S3 bucket replication fails in multi-account architecture


I have a landing zone architecture. Account A has a source bucket that is encrypted with a KMS CMK. Account B has a destination bucket that is also encrypted with a KMS CMK (a different key from account A's). The KMS CMK was created in account C.

I tried to configure s3 bucket replication from source bucket to destination bucket, but it keeps failing.

Configuration information is like below:

1. IAM policy
(1) A-account
(created by the S3 replication configuration)
(trust relationship with S3)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetReplicationConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::source-bucket-name",
                "arn:aws:s3:::source-bucket-name/*",
                "arn:aws:s3:::destination-bucket-name",
                "arn:aws:s3:::destination-bucket-name/*"
            ]
        },
        {
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::source-bucket-name/*",
                "arn:aws:s3:::destination-bucket-name/*"
            ]
        },
        {
            "Action": [
                "kms:Decrypt"
            ],
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:s3:arn": [
                        "arn:aws:s3:::source-bucket-name/*"
                    ],
                    "kms:ViaService": "s3.ap-northeast-2.amazonaws.com"
                }
            },
            "Effect": "Allow",
            "Resource": [
                "arn:aws:kms:ap-northeast-2:A-account-id:key/source-bucket-encryption-key"
            ]
        },
        {
            "Action": [
                "kms:Encrypt"
            ],
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:s3:arn": [
                        "arn:aws:s3:::destination-bucket-name/*"
                    ],
                    "kms:ViaService": [
                        "s3.ap-northeast-2.amazonaws.com"
                    ]
                }
            },
            "Effect": "Allow",
            "Resource": [
                "arn:aws:kms:ap-northeast-2:B-account-id:key/destination-bucket-encryption-key"
            ]
        }
    ]
}

(2) B-account 
NO IAM ROLE

2. S3 bucket policy

(1)A-account 
No bucket policy 


(2)B-account 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Set permissions for objects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::A-account-id:role/service-role/s3crr_role_for_source-bucket-name"
            },
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete"
            ],
            "Resource": "arn:aws:s3:::shbw-an2-sop-log-s3-repl-test/*"
        },
        {
            "Sid": "Set permissions on bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::A-account-id:role/service-role/s3crr_role_for_source-bucket-name"
            },
            "Action": [
                "s3:List*",
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning"
            ],
            "Resource": "arn:aws:s3:::destination-bucket-name"
        },
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::A-account-id:root"
            },
            "Action": "s3:ObjectOwnerOverrideToBucketOwner",
            "Resource": "arn:aws:s3:::destination-bucket-name/*"
        }
    ]
}

3. KMS key policy
(1) A-account, B-account (the C-account root principal is the key owner)
{
    "Version": "2012-10-17",
    "Id": "Key-Policy",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::C-account-id:root",
                    "arn:aws:iam::A-account-id:root",
                    "arn:aws:iam::B-account-id:root"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

Please help me to complete bucket replication!
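The question says the CMKs were created in account C, while the replication role's kms:Decrypt and kms:Encrypt statements name key ARNs under A-account-id and B-account-id. The following is an added audit helper, not part of the question or any answer: it parses a role policy and reports every KMS key ARN whose account field is not the declared key-owning account. The placeholder account ids and key names are the ones used in the question; the policy fragment is constructed here to mirror the posted one.

```python
import json

# The question states the CMKs were created in account C, while the role policy
# names keys under A-account-id and B-account-id. Placeholder ids are the ones
# used in the question; the policy fragment itself is constructed here.
KEY_OWNER_ACCOUNT = "C-account-id"

ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt"],
     "Resource": ["arn:aws:kms:ap-northeast-2:A-account-id:key/source-bucket-encryption-key"]},
    {"Effect": "Allow", "Action": ["kms:Encrypt"],
     "Resource": ["arn:aws:kms:ap-northeast-2:B-account-id:key/destination-bucket-encryption-key"]},
    {"Effect": "Allow", "Action": ["s3:ReplicateObject", "s3:ReplicateDelete"],
     "Resource": ["arn:aws:s3:::destination-bucket-name/*"]}
  ]
}""")

def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def arn_account(arn):
    """Return the account-id field of arn:partition:service:region:account:..., or None."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None

def kms_resources(policy):
    """Yield every key ARN named in an Allow statement that grants a kms:* action."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a.startswith("kms:") for a in _as_list(stmt.get("Action", []))):
            continue
        for arn in _as_list(stmt.get("Resource", [])):
            if arn != "*":  # a wildcard defers to the key policy; nothing to compare
                yield arn

def find_key_account_mismatches(policy, key_owner_account):
    """Return KMS key ARNs whose account field differs from the key-owning account."""
    # A grant on a key ARN in the wrong account never matches the key S3 actually uses.
    return [arn for arn in kms_resources(policy) if arn_account(arn) != key_owner_account]

if __name__ == "__main__":
    for arn in find_key_account_mismatches(ROLE_POLICY, KEY_OWNER_ACCOUNT):
        print("KMS key ARN outside the key-owner account:", arn)
```

Run against the posted policy with account C as the key owner, both KMS statements are reported; the same check can be pointed at a policy fetched with `aws iam get-role-policy` after `json.loads` of its PolicyDocument.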

No Answers
