s3 replication rule - some objects staying in the destination bucket

When configuring S3 replication rules, there are several reasons why some objects might not be replicated to the destination bucket.

1. Replication Configuration Issues Replication Rule Status: Ensure the replication rule is enabled. If it's disabled, objects won't be replicated. Rule Filters: Check if there are any filters applied in the replication rule that might exclude certain objects based on prefix or tags.
2. Object Versioning Versioning Requirement: Both the source and destination buckets must have versioning enabled for replication to work. If the source bucket doesn't have versioning enabled, only the current version of the object will be replicated. Non-Versioned Objects: If the source bucket has non-versioned objects, they won't be replicated to the destination bucket if versioning isn't enabled.
3. Object Size and Type Size Limitations: S3 replication does not replicate objects that are 0 bytes. Ensure the objects being replicated have content. Unsupported Object Types: Certain object types or storage classes may not be eligible for replication. For instance, objects stored in the S3 Glacier class cannot be replicated.
4. Replication Time Replication Delay: Replication is not instantaneous. There may be a delay between when an object is created or modified in the source bucket and when it appears in the destination bucket. Eventual Consistency: S3 replication is eventually consistent, meaning there could be a short period when the destination bucket does not reflect the latest changes from the source bucket.
5. IAM Permissions Permission Issues: Ensure that the IAM roles used for replication have the necessary permissions to read from the source bucket and write to the destination bucket. Missing permissions can prevent replication from occurring.
6. Replication Metrics and Logs S3 Replication Metrics: Enable S3 replication metrics and CloudTrail logs to track replication progress and identify any issues that may have occurred during the replication process. Replication Status: Check the status of the objects in the destination bucket. Each object should have a replication status that indicates whether it was replicated successfully, failed, or is still pending. Troubleshooting Steps Verify Replication Configuration: Check the replication rules for filters, prefixes, and ensure they are enabled. Check Object Properties: Verify the versioning status of both buckets and the properties of the objects in question. Review IAM Policies: Ensure the IAM roles have the correct permissions. Monitor Replication Metrics: Use CloudWatch and S3 replication metrics to monitor the replication process and identify any issues

The rules for how replication behaves when objects are deleted are explained in this documentation section: https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-what-is-isnot-replicated.html#replication-delete-op

You described the two objects as having "expired." If you mean they were soft-deleted (marked as deleted) by a lifecycle rule with an expiration action, those deletions are not replicated. It's mentioned in the documentation section above:

However, if Amazon S3 deletes an object due to a lifecycle action, the delete marker is not replicated to the destination buckets.

Also, if you delete an object manually but specify a version ID to delete, instead of deleting the current object without specifying a version ID, the deletion is also not replicated. For example, in the S3 console, this would happen if you enabled the "Show versions" option and then selected one of the object versions and deleted it. You can delete a current object version by disabling the "Show versions" option before deleting the object.

If you specify an object version ID to delete in a DELETE request, Amazon S3 deletes that object version in the source bucket. But it doesn't replicate the deletion in the destination buckets.

If neither special case applies, then the first thing to check would be that delete marker replication is enabled, which it isn't by default: https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-marker-replication.html