what is wrong with this iam role to able to replicate s3 bucket to a remote region's bucket

0

Hello all,

I have the following iam role:

{
	"Statement": [
		{
			"Action": [
				"s3:GetReplicationConfiguration",
				"s3:ListBucket",
				"s3:PutInventoryConfiguration"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3::: sourcebucket"
			]
		},
		{
			"Action": [
				"s3:GetObjectVersion",
				"s3:GetObjectVersionAcl",
				"s3:GetObjectVersionForReplication",
				"s3:GetObjectVersionTagging",
				"s3:PutInventoryConfiguration"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3::: sourcebucket/*"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"s3:GetObject",
				"s3:GetObjectVersion",
				"s3:GetObjectTagging",
				"s3:GetBucketLocation"
			],
			"Resource": [
				"arn:aws:s3:::destinationbucket/*"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"s3:GetObject",
				"s3:GetObjectVersion",
				"s3:GetBucketLocation"
			],
			"Resource": [
				"arn:aws:s3:::reportbucket/*"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"s3:PutObject",
				"s3:GetBucketLocation"
			],
			"Resource": [
				"arn:aws:s3:::reportbucket/*"
			]
		},
		{
			"Sid": "AllowS3ReplicationSourceRoleToUseTheKey",
			"Effect": "Allow",
			"Action": [
				"kms:GenerateDataKey",
				"kms:Encrypt",
				"kms:Decrypt"
			],
			"Resource": "*"
		},
		{
			"Action": [
				"s3:GetBucketVersioning",
				"s3:PutBucketVersioning",
				"s3:ReplicateObject",
				"s3:ReplicateTags",
				"s3:ReplicateDelete",
				"s3:PutObject",
				"s3:PutObjectAcl",
				"s3:PutObjectTagging",
				"s3:ObjectOwnerOverrideToBucketOwner"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::sourcebucket",
				"arn:aws:s3:::destinationbucket",
				"arn:aws:s3:::sourcebucket/*",
				"arn:aws:s3:::destinationbucket/*"
			]
		}
	],
	"Version": "2012-10-17"
}

I have velero backups in region A and I would like to replicate them to Region B. they are encrypted by a multi region kms key. Key exists on both region.

Thanks

已提問 8 個月前檢視次數 260 次
1 個回答
0

Hi Balazs,

Are you using versioning? (If NO, so skip this)

  • Configure versioning on both the source and destination buckets. This is mandatory for S3 replication.

About KMS:

  • Ensure the KMS key policy in both regions allows the necessary operations from the S3 service. The key policy should allow the IAM role and the S3 service itself to perform kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:DescribeKey actions.
{
    "Sid": "AllowS3AndRole",
    "Effect": "Allow",
    "Principal": {
        "Service": "s3.amazonaws.com",
        "AWS": "arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}

In your bucket policy:

  • You might need an S3 bucket policy that grants the source bucket permission to replicate objects to the destination bucket.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StmtAllowReplication",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com",
                "AWS": "arn:aws:iam::ACCOUNT_ID:role/IAMRoleName"
            },
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionForReplication"
            ],
            "Resource": "arn:aws:s3:::destinationbucket/*"
        }
    ]
}

Extra checks:

  • Ensure there are no VPC endpoint policies or service control policies
profile picture
已回答 8 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南