Thursday, April 22, 2021

S3 replication cross region to another account

Preparation

Create the following buckets, one in each AWS account (in different regions, since this is cross-region replication):

  • source: leo-functions
  • destination: leo-functions-rep

Create an IAM role in the source account, named leo-s3-rep, with the two policies below:

Ref AWS Doc

  • a. Trust policy, which identifies the Amazon S3 service principal as the only identity allowed to assume the role.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"s3.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

  • b. Access policy, which grants the role the permissions Amazon S3 needs to perform replication on your behalf. When Amazon S3 assumes the role it has exactly the permissions in this policy, so keep them scoped to the two buckets involved.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetReplicationConfiguration",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::leo-functions"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::leo-functions/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags"
            ],
            "Resource": "arn:aws:s3:::leo-functions-rep/*"
        }
    ]
}

Bucket policy on the destination bucket

This grants the replication role from the source account (arn:aws:iam::SourceBucket-AcctID:role/leo-s3-rep, with SourceBucket-AcctID replaced by the source account ID), and only that role, permission to write replicas into the destination bucket. Without it the role has no access at all to a bucket owned by another account.

AWS DOC

{
    "Version": "2012-10-17",
    "Id": "PolicyForDestinationBucket",
    "Statement": [
        {
            "Sid": "Permissions on objects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::SourceBucket-AcctID:role/leo-s3-rep"
            },
            "Action": [
                "s3:ReplicateDelete",
                "s3:ReplicateObject"
            ],
            "Resource": "arn:aws:s3:::leo-functions-rep/*"
        },
        {
            "Sid": "Permissions on bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::SourceBucket-AcctID:role/leo-s3-rep"
            },
            "Action": [
                "s3:List*",
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning"
            ],
            "Resource": "arn:aws:s3:::leo-functions-rep"
        }
    ]
}

Create replication rule (on the source bucket)

name: rep-to-leo-function-rep

Destination:

  • Account ID: DestinationBucket-AcctID
  • Bucket name: leo-functions-rep
  • Change object ownership to destination bucket owner

IAM role:
leo-s3-rep (the role created above; the rule must reference the same role name the bucket policy trusts)

NOTE:

  • Source and destination buckets must both have versioning enabled.
  • Existing objects in the source bucket are not replicated; only objects written after the rule is saved.
  • "Change object ownership to destination bucket owner" needs one more action, s3:ObjectOwnerOverrideToBucketOwner, granted on arn:aws:s3:::leo-functions-rep/* both in the role's access policy and in the destination bucket policy. The policies above do not include it, so add it before enabling that option.
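The whole procedure above, as one added example in Python (not code from the original post): it builds the trust policy, the role's access policy, the destination bucket policy and the replication configuration from a single set of names, cross-checks them for the mistakes that silently break cross-account replication (role name in the rule not matching the role the bucket policy trusts, owner override enabled without s3:ObjectOwnerOverrideToBucketOwner on both sides), and only then pushes them with boto3. It goes slightly beyond the page by including the owner-override permission. The account IDs are constructed placeholders for SourceBucket-AcctID and DestinationBucket-AcctID, and apply() assumes two boto3 Sessions with rights in the respective accounts.

```python
"""Added example: generate, cross-check and apply the documents for
cross-account S3 replication. Account IDs are constructed placeholders."""
import json

SRC_ACCOUNT = "111111111111"   # constructed placeholder for SourceBucket-AcctID
DST_ACCOUNT = "222222222222"   # constructed placeholder for DestinationBucket-AcctID
SRC_BUCKET, DST_BUCKET = "leo-functions", "leo-functions-rep"
ROLE_NAME, RULE_ID = "leo-s3-rep", "rep-to-leo-function-rep"
OWNER_OVERRIDE = "s3:ObjectOwnerOverrideToBucketOwner"


def role_arn(account, name):
    return f"arn:aws:iam::{account}:role/{name}"


def trust_policy():
    # Only the S3 service principal may assume the replication role.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def role_policy(src, dst, owner_override=True):
    # Access policy attached to the role: read source versions, write replicas.
    dst_actions = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
    if owner_override:                      # needed for "change object ownership"
        dst_actions.append(OWNER_OVERRIDE)
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{src}"},
        {"Effect": "Allow", "Action": ["s3:GetObjectVersionForReplication",
                                       "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"],
         "Resource": f"arn:aws:s3:::{src}/*"},
        {"Effect": "Allow", "Action": dst_actions, "Resource": f"arn:aws:s3:::{dst}/*"}]}


def destination_bucket_policy(arn, dst, owner_override=True):
    # Trusts exactly one principal: the replication role in the source account.
    obj_actions = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
    if owner_override:
        obj_actions.append(OWNER_OVERRIDE)
    return {"Version": "2012-10-17", "Id": "PolicyForDestinationBucket", "Statement": [
        {"Sid": "Permissions on objects", "Effect": "Allow", "Principal": {"AWS": arn},
         "Action": obj_actions, "Resource": f"arn:aws:s3:::{dst}/*"},
        {"Sid": "Permissions on bucket", "Effect": "Allow", "Principal": {"AWS": arn},
         "Action": ["s3:List*", "s3:GetBucketVersioning", "s3:PutBucketVersioning"],
         "Resource": f"arn:aws:s3:::{dst}"}]}


def replication_config(arn, dst_account, dst, rule_id, owner_override=True):
    dest = {"Bucket": f"arn:aws:s3:::{dst}", "Account": dst_account}
    if owner_override:
        dest["AccessControlTranslation"] = {"Owner": "Destination"}
    return {"Role": arn, "Rules": [{"ID": rule_id, "Status": "Enabled", "Priority": 1,
            "Filter": {}, "DeleteMarkerReplication": {"Status": "Disabled"},
            "Destination": dest}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def validate(arn, role_doc, bucket_doc, cfg):
    """Cross-check the documents; returns a list of problems (empty means consistent)."""
    problems = []
    if cfg["Role"] != arn:
        problems.append(f"replication rule uses {cfg['Role']}, expected {arn}")
    for s in bucket_doc["Statement"]:
        if s["Principal"].get("AWS") != arn:
            problems.append(f"bucket policy '{s['Sid']}' trusts {s['Principal']}, not {arn}")
    dest = cfg["Rules"][0]["Destination"]
    dst_objects = dest["Bucket"] + "/*"
    if not any(dst_objects in _as_list(s["Resource"]) for s in bucket_doc["Statement"]):
        problems.append(f"bucket policy has no statement on {dst_objects}")
    if "AccessControlTranslation" in dest:      # owner override must be granted on both sides
        for name, doc in (("role policy", role_doc), ("bucket policy", bucket_doc)):
            if not any(OWNER_OVERRIDE in _as_list(s["Action"])
                       and dst_objects in _as_list(s["Resource"]) for s in doc["Statement"]):
                problems.append(f"{name} lacks {OWNER_OVERRIDE} on {dst_objects}")
    return problems


def apply(src_session, dst_session):
    """Assumed wiring: boto3 Sessions with rights in the source and destination accounts."""
    arn = role_arn(SRC_ACCOUNT, ROLE_NAME)
    iam = src_session.client("iam")
    iam.create_role(RoleName=ROLE_NAME, AssumeRolePolicyDocument=json.dumps(trust_policy()))
    iam.put_role_policy(RoleName=ROLE_NAME, PolicyName="replication",
                        PolicyDocument=json.dumps(role_policy(SRC_BUCKET, DST_BUCKET)))
    for sess, bucket in ((src_session, SRC_BUCKET), (dst_session, DST_BUCKET)):
        sess.client("s3").put_bucket_versioning(   # both buckets need versioning
            Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})
    dst_session.client("s3").put_bucket_policy(
        Bucket=DST_BUCKET, Policy=json.dumps(destination_bucket_policy(arn, DST_BUCKET)))
    src_session.client("s3").put_bucket_replication(
        Bucket=SRC_BUCKET,
        ReplicationConfiguration=replication_config(arn, DST_ACCOUNT, DST_BUCKET, RULE_ID))


if __name__ == "__main__":
    arn = role_arn(SRC_ACCOUNT, ROLE_NAME)
    docs = (role_policy(SRC_BUCKET, DST_BUCKET), destination_bucket_policy(arn, DST_BUCKET),
            replication_config(arn, DST_ACCOUNT, DST_BUCKET, RULE_ID))
    print(json.dumps(docs, indent=2))
    print("problems:", validate(arn, *docs))
```

Run validate() before apply(): a rule that names leo-s3-role while the destination bucket policy trusts leo-s3-rep is reported as a problem instead of surfacing later as replicas stuck in FAILED status.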
