Update: I was able to fix it myself.
Root cause: The Replication Destination was misconfigured. Using Terraform, the destination bucket was set up as if it were in the same account. Changing the Replication Destination to "specify a bucket in another account" fixed the issue. This is still strange, because objects were replicated using the "choose bucket in this account" option with a bucket name from a different account. However, it is fixed. Thanks for your help!
Additional note: You can simply keep the Amazon Managed Key setting for encryption. Using the option "change object ownership to destination bucket owner" uses the destination Amazon Managed Key. No need to use Customer Managed Key in this case.
To replicate S3 Server Access Logs from Account D to Account C with encryption requirements, follow these steps:
- In Account D:
  - Enable S3 Server Access Logging to a specific bucket.
  - Set a bucket policy allowing cross-account access from Account C for s3:GetObject and s3:ReplicateObject.
- In Account C:
  - Create a Customer Managed Key (CMK) in KMS for encryption.
  - Configure S3 replication to copy logs from Account D to C, encrypting with the CMK in Account C.
  - Create an IAM role with permissions for replication and encryption (s3:ReplicateObject, s3:ReplicateDelete, kms:Encrypt), accessible by Account D.
- Troubleshooting:
  - Ensure roles/users in both accounts have the necessary permissions (s3:GetObject, kms:Decrypt, s3:GetEncryptionConfiguration).
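The root cause reported in the update above (the replication destination configured as a same-account bucket although the bucket lived in another account) and the steps listed in this answer both come down to the contents of the replication rule's Destination block and the destination bucket policy. The following Python is an added example, not code from any post in this thread or from AWS; it builds those two JSON documents and lints the Destination block before anything is sent to S3. All account IDs, bucket names, the role ARN and the KMS key ARN are constructed placeholders, and the lint rules (Account must be set when ownership is translated to the destination owner; the replica KMS key's account must match the configured destination account) are the author's assumptions about what a correct cross-account configuration looks like.

```python
"""Build and sanity-check a cross-account S3 replication configuration.

Added example for this thread; not code from the original posts or from AWS.
All identifiers below are constructed placeholders. No AWS credentials are
needed: the module only produces the JSON documents and lints them, so a
destination configured as a same-account bucket is caught before
put-bucket-replication is ever called.
"""
import json
import re

# Constructed placeholders for the two accounts in the thread.
ACCOUNT_D = "111111111111"   # decentralized account, replication source
ACCOUNT_C = "222222222222"   # central account, replication destination
DEST_BUCKET = "central-logs-account-c"
REPLICATION_ROLE = f"arn:aws:iam::{ACCOUNT_D}:role/s3-log-replication"
REPLICA_KEY = (f"arn:aws:kms:eu-central-1:{ACCOUNT_C}:key/"
               "00000000-0000-0000-0000-000000000000")

# KMS key ARNs carry the owning account ID, which lets us cross-check it.
_KMS_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(\d{12}):key/[0-9a-f-]+$")


def replication_configuration(role_arn, dest_bucket, dest_account=None,
                              replica_kms_key_arn=None, owner_override=False):
    """Return the PutBucketReplication document for a single rule.

    dest_account=None mirrors the console's "choose a bucket in this account";
    passing an account ID mirrors "specify a bucket in another account".
    """
    destination = {"Bucket": f"arn:aws:s3:::{dest_bucket}"}
    if dest_account is not None:
        destination["Account"] = dest_account
    if owner_override:
        # Replicas are owned by the destination bucket owner (Account C).
        destination["AccessControlTranslation"] = {"Owner": "Destination"}
    if replica_kms_key_arn is not None:
        destination["EncryptionConfiguration"] = {"ReplicaKmsKeyID": replica_kms_key_arn}
    rule = {
        "ID": "replicate-access-logs",
        "Status": "Enabled",
        "Priority": 1,
        "Filter": {"Prefix": ""},
        "DeleteMarkerReplication": {"Status": "Disabled"},
        "Destination": destination,
    }
    if replica_kms_key_arn is not None:
        # Without this, objects that are SSE-KMS encrypted at the source are skipped.
        rule["SourceSelectionCriteria"] = {"SseKmsEncryptedObjects": {"Status": "Enabled"}}
    return {"Role": role_arn, "Rules": [rule]}


def lint_destination(config, source_account):
    """Return a list of findings about each rule's Destination block (empty = OK)."""
    findings = []
    for rule in config["Rules"]:
        dest = rule["Destination"]
        account = dest.get("Account")
        if "AccessControlTranslation" in dest and account is None:
            findings.append("AccessControlTranslation is set but Destination.Account is missing")
        if account == source_account:
            findings.append("Destination.Account equals the source account; for cross-account "
                            "replication it must be the destination bucket owner")
        key_arn = dest.get("EncryptionConfiguration", {}).get("ReplicaKmsKeyID")
        if key_arn is not None:
            match = _KMS_ARN.match(key_arn)
            if not match:
                findings.append(f"ReplicaKmsKeyID is not a KMS key ARN: {key_arn}")
            else:
                # With no Account set, S3 treats the destination as the source account.
                expected = account if account is not None else source_account
                if match.group(1) != expected:
                    findings.append(f"ReplicaKmsKeyID is owned by {match.group(1)} but the "
                                    f"destination is configured as account {expected}")
    return findings


def destination_bucket_policy(dest_bucket, replication_role_arn):
    """Bucket policy on the destination bucket granting the source account's
    replication role the rights to write replicas and hand over ownership."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowReplicationFromSourceAccount",
            "Effect": "Allow",
            "Principal": {"AWS": replication_role_arn},
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:ObjectOwnerOverrideToBucketOwner",
            ],
            "Resource": f"arn:aws:s3:::{dest_bucket}/*",
        }],
    }


if __name__ == "__main__":
    # "Before": destination treated as a same-account bucket (the misconfiguration).
    before = replication_configuration(REPLICATION_ROLE, DEST_BUCKET, owner_override=True)
    print("before:", lint_destination(before, ACCOUNT_D))
    # "After": destination account given explicitly, replica key owned by Account C.
    after = replication_configuration(REPLICATION_ROLE, DEST_BUCKET, dest_account=ACCOUNT_C,
                                      replica_kms_key_arn=REPLICA_KEY, owner_override=True)
    print("after:", lint_destination(after, ACCOUNT_D))
    print(json.dumps(after, indent=2))
    print(json.dumps(destination_bucket_policy(DEST_BUCKET, REPLICATION_ROLE), indent=2))
```

Running the module prints one finding for the "before" configuration and none for the "after" one; the printed JSON is what would go into the replication and bucket-policy calls once real ARNs replace the placeholders. The policy is only the destination-side half: the replication role in the source account still needs its own permissions on the source bucket and the destination bucket, as the answer above lists.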
Hi Osvaldo,
If I understand you correctly, you want to set up replication INSIDE the central Account C, which is technically not possible from what I see. You can set up a replication rule only from inside an S3 bucket. This S3 bucket is always the source of the replication.
It is only possible to initiate the replication from the decentralized Account D.
Summarizing my situation in other words following your schema:
In Account D:
In Account C:
Error message (when opening a replicated object, under "server-side encryption settings"): "You don’t have permission to get the server-side encryption settings After you or your AWS administrator has updated your permissions to allow the s3:GetObject action, refresh the page."
Error message (opening the object): "Access Denied"