S3 Cross Region Replication



I am trying to replicate the objects of an S3 bucket cross region from source to destination bucket within the same account. The buckets are encrypted with customer managed KMS keys and the versioning is Enabled for both the buckets. I have created the S3 service role with trust relationship to s3.amazonaws.com endpoint and attached the following policy to it

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:GetReplicationConfiguration", "s3:ListBucket" ], "Resource":[ "arn:aws:s3:::DOC-EXAMPLE-BUCKET1" ] }, { "Effect":"Allow", "Action":[ "s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging" ], "Resource":[ "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*" ] }, { "Effect":"Allow", "Action":[ "s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags" ], "Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*" } ] }

following the documentation https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html

However it has not been mentioned if I need to update the KMS key policy either for source bucket or destination bucket. Please let me know.

  • you need to update the KMS key policy for source bucket so that source bucket will allow access for destination bucket.

1 Answer
profile pictureAWS
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions