S3 Cross Region Replication


Hi AWS,

I am trying to replicate the objects of an S3 bucket cross region from source to destination bucket within the same account. The buckets are encrypted with customer managed KMS keys and the versioning is Enabled for both the buckets. I have created the S3 service role with trust relationship to s3.amazonaws.com endpoint and attached the following policy to it

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET1"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging"
      ],
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags"
      ],
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"
    }
  ]
}

following the documentation https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html

However, it has not been mentioned whether I need to update the KMS key policy for either the source bucket or the destination bucket. Please let me know.

  • You need to update the KMS key policy for the source bucket so that the source bucket will allow access for the destination bucket.
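
A check of the role policy from the question against what replication of SSE-KMS objects needs, as an added example that is not part of the original thread. It assumes, per AWS's guidance for replicating KMS-encrypted objects, that the replication role needs kms:Decrypt on the source key and kms:Encrypt on the destination key; the key ARNs are constructed placeholders, and the KMS key policies themselves (which must also permit the role, directly or by delegating to IAM) are not evaluated.

```python
from fnmatch import fnmatchcase

SRC = "arn:aws:s3:::DOC-EXAMPLE-BUCKET1"   # bucket names as in the question
DST = "arn:aws:s3:::DOC-EXAMPLE-BUCKET2"
# Constructed placeholders: regions, account ID and key IDs are not from the page.
SRC_KEY = "arn:aws:kms:us-east-1:111122223333:key/SOURCE-KEY-ID"
DST_KEY = "arn:aws:kms:us-west-2:111122223333:key/DEST-KEY-ID"

def stmt(actions, resources):
    return {"Effect": "Allow", "Action": actions, "Resource": resources}

# The role policy posted in the question.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    stmt(["s3:GetReplicationConfiguration", "s3:ListBucket"], [SRC]),
    stmt(["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl",
          "s3:GetObjectVersionTagging"], [SRC + "/*"]),
    stmt(["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"], DST + "/*"),
]}
# Assumed additions for SSE-KMS replication (resource-scoped only, no Condition block).
KMS_STATEMENTS = [stmt(["kms:Decrypt"], [SRC_KEY]), stmt(["kms:Encrypt"], [DST_KEY])]

def required_permissions():
    obj_src, obj_dst = SRC + "/sample-object", DST + "/sample-object"
    return [("s3:GetReplicationConfiguration", SRC), ("s3:ListBucket", SRC),
            ("s3:GetObjectVersionForReplication", obj_src),
            ("s3:GetObjectVersionAcl", obj_src), ("s3:GetObjectVersionTagging", obj_src),
            ("s3:ReplicateObject", obj_dst), ("s3:ReplicateDelete", obj_dst),
            ("s3:ReplicateTags", obj_dst),
            ("kms:Decrypt", SRC_KEY), ("kms:Encrypt", DST_KEY)]

def as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource):
    """True if an Allow statement matches; Deny, NotAction and Condition are not evaluated."""
    for s in as_list(policy["Statement"]):
        if s.get("Effect") != "Allow":
            continue
        if (any(fnmatchcase(action.lower(), a.lower()) for a in as_list(s.get("Action", [])))
                and any(fnmatchcase(resource, r) for r in as_list(s.get("Resource", [])))):
            return True
    return False

def missing_permissions(policy):
    return [(a, r) for a, r in required_permissions() if not allows(policy, a, r)]

def with_kms(policy):
    return {**policy, "Statement": as_list(policy["Statement"]) + KMS_STATEMENTS}

if __name__ == "__main__":
    print("as posted:", missing_permissions(QUESTION_POLICY))
    print("with KMS statements:", missing_permissions(with_kms(QUESTION_POLICY)))
```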

1 Answer

kentrad (AWS, Expert)
Answered 1 year ago
