Required Information

| Source | Destination |
|---|---|
| Account ID | Account ID |
| Bucket Name | Bucket Name |

Setup

1) Enable Versioning

Ensure versioning is enabled on the source bucket.

aws s3api put-bucket-versioning \
  --bucket <SOURCE BUCKET NAME> \
  --versioning-configuration Status=Enabled

2) Create Role & Permissions

Save the following file locally as: `S3-role-trust-policy.json`. This is your trust policy template.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"s3.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

Create Role and apply trust policy template.

aws iam create-role \
  --role-name Source_Replication_Role \
  --assume-role-policy-document file://S3-role-trust-policy.json

โš ๏ธ Grab that ARN from the newly created role. you will need it later.


The following step creates the permissions policy `Source_Replication_Role_Policy`, which you will attach to the `Source_Replication_Role` role you just created.

Save the following file as: `S3-role-permissions-policy.json`

This is the policy you will bind to the role. It lets the role read object versions, ACLs and tags from the source bucket and write replicas into the destination bucket:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetObjectVersionForReplication",
            "s3:GetObjectVersionAcl",
            "s3:GetObjectVersionTagging"
         ],
         "Resource":[
            "arn:aws:s3:::<SOURCE BUCKET NAME>/*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetReplicationConfiguration"
         ],
         "Resource":[
            "arn:aws:s3:::<SOURCE BUCKET NAME>"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ReplicateObject",
            "s3:ReplicateDelete",
            "s3:ReplicateTags",
            "s3:PutBucketVersioning",
            "s3:ObjectOwnerOverrideToBucketOwner"
         ],
         "Resource":[
            "arn:aws:s3:::<DESTINATION BUCKET NAME>",
            "arn:aws:s3:::<DESTINATION BUCKET NAME>/*"
         ]
      }
   ]
}

Now bind the policy to the new role:

aws iam put-role-policy \
  --role-name Source_Replication_Role \
  --policy-document file://S3-role-permissions-policy.json \
  --policy-name Source_Replication_Role_Policy

3) Add Replication to the bucket

Save the following file as: `replication.json`. This enables replication on the bucket, provided the role and policies from step 2 are in place:

โš ๏ธ Update the Role with the ARN of the role you created before this.

{
  "Role": "arn:aws:iam::<SOURCE ACCOUNT ID>:role/<SOURCE ACCOUNT ROLE>",
  "Rules": [
    {
      "Status": "Enabled",
      "Priority": 1,
      "DeleteMarkerReplication": { "Status": "Disabled" },
      "Filter": {},
      "Destination": {
        "Bucket": "arn:aws:s3:::<DESTINATION BUCKET NAME>"
      }
    }
  ]
}

Run the following command to add the replication configuration to your source bucket. Be sure to supply the source bucket name.

aws s3api put-bucket-replication \
--replication-configuration file://replication.json \
--bucket <SOURCE BUCKET NAME>

Verify replication settings:

aws s3api get-bucket-replication \
--bucket <SOURCE BUCKET NAME>

There you have it. Once you have verified that replication is in place, PUT a file in your source bucket and check that it replicates to your destination bucket.
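As an added check that is not part of this tutorial, the Python script below validates the three JSON files from steps 2 and 3 offline, before you run the `aws` commands. It catches the mistakes that most often make `put-bucket-replication` fail or leave replication silently stalled: a trailing comma (the CLI rejects the file outright), `Priority` written as a string instead of an integer, a missing `DeleteMarkerReplication` when `Filter` is present, a role ARN from the wrong account, and `s3:Replicate*` permissions granted on the source bucket rather than the destination. The account ID and bucket names are constructed sample values, and `load_json`, the `check_*` functions and `run_checks` are names chosen for this example. One caveat the script cannot check: because the two buckets live in different accounts, the destination account must also allow the source role the same `s3:Replicate*` actions in the destination bucket's own bucket policy; that is the destination account's step and is not shown in the tutorial.

```python
# Added example, not from the tutorial: offline checks for the three JSON files above.
import json
import re

# Constructed sample values; substitute the ones from "Required Information".
SOURCE_ACCOUNT = "111111111111"
SOURCE_BUCKET = "example-source-bucket"
DESTINATION_BUCKET = "example-destination-bucket"

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
BUCKET_ARN_RE = re.compile(r"^arn:aws:s3:::([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])$")
# Actions that write into the destination; granting them on the source bucket is a common mistake.
WRITE_ACTIONS = {"s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"}

def as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def load_json(text):
    """Return (document, problems); a trailing comma is the usual reason this fails."""
    try:
        return json.loads(text), []
    except json.JSONDecodeError as err:
        return None, [f"invalid JSON: {err.msg} at line {err.lineno}"]

def check_trust_policy(doc):
    """The role must be assumable by the S3 service principal."""
    for stmt in doc.get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in as_list(stmt.get("Action", []))
                and stmt.get("Principal", {}).get("Service") == "s3.amazonaws.com"):
            return []
    return ["trust policy does not allow s3.amazonaws.com to call sts:AssumeRole"]

def check_permissions_policy(doc, destination_bucket):
    """Replicate* actions must be granted on the destination bucket's objects."""
    wanted = f"arn:aws:s3:::{destination_bucket}/*"
    problems = []
    for stmt in doc.get("Statement", []):
        if (set(as_list(stmt.get("Action", []))) & WRITE_ACTIONS
                and wanted not in as_list(stmt.get("Resource", []))):
            problems.append(f"replicate actions are not granted on {wanted}")
    return problems

def check_replication_config(doc, source_account, destination_bucket):
    """Shape problems that put-bucket-replication rejects or that stall replication."""
    problems = []
    match = ROLE_ARN_RE.match(doc.get("Role", ""))
    if match is None:
        problems.append("Role is not an IAM role ARN")
    elif match.group(1) != source_account:
        problems.append(f"Role is in account {match.group(1)}, expected {source_account}")
    for rule in doc.get("Rules", []):
        if "Filter" in rule:
            # With a Filter, S3 requires an integer Priority and an explicit DeleteMarkerReplication.
            priority = rule.get("Priority")
            if not isinstance(priority, int) or isinstance(priority, bool):
                problems.append("Priority must be an integer, not a string, when Filter is set")
            if "DeleteMarkerReplication" not in rule:
                problems.append("DeleteMarkerReplication is required when Filter is set")
        dest = BUCKET_ARN_RE.match(rule.get("Destination", {}).get("Bucket", ""))
        if dest is None or dest.group(1) != destination_bucket:
            problems.append(f"Destination.Bucket must be arn:aws:s3:::{destination_bucket}")
    return problems

# Constructed inputs: replication.json as it is often mistyped (string Priority,
# trailing commas), then documents mirroring the corrected files above.
MISTYPED_REPLICATION_TEXT = """{
  "Role": "arn:aws:iam::111111111111:role/Source_Replication_Role",
  "Rules": [{"Status": "Enabled", "Priority": "1", "Filter": {},
             "Destination": {"Bucket": "arn:aws:s3:::example-destination-bucket",},}]
}"""
GOOD_REPLICATION = {
    "Role": f"arn:aws:iam::{SOURCE_ACCOUNT}:role/Source_Replication_Role",
    "Rules": [{"Status": "Enabled", "Priority": 1, "Filter": {},
               "DeleteMarkerReplication": {"Status": "Disabled"},
               "Destination": {"Bucket": f"arn:aws:s3:::{DESTINATION_BUCKET}"}}],
}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
SOURCE_ONLY_PERMISSIONS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                           "Action": sorted(WRITE_ACTIONS), "Resource": f"arn:aws:s3:::{SOURCE_BUCKET}/*"}]}

def run_checks():
    """Run every check over the constructed inputs and return {name: problems}."""
    doc, problems = load_json(MISTYPED_REPLICATION_TEXT)
    if doc is not None:
        problems = check_replication_config(doc, SOURCE_ACCOUNT, DESTINATION_BUCKET)
    return {
        "replication.json (mistyped)": problems,
        "replication.json (fixed)": check_replication_config(GOOD_REPLICATION, SOURCE_ACCOUNT, DESTINATION_BUCKET),
        "S3-role-trust-policy.json": check_trust_policy(TRUST_POLICY),
        "S3-role-permissions-policy.json (source only)": check_permissions_policy(SOURCE_ONLY_PERMISSIONS, DESTINATION_BUCKET),
    }

if __name__ == "__main__":
    for name, found in run_checks().items():
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

To check your own files instead of the constructed samples, read each one with `open(...).read()`, pass it through `load_json`, and hand the parsed document to the matching `check_*` function with the account ID and bucket names from the Required Information table; an empty list means that file passed.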

Thank you for following my tutorial.