Hello Andre. In my opinion you can do two other things: Tagging Objects: Tag all the objects in the source bucket with metadata indicating whether they should be replicated or not. For example, you can tag CloudTrail logs with a tag like "Replicate: Yes" and Config logs with "Replicate: No."
IAM Policy for Replication: Create an IAM policy for the IAM role used by S3 replication that allows replicating objects based on their tags. This policy should use the s3:ReplicateTags condition key. Example IAM Policy for Replication Role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ReplicateObject",
      "Resource": "arn:aws:s3:::destination-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/Replicate": "Yes"
        }
      }
    }
  ]
}
Best regards, Andrii
I took Andrii's comment as input to search for a tagging automation solution and we found a good starting point (if you are interested, search for "greg heywood tagging automation"). We adjusted his Lambda script to tag the Config objects only and exclude the CloudTrail logs. With tagged Config logs we can now use S3 replication based on tags.
An out-of-the-box solution to exclude prefixes would have been preferred, but this one is working too.
I need to withdraw my comment - it does not work after testing.
In addition, I found AWS documentation mentioning that tagging objects after creation is not a valid option for S3 replication ("you must assign the specific tag key and value at the time of creating the object for Amazon S3 to replicate the object. If you first create an object and then add the tag to the existing object, Amazon S3 does not replicate the object.")
Happy for any additional input.
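To make the tag-based rule from the answer above and the creation-time caveat concrete, here is a small model (added here, not code from the thread or from AWS) of how an S3 replication rule set selects objects: tag conditions are evaluated against the tags present when the object was written, and rules can only include, so the prefix variant needs one rule per prefix. Account id, key paths and rule IDs are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class S3Object:
    """Constructed sample object: tags present when written vs. tags present now."""
    key: str
    tags_at_creation: dict = field(default_factory=dict)
    tags_now: dict = field(default_factory=dict)

def rule_matches(rule_filter: dict, obj: S3Object) -> bool:
    """Evaluate one replication rule Filter (Prefix, Tag, or And of both).
    Tags are read from tags_at_creation: S3 decides replication when the
    object is written, so a tag added afterwards (tags_now) never counts."""
    if "And" in rule_filter:
        a = rule_filter["And"]
        return obj.key.startswith(a.get("Prefix", "")) and all(
            obj.tags_at_creation.get(t["Key"]) == t["Value"] for t in a.get("Tags", []))
    if "Tag" in rule_filter:
        t = rule_filter["Tag"]
        return obj.tags_at_creation.get(t["Key"]) == t["Value"]
    return obj.key.startswith(rule_filter.get("Prefix", ""))  # empty filter: whole bucket

def replicated_keys(rules: list, objects: list) -> list:
    """Keys that at least one Enabled rule would replicate (there are no exclusion rules)."""
    enabled = [r["Filter"] for r in rules if r["Status"] == "Enabled"]
    return [o.key for o in objects if any(rule_matches(f, o) for f in enabled)]

# Tag-based rule as in the answer above (Replicate=Yes).
TAG_RULES = [{"ID": "config-only", "Status": "Enabled", "Priority": 1,
              "Filter": {"Tag": {"Key": "Replicate", "Value": "Yes"}}}]
# Prefix-based alternative: one include rule per prefix, since a rule cannot exclude.
PREFIX_RULES = [{"ID": "config-prefix", "Status": "Enabled", "Priority": 1,
                 "Filter": {"Prefix": "AWSLogs/111111111111/Config/"}}]

# Constructed sample objects; account id and paths are placeholders.
SAMPLE_OBJECTS = [
    S3Object("AWSLogs/111111111111/Config/cfg-1.json.gz", {"Replicate": "Yes"}, {"Replicate": "Yes"}),
    S3Object("AWSLogs/111111111111/Config/cfg-2.json.gz", {}, {"Replicate": "Yes"}),  # tagged later by Lambda
    S3Object("AWSLogs/111111111111/CloudTrail/trail-1.json.gz", {}, {}),
]

if __name__ == "__main__":
    print(replicated_keys(TAG_RULES, SAMPLE_OBJECTS))     # only cfg-1: cfg-2 was tagged too late
    print(replicated_keys(PREFIX_RULES, SAMPLE_OBJECTS))  # cfg-1 and cfg-2, CloudTrail left out
```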
Just an update on this topic: I did lots of investigation and the request is simply not possible in AWS at this time. What did we do? We disabled default CloudTrail from AWS Control Tower and configured our own Organizational Trail.
Hi Andrii, as this would help for a one-time replication, I am rather looking for ongoing replication. Unfortunately I do not find an option in Control Tower for CloudTrail or Config to tag all created objects with a specific key-value pair - ongoing, also for each newly created log. So I guess it would be no out-of-the-box solution but requires tinkering from my side. This would be fine if nothing else exists, but I am rather looking for a "managed" solution if one exists.
Keen to understand whether I missed an option for Config or CloudTrail.
Hi Andrii, see my comment below. Thanks for your input and thumbs up!