Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Walkthrough 2: Configure Cross-Region Replication Where Source and Destination Buckets Are Owned by Different AWS Accounts

In this walkthrough, you set up cross-region replication on a source bucket owned by one account so that objects are replicated to a destination bucket owned by a different account.

The process is the same as configuring cross-region replication when both buckets are owned by the same account, with one additional step: the destination bucket owner must create a bucket policy that grants the source bucket owner permission for replication actions.

In this walkthrough, you perform all steps in the console except creating the IAM role and adding the replication configuration to the source bucket. You perform those two steps using either the AWS CLI or the AWS SDK for Java.

  1. Create two buckets.

    1. Create a source bucket in an AWS region. For example, Oregon (us-west-2) in Account A. For instructions, go to How Do I Create an S3 Bucket? in the Amazon Simple Storage Service Console User Guide.

    2. Create a destination bucket in another AWS region. For example, US East (N. Virginia) region (us-east-1) in Account B.

  2. Enable versioning on both buckets. For instructions, see How Do I Enable or Suspend Versioning for an S3 Bucket? in the Amazon Simple Storage Service Console User Guide.

    Important

    If you have an object expiration lifecycle policy on a non-versioned bucket and you want to keep the same permanent-delete behavior after enabling versioning, you must add a noncurrent expiration policy. A noncurrent expiration lifecycle policy manages the deletion of noncurrent object versions in a version-enabled bucket. (A version-enabled bucket keeps one current object version and zero or more noncurrent object versions.) For more information, see Lifecycle Configuration for a Bucket with Versioning in the Amazon Simple Storage Service Console User Guide.

  3. Add the following bucket policy on the destination bucket to allow the source bucket owner permission for replication actions:

    {
      "Version":"2008-10-17",
      "Id":"",
      "Statement":[
        {
          "Sid":"Stmt123",
          "Effect":"Allow",
          "Principal":{
            "AWS":"arn:aws:iam::AWS-ID-Account-A:root"
          },
          "Action":["s3:ReplicateObject", "s3:ReplicateDelete"],
          "Resource":"arn:aws:s3:::destination-bucket/*"
        }
      ]
    }

    For instructions, see How Do I Add an S3 Bucket Policy? in the Amazon Simple Storage Service Console User Guide.

  4. Create an IAM role in Account A. Then, Account A specifies this role when adding replication configuration on the source bucket in the following step.

    Use the AWS CLI to create this IAM role. For instructions about how to set up the AWS CLI, see Setting Up the Tools for the Example Walkthroughs.

    1. Copy the following policy and save it to a file called S3-role-trust-policy.json. The policy grants Amazon S3 permission to assume the role.

      {
        "Version":"2012-10-17",
        "Statement":[
          {
            "Effect":"Allow",
            "Principal":{
              "Service":"s3.amazonaws.com"
            },
            "Action":"sts:AssumeRole"
          }
        ]
      }
    2. Copy the following policy and save it to a file called S3-role-permissions-policy.json. This access policy grants permission for various Amazon S3 bucket and object actions. In the following step, you add the policy to the IAM role you are creating.

      {
        "Version":"2012-10-17",
        "Statement":[
          {
            "Effect":"Allow",
            "Action":[
              "s3:GetObjectVersion",
              "s3:GetObjectVersionAcl"
            ],
            "Resource":[
              "arn:aws:s3:::source-bucket/*"
            ]
          },
          {
            "Effect":"Allow",
            "Action":[
              "s3:ListBucket",
              "s3:GetReplicationConfiguration"
            ],
            "Resource":[
              "arn:aws:s3:::source-bucket"
            ]
          },
          {
            "Effect":"Allow",
            "Action":[
              "s3:ReplicateObject",
              "s3:ReplicateDelete"
            ],
            "Resource":"arn:aws:s3:::destination-bucket/*"
          }
        ]
      }
    3. Run the following CLI command to create a role:

      $ aws iam create-role \
          --role-name RoleForS3CrossAccountCrossRegionReplication \
          --assume-role-policy-document file://S3-role-trust-policy.json
    4. Run the following CLI command to create a policy:

      $ aws iam create-policy \
          --policy-name PolicyForS3CrossAccountCrossRegionReplication \
          --policy-document file://S3-role-permissions-policy.json
    5. Write down the policy ARN that is returned in the output by the preceding command.

    6. Run the following CLI command to attach the policy to the role:

      $ aws iam attach-role-policy \
          --role-name RoleForS3CrossAccountCrossRegionReplication \
          --policy-arn policy-arn

      Now Account A has created a role that has the permissions for the Amazon S3 actions it needs to replicate objects.

  5. Enable cross-region replication on the source bucket in Account A. In the replication configuration you add one rule requesting Amazon S3 to replicate objects with the key name prefix Tax/ to the specified destination bucket. Amazon S3 saves the replication configuration as XML as shown in the following example:

    <ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
      <Role>arn:aws:iam::AWS-ID-Account-A:role/role-name</Role>
      <Rule>
        <Status>Enabled</Status>
        <Prefix>Tax</Prefix>
        <Destination><Bucket>arn:aws:s3:::destination-bucket</Bucket></Destination>
      </Rule>
    </ReplicationConfiguration>

    You can add the replication configuration to your source bucket using either the AWS CLI or AWS SDK.

    • Using AWS CLI.

      The AWS CLI requires you to specify the configuration as JSON. Save the following JSON in a file (replication.json). You need to provide your bucket name and IAM role ARN.

      {
        "Role": "arn:aws:iam::AWS-ID-Account-A:role/role-name",
        "Rules": [
          {
            "Prefix": "Tax",
            "Status": "Enabled",
            "Destination": {
              "Bucket": "arn:aws:s3:::destination-bucket"
            }
          }
        ]
      }

      Then, run the CLI command to add replication configuration to your source bucket:

      $ aws s3api put-bucket-replication \
          --bucket source-bucket \
          --replication-configuration file://replication.json

      For instructions on how to set up the AWS CLI, see Setting Up the Tools for the Example Walkthroughs.

      Account A can use the get-bucket-replication command to retrieve the replication configuration:

      $ aws s3api get-bucket-replication \
          --bucket source-bucket
    • Using the AWS SDK for Java.

      For a code example, see How to Set Up Cross-Region Replication Using the AWS SDK for Java.

  6. Test the setup as follows:

    • Using Account A credentials, create objects in the source bucket and verify that Amazon S3 replicated the objects to the destination bucket owned by Account B. The time it takes for Amazon S3 to replicate an object depends on the object size. For information about finding replication status, see How to Find the Replication Status of an Object.

      Note

      When you upload objects to the source bucket, the object key name must have the Tax prefix (for example, Tax/document.pdf). According to the replication configuration that Account A added to the source bucket, Amazon S3 replicates only objects with the Tax prefix.

    • Update an object's ACL in the source bucket and verify that changes appear in the destination bucket.

      For instructions, see How Do I Set Permissions on an Object? in the Amazon Simple Storage Service Console User Guide.

    • Update the object's metadata and verify that the changes appear in the destination bucket.

      For instructions, see How Do I Add Metadata to an S3 Object? in the Amazon Simple Storage Service Console User Guide.

    Remember, the replicas are exact copies of the objects in the source bucket.
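Cross-account replication silently fails when any one of the four documents above (the role trust policy, the role permissions policy, Account B's destination bucket policy, or the replication configuration) is out of step with the others. The following Python script is an added example, not code from this guide or from AWS: it checks offline that the documents from steps 3 to 5 grant every permission the walkthrough requires. The account ID, bucket names and role name are constructed placeholders standing in for AWS-ID-Account-A, source-bucket and destination-bucket.

```python
# Added example (not AWS code); the account ID and names are constructed placeholders.
ACCOUNT_A, SRC, DST = "111111111111", "source-bucket", "destination-bucket"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/RoleForS3CrossAccountCrossRegionReplication"
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"Service": "s3.amazonaws.com"}}]}
PERMS = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObjectVersion", "s3:GetObjectVersionAcl"],
     "Resource": [f"arn:aws:s3:::{SRC}/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetReplicationConfiguration"],
     "Resource": [f"arn:aws:s3:::{SRC}"]},
    {"Effect": "Allow", "Action": ["s3:ReplicateObject", "s3:ReplicateDelete"],
     "Resource": f"arn:aws:s3:::{DST}/*"}]}
DST_POLICY = {"Statement": [{"Sid": "Stmt123", "Effect": "Allow",   # set by Account B
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
    "Action": ["s3:ReplicateObject", "s3:ReplicateDelete"],
    "Resource": f"arn:aws:s3:::{DST}/*"}]}
REPL = {"Role": ROLE_ARN, "Rules": [{"Prefix": "Tax", "Status": "Enabled",
                                    "Destination": {"Bucket": f"arn:aws:s3:::{DST}"}}]}

_aslist = lambda v: v if isinstance(v, list) else [v]   # IAM allows a string or a list
def allows(policy, action, resource=None, principal=None):
    """Exact-match check: some Allow statement names the action, resource and principal."""
    for st in policy["Statement"]:
        pr = st.get("Principal", {})
        who = _aslist(pr.get("AWS", [])) + _aslist(pr.get("Service", []))
        if (st.get("Effect") == "Allow" and action in _aslist(st.get("Action"))
                and (resource is None or resource in _aslist(st.get("Resource", [])))
                and (principal is None or principal in who)):
            return True
    return False

def check_crr_setup(trust, perms, dst_policy, repl, src_bucket):
    """Return the grants still missing for cross-account replication ([] = consistent)."""
    root = "arn:aws:iam::" + repl["Role"].split(":")[4] + ":root"   # Account A root
    src = f"arn:aws:s3:::{src_bucket}"
    problems = [] if allows(trust, "sts:AssumeRole", principal="s3.amazonaws.com") \
        else ["trust policy does not let s3.amazonaws.com assume the role"]
    for rule in repl["Rules"]:
        dst = rule["Destination"]["Bucket"]
        if rule.get("Status") != "Enabled":
            problems.append(f"rule for prefix {rule.get('Prefix')!r} is not Enabled")
        for act, res in [("s3:GetObjectVersion", src + "/*"), ("s3:GetObjectVersionAcl", src + "/*"),
                         ("s3:ListBucket", src), ("s3:GetReplicationConfiguration", src),
                         ("s3:ReplicateObject", dst + "/*"), ("s3:ReplicateDelete", dst + "/*")]:
            if not allows(perms, act, res):
                problems.append(f"role policy lacks {act} on {res}")
        for act in ("s3:ReplicateObject", "s3:ReplicateDelete"):   # Account B's grant
            if not allows(dst_policy, act, dst + "/*", root):
                problems.append(f"destination bucket policy lacks {act} for {root}")
    return problems
```

The check is deliberately exact-match (no wildcard or condition evaluation), so it flags a policy that relies on `"Resource": "*"` even though IAM would accept it; treat its output as a consistency review of the walkthrough's documents, not as a substitute for IAM's own evaluation.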
