What Is and Is Not Replicated
This section explains what Amazon S3 replicates and what it does not replicate after you add a replication configuration on a bucket.
What Is Replicated
Amazon S3 replicates the following:
Any new objects created after you add a replication configuration, with exceptions described in the next section.
Objects created with server-side encryption using Amazon S3-managed encryption keys (SSE-S3). The replicated copy is also encrypted with SSE-S3.
Amazon S3 replicates only objects in the source bucket for which the bucket owner has permission to read objects and read ACLs. For more information about resource ownership, see About the Resource Owner.
Any object ACL updates are replicated, although there can be some delay before Amazon S3 can bring the two in sync. This applies only to objects created after you add a replication configuration to the bucket.
S3 replicates object tags, if any.
Delete Operation and Cross-Region Replication
If you delete an object from the source bucket, the cross-region replication behavior is as follows:
If a DELETE request is made without specifying an object version ID, Amazon S3 adds a delete marker, which cross-region replication replicates to the destination bucket. For more information about versioning and delete markers, see Using Versioning.
If a DELETE request specifies a particular object version ID, Amazon S3 permanently deletes that version in the source bucket but does not replicate the deletion: the same version remains in the destination bucket. This protects the replica from malicious or accidental permanent deletions in the source. Note that the unversioned DELETE above is replicated, so the destination's current view of the object changes as well; the earlier versions stay behind the delete marker as noncurrent versions in both buckets, because cross-region replication requires versioning on the destination bucket too.
What Is Not Replicated
Amazon S3 does not replicate the following:
Amazon S3 does not retroactively replicate objects that existed before you added replication configuration.
Objects created with server-side encryption using either customer-provided keys (SSE-C) or AWS KMS-managed keys (SSE-KMS) are not replicated. For more information about server-side encryption, see Protecting Data Using Server-Side Encryption.
For SSE-C, Amazon S3 does not keep the key you provide after the object is created in the source bucket, so it cannot decrypt the object for replication. An upload that uses SSE-C or SSE-KMS therefore succeeds but silently produces no replica. If you rely on the replica as a backup, confirm it exists: the x-amz-replication-status header returned on a HEAD or GET of the source object reports PENDING, COMPLETED or FAILED, and an object for which it is missing or not COMPLETED has no replica. (Later versions of S3 replication let you opt in to replicating SSE-KMS objects with additional KMS permissions; the configuration described on this page does not.)
Amazon S3 does not replicate objects in the source bucket for which the bucket owner does not have permissions. If the object owner is different from the bucket owner, see Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control.
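The two exclusions above (encryption mode and object ownership) do not produce an error at upload time, so the only way to know that a bucket's replica is incomplete is to inspect the source objects. The following audit script is an added example, not AWS sample code. It uses the real boto3 calls list_object_versions and head_object and the real response fields ServerSideEncryption, SSECustomerAlgorithm and ReplicationStatus; the bucket name, key names and the SAMPLE_HEADS responses are constructed for illustration. A HEAD on an SSE-C object fails with HTTP 400 unless the customer key is supplied, and a HEAD the bucket owner is not allowed to perform fails with 403, so both errors are themselves evidence that the object will not be replicated.

```python
from typing import Dict, List

# Constructed HEAD-object responses (not real data) holding only the fields the check reads.
SAMPLE_HEADS: Dict[str, Dict] = {
    "reports/q1.csv":   {"ServerSideEncryption": "AES256", "ReplicationStatus": "COMPLETED"},
    "keys/signing.pem": {"ServerSideEncryption": "aws:kms"},          # SSE-KMS
    "uploads/blob.bin": {"SSECustomerAlgorithm": "AES256"},           # SSE-C
    "mirror/copy.txt":  {"ServerSideEncryption": "AES256", "ReplicationStatus": "REPLICA"},
    "logs/app.log":     {"ServerSideEncryption": "AES256", "ReplicationStatus": "FAILED"},
}


def replication_blockers(head: Dict) -> List[str]:
    """Reasons, per the rules on this page, why the version described by a
    HEAD-object response will not be (or was not) replicated. Empty = none visible."""
    reasons: List[str] = []
    if head.get("SSECustomerAlgorithm"):
        reasons.append("SSE-C: S3 does not keep the customer key, so it cannot read the object to replicate it")
    elif head.get("ServerSideEncryption") == "aws:kms":
        reasons.append("SSE-KMS: not replicated by this replication configuration")
    status = head.get("ReplicationStatus")
    if status == "REPLICA":
        reasons.append("object is itself a replica; replicas are not replicated again")
    elif status == "FAILED":
        reasons.append("S3 reports replication FAILED for this version")
    return reasons


def audit_bucket(bucket: str, prefix: str = "") -> Dict[str, List[str]]:
    """Walk every object version in the source bucket and return {key@versionId: reasons}.

    Needs AWS credentials and boto3; they are imported here so that
    replication_blockers() stays usable offline (for example in tests)."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    findings: Dict[str, List[str]] = {}
    pages = s3.get_paginator("list_object_versions").paginate(Bucket=bucket, Prefix=prefix)
    for page in pages:
        for v in page.get("Versions", []):
            ref = f"{v['Key']}@{v['VersionId']}"
            try:
                head = s3.head_object(Bucket=bucket, Key=v["Key"], VersionId=v["VersionId"])
            except ClientError as err:
                # HEAD carries no body, so classify on the HTTP status code.
                code = err.response["ResponseMetadata"]["HTTPStatusCode"]
                if code == 400:     # SSE-C objects refuse HEAD without the customer key
                    findings[ref] = ["HEAD refused without a customer key: SSE-C object, not replicated"]
                elif code == 403:   # the bucket owner cannot read it, so S3 cannot replicate it
                    findings[ref] = ["bucket owner lacks read permission on this object: not replicated"]
                else:
                    raise
                continue
            reasons = replication_blockers(head)
            if reasons:
                findings[ref] = reasons
    return findings


if __name__ == "__main__":
    # Offline run over the constructed samples; pass a real bucket to audit_bucket() to run live.
    for key, head in SAMPLE_HEADS.items():
        print(key, replication_blockers(head) or "ok")
```

Run audit_bucket("your-source-bucket") under the bucket owner's credentials: running it as the object owner would hide exactly the 403 case the page warns about. Run it before a cutover test, not after, since it cannot tell you about objects that failed to replicate in the past and were later deleted from the source.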
Updates to bucket-level subresources are not replicated. This allows you to have different bucket configurations on the source and destination buckets. For more information about resources, see Amazon S3 Resources.
Only customer actions are replicated. Actions performed by lifecycle configuration are not replicated. For more information about lifecycle configuration, see Object Lifecycle Management.
For example, if lifecycle configuration is enabled only on your source bucket, Amazon S3 creates delete markers for expired objects, but it does not replicate those markers. However, you can have the same lifecycle configuration on both the source and destination buckets if you want the same lifecycle actions to happen to both buckets.
Objects in the source bucket that are themselves replicas, created by another cross-region replication, are not replicated.
Suppose you configure cross-region replication where bucket A is the source and bucket B is the destination, and then add another cross-region replication where bucket B is the source and bucket C is the destination. Objects in bucket B that are replicas of objects in bucket A are not replicated to bucket C; only objects written directly to bucket B are.
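The delete rules in Delete Operation and Cross-Region Replication and the exclusions listed in this section are easiest to reason about when you can watch both buckets change. The following model is an added example, not AWS code: it is a toy in-memory pair of versioned buckets that applies exactly the rules stated on this page (pre-existing objects, delete markers versus version-specific deletes, SSE-KMS and SSE-C objects, lifecycle-generated delete markers, and chained replication A to B to C). Bucket names, keys and the version-ID scheme are assumptions of the model, as is the detail that a replica keeps the source version's ID.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Optional

_ids = count(1)


def _new_id() -> str:
    return f"v{next(_ids)}"          # assumed version-ID scheme, not S3's


@dataclass
class Version:
    version_id: str
    body: Optional[bytes]            # None for a delete marker
    sse: str                         # "AES256" (SSE-S3), "aws:kms" (SSE-KMS), "SSE-C" or "none"
    is_replica: bool = False
    is_delete_marker: bool = False


@dataclass
class Bucket:
    name: str
    objects: Dict[str, List[Version]] = field(default_factory=dict)
    replicate_to: Optional["Bucket"] = None   # set when a replication configuration is added

    def put(self, key: str, body: bytes, sse: str = "AES256") -> Version:
        v = Version(_new_id(), body, sse)
        self.objects.setdefault(key, []).append(v)
        self._replicate(key, v)
        return v

    def delete(self, key: str, version_id: Optional[str] = None,
               by_lifecycle: bool = False) -> Optional[Version]:
        if version_id is None:
            # Unversioned DELETE: add a delete marker. A user's marker is replicated,
            # one written by lifecycle expiration is not.
            marker = Version(_new_id(), None, "none", is_delete_marker=True)
            self.objects.setdefault(key, []).append(marker)
            if not by_lifecycle:
                self._replicate(key, marker)
            return marker
        # Versioned DELETE: permanent in this bucket and never mirrored.
        self.objects[key] = [v for v in self.objects.get(key, []) if v.version_id != version_id]
        return None

    def _replicate(self, key: str, v: Version) -> None:
        dst = self.replicate_to
        if dst is None:
            return                       # no replication configuration on this bucket
        if v.is_replica:
            return                       # replicas are not replicated again
        if not v.is_delete_marker and v.sse in ("aws:kms", "SSE-C"):
            return                       # S3 cannot read these objects for replication
        copy = Version(v.version_id, v.body, v.sse, is_replica=True,
                       is_delete_marker=v.is_delete_marker)  # assumed: replica keeps the version ID
        dst.objects.setdefault(key, []).append(copy)
        dst._replicate(key, copy)        # a chained configuration sees a replica and skips it

    def current(self, key: str) -> Optional[bytes]:
        versions = self.objects.get(key, [])
        if not versions or versions[-1].is_delete_marker:
            return None
        return versions[-1].body

    def version_ids(self, key: str) -> List[str]:
        return [v.version_id for v in self.objects.get(key, [])]


def demo() -> dict:
    """Replay the scenarios from this page and report what the destination ended up with."""
    a, b, c = Bucket("bucket-a"), Bucket("bucket-b"), Bucket("bucket-c")
    a.put("old.txt", b"before replication")          # exists before the configuration is added
    a.replicate_to = b                                # A -> B
    b.replicate_to = c                                # B -> C (chained)
    first = a.put("doc.txt", b"v1")
    a.put("doc.txt", b"v2")
    a.put("secret.txt", b"k", sse="aws:kms")          # SSE-KMS: skipped
    a.delete("doc.txt")                               # delete marker: replicated
    a.delete("doc.txt", version_id=first.version_id)  # permanent in A only
    a.put("tmp.txt", b"t")
    a.delete("tmp.txt", by_lifecycle=True)            # expiration marker: not replicated
    return {
        "pre_existing_copied": "old.txt" in b.objects,
        "delete_marker_replicated": b.objects["doc.txt"][-1].is_delete_marker,
        "versioned_delete_mirrored": first.version_id not in b.version_ids("doc.txt"),
        "kms_object_copied": "secret.txt" in b.objects,
        "lifecycle_marker_replicated": b.current("tmp.txt") is None,
        "replica_chained_to_c": "doc.txt" in c.objects,
        "src_versions": len(a.version_ids("doc.txt")),
        "dst_versions": len(b.version_ids("doc.txt")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two numbers at the end are the point of the exercise: after one unversioned and one versioned delete, the source holds two versions of doc.txt while the destination still holds three, and the destination's copy of tmp.txt is still readable even though the source has expired it. Anyone restoring from the replica needs to account for both differences.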