S3 replicate latest version

0

I have set up S3 replication from a versioned bucket to another (versioned) bucket on the same account (SRR). A tag is used to scope the replicated file(s). Every night, a new version of each file is uploaded to the source bucket, and this new version becomes the current version (versioned backups).

With a batch operation, I have replicated the current version of the file to the destination bucket without problems, so permissions are set correctly. I understood only current versions will be replicated, not previous versions. However, replication does not seem to take place at all when a new version is uploaded to the source bucket. The destination bucket only has the version from the batch operation, which is 4 versions behind on the source bucket. Why are the new versions not replicated?

1 Answer
0

I would start with examining the permissions assigned to the replication role. It should look something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetReplicationConfiguration",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::primary-bucket",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging"
            ],
            "Resource": "arn:aws:s3:::primary-bucket/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateTags",
                "s3:ReplicateDelete"
            ],
            "Resource": "arn:aws:s3:::secondary-bucket/*",
            "Effect": "Allow"
        }
    ]
}

And have a trust policy like this:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
kentrad (AWS, EXPERT) answered 2 years ago
  • I checked the role against your suggestion and it contains all statements you have specified (I let AWS generate the role with permissions and trust policy and it contains a bit more, I suspect it generated a CRR version, while I only really need SRR). The role permissions do not seem to be the issue, since replication with the batch job succeeded initially. But, running a batch job again does not replicate the latest version to the destination bucket.
