S3 bucket replication (cross-region or same-region) should be enabled¶
Description¶
Cross-Region S3 replication can help with meeting compliance requirements, minimizing latency, and increasing operational efficiency. Same-Region S3 replication can help with aggregating logs and compliance with data sovereignty laws.
Remediation¶
AWS Console¶
Navigate to S3.
Select the S3 bucket.
Choose Management > Replication > Add rule.
In Set source, select the Entire bucket.
Click Next.
In Set destination, select to create a new bucket.
Enter the bucket name.
Select the either the same-region or a cross-region.
Click Next.
From the IAM role drop-down, select Create new role.
Enter a name for the role.
In Status, select Enabled.
Click Next.
Review your configuration settings and click Save.
AWS CLI¶
To enable replication for your S3 bucket:
Create a source bucket and enable versioning on it.
aws s3api create-bucket \
--bucket source \
--region us-east-1 \
--profile acctA
aws s3api put-bucket-versioning \
--bucket source \
--versioning-configuration Status=Enabled \
--profile acctA
Create the destination bucket and enable versioning on it.
aws s3api create-bucket \
--bucket destination \
--region us-west-2 \
--create-bucket-configuration LocationConstraint=us-west-2 \
--profile acctA
aws s3api put-bucket-versioning \
--bucket destination \
--versioning-configuration Status=Enabled \
--profile acctA
Create an IAM role that will be added to the source bucket in a later step.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Run the following command to create the role.
aws iam create-role \
--role-name replicationRole \
--assume-role-policy-document file://s3-role-trust-policy.json \
--profile acctA
Attach a permission policy to the role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionAcl"
],
"Resource": [
"arn:aws:s3:::source-bucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetReplicationConfiguration"
],
"Resource": [
"arn:aws:s3:::source-bucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ReplicateTags",
"s3:GetObjectVersionTagging"
],
"Resource": [
"arn:aws:s3:::destination-bucket/*"
]
}
]
}
Create the policy and attach it to the role.
aws iam put-role-policy \
--role-name replicationRole \
--policy-document file://s3-role-permissions-policy.json \
--policy-name replicationRolePolicy \
--profile acctA
Add the replication configuration to the source bucket.
{
"Role": "IAM-role-ARN",
"Rules": [
{
"Status": "Enabled",
"Priority": 1,
"DeleteMarkerReplication": { "Status": "Disabled" },
"Filter" : { "Prefix": "Tax"},
"Destination": {
"Bucket": "arn:aws:s3:::destination-bucket"
}
}
]
}
Update the JSON by providing values for the destination-bucket and IAM-role-ARN.
Save the changes.
Add the replication configuration to your source bucket.
aws s3api put-bucket-replication \
--replication-configuration file://replication.json \
--bucket source \
--profile acctA
To retrieve the replication configuration:
aws s3api get-bucket-replication \
--bucket source \
--profile acctA
Terraform¶
Ensure that the [aws_s3_bucket] has a
replication_configuration
block that specifies an IAM role for replicating objects and rules managing the replication.
Example Configuration¶
resource "aws_s3_bucket" "bucket" {
provider = "aws.central"
bucket = "valid-replication-host"
acl = "private"
versioning {
enabled = true
}
replication_configuration {
role = "${aws_iam_role.replication.arn}"
rules {
id = "ruleid"
prefix = "ruleprefix"
status = "Enabled"
destination {
bucket = "${aws_s3_bucket.destination.arn}"
storage_class = "STANDARD"
}
}
}
# other required fields here
}