
How do I set up cross-account, cross-Region replication for my Amazon S3 bucket that's encrypted with AWS KMS?

I have an Amazon Simple Storage Service (Amazon S3) bucket with AWS Key Management Service (AWS KMS) encryption. I want to set up replication across multiple AWS Regions and AWS accounts for objects in my bucket.

Short description

To replicate objects from a source bucket that's encrypted with AWS KMS, you must use AWS KMS encryption in the destination bucket. Also, the AWS KMS key for your destination bucket must be in the same Region as the destination bucket.

Note: If your source bucket and destination bucket are in different Regions, then they must have different AWS KMS keys.

Create an S3 bucket for your destination

Create a new destination S3 bucket in the same Region as your AWS KMS key.

When you create the bucket, you must activate versioning to use Amazon S3 replication.

Note: It's a best practice to use the new AWS KMS key as your default encryption so that the bucket uses only one AWS KMS key.

To reduce encryption costs, activate S3 Bucket Keys on your bucket.

(Optional) Edit the permissions of the replication IAM role

When you create the replication rule, you can also create an AWS Identity and Access Management (IAM) role. The IAM role must allow Amazon S3 to get, replicate, encrypt, and decrypt objects. Before Amazon S3 can move objects to another Region, the role must have permission to decrypt the objects with the source bucket's key, and then encrypt them with the destination bucket's key.

Complete the following steps to configure permissions for buckets that have existing replication rules:

  1. Confirm that your IAM role has the following trust relationship with Amazon S3:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "s3.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  2. Confirm that the IAM role has the following permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SourceBucketPermissions",
          "Effect": "Allow",
          "Action": [
            "s3:GetObjectVersionTagging",
            "s3:GetObjectVersionAcl",
            "s3:ListBucket",
            "s3:GetObjectVersionForReplication",
            "s3:GetReplicationConfiguration"
          ],
          "Resource": [
            "arn:aws:s3:::SourceBucketName/*",
            "arn:aws:s3:::SourceBucketName"
          ]
        },
        {
          "Sid": "DestinationBucketPermissions",
          "Effect": "Allow",
          "Action": [
            "s3:ReplicateObject",
            "s3:ObjectOwnerOverrideToBucketOwner",
            "s3:GetObjectVersionTagging",
            "s3:ReplicateTags",
            "s3:ReplicateDelete"
          ],
          "Resource": [
            "arn:aws:s3:::DestinationBucketName/*"
          ]
        },
        {
          "Sid": "SourceBucketKMSKey",
          "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Effect": "Allow",
          "Resource": "SourceBucketKMSKeyARN"
        },
        {
          "Sid": "DestinationBucketKMSKey",
          "Action": [
            "kms:Encrypt",
            "kms:GenerateDataKey"
          ],
          "Effect": "Allow",
          "Resource": "DestinationBucketKMSKeyARN"
        }
      ]
    }

Note: Replace SourceBucketName with the name of your source bucket, and DestinationBucketName with the name of your destination bucket. Also, replace SourceBucketKMSKeyARN with the Amazon Resource Name (ARN) of your source bucket's AWS KMS key, and DestinationBucketKMSKeyARN with the ARN of your destination bucket's AWS KMS key. The preceding permissions allow the role to read objects in the source bucket and replicate them to the destination bucket. They also allow the role to decrypt objects with the source bucket's AWS KMS key and encrypt them with the destination bucket's AWS KMS key.

Update the key policy to allow the IAM role to use both keys in source and destination buckets

Change the policy of each AWS KMS key so that the IAM role can use both keys: the source bucket's key to decrypt objects, and the destination bucket's key to encrypt them. An IAM policy on the role is not enough on its own; the key policy must also grant the role access.
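As an added example that is not part of the article, the following Python builds the role trust policy, the role permissions policy, and the key-policy statements described in the two sections above from a few parameters, and adds two checks a practitioner wants before enabling the rule: which (action, resource) grants an existing role policy is missing compared with the required one, and whether the destination key really lives in the destination bucket's Region. The bucket names, account IDs, role name, and key ARNs are constructed placeholders, not values from the article.

```python
"""Generate and check the IAM and KMS policy documents for SSE-KMS replication."""
import json
import re

# Constructed placeholder values (not from the article); replace with your own.
SOURCE_BUCKET = "example-source-bucket"
DEST_BUCKET = "example-destination-bucket"
SOURCE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
DEST_KEY_ARN = "arn:aws:kms:us-west-2:444455556666:key/0987dcba-09fe-87dc-65ba-ab0987654321"
ROLE_ARN = "arn:aws:iam::111122223333:role/example-s3-replication-role"

KMS_KEY_ARN = re.compile(r"^arn:aws:kms:([a-z0-9-]+):\d{12}:key/[0-9a-f-]+$")


def kms_key_region(key_arn):
    """Return the Region embedded in a KMS key ARN; raise if it is not a key ARN."""
    match = KMS_KEY_ARN.match(key_arn)
    if not match:
        raise ValueError(f"not a KMS key ARN: {key_arn}")
    return match.group(1)


def trust_policy():
    """Trust policy that lets the Amazon S3 service assume the replication role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "s3.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


def role_policy(source_bucket, dest_bucket, source_key_arn, dest_key_arn):
    """Permissions policy for the role: read the source bucket, write the destination
    bucket, decrypt with the source key, encrypt with the destination key."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "SourceBucketPermissions", "Effect": "Allow",
         "Action": ["s3:GetObjectVersionTagging", "s3:GetObjectVersionAcl", "s3:ListBucket",
                    "s3:GetObjectVersionForReplication", "s3:GetReplicationConfiguration"],
         "Resource": [f"arn:aws:s3:::{source_bucket}/*", f"arn:aws:s3:::{source_bucket}"]},
        {"Sid": "DestinationBucketPermissions", "Effect": "Allow",
         "Action": ["s3:ReplicateObject", "s3:ObjectOwnerOverrideToBucketOwner",
                    "s3:GetObjectVersionTagging", "s3:ReplicateTags", "s3:ReplicateDelete"],
         "Resource": [f"arn:aws:s3:::{dest_bucket}/*"]},
        {"Sid": "SourceBucketKMSKey", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": source_key_arn},
        {"Sid": "DestinationBucketKMSKey", "Effect": "Allow",
         "Action": ["kms:Encrypt", "kms:GenerateDataKey"], "Resource": dest_key_arn},
    ]}


def key_policy_statement(role_arn, side):
    """Statement to append to the source ('source') or destination ('destination') key
    policy. Resource is "*" because a key policy applies only to its own key."""
    actions = {"source": ["kms:Decrypt", "kms:GenerateDataKey"],
               "destination": ["kms:Encrypt", "kms:GenerateDataKey"]}[side]
    return {"Sid": f"AllowReplicationRoleOn{side.capitalize()}Key", "Effect": "Allow",
            "Principal": {"AWS": role_arn}, "Action": actions, "Resource": "*"}


def _grants(policy):
    """Flatten Allow statements into (action, resource) pairs. Exact matches only:
    wildcards, conditions and Deny statements are not interpreted."""
    pairs = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        pairs.update((a, r) for a in actions for r in resources)
    return pairs


def missing_grants(existing_policy, required_policy):
    """(action, resource) pairs that the required policy grants and the existing one lacks."""
    return sorted(_grants(required_policy) - _grants(existing_policy))


def check_key_placement(dest_key_arn, dest_bucket_region):
    """The destination key must be in the same Region as the destination bucket."""
    key_region = kms_key_region(dest_key_arn)
    if key_region != dest_bucket_region:
        return [f"destination key is in {key_region}, bucket is in {dest_bucket_region}"]
    return []


if __name__ == "__main__":
    required = role_policy(SOURCE_BUCKET, DEST_BUCKET, SOURCE_KEY_ARN, DEST_KEY_ARN)
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(required, indent=2))
    print(json.dumps(key_policy_statement(ROLE_ARN, "destination"), indent=2))
    # A role policy written before the buckets used SSE-KMS lacks the key statements.
    legacy = {"Version": "2012-10-17", "Statement": required["Statement"][:2]}
    print("missing grants:", missing_grants(legacy, required))
    print("key placement:", check_key_placement(DEST_KEY_ARN, "us-west-2"))
```

The generated documents can be applied with `aws iam put-role-policy` and `aws kms put-key-policy`; `missing_grants` is meant to be run against the role's current inline policy (from `aws iam get-role-policy`) so that a role that predates KMS encryption is caught before replication silently fails.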

Change the destination bucket's policy to allow replication to the bucket

Change the destination bucket's policy to the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DestinationBucketPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNTNUMBER:role/IAMROLE"
      },
      "Action": [
        "s3:ReplicateObject",
        "s3:ObjectOwnerOverrideToBucketOwner",
        "s3:GetObjectVersionTagging",
        "s3:ReplicateTags",
        "s3:ReplicateDelete",
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning"
      ],
      "Resource": [
        "arn:aws:s3:::DestinationBucketName/*",
        "arn:aws:s3:::DestinationBucketName"
      ]
    }
  ]
}

Note: Replace ACCOUNTNUMBER with the account number of the source bucket's account, IAMROLE with the name of your replication IAM role, and DestinationBucketName with the name of the destination bucket.
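The following is an added example, not the article's own code: it builds the destination bucket policy above from the source account ID, role name, and bucket name, and audits an existing bucket policy (as returned by `aws s3api get-bucket-policy`) to confirm that the replication role is granted every required action on the right resource and that none of the replication actions is open to every principal. The account ID, role name, and bucket name are constructed placeholders.

```python
"""Generate and audit the destination bucket policy for cross-account replication."""
import json

# Constructed placeholder values (not from the article); replace with your own.
SOURCE_ACCOUNT_ID = "111122223333"
ROLE_NAME = "example-s3-replication-role"
ROLE_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT_ID}:role/{ROLE_NAME}"
DEST_BUCKET = "example-destination-bucket"

# Actions the replication role needs on the destination bucket. The two
# versioning actions apply to the bucket itself; the rest apply to its objects.
BUCKET_LEVEL_ACTIONS = ["s3:GetBucketVersioning", "s3:PutBucketVersioning"]
OBJECT_LEVEL_ACTIONS = ["s3:ReplicateObject", "s3:ObjectOwnerOverrideToBucketOwner",
                        "s3:GetObjectVersionTagging", "s3:ReplicateTags", "s3:ReplicateDelete"]


def bucket_policy(source_account_id, role_name, dest_bucket):
    """Destination bucket policy that grants only the source account's replication
    role, and only the replication actions, on the bucket and its objects."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DestinationBucketPermissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{source_account_id}:role/{role_name}"},
        "Action": OBJECT_LEVEL_ACTIONS + BUCKET_LEVEL_ACTIONS,
        "Resource": [f"arn:aws:s3:::{dest_bucket}/*", f"arn:aws:s3:::{dest_bucket}"],
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Normalise the Principal element to a list of strings ('*' for anyone)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def audit_bucket_policy(policy, role_arn, dest_bucket):
    """Return findings: Allow statements that hand replication actions to every
    principal, and required (action, resource) grants the role does not have.
    Exact matches only; wildcards and conditions are not evaluated."""
    findings = []
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        principals = _principals(stmt)
        if "*" in principals and any(a.startswith("s3:Replicate") for a in actions):
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: grants replication actions to any principal")
        if role_arn in principals:
            granted.update((a, r) for a in actions for r in resources)
    bucket_arn = f"arn:aws:s3:::{dest_bucket}"
    required = [(a, f"{bucket_arn}/*") for a in OBJECT_LEVEL_ACTIONS]
    required += [(a, bucket_arn) for a in BUCKET_LEVEL_ACTIONS]
    for action, resource in required:
        if (action, resource) not in granted:
            findings.append(f"{role_arn} lacks {action} on {resource}")
    return findings


if __name__ == "__main__":
    policy = bucket_policy(SOURCE_ACCOUNT_ID, ROLE_NAME, DEST_BUCKET)
    print(json.dumps(policy, indent=2))
    print("findings for generated policy:", audit_bucket_policy(policy, ROLE_ARN, DEST_BUCKET))
    # Constructed example of a policy that is both too open and incomplete.
    loose = {"Version": "2012-10-17", "Statement": [{
        "Sid": "TooOpen", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:ReplicateObject"], "Resource": f"arn:aws:s3:::{DEST_BUCKET}/*"}]}
    for finding in audit_bucket_policy(loose, ROLE_ARN, DEST_BUCKET):
        print("finding:", finding)
```

Apply the generated document with `aws s3api put-bucket-policy --bucket DESTINATION --policy file://policy.json` from the destination account. The audit deliberately reports a missing grant per (action, resource) pair rather than a single pass/fail, so a policy that grants the object actions but forgets the bucket ARN for the versioning actions is easy to spot.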

Set up the replication rule

Complete the following steps:

  1. Open the Amazon S3 console.
  2. Choose Buckets, and then select your source bucket.
  3. Choose the Management tab. Under Replication rules, choose Create replication rule.
  4. Enter a name for the rule. Under Source bucket, choose a rule scope to determine whether the replication applies to a specific object prefix or the bucket's entire contents.
  5. Under Destination, select Specify a bucket in another account, and then enter the name of the destination bucket and the account ID.
  6. Under IAM role, choose Choose from existing IAM roles.
  7. Under IAM role, if you have an existing IAM role with the required permissions, then choose Choose from existing IAM roles or Enter IAM role ARN.
    - or -
    Choose Create new role to create a new role with the required permissions.
  8. Under Encryption, select Replicate objects encrypted with AWS Key Management Service (AWS KMS). Then, enter your AWS KMS key's ARN.
  9. (Optional) Configure the Destination storage class and Additional replication options.
  10. Review the configuration, and then choose Save.
  11. (Optional) Replicate existing objects with a one-time S3 Batch Operations job.
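For readers who configure the rule with the API or CLI instead of the console, the following is an added example (not the article's own code) of the ReplicationConfiguration that the console steps above produce: a prefix-scoped rule, a destination bucket in another account with replica ownership transferred to the bucket owner, SSE-KMS source objects selected for replication, and the destination key set as the replica key. A small validator catches the combinations that the PutBucketReplication API rejects before the call is made. The account IDs, role ARN, bucket name, and key ARN are constructed placeholders.

```python
"""Build and validate an S3 ReplicationConfiguration for SSE-KMS cross-account replication."""
import json

# Constructed placeholder values (not from the article); replace with your own.
SOURCE_ACCOUNT_ID = "111122223333"
DEST_ACCOUNT_ID = "444455556666"
ROLE_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT_ID}:role/example-s3-replication-role"
DEST_BUCKET = "example-destination-bucket"
DEST_KEY_ARN = "arn:aws:kms:us-west-2:444455556666:key/0987dcba-09fe-87dc-65ba-ab0987654321"


def replication_configuration(role_arn, dest_bucket, dest_account_id, replica_key_arn,
                              prefix="", storage_class=None):
    """ReplicationConfiguration mirroring the console steps: rule scope by prefix
    (empty prefix = whole bucket), cross-account destination with owner override,
    and SSE-KMS objects re-encrypted with the destination bucket's key."""
    destination = {
        "Bucket": f"arn:aws:s3:::{dest_bucket}",
        "Account": dest_account_id,
        "AccessControlTranslation": {"Owner": "Destination"},
        "EncryptionConfiguration": {"ReplicaKmsKeyID": replica_key_arn},
    }
    if storage_class:
        destination["StorageClass"] = storage_class
    return {"Role": role_arn, "Rules": [{
        "ID": "replicate-kms-objects-cross-account",
        "Priority": 1,
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        # Required whenever a Filter is present; Disabled keeps deletes from propagating.
        "DeleteMarkerReplication": {"Status": "Disabled"},
        "SourceSelectionCriteria": {"SseKmsEncryptedObjects": {"Status": "Enabled"}},
        "Destination": destination,
    }]}


def validate_replication_configuration(config):
    """Return a list of problems for the combinations the API rejects."""
    problems = []
    if not str(config.get("Role", "")).startswith("arn:aws:iam::"):
        problems.append("Role must be an IAM role ARN")
    for rule in config.get("Rules", []):
        rid = rule.get("ID", "<no ID>")
        dest = rule.get("Destination", {})
        if not str(dest.get("Bucket", "")).startswith("arn:aws:s3:::"):
            problems.append(f"{rid}: Destination.Bucket must be a bucket ARN")
        sse = rule.get("SourceSelectionCriteria", {}).get("SseKmsEncryptedObjects", {})
        replica_key = dest.get("EncryptionConfiguration", {}).get("ReplicaKmsKeyID")
        if sse.get("Status") == "Enabled" and not replica_key:
            problems.append(f"{rid}: SseKmsEncryptedObjects is Enabled but ReplicaKmsKeyID is not set")
        if "AccessControlTranslation" in dest and not dest.get("Account"):
            problems.append(f"{rid}: AccessControlTranslation requires Destination.Account")
        if "Filter" in rule and "DeleteMarkerReplication" not in rule:
            problems.append(f"{rid}: a rule with a Filter must set DeleteMarkerReplication")
    return problems


if __name__ == "__main__":
    config = replication_configuration(ROLE_ARN, DEST_BUCKET, DEST_ACCOUNT_ID, DEST_KEY_ARN,
                                       prefix="reports/", storage_class="STANDARD_IA")
    print(json.dumps(config, indent=2))
    print("problems:", validate_replication_configuration(config))
    # Leaving the replica key out is the most common mistake with SSE-KMS sources.
    broken = replication_configuration(ROLE_ARN, DEST_BUCKET, DEST_ACCOUNT_ID, "")
    print("problems:", validate_replication_configuration(broken))
```

Write the dictionary to a file and apply it from the source account with `aws s3api put-bucket-replication --bucket SOURCE --replication-configuration file://replication.json` (or pass it as `ReplicationConfiguration=` to boto3's `put_bucket_replication`). Once the rule is in place, `aws s3api head-object` on a newly uploaded source object returns a `ReplicationStatus` of PENDING, COMPLETED or FAILED, which is the same status the console shows in the object overview.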

Verify your replication

After you create the replication rule, Amazon S3 replicates objects that are added to the source bucket from that point on to the destination bucket. To test your replication, complete the following steps:

  1. Upload a new object to the source bucket.
  2. View the object overview, and then check the object's replication status.
  3. If replication is successful, then you see a COMPLETED status.

Related information

Replicating encrypted objects (SSE-S3, SSE-KMS, DSSE-KMS, SSE-C)

Configuring replication for buckets in different accounts

AWS OFFICIAL. Updated 10 months ago.
3 Comments

This article is absolutely fantastic! It not only provides a detailed explanation of how to set up cross-account, cross-Region AWS KMS-encrypted replication in an Amazon S3 bucket but also offers easy-to-follow steps that make this complex process seem super simple. I particularly appreciate its emphasis on best practices, such as using the new AWS KMS key as the default encryption and enabling versioning on the destination bucket. The IAM role permissions section is explained very clearly, giving me confidence that I have the right permissions. The coverage of updating the AWS KMS policy and testing methods is also very practical. I truly feel empowered to set up this replication with confidence! Many thanks to this article for being a tremendous help! 👍👏

replied 2 years ago

Helpful article

AWS

replied 2 years ago

Liked this article!

replied 2 years ago