Posted inAWS

Set Up Cross-Account S3 Bucket Replication in AWS

No Comments

AWS S3 is a widely used cloud storage service, and setting up Cross-Account Replication is an essential feature for redundancy, disaster recovery, or compliance. This blog will guide you through the process in simple steps.

What Is Cross-Account S3 Replication?

Cross-Account Replication lets you automatically copy objects from a source bucket in one AWS account to a destination bucket in another AWS account. It’s a great way to ensure your data is safely stored in another account, providing fault tolerance and additional security.

Why Use Cross-Account Replication?

  1. Data Backup: Protects data in case of accidental deletion or corruption.
  2. Compliance: Stores data in separate accounts for regulatory or legal reasons.
  3. Data Sharing: Shares data securely between different teams or organizations.

Prerequisites

Before starting, ensure the following:

  1. A source bucket in Account A and a destination bucket in Account B.
  2. Versioning is enabled for both buckets.
  3. The destination bucket has the necessary permissions.
  4. If you use Object Lock, ensure the feature is enabled on the destination bucket.

Step-by-Step Guide

Step 1: Enable Bucket Versioning

  1. Go to the AWS Management Console.
  2. Navigate to the S3 service and select your source bucket.
  3. Under the Properties tab, enable Versioning.
  4. Repeat these steps for the destination bucket.

Step 2: Set Up IAM Role in the Source Account

  1. Open the IAM Console in Account A (Source Account).
  2. Create a new role and choose S3 as the trusted service.
  3. Add the following trust policy for Amazon S3:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

4. Attach the required permissions to the role. Example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SourceBucketPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectRetention",
        "s3:GetObjectVersionForReplication",
        "s3:ListBucket",
        "s3:GetReplicationConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::SourceBucketName/*",
        "arn:aws:s3:::SourceBucketName"
      ]
    },
    {
      "Sid": "DestinationBucketPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags"
      ],
      "Resource": [
        "arn:aws:s3:::DestinationBucketName/*"
      ]
    }
  ]
}

Step 3: Add Bucket Policy to the Destination Bucket

  1. Open the S3 Console in Account B (Destination Account).
  2. Select the destination bucket and go to the Permissions tab.
  3. Add the following bucket policy to grant the source account permission:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReplicationPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SourceAccountID:role/ReplicationRoleName"
      },
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning"
      ],
      "Resource": [
        "arn:aws:s3:::DestinationBucketName/*",
        "arn:aws:s3:::DestinationBucketName"
      ]
    }
  ]
}

Replace:

  • SourceAccountID with the source account’s ID.
  • ReplicationRoleName with the IAM role name created earlier.
  • DestinationBucketName with the name of your destination bucket.

Step 4: Set Up Replication Rule in the Source Bucket

  1. Open the S3 Console in Account A.
  2. Select the source bucket and navigate to the Management tab.
  3. Click on Replication rules > Create replication rule.
  4. Configure the rule:
    • Rule Name: Enter a meaningful name (e.g., CrossAccountReplication).
    • Destination: Choose Bucket in another account and provide the destination bucket name and account ID.
    • IAM Role: Select the IAM role created earlier.
  5. Review the settings and save the rule.

Step 5: (Optional) If Using AWS KMS Encryption

If the buckets use AWS KMS keys for encryption, ensure proper permissions:

  1. Update the KMS key policy for both accounts to allow access to the replication role. Example for the destination bucket’s KMS key:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReplicationRoleAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SourceAccountID:role/ReplicationRoleName"
      },
      "Action": [
        "kms:Encrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*"
    }
  ]
}

Step 6: Test the Setup

  1. Upload a test object to the source bucket.
  2. Check the destination bucket to ensure the object is replicated.
  3. Verify the replication status in the source bucket’s Management tab.

Common Issues and Tips

  1. Permission Errors: Double-check IAM roles, bucket policies, and KMS key policies.
  2. Replication Delays: Replication is asynchronous, so it might take a few minutes.
  3. Existing Objects Not Replicated: Replication applies only to new objects after the rule is created.

Cross-account S3 replication is a robust solution for ensuring data availability and compliance. By following these steps, you can set it up confidently and securely. If you encounter challenges, AWS documentation and support are always available to help!

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *