Hi Balazs,
Are you using versioning? (If not, skip this.)
- Configure versioning on both the source and destination buckets. This is mandatory for S3 replication.
About KMS:
- Ensure the KMS key policy in both regions allows the necessary operations from the S3 service. The key policy should allow the IAM role and the S3 service itself to perform kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:DescribeKey actions.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3AndRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com",
        "AWS": "arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```
In your bucket policy:
- You might need an S3 bucket policy that grants the source bucket permission to replicate objects to the destination bucket.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StmtAllowReplication",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com",
        "AWS": "arn:aws:iam::ACCOUNT_ID:role/IAMRoleName"
      },
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionForReplication"
      ],
      "Resource": "arn:aws:s3:::destinationbucket/*"
    }
  ]
}
```
Extra checks:
- Ensure there are no VPC endpoint policies or service control policies
answered 8 months ago
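As an added example (not part of the answer above or of any AWS tooling), the following checker verifies that a KMS key policy effectively grants a replication role every action the answer lists, expanding wildcards such as `kms:ReEncrypt*` and honouring explicit Deny statements. The account id and role name in the sample policy are constructed placeholders.

```python
# Added example: does a KMS key policy grant a principal every required action?
# Wildcard actions are matched with fnmatch; an explicit Deny overrides Allow, as in
# IAM evaluation. Condition and Resource are ignored (key policies use "Resource": "*").
import fnmatch
import json

# Actions the answer lists for SSE-KMS replication, with the wildcards spelled out.
REQUIRED_KMS_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:DescribeKey",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(statement):
    """Flatten the Principal element ('*' or {'AWS': [...], 'Service': ...})."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    found = set()
    for values in principal.values():
        found.update(_as_list(values))
    return found

def _statement_matches(statement, principal, action):
    principals = _principals(statement)
    if principal not in principals and "*" not in principals:
        return False
    patterns = _as_list(statement.get("Action", []))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy_json, principal, required=REQUIRED_KMS_ACTIONS):
    """Return the required actions this principal is NOT effectively allowed."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    missing = []
    for action in required:
        effects = {s.get("Effect") for s in statements
                   if _statement_matches(s, principal, action)}
        if "Deny" in effects or "Allow" not in effects:
            missing.append(action)
    return missing

# Constructed sample: the answer's statement with a placeholder account id and role.
ROLE = "arn:aws:iam::111122223333:role/ReplicationRole"
KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowS3AndRole", "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com", "AWS": ROLE},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"}]})
```

Run `missing_actions` against the real key policy from `aws kms get-key-policy` in each region; an empty list for both the role and `s3.amazonaws.com` means the KMS side of the checklist is satisfied.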
Any update?