
How to configure S3 Multi Region Access point replication and failover using cloud formation template?

0

How to configure S3 Multi Region Access point replication and failover using cloud formation template? Need to set Active bucket in region 1 and passive bucket in region 2. Using Cloud Formation template.

Able to do it from console but need to do via cloud formation template.

  • please accept the answer if it was helpful

asked 2 years ago, 852 views
1 Answer
-1

To configure S3 Multi-Region Access Point (MRAP) replication and failover using a CloudFormation template, you need to set up several components:

  1. S3 Buckets in Different Regions
  2. Replication Configuration
  3. Multi-Region Access Point

Here is a step-by-step CloudFormation template to achieve this:

Step-by-Step CloudFormation Template

AWSTemplateFormatVersion: '2010-09-09'
Description: S3 Multi-Region Access Point with Replication and Failover

Parameters:
  PrimaryBucketName:
    Type: String
    Description: Name of the primary S3 bucket
  SecondaryBucketName:
    Type: String
    Description: Name of the secondary S3 bucket
  PrimaryRegion:
    Type: String
    Description: AWS Region for the primary bucket
    Default: us-east-1
  SecondaryRegion:
    Type: String
    Description: AWS Region for the secondary bucket
    Default: us-west-2
  RoleName:
    Type: String
    Description: Name of the IAM role for replication

Resources:
  # Note: AWS::S3::Bucket has no region property. Every bucket in a stack is
  # created in the region the stack is deployed to, so PrimaryRegion and
  # SecondaryRegion are not consumed by the resources below. To place the two
  # buckets in two regions, deploy the bucket resources as one stack per region
  # and reference the existing buckets from the access point.
  PrimaryBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref PrimaryBucketName
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # Replication is a property of the source bucket. A second
      # AWS::S3::Bucket resource with the same BucketName fails to create
      # because the bucket already exists.
      ReplicationConfiguration:
        Role: !GetAtt ReplicationRole.Arn
        Rules:
          - Id: ReplicationRule
            Status: Enabled
            Prefix: ''
            Destination:
              Bucket: !GetAtt SecondaryBucket.Arn
              StorageClass: STANDARD

  SecondaryBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref SecondaryBucketName
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  ReplicationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: s3.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: S3ReplicationPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Source side: S3 must list the bucket and read its replication
              # configuration in addition to reading object versions.
              - Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetReplicationConfiguration
                Resource: !Sub 'arn:aws:s3:::${PrimaryBucketName}'
              - Effect: Allow
                Action:
                  - s3:GetObjectVersionForReplication
                  - s3:GetObjectVersionAcl
                  - s3:GetObjectVersionTagging
                # "!Ref" cannot be embedded inside a string; !Sub builds the ARN.
                Resource: !Sub 'arn:aws:s3:::${PrimaryBucketName}/*'
              # Destination side: write replicas, deletes and tags.
              - Effect: Allow
                Action:
                  - s3:ReplicateObject
                  - s3:ReplicateDelete
                  - s3:ReplicateTags
                Resource: !Sub 'arn:aws:s3:::${SecondaryBucketName}/*'

  # A bucket policy can only grant access to the bucket it is attached to, so
  # each bucket gets its own policy for the replication role.
  PrimaryBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref PrimaryBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !GetAtt ReplicationRole.Arn
            Action:
              - s3:GetObjectVersionForReplication
              - s3:GetObjectVersionAcl
              - s3:GetObjectVersionTagging
            Resource: !Sub 'arn:aws:s3:::${PrimaryBucketName}/*'

  SecondaryBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SecondaryBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !GetAtt ReplicationRole.Arn
            Action:
              - s3:ReplicateObject
              - s3:ReplicateDelete
              - s3:ReplicateTags
            Resource: !Sub 'arn:aws:s3:::${SecondaryBucketName}/*'

  MultiRegionAccessPoint:
    Type: AWS::S3::MultiRegionAccessPoint
    Properties:
      # Each Regions entry accepts only Bucket (and optionally BucketAccountId).
      # There is no Region property; S3 resolves the bucket's region itself.
      Regions:
        - Bucket: !Ref PrimaryBucket
        - Bucket: !Ref SecondaryBucket

Outputs:
  PrimaryBucketName:
    Description: Name of the primary S3 bucket
    Value: !Ref PrimaryBucketName

  SecondaryBucketName:
    Description: Name of the secondary S3 bucket
    Value: !Ref SecondaryBucketName

  MultiRegionAccessPointAlias:
    Description: Alias of the Multi-Region Access Point
    Value: !GetAtt MultiRegionAccessPoint.Alias

Explanation

  1. Parameters: Define the parameters for bucket names, regions, and IAM role name.
  2. Primary and Secondary Buckets: Create S3 buckets in the specified regions with versioning enabled.
  3. IAM Role for Replication: Create an IAM role with permissions required for replication.
  4. Bucket Policies: Add policies to allow the replication role to access objects in the primary and secondary buckets.
  5. Replication Configuration: Configure replication from the primary bucket to the secondary bucket.
  6. Multi-Region Access Point: Create a Multi-Region Access Point that includes the primary and secondary buckets.
  7. Outputs: Provide outputs for the bucket names and the Multi-Region Access Point alias.

Deployment

  1. Save the template as s3-multi-region-access-point.yaml.
  2. Use AWS CloudFormation to create a stack with this template.

# CAPABILITY_NAMED_IAM is required because the template creates an IAM role with an explicit RoleName.
aws cloudformation create-stack \
  --stack-name S3MultiRegionAccessPoint \
  --template-body file://s3-multi-region-access-point.yaml \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameters ParameterKey=PrimaryBucketName,ParameterValue=your-primary-bucket \
               ParameterKey=SecondaryBucketName,ParameterValue=your-secondary-bucket \
               ParameterKey=RoleName,ParameterValue=your-role-name

Replace your-primary-bucket, your-secondary-bucket, and your-role-name with your desired values.

This CloudFormation template sets up S3 Multi-Region Access Point replication and failover, with an active bucket in region 1 and a passive bucket in region 2.

EXPERT
answered 2 years ago
  • Can you please explain how the buckets will be created in the primary and secondary regions, as there is no region-related parameter for S3 bucket creation? Also, I need bidirectional replication between those buckets.

    There is no specific parameter in the template which defines the active and passive bucket in the Multi-Region Access Point. Can you please elaborate on that?

  • Hello

    I have tried your YML and I had some problems.

    I have created 2 stacks in 2 different regions:

    • 1 bucket as a secondary
    • 1 bucket is primary

    I tried to configure the policy and access point in the primary stack, but it is impossible because it requires references that create a circular dependency or the creation of a third bucket.

    The YML above is to create 2 buckets in 1 region.

    Moreover:

    MultiRegionAccessPoint:
      Type: AWS::S3::MultiRegionAccessPoint
      Properties:
        Regions:
          - Bucket: !Ref PrimaryBucket
            Region: !Ref PrimaryRegion
          - Bucket: !Ref SecondaryBucket
            Region: !Ref SecondaryRegion

    Region is not correct: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-multiregionaccesspoint-region.html
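The active/passive part of the question is not something the template above expresses: once the Multi-Region Access Point exists, which region serves traffic is set through its routing controls (a traffic dial of 100 for the active region and 0 for the passive one). The script below is an added example, not code from the answer or from AWS; it assumes the AWS CLI v2, that the routes API is called through a supported region (us-west-2 here), that it takes the access point ARN built from the account id and alias, and the placeholder account id, alias and bucket names shown in the comments.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): active/passive failover for an
# existing Multi-Region Access Point via the AWS CLI v2 routing controls. Each
# region in the access point has a traffic dial: 100 = active, 0 = passive.
# Assumed: the routes API is called via a supported region (us-west-2 here) and
# takes the access point ARN, built below from the account id and alias.
set -eu
ROUTES_REGION=${ROUTES_REGION:-us-west-2}

# MRAP ARNs carry no region: arn:aws:s3::<account>:accesspoint/<alias>
mrap_arn() { printf 'arn:aws:s3::%s:accesspoint/%s' "$1" "$2"; }

# Pure helper: build --route-updates entries that make region $1 active and
# every other bucket=region pair passive (one entry per line).
route_updates() {
  local active="$1" pair bucket region dial; shift
  for pair in "$@"; do
    bucket=${pair%%=*}; region=${pair#*=}
    if [ "$region" = "$active" ]; then dial=100; else dial=0; fi
    printf 'Bucket=%s,Region=%s,TrafficDialPercentage=%s\n' "$bucket" "$region" "$dial"
  done
}

# Submit the routing change so only the chosen region receives requests.
set_active_region() {
  local account="$1" alias="$2" active="$3"; shift 3
  local updates; updates=$(route_updates "$active" "$@" | tr '\n' ' ')
  # shellcheck disable=SC2086  # word-splitting of $updates is intended
  aws s3control submit-multi-region-access-point-routes --region "$ROUTES_REGION" \
    --account-id "$account" --mrap "$(mrap_arn "$account" "$alias")" \
    --route-updates $updates
}

# Read back the dial of one region as plain text (e.g. "100").
current_dial() {
  aws s3control get-multi-region-access-point-routes --region "$ROUTES_REGION" \
    --account-id "$1" --mrap "$(mrap_arn "$1" "$2")" \
    --query "Routes[?Region=='$3'].TrafficDialPercentage | [0]" --output text
}

# Route changes propagate asynchronously; poll until the region reports 100.
wait_until_active() {
  local tries=0
  until [ "$(current_dial "$1" "$2" "$3")" = "100" ]; do
    tries=$((tries + 1)); [ "$tries" -lt 30 ] || { echo "timed out" >&2; return 1; }
    sleep 10
  done
}
# Placeholder usage, failing over from us-east-1 to us-west-2:
#   set_active_region 111122223333 example-alias.mrap us-west-2 primary-bucket=us-east-1 secondary-bucket=us-west-2; wait_until_active 111122223333 example-alias.mrap us-west-2
```

Replication keeps the passive bucket in sync regardless of the dial, so the dial only changes where the access point routes requests, not what data each bucket holds.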
