
AWS S3 Replication using SSE-S3 at the Destination


Hi,

I have seen this documentation, which describes how to set up AWS S3 replication in multiple scenarios (plain, SSE-S3, SSE-KMS, etc.): https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html

What I still don't understand is, if the destination is using SSE-S3 encryption, do we need to do anything at the source replication configuration?

I see that we have this checkbox in the replication configuration, "Replicate objects encrypted with AWS Key Management Service (AWS KMS)", which is only used for KMS if we want to specify which KMS key is used at the destination, not for SSE-S3.

Another question is, for the IAM policy for replication, I see that we mention the KMS key used for decrypt/encrypt in the policy, but not for SSE-S3. Is it supported by default, so we don't need to do anything?

asked a year ago, 582 views

1 Answer

Hello.

What I still don't understand is, if the destination is using SSE-S3 encryption, do we need to do anything at the source replication configuration?

As far as I know, I don't think there were any additional settings for SSE-S3.

Another question is, for the IAM policy for replication, I see that we mention the key used for the KMS for decrypt/encrypt in the policy, but not for SSE-S3. Is it supported by default, so we don't need to do anything?

My understanding is that replication was possible even without setting "kms:Decrypt".
I think you can perform replication by setting the following IAM policy and S3 bucket policy.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html

Source IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetReplicationConfiguration"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::source-bucket-name"
            ]
        },
        {
            "Action": [
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::source-bucket-name/*"
            ]
        },
        {
            "Action": [
                "s3:ReplicateTags",
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::dest-bucket-name/*"
            ]
        }
    ]
}

Destination S3 bucket policy:

{
    "Version": "2012-10-17",
    "Id": "PolicyForDestinationBucket",
    "Statement": [
        {
            "Sid": "Permissions on objects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "source IAM role ARN"
            },
            "Action": [
                "s3:ReplicateDelete",
                "s3:ReplicateObject",
                "s3:ReplicateTags",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Resource": "arn:aws:s3:::dest-bucket-name/*"
        },
        {
            "Sid": "Permissions on bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "source IAM role ARN"
            },
            "Action": [
                "s3:List*",
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning"
            ],
            "Resource": "arn:aws:s3:::dest-bucket-name"
        }
    ]
}
answered a year ago
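As an added example (not part of the question or the answer above), the following Python audits a replication role policy against the minimum actions the answer's role policy grants. It illustrates the SSE-S3 point: with no key ARN passed, nothing beyond the s3:* actions is required, while for an SSE-KMS bucket a kms:Decrypt (source key) or kms:Encrypt (destination key) gap is reported. The sample policy and key ARN are constructed for the example.

```python
import fnmatch

# Minimum s3:* actions the replication role needs, taken from the answer's role policy.
REQUIRED = {
    "bucket": {"s3:ListBucket", "s3:GetReplicationConfiguration"},
    "source_objects": {"s3:GetObjectVersionTagging", "s3:GetObjectVersionForReplication",
                       "s3:GetObjectVersionAcl", "s3:GetObjectRetention", "s3:GetObjectLegalHold"},
    "dest_objects": {"s3:ReplicateTags", "s3:ReplicateObject", "s3:ReplicateDelete",
                     "s3:ObjectOwnerOverrideToBucketOwner"},
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _granted(policy, resource):
    """Actions (lower-cased) allowed on `resource` by Allow statements whose Resource covers it."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and any(
                fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
            granted.update(a.lower() for a in _as_list(stmt.get("Action")))
    return granted

def _gap(policy, resource, required):
    granted = _granted(policy, resource)  # wildcard actions such as s3:Replicate* are honoured
    return sorted(a for a in required if not any(fnmatch.fnmatchcase(a.lower(), g) for g in granted))

def missing_replication_permissions(policy, source_bucket, dest_bucket,
                                    source_kms_key_arn=None, dest_kms_key_arn=None):
    """Map each resource to the required actions the role policy does not grant. With SSE-S3 on
    both sides (no key ARNs passed) only s3:* is checked; pass key ARNs only for SSE-KMS buckets."""
    checks = {
        f"arn:aws:s3:::{source_bucket}": REQUIRED["bucket"],
        f"arn:aws:s3:::{source_bucket}/*": REQUIRED["source_objects"],
        f"arn:aws:s3:::{dest_bucket}/*": REQUIRED["dest_objects"],
    }
    if source_kms_key_arn:
        checks[source_kms_key_arn] = {"kms:Decrypt"}
    if dest_kms_key_arn:
        checks[dest_kms_key_arn] = {"kms:Encrypt"}
    return {res: gap for res, req in checks.items() if (gap := _gap(policy, res, req))}

# Constructed sample (not from the page): the answer's role policy with s3:ReplicateDelete left out.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetReplicationConfiguration"],
     "Resource": "arn:aws:s3:::source-bucket-name"},
    {"Effect": "Allow", "Action": ["s3:GetObjectVersion*", "s3:GetObjectRetention",
                                   "s3:GetObjectLegalHold"], "Resource": "arn:aws:s3:::source-bucket-name/*"},
    {"Effect": "Allow", "Action": ["s3:ReplicateTags", "s3:ReplicateObject",
                                   "s3:ObjectOwnerOverrideToBucketOwner"], "Resource": "arn:aws:s3:::dest-bucket-name/*"},
]}
```

Calling `missing_replication_permissions(SAMPLE_POLICY, "source-bucket-name", "dest-bucket-name")` reports only the missing s3:ReplicateDelete on the destination objects; adding a `dest_kms_key_arn` additionally reports kms:Encrypt on that key.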
