3:GetObjectVersionForReplication",  
        "s3:GetObjectLegalHold",  
        "s3:GetReplicationConfiguration"  
      ],  
      "Resource": [  
        "arn:aws:s3:::SourceBucketName/*",  
        "arn:aws:s3:::SourceBucketName"  
      ]  
    },  
    {  
      "Sid": "DestinationBucketPermissions",  
      "Effect": "Allow",  
      "Action": [  
        "s3:ReplicateObject",  
        "s3:ObjectOwnerOverrideToBucketOwner",  
        "s3:GetObjectVersionTagging",  
        "s3:ReplicateTags",  
        "s3:ReplicateDelete"  
      ],  
      "Resource": [  
        "arn:aws:s3:::DestBucketName/*"  
      ]  
    }  
  ]  
}

If you use AWS Key Management Service (AWS KMS) keys, then also attach the following permissions to your IAM role:

  
{  "Version": "2012-10-17",  
  "Statement": [  
    {  
      "Sid": "SourceBucketPermissions",  
      "Effect": "Allow",  
      "Action": [  
        "s3:GetObjectRetention",  
        "s3:GetObjectVersionTagging",  
        "s3:GetObjectVersionAcl",  
        "s3:ListBucket",  
        "s3:GetObjectVersionForReplication",  
        "s3:GetObjectLegalHold",  
        "s3:GetReplicationConfiguration"  
      ],  
      "Resource": [  
        "arn:aws:s3:::SourceBucketName/*",  
        "arn:aws:s3:::SourceBucketName"  
      ]  
    },  
    {  
      "Sid": "DestinationBucketPermissions",  
      "Effect": "Allow",  
      "Action": [  
        "s3:ReplicateObject",  
        "s3:ObjectOwnerOverrideToBucketOwner",  
        "s3:GetObjectVersionTagging",  
        "s3:ReplicateTags",  
        "s3:ReplicateDelete"  
      ],  
      "Resource": [  
        "arn:aws:s3:::DestBucketName/*"  
      ]  
    },  
    {  
      "Sid": "SourceBucketKMSKey",  
      "Action": [  
        "kms:Decrypt",  
        "kms:GenerateDataKey"  
      ],  
      "Effect": "Allow",  
      "Resource": "SourceBucketKMSKeyARN"  
    },  
    {  
      "Sid": "DestinationBucketKMSKey",  
      "Action": [  
        "kms:Encrypt",  
        "kms:GenerateDataKey"  
      ],  
      "Effect": "Allow",  
      "Resource": "DestinationBucketKMSKeyARN"  
    }  
  ]  
}
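Before wiring the role into a replication rule, it is worth auditing it the way a reviewer would: confirm that only the S3 service can assume it, and that its permissions policy carries every action the two policies above list while staying scoped to the two named buckets and (for SSE-KMS) the two named keys. The following script is an added example, not code from the AWS article; it embeds the article's trust policy and permissions policy as constructed sample input, with the article's placeholder names (SourceBucketName, DestBucketName, SourceBucketKMSKeyARN, DestinationBucketKMSKeyARN) standing in for real values. The split of actions into bucket-level and object-level is this example's own, so a policy that scopes them more tightly than the article's still passes.

```python
"""Audit the IAM role used for S3 cross-account replication.

Added example; not code from the AWS article. Checks that the role can only
be assumed by the S3 service and that its permissions policy contains every
action the article lists, scoped to the named buckets and keys only.
"""

# Bucket-level actions the article grants on the source bucket ARN ...
SOURCE_BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetReplicationConfiguration"}
# ... and object-level actions it grants on the source objects.
SOURCE_OBJECT_ACTIONS = {
    "s3:GetObjectRetention", "s3:GetObjectVersionTagging",
    "s3:GetObjectVersionAcl", "s3:GetObjectVersionForReplication",
    "s3:GetObjectLegalHold",
}
# Actions the article grants on objects in the destination bucket.
DEST_OBJECT_ACTIONS = {
    "s3:ReplicateObject", "s3:ObjectOwnerOverrideToBucketOwner",
    "s3:GetObjectVersionTagging", "s3:ReplicateTags", "s3:ReplicateDelete",
}
SOURCE_KMS_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}
DEST_KMS_ACTIONS = {"kms:Encrypt", "kms:GenerateDataKey"}


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(trust_policy):
    """Return findings if anything other than the S3 service may assume the role."""
    findings = []
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # "*" or missing
            findings.append("trust policy: wildcard or missing principal")
            continue
        if "AWS" in principal or "Federated" in principal:
            findings.append("trust policy: non-service principal may assume the role")
        for service in _as_list(principal.get("Service")):
            if service != "s3.amazonaws.com":
                findings.append(f"trust policy: unexpected service principal {service}")
    return findings


def allowed_actions_by_resource(policy):
    """Map each resource ARN in Allow statements to the actions allowed on it."""
    allowed = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for resource in _as_list(stmt.get("Resource")):
            allowed.setdefault(resource, set()).update(_as_list(stmt.get("Action")))
    return allowed


def check_permissions_policy(policy, source_bucket, dest_bucket,
                             source_key_arn=None, dest_key_arn=None):
    """Return findings for over-broad resources or required actions that are missing."""
    findings = []
    allowed = allowed_actions_by_resource(policy)
    for resource in allowed:
        # A replication role never needs "*" or an all-buckets wildcard.
        if resource == "*" or resource.startswith("arn:aws:s3:::*"):
            findings.append(f"resource too broad: {resource}")

    def require(resource, needed, label):
        for action in sorted(needed - allowed.get(resource, set())):
            findings.append(f"{label}: missing {action} on {resource}")

    require(f"arn:aws:s3:::{source_bucket}", SOURCE_BUCKET_ACTIONS, "source bucket")
    require(f"arn:aws:s3:::{source_bucket}/*", SOURCE_OBJECT_ACTIONS, "source objects")
    require(f"arn:aws:s3:::{dest_bucket}/*", DEST_OBJECT_ACTIONS, "destination objects")
    if source_key_arn:
        require(source_key_arn, SOURCE_KMS_ACTIONS, "source KMS key")
    if dest_key_arn:
        require(dest_key_arn, DEST_KMS_ACTIONS, "destination KMS key")
    return findings


# Constructed sample input mirroring the article's policies (placeholder names).
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "s3.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
SAMPLE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SourceBucketPermissions", "Effect": "Allow",
         "Action": sorted(SOURCE_BUCKET_ACTIONS | SOURCE_OBJECT_ACTIONS),
         "Resource": ["arn:aws:s3:::SourceBucketName/*", "arn:aws:s3:::SourceBucketName"]},
        {"Sid": "DestinationBucketPermissions", "Effect": "Allow",
         "Action": sorted(DEST_OBJECT_ACTIONS),
         "Resource": ["arn:aws:s3:::DestBucketName/*"]},
        {"Sid": "SourceBucketKMSKey", "Effect": "Allow",
         "Action": sorted(SOURCE_KMS_ACTIONS), "Resource": "SourceBucketKMSKeyARN"},
        {"Sid": "DestinationBucketKMSKey", "Effect": "Allow",
         "Action": sorted(DEST_KMS_ACTIONS), "Resource": "DestinationBucketKMSKeyARN"},
    ],
}

if __name__ == "__main__":
    report = check_trust_policy(SAMPLE_TRUST_POLICY) + check_permissions_policy(
        SAMPLE_PERMISSIONS_POLICY, "SourceBucketName", "DestBucketName",
        "SourceBucketKMSKeyARN", "DestinationBucketKMSKeyARN")
    print("\n".join(report) if report else "replication role policies look complete")
```

To run it against a real role, fetch the documents with `aws iam get-role` and `aws iam get-role-policy` (or `get-policy-version` for a managed policy) and pass the parsed JSON to the two check functions. A missing action here usually shows up later only as a FAILED replication status on the source object, so catching it at policy review time is cheaper.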

Update the AWS KMS key permissions

Configure the AWS KMS key in the destination account to allow access to the replication IAM role in the source account. You can use SSE-S3 encryption, but you can't use the AWS managed key aws/s3 for cross-account replication. For more information, see Replicating encrypted objects (SSE-S3, SSE-KMS, DSSE-KMS, SSE-C).

Example:

  
{  "Sid": "AllowS3ReplicationSourceRoleToUseTheKey",  
  "Effect": "Allow",  
  "Principal": {  
    "AWS": "arn:aws:iam::123456789101:role/s3-replication-role"  
  },  
  "Action": [  
    "kms:GenerateDataKey",  
    "kms:Encrypt"  
  ],  
  "Resource": "*"  
}

Note: In a KMS key policy, a wildcard (*) in Resource refers only to the key that the policy is attached to. The statement therefore grants the replication IAM role permission on that one AWS KMS key and doesn't allow the role to elevate its permissions.

Add the following bucket policy to the destination account

In the Principal section, add the Amazon Resource Name (ARN) of the replication IAM role that you created.

Example:

  
{  "Version": "2012-10-17",  
  "Id": "PolicyForDestinationBucket",  
  "Statement": [  
    {  
      "Sid": "ReplicationPermissions",  
      "Effect": "Allow",  
      "Principal": {  
        "AWS": "arn:aws:iam::SourceBucket-account-ID:role/service-role/source-account-IAM-role"  
      },  
      "Action": [  
        "s3:ReplicateDelete",  
        "s3:ReplicateObject",  
        "s3:ObjectOwnerOverrideToBucketOwner",  
        "s3:GetBucketVersioning",  
        "s3:PutBucketVersioning"  
      ],  
      "Resource": [  
        "arn:aws:s3:::DestBucketName/*",  
        "arn:aws:s3:::DestBucketName"  
      ]  
    }  
  ]  
}

Create a replication rule on your source bucket

Complete the following steps:

  1. Open the Amazon S3 console.
  2. Choose Buckets, and then select your source bucket.
  3. Choose the Management tab.
  4. Under Replication rules, choose Create replication rule.
  5. Enter a name for your rule.
  6. Under Source bucket, choose a rule scope to determine whether replication applies to a specific object prefix or to the bucket's entire contents.
  7. Under Destination, select Specify a bucket in another account, and then enter the name of the destination bucket and the account ID.
  8. Under IAM role, choose Choose from existing IAM roles.
  9. Choose Create new role, or enter the ARN of the IAM role that you already created (for example, the role that your existing replication rules use).
  10. To replicate objects that are encrypted with AWS KMS, under Encryption, select Replicate objects encrypted with AWS Key Management Service (AWS KMS), and then enter the ARN of your AWS KMS key.
  11. (Optional) Configure the Destination storage class and Additional replication options.
  12. Review the configuration, and then choose Save.
  13. (Optional) Replicate existing objects with a one-time Amazon S3 Batch Operations job.
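The same rule can be created with the S3 API instead of the console, which also makes it reviewable as code. The script below is an added example, not code from the AWS article: it checks the destination-bucket prerequisites from the preceding sections (Object Lock turned on, versioning enabled) against constructed `get_object_lock_configuration` and `get_bucket_versioning` responses, builds the `ReplicationConfiguration` document that `put_bucket_replication` expects, and only calls boto3 when `apply=True`, so by default it runs offline. The account IDs, bucket names, role ARN and key ARN are constructed placeholders.

```python
"""Build (and optionally apply) the cross-account replication rule with the S3 API.

Added example; not code from the AWS article. Offline unless apply=True.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# A key ARN, as opposed to an alias ARN such as ...:alias/aws/s3.
KMS_KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]+$")


def preflight(dest_object_lock, dest_versioning):
    """Check destination prerequisites from get_object_lock_configuration and
    get_bucket_versioning responses: Object Lock turned on, versioning enabled."""
    problems = []
    cfg = dest_object_lock.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        problems.append("destination bucket does not have Object Lock turned on")
    if dest_versioning.get("Status") != "Enabled":
        problems.append("destination bucket versioning is not Enabled")
    return problems


def build_replication_configuration(role_arn, dest_bucket, dest_account_id,
                                    replica_kms_key_arn=None, prefix=""):
    """Return the ReplicationConfiguration document for put_bucket_replication."""
    if not ACCOUNT_ID_RE.match(dest_account_id):
        raise ValueError("destination account ID must be 12 digits")
    if not role_arn.startswith("arn:aws:iam::"):
        raise ValueError("role_arn must be an IAM role ARN")
    rule = {
        "ID": "cross-account-object-lock-replication",
        "Priority": 1,
        "Status": "Enabled",
        # Rule scope: a prefix, or the whole bucket when prefix is empty.
        "Filter": {"Prefix": prefix} if prefix else {},
        # Required whenever Filter is used; delete markers are not replicated here.
        "DeleteMarkerReplication": {"Status": "Disabled"},
        "Destination": {
            "Bucket": f"arn:aws:s3:::{dest_bucket}",
            "Account": dest_account_id,
            # Hand ownership of replicas to the destination account; this pairs with
            # s3:ObjectOwnerOverrideToBucketOwner in the role and bucket policies.
            "AccessControlTranslation": {"Owner": "Destination"},
        },
    }
    if replica_kms_key_arn:
        # Reject aliases and malformed values up front. Whether the key is a
        # customer managed key rather than the AWS managed aws/s3 key still has
        # to be confirmed in KMS; the article rules out aws/s3 for cross-account use.
        if not KMS_KEY_ARN_RE.match(replica_kms_key_arn):
            raise ValueError("replica_kms_key_arn must be a KMS key ARN, not an alias")
        rule["SourceSelectionCriteria"] = {"SseKmsEncryptedObjects": {"Status": "Enabled"}}
        rule["Destination"]["EncryptionConfiguration"] = {"ReplicaKmsKeyID": replica_kms_key_arn}
    return {"Role": role_arn, "Rules": [rule]}


def configure_replication(source_bucket, config, apply=False):
    """Print the document; call put_bucket_replication only when apply=True."""
    print(json.dumps(config, indent=2))
    if apply:
        import boto3  # only needed for the real call
        boto3.client("s3").put_bucket_replication(
            Bucket=source_bucket, ReplicationConfiguration=config)
    return config


if __name__ == "__main__":
    # Constructed responses standing in for calls against the destination bucket.
    problems = preflight({"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
                         {"Status": "Enabled"})
    if problems:
        raise SystemExit("\n".join(problems))
    config = build_replication_configuration(
        role_arn="arn:aws:iam::111111111111:role/s3-replication-role",
        dest_bucket="DestBucketName",
        dest_account_id="222222222222",
        replica_kms_key_arn="arn:aws:kms:us-east-1:222222222222:key/"
                            "11111111-2222-3333-4444-555555555555",
    )
    configure_replication("SourceBucketName", config, apply=False)
```

`AccessControlTranslation` with `Owner: Destination` is what the console's "Change object ownership to destination bucket owner" option sets; leaving it out means replicas stay owned by the source account, which is usually not what a cross-account setup wants. Step 13 (existing objects) is not covered by this rule and still needs a Batch Operations job.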

Verify that replication works across accounts

To test the replication rule, add new objects to the source bucket, and then check the destination bucket for replicated objects.
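Checking the destination bucket by eye confirms that an object arrived, but not that it arrived with its lock settings. The following added example (not code from the AWS article) compares the source object version with its replica using the fields that `head_object` returns: `ReplicationStatus` is COMPLETED, PENDING or FAILED on the source and REPLICA on the destination, and the Object Lock mode, retain-until date and legal hold status are expected to match. The two dicts are constructed sample data in the shape of `head_object` responses (the retain-until date is a string here, whereas boto3 returns a datetime), so the script runs without AWS access.

```python
"""Compare a source object version with its replica after cross-account replication.

Added example; not code from the AWS article. Input dicts have the shape of
boto3 head_object responses; the samples below are constructed.
"""

LOCK_FIELDS = ("ObjectLockMode", "ObjectLockRetainUntilDate", "ObjectLockLegalHoldStatus")


def verify_replica(source_head, replica_head):
    """Return findings; an empty list means the object replicated with its lock settings."""
    findings = []
    status = source_head.get("ReplicationStatus")
    if status == "PENDING":
        findings.append("source: replication still PENDING, check again later")
    elif status == "FAILED":
        findings.append("source: replication FAILED, review the role, bucket and key policies")
    elif status != "COMPLETED":
        # No status at all usually means the object was outside the rule's scope.
        findings.append(f"source: unexpected ReplicationStatus {status!r}, check the rule scope")
    if replica_head.get("ReplicationStatus") != "REPLICA":
        findings.append("destination: object is not marked as a REPLICA")
    # Object Lock settings are expected to be carried over with the object;
    # a mismatch means the replica is not protected the way the source is.
    for field in LOCK_FIELDS:
        if source_head.get(field) != replica_head.get(field):
            findings.append(f"destination: {field} differs from source "
                            f"({source_head.get(field)!r} vs {replica_head.get(field)!r})")
    return findings


# Constructed sample responses for one object version in each bucket.
SAMPLE_SOURCE = {
    "ReplicationStatus": "COMPLETED",
    "ServerSideEncryption": "aws:kms",
    "ObjectLockMode": "COMPLIANCE",
    "ObjectLockRetainUntilDate": "2030-01-01T00:00:00Z",
    "ObjectLockLegalHoldStatus": "OFF",
}
SAMPLE_REPLICA = dict(SAMPLE_SOURCE, ReplicationStatus="REPLICA")

if __name__ == "__main__":
    # In practice: s3.head_object(Bucket=..., Key=..., VersionId=...) in each account.
    for label, replica in (("good", SAMPLE_REPLICA),
                           ("no lock", {"ReplicationStatus": "REPLICA"})):
        findings = verify_replica(SAMPLE_SOURCE, replica)
        print(f"{label}: {'ok' if not findings else '; '.join(findings)}")
```

Run the check against a few freshly uploaded objects from each prefix in scope. An unexpected `None` status on the source is the quickest way to spot a rule whose prefix filter does not cover the objects you expected it to.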

Related information

Configuring S3 Object Lock

How S3 Object Lock works

AWS OFFICIAL, updated 9 months ago
2 Comments

Worth noting that there is no longer a need to contact AWS support to enable S3 Object Lock on an existing bucket. ref https://aws.amazon.com/about-aws/whats-new/2023/11/amazon-s3-enabling-object-lock-buckets/

AWS EXPERT, replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR, replied a year ago