Questions tagged with AWS Key Management Service


S3 bucket replication fails in a multi-account architecture

I have a landing zone architecture. Account A has a source bucket encrypted with a KMS CMK; account B has a destination bucket that is also encrypted with a KMS CMK (a different key from account A's). The KMS CMK was created in account C. I tried to configure S3 bucket replication from the source bucket to the destination bucket, but it keeps failing. The configuration is as follows:

1. IAM policy

(1) Account A (created by the S3 replication configuration; trust relationship with S3):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetReplicationConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::source-bucket-name",
        "arn:aws:s3:::source-bucket-name/*",
        "arn:aws:s3:::destination-bucket-name",
        "arn:aws:s3:::destination-bucket-name/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::source-bucket-name/*",
        "arn:aws:s3:::destination-bucket-name/*"
      ]
    },
    {
      "Action": ["kms:Decrypt"],
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:s3:arn": ["arn:aws:s3:::source-bucket-name/*"],
          "kms:ViaService": "s3.ap-northeast-2.amazonaws.com"
        }
      },
      "Effect": "Allow",
      "Resource": ["arn:aws:kms:ap-northeast-2:A-account-id:key/source-bucket-encryption-key"]
    },
    {
      "Action": ["kms:Encrypt"],
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:s3:arn": ["arn:aws:s3:::destination-bucket-name/*"],
          "kms:ViaService": ["s3.ap-northeast-2.amazonaws.com"]
        }
      },
      "Effect": "Allow",
      "Resource": ["arn:aws:kms:ap-northeast-2:B-account-id:key/destination-bucket-encryption-key"]
    }
  ]
}
```

(2) Account B: no IAM role

2. S3 bucket policy

(1) Account A: no bucket policy

(2) Account B:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Set permissions for objects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::A-account-id:role/service-role/s3crr_role_for_source-bucket-name"
      },
      "Action": ["s3:ReplicateObject", "s3:ReplicateDelete"],
      "Resource": "arn:aws:s3:::shbw-an2-sop-log-s3-repl-test/*"
    },
    {
      "Sid": "Set permissions on bucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::A-account-id:role/service-role/s3crr_role_for_source-bucket-name"
      },
      "Action": ["s3:List*", "s3:GetBucketVersioning", "s3:PutBucketVersioning"],
      "Resource": "arn:aws:s3:::destination-bucket-name"
    },
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::A-account-id:root" },
      "Action": "s3:ObjectOwnerOverrideToBucketOwner",
      "Resource": "arn:aws:s3:::destination-bucket-name/*"
    }
  ]
}
```

3. KMS key policy

(1) Account A, account B (C-account-id is the key owner):

```json
{
  "Version": "2012-10-17",
  "Id": "Key-Policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::C-account-id:root",
          "arn:aws:iam::A-account-id:root",
          "arn:aws:iam::B-account-id:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
```

Please help me complete bucket replication!
0 answers · 0 votes · 25 views · asked 3 months ago
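Cross-account use of a KMS key is authorised on two sides: the key policy in the key's own account must allow the caller's account root (or the role itself), and the caller's IAM policy must allow the action on that key. The Python below is an added check written for this question, not code from the question or from AWS: it evaluates both sides for the replication role against trimmed, constructed copies of the policies posted above (account and key ids are the question's placeholders), matches literal ARNs only (no wildcards), and says nothing about the replication rule itself.

```python
import json

# Constructed, trimmed copies of the question's policies; the ids are its placeholders.
KEY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::C-account-id:root", "arn:aws:iam::A-account-id:root",
  "arn:aws:iam::B-account-id:root"]}, "Action": "kms:*", "Resource": "*"}]}""")
ROLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": ["kms:Decrypt"],
  "Resource": ["arn:aws:kms:ap-northeast-2:A-account-id:key/source-bucket-encryption-key"],
  "Condition": {"StringLike": {"kms:ViaService": "s3.ap-northeast-2.amazonaws.com",
   "kms:EncryptionContext:aws:s3:arn": ["arn:aws:s3:::source-bucket-name/*"]}}},
 {"Effect": "Allow", "Action": ["kms:Encrypt"],
  "Resource": ["arn:aws:kms:ap-northeast-2:B-account-id:key/destination-bucket-encryption-key"],
  "Condition": {"StringLike": {"kms:ViaService": ["s3.ap-northeast-2.amazonaws.com"],
   "kms:EncryptionContext:aws:s3:arn": ["arn:aws:s3:::destination-bucket-name/*"]}}}]}""")

def _lst(v):
    return v if isinstance(v, list) else [v]

def _allows_action(st, action):
    return st.get("Effect") == "Allow" and any(a in (action, "kms:*") for a in _lst(st.get("Action", [])))

def key_policy_allows(key_policy, role_arn, action):
    """Key-policy side: must name the role, or its account root (which delegates to IAM)."""
    account_root = "arn:aws:iam::" + role_arn.split(":")[4] + ":root"
    for st in key_policy["Statement"]:
        principals = _lst(st.get("Principal", {}).get("AWS", []))
        if _allows_action(st, action) and {role_arn, account_root} & set(principals):
            return True
    return False

def iam_policy_allows(iam_policy, action, key_arn, bucket, region):
    """IAM side: an Allow on this key, scoped to the bucket's objects via S3 in `region`."""
    for st in iam_policy["Statement"]:
        cond = st.get("Condition", {}).get("StringLike", {})
        if (_allows_action(st, action) and key_arn in _lst(st.get("Resource", []))
                and f"arn:aws:s3:::{bucket}/*" in _lst(cond.get("kms:EncryptionContext:aws:s3:arn", []))
                and f"s3.{region}.amazonaws.com" in _lst(cond.get("kms:ViaService", []))):
            return True
    return False

def replication_kms_gaps(role_arn, iam_policy, src, dst, region):
    """Failed checks; empty means source key allows Decrypt and destination key Encrypt on both sides. src/dst = (key_arn, key_policy, bucket)."""
    gaps = []
    for action, (key, kpol, bucket) in (("kms:Decrypt", src), ("kms:Encrypt", dst)):
        if not key_policy_allows(kpol, role_arn, action):
            gaps.append(f"{key}: key policy does not allow {action} for {role_arn}")
        if not iam_policy_allows(iam_policy, action, key, bucket, region):
            gaps.append(f"{key}: role policy has no scoped {action}")
    return gaps
```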