How do I set up cross-account, cross-Region, AWS KMS-encrypted replication for my Amazon S3 bucket?

5 minute read
1

I have an Amazon Simple Storage Service (Amazon S3) bucket with AWS Key Management Service (AWS KMS) encryption. I want to set up replication across multiple AWS Regions and accounts for objects in my bucket.

Short description

To replicate objects from a source bucket that's encrypted with AWS KMS, you must use AWS KMS encryption in the destination bucket. However, the two buckets can have different AWS KMS keys. If you have an AWS KMS-encrypted source bucket, then you can't use a different encryption method for the objects in the destination bucket.

Also, the AWS KMS key for your destination bucket must be in the same Region as the destination bucket.

Note: If your source bucket and destination bucket are in different Regions, then they must have different AWS KMS keys.

Create an S3 bucket for your destination

Create a new destination S3 bucket in the same Region as your AWS KMS key.

When you create the bucket, turn on versioning. This is a requirement for Amazon S3 replication.

Note: It's a best practice to use the new AWS KMS key as your default encryption so that the bucket uses only one AWS KMS key.

To reduce encryption costs, activate S3 Bucket Keys on your S3 bucket.

(Optional) Edit the permissions of the replication IAM role

When you create the replication rule, you can also create an AWS Identity and Access Management (IAM) role. The IAM role must allow Amazon S3 to get, replicate, encrypt, and decrypt objects. Before you move objects to another Region, you must include permissions to decrypt the objects. Then, encrypt the objects in the destination. Make sure that the IAM role has following trust relationship and permissions:

Note: The following permissions apply to buckets that have existing replication rules.

  1. Confirm that your role has the following trust relationship with Amazon S3:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "s3.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  2. Confirm that the IAM role has the following permissions. This allows the role to access objects in the source bucket, and replicate objects to the destination bucket. It also allows the role to decrypt and encrypt objects with the AWS KMS keys:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SourceBucketPermissions",
          "Effect": "Allow",
          "Action": [
            "s3:GetObjectVersionTagging",
            "s3:GetObjectVersionAcl",
            "s3:ListBucket",
            "s3:GetObjectVersionForReplication",
            "s3:GetReplicationConfiguration"
          ],
          "Resource": [
            "arn:aws:s3:::SourceBucketName/*",
            "arn:aws:s3:::SourceBucketName"
          ]
        },
        {
          "Sid": "DestinationBucketPermissions",
          "Effect": "Allow",
          "Action": [
            "s3:ReplicateObject",
            "s3:ObjectOwnerOverrideToBucketOwner",
            "s3:GetObjectVersionTagging",
            "s3:ReplicateTags",
            "s3:ReplicateDelete"
          ],
          "Resource": [
            "arn:aws:s3:::DestinationBucketName/*"
          ]
        },
        {
          "Sid": "SourceBucketKMSKey",
          "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Effect": "Allow",
          "Resource": "SourceBucketKMSKeyARN"
        },
        {
          "Sid": "DestinationBucketKMSKey",
          "Action": [
            "kms:Encrypt",
            "kms:GenerateDataKey"
          ],
          "Effect": "Allow",
          "Resource": "DestinationBucketKMSKeyARN"
        }
      ]
    }

Note:

  • Replace SourceBucketName with the name of your source bucket.
  • Replace DestinationBucketName with the name of your destination bucket.
  • Replace SourceBucketKMSKeyARN with the ARN of your source bucket's AWS KMS key.
  • Replace DestinationBucketKMSKeyARN with the ARN of your destination bucket's AWS KMS key.

Update the AWS KMS policy to allow the IAM role to use both keys in source and destination buckets

Change the AWS KMS policy to authorize the IAM role to use both AWS KMS keys in the source and destination buckets.

For cross-account replication, both the AWS KMS key policy and IAM role policy must have encrypt and decrypt permissions.

Change the destination bucket's policy to allow replication to the bucket

Change the destination bucket's policy to the following template:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DestinationBucketPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNTNUMBER:role/IAMROLE"
      },
      "Action": [
        "s3:ReplicateObject",
        "s3:ObjectOwnerOverrideToBucketOwner",
        "s3:GetObjectVersionTagging",
        "s3:ReplicateTags",
        "s3:ReplicateDelete"
      ],
      "Resource": [
        "arn:aws:s3:::DestinationBucketName/*"
      ]
    }]
}

Note: Replace AccountNumber with your source-bucket account number. Replace IAMRole with the IAM role that you're using. Replace DestinationBucketName with the name of your destination bucket.

Set up the replication rule

  1. Open the Amazon S3 console.
  2. Choose Buckets, and then select your source bucket.
  3. Choose the Management tab. Under Replication rules, choose Create replication rule.
  4. Enter a name for the rule. Under Source bucket, choose a rule scope to determine if replication applies to a specific object prefix or the bucket's entire contents.
  5. Under Destination section, select the destination bucket for the replicated objects.
  6. Under IAM role, choose Choose from existing IAM roles.
  7. Choose Create new role.
    - or -
    To use a role that you already created, enter the IAM role's ARN. If you have existing replication rules, then use this method.
  8. Under Encryption, select Replicate objects encrypted with AWS Key Management Service (AWS KMS). Then, enter your AWS KMS key's ARN.
  9. (Optional) Configure the Destination storage class and Additional replication options.
  10. Review the configuration, and then choose Save.
  11. (Optional) Replicate existing objects with a one-time S3 batch operations job.

Verify your replication

When you create the replication rule, you allow seamless replication of newly added objects from the source to the destination bucket. To test your replication, complete the following steps:

  1. Upload a new object to the source bucket.
  2. View the object overview, and then check the object's replication status.
  3. If replication is successful, then you see a COMPLETED status.

Related information

Replicating objects created with server-side encryption (SSE-C, SSE-S3, SSE-KMS)

AWS OFFICIAL
AWS OFFICIALUpdated 3 months ago
3 Comments

This article is absolutely fantastic! It not only provides a detailed explanation of how to set up cross-account, cross-Region AWS KMS-encrypted replication in an Amazon S3 bucket but also offers easy-to-follow steps that make this complex process seem super simple. I particularly appreciate its emphasis on best practices, such as using the new AWS KMS key as the default encryption and enabling versioning on the destination bucket. The IAM role permissions section is explained very clearly, giving me confidence that I have the right permissions. The coverage of updating the AWS KMS policy and testing methods is also very practical. I truly feel empowered to set up this replication with confidence! Many thanks to this article for being a tremendous help! 👍👏

replied 3 months ago

Helpful article

AWS
replied 3 months ago

Liked this article!

Spencer
replied 3 months ago