I have a landing zone architecture.
Account A has the source bucket, which is encrypted with a KMS CMK.
Account B has the destination bucket, which is also encrypted with a KMS CMK (a different key from the one used for account A's bucket).
Both KMS CMKs were created in account C. (Note: the key ARNs in the replication role's IAM policy below name `A-account-id` and `B-account-id` as the key-owning account, which is inconsistent with this; a KMS key ARN must carry the account ID that actually owns the key, so if the keys live in account C those two Resource ARNs will not match the keys S3 tries to use.)
I tried to configure S3 bucket replication from the source bucket to the destination bucket, but it keeps failing.
The configuration is as follows:
1. IAM policy
(1) Account A — replication role (created by the S3 replication configuration; its trust policy allows the S3 service to assume it)
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetReplicationConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionTagging",
"s3:GetObjectRetention",
"s3:GetObjectLegalHold"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::source-bucket-name",
"arn:aws:s3:::source-bucket-name/*",
"arn:aws:s3:::destination-bucket-name",
"arn:aws:s3:::destination-bucket-name/*"
]
},
{
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ReplicateTags",
"s3:ObjectOwnerOverrideToBucketOwner"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::source-bucket-name/*",
"arn:aws:s3:::destination-bucket-name/*"
]
},
{
"Action": [
"kms:Decrypt"
],
"Condition": {
"StringLike": {
"kms:EncryptionContext:aws:s3:arn": [
"arn:aws:s3:::source-bucket-name/*"
],
"kms:ViaService": "s3.ap-northeast-2.amazonaws.com"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:kms:ap-northeast-2:A-account-id:key/source-bucket-encryption-key"
]
},
{
"Action": [
"kms:Encrypt"
],
"Condition": {
"StringLike": {
"kms:EncryptionContext:aws:s3:arn": [
"arn:aws:s3:::destination-bucket-name/*"
],
"kms:ViaService": [
"s3.ap-northeast-2.amazonaws.com"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:kms:ap-northeast-2:B-account-id:key/destination-bucket-encryption-key"
]
}
]
}
(2) Account B: no IAM role
2. S3 bucket policy
(1) Account A (source bucket): no bucket policy
(2) Account B (destination bucket). Note: the object-level statement below grants on `arn:aws:s3:::shbw-an2-sop-log-s3-repl-test/*`, while the bucket-level statements use `destination-bucket-name`; if that is not just a redaction slip, the object permissions are being granted on a different bucket than the one being replicated into.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Set permissions for objects",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::A-account-id:role/service-role/s3crr_role_for_source-bucket-name"
},
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete"
],
"Resource": "arn:aws:s3:::shbw-an2-sop-log-s3-repl-test/*"
},
{
"Sid": "Set permissions on bucket",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::A-account-id:role/service-role/s3crr_role_for_source-bucket-name"
},
"Action": [
"s3:List*",
"s3:GetBucketVersioning",
"s3:PutBucketVersioning"
],
"Resource": "arn:aws:s3:::destination-bucket-name"
},
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::A-account-id:root"
},
"Action": "s3:ObjectOwnerOverrideToBucketOwner",
"Resource": "arn:aws:s3:::destination-bucket-name/*"
}
]
}
3. KMS key policy (the same policy is applied to both the source-bucket key and the destination-bucket key). Caution: granting `kms:*` to the root principals of accounts A, B and C gives every one of those accounts full administrative control of the key (including changing the key policy and scheduling deletion), not just the ability to use it. For cross-account use, the key policy only needs to allow the replication role the actions its identity policy already requests — `kms:Decrypt` on the source key and `kms:Encrypt` on the destination key — and key administration should stay with the owning account C.
{
"Version": "2012-10-17",
"Id": "Key-Policy",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::C-account-id:root", > key owner
"arn:aws:iam::A-account-id:root",
"arn:aws:iam::B-account-id:root"
]
},
"Action": "kms:*",
"Resource": "*"
}
]
}
Please help me get bucket replication working.