S3 Cross Account Continuous Replication (Using AWS Native Way)
Steps to configure replication when the source and destination buckets are owned by different accounts:
Problem Statement:
Copy the data from a source S3 bucket to a destination S3 bucket residing in another AWS account, with continuous replication in place.
Prerequisite:
Ensure that versioning is enabled on both the source bucket and destination bucket.
Approach:
1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
2. In the Buckets list, choose the name of the source bucket (in this example, the bucket is “aws-waf-logs-xxxxx-common-prod”).
3. Choose the “Management” tab, scroll down to “Replication rules”, and then choose “Create replication rule”.
4. Under “Replication rule name”, enter a name that will help you identify the rule later. The name is required and must be unique within the bucket.
5. Under “Status”, verify that “Enabled” is selected.
6. In the “Source bucket” section, choose “Apply to all objects in the bucket” as the rule scope.
7. Under “Destination”, select “Specify a bucket in another account” to replicate the contents of the source bucket to a cross-account bucket, and provide the destination account ID (1XXXXXXXXX) and bucket name (aes-XXXXX-1XXXXXXX-log). Also select “Change object ownership to destination bucket owner” so that the replicas are owned by the destination bucket account.
8. In the “IAM role” section, under “Choose from existing IAM roles”, choose “Create new role” to have Amazon S3 create a new IAM role for you. In this example, the ARN of the IAM replication role created by S3 is “arn:aws:iam::XXXXXXXX:role/service-role/s3crr_role_for_aws-waf-logs-XXX-common-prod” and it has the following policies.
Trust policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Permission policy “s3crr_for_aws-waf-logs-xxx-common-prod_ff29a0”:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetReplicationConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::aws-waf-logs-xxx-common-prod",
        "arn:aws:s3:::aws-waf-logs-xxx-common-prod/*",
        "arn:aws:s3:::aes-siem-xxxxxx-log",
        "arn:aws:s3:::aes-siem-xxxxxx-log/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::aws-waf-logs-xxx-common-prod/*",
        "arn:aws:s3:::aes-siem-xxxxxx-log/*"
      ]
    }
  ]
}
```
9. There are additional options such as “Replicate objects encrypted with AWS KMS”, “Change the storage class for the replicated objects” and “Delete marker replication”, which can be selected if your use case requires them.
10. To finish, choose “Save”.
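The console steps above end up as a single replication configuration document on the source bucket. The following is an added example (not code from the original post) that builds that document with the same choices as steps 4 to 10 and checks it for the mistakes that make the API call fail; bucket names, account IDs and the role ARN are constructed placeholders. Two things worth knowing when you take this route instead of the console: the document is applied in the source account with `aws s3api put-bucket-replication`, and a replication rule only covers objects written after it is saved, so pre-existing objects still need a separate copy.

```python
"""Build and sanity-check the S3 ReplicationConfiguration that steps 4-10 above
produce in the console. Added example, not part of the original post; bucket
names, account IDs and the role ARN are constructed placeholders."""
import json
import re

# Constructed placeholders standing in for the redacted values in the post.
SOURCE_BUCKET = "aws-waf-logs-example-common-prod"
SOURCE_ACCOUNT_ID = "222222222222"
DEST_BUCKET = "aes-siem-example-log"
DEST_ACCOUNT_ID = "111111111111"
REPLICATION_ROLE_ARN = (
    f"arn:aws:iam::{SOURCE_ACCOUNT_ID}:role/service-role/s3crr_role_for_{SOURCE_BUCKET}"
)


def build_replication_configuration(rule_name, role_arn, dest_bucket, dest_account_id,
                                    change_owner=True, replicate_delete_markers=False,
                                    kms_key_arn=None, storage_class=None):
    """Return the document that PutBucketReplication takes: whole-bucket scope
    (empty Filter), Status Enabled, a destination bucket in another account, the
    optional owner override, and the optional step-9 settings."""
    destination = {"Bucket": f"arn:aws:s3:::{dest_bucket}", "Account": dest_account_id}
    if change_owner:
        # "Change object ownership to destination bucket owner"; needs
        # s3:ObjectOwnerOverrideToBucketOwner on the role and in the bucket policy.
        destination["AccessControlTranslation"] = {"Owner": "Destination"}
    if kms_key_arn:
        # Replicas are re-encrypted with a key that lives in the destination account.
        destination["EncryptionConfiguration"] = {"ReplicaKmsKeyID": kms_key_arn}
    if storage_class:
        destination["StorageClass"] = storage_class

    rule = {
        "ID": rule_name,
        "Priority": 1,
        "Status": "Enabled",
        "Filter": {},  # empty filter = "Apply to all objects in the bucket"
        "Destination": destination,
        # Required whenever Filter is present; Disabled is the console default.
        "DeleteMarkerReplication": {
            "Status": "Enabled" if replicate_delete_markers else "Disabled"
        },
    }
    if kms_key_arn:
        # Without this, objects encrypted with SSE-KMS are skipped by replication.
        rule["SourceSelectionCriteria"] = {"SseKmsEncryptedObjects": {"Status": "Enabled"}}
    return {"Role": role_arn, "Rules": [rule]}


def validate_replication_configuration(config):
    """Return a list of problems that would make PutBucketReplication fail or
    leave the rule replicating into the wrong place. Empty list means OK."""
    problems = []
    if not str(config.get("Role", "")).startswith("arn:aws:iam::"):
        problems.append("Role must be an IAM role ARN")
    for rule in config.get("Rules", []):
        rid = rule.get("ID", "<unnamed>")
        dest = rule.get("Destination", {})
        if rule.get("Status") != "Enabled":
            problems.append(f"rule {rid}: Status is not Enabled")
        if not str(dest.get("Bucket", "")).startswith("arn:aws:s3:::"):
            problems.append(f"rule {rid}: Destination.Bucket must be a bucket ARN")
        if not re.fullmatch(r"\d{12}", str(dest.get("Account", ""))):
            problems.append(f"rule {rid}: Destination.Account must be a 12-digit account ID")
        if "AccessControlTranslation" in dest and "Account" not in dest:
            problems.append(f"rule {rid}: owner override requires Destination.Account")
        if "Filter" in rule and "DeleteMarkerReplication" not in rule:
            problems.append(f"rule {rid}: Filter requires DeleteMarkerReplication")
    return problems


if __name__ == "__main__":
    cfg = build_replication_configuration(
        "waf-logs-to-siem", REPLICATION_ROLE_ARN, DEST_BUCKET, DEST_ACCOUNT_ID
    )
    assert validate_replication_configuration(cfg) == []
    # Save this output as replication.json and apply it in the source account with:
    #   aws s3api put-bucket-replication --bucket <source bucket> \
    #       --replication-configuration file://replication.json
    print(json.dumps(cfg, indent=2))
```

The validator deliberately checks the two fields people most often omit when writing the document by hand rather than through the console: `Destination.Account` (required for the owner override to work) and `DeleteMarkerReplication` (required whenever `Filter` is present).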
The bucket policy on the destination bucket “aes-siem-xxxxxxx-log” should contain the following statements to allow replication.
```json
{
  "Version": "2012-10-17",
  "Id": "PolicyForDestinationBucket",
  "Statement": [
    {
      "Sid": "Permissions on objects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxx:role/service-role/s3crr_role_for_aws-waf-logs-xxx-common-prod"
      },
      "Action": [
        "s3:ReplicateDelete",
        "s3:ReplicateObject",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Resource": "arn:aws:s3:::aes-siem-xxxxx-log/*"
    },
    {
      "Sid": "Permissions on bucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxx:role/service-role/s3crr_role_for_aws-waf-logs-xxx-common-prod"
      },
      "Action": [
        "s3:List*",
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning"
      ],
      "Resource": "arn:aws:s3:::aes-siem-xxxxxx-log"
    }
  ]
}
```
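Replication silently stalls when the three documents above disagree: the role's trust policy must let S3 assume it, the role's permission policy must allow the replicate actions on the destination, and the destination account's bucket policy must grant those same actions to that exact role, including `s3:ObjectOwnerOverrideToBucketOwner` when the owner override was selected. The following added example (not code from the original post) is an offline lint that cross-checks constructed copies of the three policies, with placeholder account IDs and bucket names; it also rejects a `Version` string that uses anything but ASCII hyphens, which is what happens when policy JSON is pasted from a formatted web page and which IAM refuses, and flags any destination statement that grants the replicate actions to every principal instead of the replication role.

```python
"""Offline lint for the three policy documents that cross-account replication relies on
(replication role trust and permission policy in the source account, bucket policy in
the destination account). Added example, not part of the original post; the embedded
documents are constructed copies of the ones above with placeholder names."""
import copy
import fnmatch

IAM_VERSION = "2012-10-17"  # ASCII hyphens only; IAM rejects anything else
# Constructed placeholders for the redacted account IDs and bucket names.
ROLE_ARN = "arn:aws:iam::222222222222:role/service-role/s3crr_role_for_aws-waf-logs-example"
SOURCE_ARN = "arn:aws:s3:::aws-waf-logs-example-common-prod"
DEST_ARN = "arn:aws:s3:::aes-siem-example-log"

TRUST_POLICY = {"Version": IAM_VERSION, "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
ROLE_POLICY = {"Version": IAM_VERSION, "Statement": [
    {"Effect": "Allow", "Resource": [SOURCE_ARN, SOURCE_ARN + "/*", DEST_ARN, DEST_ARN + "/*"],
     "Action": ["s3:ListBucket", "s3:GetReplicationConfiguration",
                "s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging", "s3:GetObjectRetention", "s3:GetObjectLegalHold"]},
    {"Effect": "Allow", "Resource": [SOURCE_ARN + "/*", DEST_ARN + "/*"],
     "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags",
                "s3:ObjectOwnerOverrideToBucketOwner"]}]}
DEST_BUCKET_POLICY = {"Version": IAM_VERSION, "Statement": [
    {"Sid": "Permissions on objects", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["s3:ReplicateDelete", "s3:ReplicateObject", "s3:ObjectOwnerOverrideToBucketOwner"],
     "Resource": DEST_ARN + "/*"},
    {"Sid": "Permissions on bucket", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["s3:List*", "s3:GetBucketVersioning", "s3:PutBucketVersioning"],
     "Resource": DEST_ARN}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(policy, action, resource, principal=None):
    """True if an Allow statement grants `action` on `resource` (IAM wildcards honoured;
    actions compare case-insensitively, ARNs do not). For a resource policy the statement
    must name `principal` explicitly: a "*" principal does not count."""
    for st in policy.get("Statement", []):
        p = st.get("Principal")
        granted = _as_list(p.get("AWS", []) if isinstance(p, dict) else p)
        if st.get("Effect") != "Allow" or (principal is not None and principal not in granted):
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        if (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
                and any(fnmatch.fnmatchcase(resource, r) for r in resources)):
            return True
    return False


def check_replication_policies(trust, role, bucket, role_arn, source_arn, dest_arn,
                               owner_override=True):
    """Return a list of findings; an empty list means the three documents fit together."""
    findings = [f"{name} policy: Version must be {IAM_VERSION!r}, got {doc.get('Version')!r}"
                for name, doc in (("trust", trust), ("role", role), ("bucket", bucket))
                if doc.get("Version") != IAM_VERSION]
    # 1. S3 must be able to assume the role.
    if not any(st.get("Effect") == "Allow" and isinstance(st.get("Principal"), dict)
               and "s3.amazonaws.com" in _as_list(st["Principal"].get("Service", []))
               and "sts:assumerole" in [a.lower() for a in _as_list(st.get("Action", []))]
               for st in trust.get("Statement", [])):
        findings.append("trust policy: s3.amazonaws.com is not allowed sts:AssumeRole")
    # 2. Role: read the source bucket, write replicas into the destination bucket.
    role_needs = [("s3:GetReplicationConfiguration", source_arn), ("s3:ListBucket", source_arn),
                  ("s3:GetObjectVersionForReplication", source_arn + "/*"),
                  ("s3:ReplicateObject", dest_arn + "/*"), ("s3:ReplicateDelete", dest_arn + "/*"),
                  ("s3:ReplicateTags", dest_arn + "/*")]
    # 3. Destination bucket policy: the same replicate actions, granted to that exact role.
    bucket_needs = [("s3:ReplicateObject", dest_arn + "/*"), ("s3:ReplicateDelete", dest_arn + "/*"),
                    ("s3:ListBucket", dest_arn), ("s3:GetBucketVersioning", dest_arn)]
    if owner_override:  # "Change object ownership to destination bucket owner" was selected
        role_needs.append(("s3:ObjectOwnerOverrideToBucketOwner", dest_arn + "/*"))
        bucket_needs.append(("s3:ObjectOwnerOverrideToBucketOwner", dest_arn + "/*"))
    findings += [f"role policy: missing {a} on {r}" for a, r in role_needs if not _allows(role, a, r)]
    findings += [f"bucket policy: {a} on {r} is not granted to the replication role"
                 for a, r in bucket_needs if not _allows(bucket, a, r, principal=role_arn)]
    # 4. Least privilege: replication permissions must never be open to every principal.
    findings += [f"bucket policy: statement {st.get('Sid')!r} allows every principal"
                 for st in bucket.get("Statement", [])
                 if st.get("Effect") == "Allow" and st.get("Principal") in ("*", {"AWS": "*"})]
    return findings


def run_checks():
    """Lint the documents as written above, plus two deliberately broken copies."""
    args = (ROLE_ARN, SOURCE_ARN, DEST_ARN)
    # Unicode dashes inside the Version string, as pasting from a formatted page can produce.
    dashed = dict(TRUST_POLICY, Version="2012\u201310\u201317")
    # A destination bucket policy that forgot the ownership-override permission.
    no_override = copy.deepcopy(DEST_BUCKET_POLICY)
    no_override["Statement"][0]["Action"].remove("s3:ObjectOwnerOverrideToBucketOwner")
    return {
        "as_written": check_replication_policies(TRUST_POLICY, ROLE_POLICY, DEST_BUCKET_POLICY, *args),
        "bad_version": check_replication_policies(dashed, ROLE_POLICY, DEST_BUCKET_POLICY, *args),
        "missing_override": check_replication_policies(TRUST_POLICY, ROLE_POLICY, no_override, *args),
    }
```

Run it with `python3 -c 'import lint; print(lint.run_checks())'` (assuming the file is saved as lint.py): the documents as written produce no findings, the dashed `Version` produces one finding on the trust policy, and the bucket policy without the override produces exactly one finding naming `s3:ObjectOwnerOverrideToBucketOwner`. The same `check_replication_policies` call works on real policies fetched with `aws iam get-role`, `aws iam get-role-policy` and `aws s3api get-bucket-policy` in the two accounts.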
Conclusion:
With the AWS native approach, objects written to the source bucket are continuously replicated to S3 buckets in other AWS accounts. This is a powerful way to keep data continuously replicated, and it can also form part of a DR solution.