Adding S3 Bucket Policy Causes S3 Replication to Fail


Hello, can anyone help me with the case below? I wanted my bucket to be accessible from specific IPs only, and to deny everything else. I set up the S3 bucket policy as follows:

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "x.x.x.x"
                },
                "Bool": {
                    "aws:ViaAWSService": "false"
                }
            }
        }
    ]
}

For S3 replication, I configured the S3 Replication Rule as per the AWS docs, setting up the following policies and attaching them to the IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetReplicationConfiguration",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::SourceBucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::SourceBucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags"
            ],
            "Resource": "arn:aws:s3:::DestinationBucket/*"
        }
    ]
}

Without the bucket policy, objects are replicated smoothly. Once I add the bucket policy, replication fails every time. I have no idea why.

Regards, Ohnmar

Ohnmar, asked 2 years ago, 389 views

1 Answer

Accepted Answer

Have you tried specifically allowing the role being used for replication in the bucket policy? Like this:

"Condition": {
    "NotIpAddress": {
        "aws:SourceIp": "x.x.x.x"
    },
    "Bool": {
        "aws:ViaAWSService":"false"
    },
    "ArnNotEquals": {
        "aws:PrincipalArn": "arn:aws:iam::<account id>:role/service-role/<role name>"
    }
}
Ed
answered 2 years ago
  • Thanks Ed, it worked.
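As an added illustration (not part of the question or the answer), a small Python model of how the Deny statement's Condition block is evaluated: every operator/key pair must match for the Deny to take effect, which is why adding ArnNotEquals for the replication role lifts the Deny for that role alone. The IP, account id and role name are constructed placeholders for the page's "x.x.x.x" and "<account id>/<role name>", and the request-context values for the replication call are assumptions chosen to reproduce the failure the question describes.

```python
import ipaddress

# Constructed placeholders standing in for "x.x.x.x" and "<account id>/<role name>".
ALLOWED_IP = "203.0.113.10"
REPLICATION_ROLE = "arn:aws:iam::111122223333:role/service-role/s3crr_role_for_example"

# The asker's original Deny condition: NotIpAddress AND Bool.
ORIGINAL_CONDITION = {
    "NotIpAddress": {"aws:SourceIp": ALLOWED_IP},
    "Bool": {"aws:ViaAWSService": "false"},
}
# The accepted answer's condition: ArnNotEquals exempts the replication role from the Deny.
FIXED_CONDITION = dict(ORIGINAL_CONDITION,
                       ArnNotEquals={"aws:PrincipalArn": REPLICATION_ROLE})

def _matches(operator, key, expected, ctx):
    """Evaluate one operator/key pair of a Condition block against a request-context dict."""
    actual = ctx.get(key)
    if operator == "NotIpAddress":
        # Negated operator: a missing context key counts as a match.
        if actual is None:
            return True
        return ipaddress.ip_address(actual) not in ipaddress.ip_network(expected, strict=False)
    if operator == "Bool":
        # Positive operator: a missing context key means no match.
        return actual is not None and str(actual).lower() == expected.lower()
    if operator == "ArnNotEquals":
        return actual != expected
    raise ValueError(f"unsupported operator: {operator}")

def deny_applies(condition, ctx):
    """The Deny takes effect only when every operator/key pair in its Condition matches (AND)."""
    return all(_matches(op, key, exp, ctx)
               for op, pairs in condition.items()
               for key, exp in pairs.items())

# Constructed request contexts.
OFFICE_REQUEST = {"aws:SourceIp": ALLOWED_IP, "aws:ViaAWSService": "false",
                  "aws:PrincipalArn": "arn:aws:iam::111122223333:user/ohnmar"}
OUTSIDE_REQUEST = {"aws:SourceIp": "198.51.100.7", "aws:ViaAWSService": "false",
                   "aws:PrincipalArn": "arn:aws:iam::111122223333:user/ohnmar"}
# Assumed replication call: not from the allowed IP and, matching the symptom in the
# question, not exempted by aws:ViaAWSService.
REPLICATION_REQUEST = {"aws:SourceIp": "192.0.2.44", "aws:ViaAWSService": "false",
                       "aws:PrincipalArn": REPLICATION_ROLE}

if __name__ == "__main__":
    for name, cond in (("original", ORIGINAL_CONDITION), ("fixed", FIXED_CONDITION)):
        print(name, "condition denies replication:", deny_applies(cond, REPLICATION_REQUEST))
```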
