aws/s3
Creating a cross-account S3 object replication rule and running it with an S3 Batch Replication job
gepp
2022. 12. 5. 14:38
First, create an IAM role in source account A with the trust relationship and permissions below. S3 Batch Operations assumes the role to run the job and S3 replication assumes it to copy the objects, so both services must be trusted principals.
Trust relationships
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "s3.amazonaws.com",
          "batchoperations.s3.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
IAM Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetReplicationConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::source-bucket-A",
        "arn:aws:s3:::source-bucket-A/*",
        "arn:aws:s3:::destination-bucket-B",
        "arn:aws:s3:::destination-bucket-B/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::source-bucket-A/*",
        "arn:aws:s3:::destination-bucket-B/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:InitiateReplication",
        "s3:GetReplicationConfiguration",
        "s3:PutInventoryConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::source-bucket-A",
        "arn:aws:s3:::source-bucket-A/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::source-bucket-A/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "arn:aws:kms:ap-northeast-2:[Source A Account ID]:key/[keystrings]"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Encrypt"
      ],
      "Resource": [
        "arn:aws:kms:ap-northeast-2:[Destination B Account ID]:key/[keystrings]"
      ]
    }
  ]
}
Which KMS actions the role needs depends on how the two buckets are encrypted: kms:Decrypt on the key in account A to read SSE-KMS source objects, and kms:Encrypt and kms:GenerateDataKey on the key in account B to write the replicas. The s3:PutInventoryConfiguration and s3:PutObject grants on source-bucket-A are for the manifest and the completion report that Batch Replication writes back into the source bucket.
Because the replicas must change owner and be re-encrypted, the replication rule under Management on source bucket A was created with the following settings:
Object ownership: Transfer to destination bucket owner
AWS KMS key for encrypting destination objects: the ARN of the KMS key in destination account B
With the role and these settings in place, the batch job completes. An AccessDenied on the replica write or on the destination key means one of the policies on this page is missing an action: the role's IAM policy, the destination bucket policy and the destination key policy all have to allow the cross-account part.
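The rule and the job above were configured in the console. As an added example that is not part of the original post, here is the same configuration expressed as the request bodies that boto3's s3.put_bucket_replication and s3control.create_job take, plus a check for two constraints S3 enforces on the rule that are easy to miss when it is written by hand. The account IDs, role name, key ID and prefixes are assumptions, and the example assumes source objects are SSE-KMS encrypted (which is why the role above needs kms:Decrypt on the account A key).

```python
"""Replication rule + Batch Replication job for the cross-account setup described
above, as boto3 request bodies. Account IDs, role name, key ID and prefixes below are
constructed placeholders, not values from the original post."""
import json

SRC_ACCOUNT, DST_ACCOUNT = "111111111111", "222222222222"                   # constructed
ROLE_ARN = f"arn:aws:iam::{SRC_ACCOUNT}:role/s3-batch-replication"         # constructed
DST_KEY_ARN = f"arn:aws:kms:ap-northeast-2:{DST_ACCOUNT}:key/1111aaaa-dst"  # constructed


def build_replication_configuration(role_arn, dst_bucket, dst_account, dst_key_arn, prefix=""):
    """The rule as s3.put_bucket_replication wants it. The console setting 'Object
    ownership: Transfer to destination bucket owner' is AccessControlTranslation
    Owner=Destination; 'AWS KMS key for encrypting destination objects' is
    EncryptionConfiguration.ReplicaKmsKeyID."""
    return {
        "Role": role_arn,
        "Rules": [{
            "ID": "to-account-B",
            "Priority": 1,
            "Status": "Enabled",
            "Filter": {"Prefix": prefix},
            "DeleteMarkerReplication": {"Status": "Disabled"},
            # without this, objects that are SSE-KMS encrypted in the source are skipped
            "SourceSelectionCriteria": {"SseKmsEncryptedObjects": {"Status": "Enabled"}},
            "Destination": {
                "Bucket": f"arn:aws:s3:::{dst_bucket}",
                "Account": dst_account,
                "AccessControlTranslation": {"Owner": "Destination"},
                "EncryptionConfiguration": {"ReplicaKmsKeyID": dst_key_arn},
            },
        }],
    }


def validate_replication_configuration(cfg):
    """Two constraints S3 rejects at PutBucketReplication time: owner translation needs
    the destination account ID, and SSE-KMS source selection needs a replica key."""
    problems = []
    for rule in cfg["Rules"]:
        dst = rule["Destination"]
        if "AccessControlTranslation" in dst and "Account" not in dst:
            problems.append(f"{rule['ID']}: AccessControlTranslation requires Destination.Account")
        sse = rule.get("SourceSelectionCriteria", {}).get("SseKmsEncryptedObjects", {})
        if sse.get("Status") == "Enabled" and not dst.get("EncryptionConfiguration", {}).get("ReplicaKmsKeyID"):
            problems.append(f"{rule['ID']}: SseKmsEncryptedObjects requires EncryptionConfiguration.ReplicaKmsKeyID")
    return problems


def build_batch_replication_job(src_account, src_bucket, role_arn, prefix="batch-replication/"):
    """s3control.create_job request: S3ReplicateObject over a manifest that S3 generates
    from the source bucket. Manifest and completion report are written back into the
    source bucket, which is what the role's s3:PutInventoryConfiguration and
    s3:PutObject grants on source-bucket-A are for."""
    src_arn = f"arn:aws:s3:::{src_bucket}"
    return {
        "AccountId": src_account,
        "ConfirmationRequired": False,
        "Operation": {"S3ReplicateObject": {}},
        "Report": {"Bucket": src_arn, "Prefix": prefix + "report/", "Enabled": True,
                   "Format": "Report_CSV_20180820", "ReportScope": "FailedTasksOnly"},
        "Priority": 10,
        "RoleArn": role_arn,
        "ManifestGenerator": {"S3JobManifestGenerator": {
            "ExpectedBucketOwner": src_account,
            "SourceBucket": src_arn,
            "EnableManifestOutput": True,
            "ManifestOutputLocation": {
                "ExpectedManifestBucketOwner": src_account, "Bucket": src_arn,
                "ManifestPrefix": prefix + "manifest/",
                "ManifestFormat": "S3InventoryReport_CSV_20211130"},
            # only objects the rule applies to that have not been replicated yet
            "Filter": {"EligibleForReplication": True,
                       "ObjectReplicationStatuses": ["NONE", "FAILED"]},
        }},
    }


def apply(src_bucket, cfg, job):
    """Sends both requests with credentials from account A. Needs boto3 and network,
    so it is not exercised offline."""
    import boto3
    boto3.client("s3").put_bucket_replication(Bucket=src_bucket, ReplicationConfiguration=cfg)
    return boto3.client("s3control").create_job(**job)["JobId"]


if __name__ == "__main__":
    cfg = build_replication_configuration(ROLE_ARN, "destination-bucket-B", DST_ACCOUNT, DST_KEY_ARN)
    assert not validate_replication_configuration(cfg)
    print(json.dumps(cfg, indent=2))
    print(json.dumps(build_batch_replication_job(SRC_ACCOUNT, "source-bucket-A", ROLE_ARN), indent=2))
```

The job filter asks for objects with replication status NONE or FAILED, which is the set a one-off Batch Replication run normally exists to catch up: objects that predate the rule and objects whose earlier replication attempt failed.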
For account B to accept the replicas, the destination bucket policy must grant the replication actions to the source account. The statement below is in the form the S3 console generates for this purpose (the DO-NOT-MODIFY Sid). It delegates to the whole source account, so any principal in A whose IAM policy allows these actions can write to the bucket; a hand-written version can name the replication role's ARN as the Principal instead.
{
  "Sid": "S3PolicyStmt-DO-NOT-MODIFY-1670218832531",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::[Source A Account ID]:root"
  },
  "Action": [
    "s3:GetBucketVersioning",
    "s3:PutBucketVersioning",
    "s3:ReplicateObject",
    "s3:ReplicateDelete"
  ],
  "Resource": [
    "arn:aws:s3:::destination-bucket-B",
    "arn:aws:s3:::destination-bucket-B/*"
  ]
}
The same statement with s3:ObjectOwnerOverrideToBucketOwner added, which the "Transfer to destination bucket owner" setting requires:
{
  "Sid": "S3PolicyStmt-DO-NOT-MODIFY-1670219041656",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::[Source A Account ID]:root"
  },
  "Action": [
    "s3:GetBucketVersioning",
    "s3:PutBucketVersioning",
    "s3:ReplicateObject",
    "s3:ReplicateDelete",
    "s3:ObjectOwnerOverrideToBucketOwner"
  ],
  "Resource": [
    "arn:aws:s3:::destination-bucket-B",
    "arn:aws:s3:::destination-bucket-B/*"
  ]
}
The policy of the KMS key in account B must also allow the source account, as below. A key policy grant to the account root only delegates; the role's own IAM policy still has to allow the same action on that key, which is why the IAM policy above lists the destination key ARN.
{
  "Sid": "Enable cross account encrypt access for S3 Cross Region Replication",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::[Source A Account ID]:root"
  },
  "Action": [
    "kms:Encrypt"
  ],
  "Resource": "*"
}
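The three documents on this page (the role's IAM policy in account A, the destination bucket policy in account B and the destination key policy in account B) have to agree before the job can succeed, and a mismatch only shows up as an AccessDenied at run time. As an added example that is not part of the original post, here is an offline consistency check over the three documents: it verifies that every action the batch job needs is allowed on the identity side and granted to the source account on the resource side, and flags a resource that names a bucket which is neither the source nor the destination. The account IDs, key ID and object key are constructed placeholders, and the sample policies are the page's statements with those placeholders filled in.

```python
"""Offline consistency check across the three policy documents a cross-account S3 Batch
Replication setup needs: the replication role's IAM policy (account A), the destination
bucket policy (account B) and the destination KMS key policy (account B).
Account IDs, key ID and object key below are constructed placeholders."""
import copy
from fnmatch import fnmatchcase

SRC_ACCOUNT, DST_ACCOUNT = "111111111111", "222222222222"                   # constructed
SRC_BUCKET, DST_BUCKET = "source-bucket-A", "destination-bucket-B"
DST_KEY_ARN = f"arn:aws:kms:ap-northeast-2:{DST_ACCOUNT}:key/1111aaaa-dst"  # constructed
SRC_ROOT = f"arn:aws:iam::{SRC_ACCOUNT}:root"

# What the job needs: read source objects, write replicas into B with owner override,
# and encrypt replicas under B's key. The role policy (identity side) and B's resource
# policies (resource side) must both allow the cross-account part.
SRC_OBJECT_ACTIONS = {"s3:InitiateReplication", "s3:GetObjectVersionForReplication"}
DST_OBJECT_ACTIONS = {"s3:ReplicateObject", "s3:ReplicateDelete", "s3:ObjectOwnerOverrideToBucketOwner"}
DST_BUCKET_ACTIONS = {"s3:GetBucketVersioning", "s3:PutBucketVersioning"}
DST_KEY_ACTIONS = {"kms:Encrypt"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def allowed_actions(policy, resource, principal=None):
    """Actions that Allow statements grant on the concrete ARN `resource`. For a resource
    policy only statements whose Principal.AWS names `principal` (or "*") count. Deny
    statements and Conditions are ignored: this is a consistency check, not an
    authorization simulator."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal is not None:
            princ = stmt.get("Principal", {})
            if princ != "*" and principal not in _as_list(princ.get("AWS", [])):
                continue
        if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        found.update(_as_list(stmt["Action"]))
    return found


def check_cross_account_replication(role_policy, bucket_policy, key_policy):
    """Returns a list of findings; an empty list means the three documents agree."""
    findings = []
    src_obj = f"arn:aws:s3:::{SRC_BUCKET}/path/to/object"   # constructed sample key
    dst_obj = f"arn:aws:s3:::{DST_BUCKET}/path/to/object"
    dst_bucket = f"arn:aws:s3:::{DST_BUCKET}"
    checks = [
        ("role policy", role_policy, src_obj, None, SRC_OBJECT_ACTIONS),
        ("role policy", role_policy, dst_obj, None, DST_OBJECT_ACTIONS),
        ("role policy", role_policy, DST_KEY_ARN, None, DST_KEY_ACTIONS),
        ("destination bucket policy", bucket_policy, dst_obj, SRC_ROOT, DST_OBJECT_ACTIONS),
        ("destination bucket policy", bucket_policy, dst_bucket, SRC_ROOT, DST_BUCKET_ACTIONS),
        ("destination key policy", key_policy, DST_KEY_ARN, SRC_ROOT, DST_KEY_ACTIONS),
    ]
    for name, policy, resource, principal, required in checks:
        missing = required - allowed_actions(policy, resource, principal)
        if missing:
            findings.append(f"{name}: missing {sorted(missing)} on {resource}")
    # A resource naming a bucket that is neither source nor destination is almost always
    # a copy-paste slip; the statement then grants nothing the job can use.
    for stmt in role_policy["Statement"]:
        for arn in _as_list(stmt["Resource"]):
            if arn.startswith("arn:aws:s3:::"):
                bucket = arn[len("arn:aws:s3:::"):].split("/", 1)[0]
                if bucket not in {SRC_BUCKET, DST_BUCKET}:
                    findings.append(f"role policy: resource names unknown bucket {bucket!r}")
    return findings


# The page's statements with the placeholders filled in (constructed values).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetReplicationConfiguration",
        "s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging",
        "s3:GetObjectRetention", "s3:GetObjectLegalHold"],
     "Resource": [f"arn:aws:s3:::{SRC_BUCKET}", f"arn:aws:s3:::{SRC_BUCKET}/*",
                  f"arn:aws:s3:::{DST_BUCKET}", f"arn:aws:s3:::{DST_BUCKET}/*"]},
    {"Effect": "Allow", "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags",
        "s3:ObjectOwnerOverrideToBucketOwner"],
     "Resource": [f"arn:aws:s3:::{SRC_BUCKET}/*", f"arn:aws:s3:::{DST_BUCKET}/*"]},
    {"Effect": "Allow", "Action": ["s3:InitiateReplication", "s3:PutInventoryConfiguration"],
     "Resource": [f"arn:aws:s3:::{SRC_BUCKET}", f"arn:aws:s3:::{SRC_BUCKET}/*"]},
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:GenerateDataKey"], "Resource": DST_KEY_ARN},
]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3PolicyStmt-DO-NOT-MODIFY-1670219041656", "Effect": "Allow", "Principal": {"AWS": SRC_ROOT},
     "Action": ["s3:GetBucketVersioning", "s3:PutBucketVersioning", "s3:ReplicateObject",
                "s3:ReplicateDelete", "s3:ObjectOwnerOverrideToBucketOwner"],
     "Resource": [f"arn:aws:s3:::{DST_BUCKET}", f"arn:aws:s3:::{DST_BUCKET}/*"]}]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable cross account encrypt access for S3 Cross Region Replication", "Effect": "Allow",
     "Principal": {"AWS": SRC_ROOT}, "Action": ["kms:Encrypt"], "Resource": "*"}]}


def demo():
    """The documents as written, then with the InitiateReplication statement pointing at a
    bucket that does not exist (the kind of slip copy-paste produces)."""
    clean = check_cross_account_replication(ROLE_POLICY, BUCKET_POLICY, KEY_POLICY)
    typo = copy.deepcopy(ROLE_POLICY)
    typo["Statement"][2]["Resource"][1] = "arn:aws:s3:::source-bucket-B/*"
    return clean, check_cross_account_replication(typo, BUCKET_POLICY, KEY_POLICY)


if __name__ == "__main__":
    for result in demo():
        print(result or "OK: role, bucket and key policies agree")
```

The check deliberately stays on the identity/resource agreement question and does not evaluate Deny statements, conditions or SCPs; for an authoritative answer about a real role, run the same actions and resource ARNs through IAM's policy simulator (aws iam simulate-principal-policy) from account A.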