Changing the replica owner - Amazon Simple Storage Service

Changing the replica owner

In replication, the owner of the source object also owns the replica by default. When source and destination buckets are owned by different AWS accounts and you want to change replica ownership to the AWS account that owns the destination buckets, you can add optional configuration settings to change replica ownership to the AWS account that owns the destination buckets. You might do this, for example, to restrict access to object replicas. This is referred to as the owner override option of the replication configuration. For more information about the owner override option, see Adding the owner override option to the replication configuration. For information about setting the replication configuration, see Replicating objects.

To configure the owner override, you do the following:

  • Add the owner override option to the replication configuration to tell Amazon S3 to change replica ownership.

  • Grant Amazon S3 permissions to change replica ownership.

  • Add permission in the destination buckets policy to allow changing replica ownership. This allows the owner of the destination buckets to accept the ownership of object replicas.

For more information, see Adding the owner override option to the replication configuration. For a working example with step-by-step instructions, see Changing the replica owner when source and destination buckets are owned by different accounts.

Bucket owner enforced setting for Object Ownership

When you use Amazon S3 replication and the source and destination buckets are owned by different AWS accounts, the bucket owner of the destination bucket can disable ACLs (with the bucket owner enforced setting for Object Ownership) to change replica ownership to the AWS account that owns the destination bucket. This setting mimics the existing owner override behavior without the need of s3:ObjectOwnerOverrideToBucketOwner permission. This means that all objects that are replicated to the destination bucket with the bucket owner enforced setting are owned by the destination bucket owner. For more information about Object Ownership, see Controlling ownership of objects and disabling ACLs for your bucket.

Adding the owner override option to the replication configuration

Warning

Add the owner override option only when the source and destination buckets are owned by different AWS accounts. Amazon S3 doesn't check if the buckets are owned by same or different accounts. If you add the owner override when both buckets are owned by same AWS account, Amazon S3 applies the owner override. It grants full permissions to the owner of the destination bucket and doesn't replicate subsequent updates to the source object access control list (ACL). The replica owner can directly change the ACL associated with a replica with a PUT ACL request, but not through replication.

To specify the owner override option, add the following to each Destination element:

  • The AccessControlTranslation element, which tells Amazon S3 to change replica ownership

  • The Account element, which specifies the AWS account of the destination bucket owner

<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> ... <Destination> ... <AccessControlTranslation> <Owner>Destination</Owner> </AccessControlTranslation> <Account>destination-bucket-owner-account-id</Account> </Destination> </Rule> </ReplicationConfiguration>

The following example replication configuration tells Amazon S3 to replicate objects that have the Tax key prefix to the destination bucket and change ownership of the replicas.

<?xml version="1.0" encoding="UTF-8"?> <ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <Role>arn:aws:iam::account-id:role/role-name</Role> <Rule> <ID>Rule-1</ID> <Priority>1</Priority> <Status>Enabled</Status> <DeleteMarkerReplication> <Status>Disabled</Status> </DeleteMarkerReplication> <Filter> <Prefix>Tax</Prefix> </Filter> <Destination> <Bucket>arn:aws:s3:::destination-bucket</Bucket> <Account>destination-bucket-owner-account-id</Account> <AccessControlTranslation> <Owner>Destination</Owner> </AccessControlTranslation> </Destination> </Rule> </ReplicationConfiguration>

Granting Amazon S3 permission to change replica ownership

Grant Amazon S3 permissions to change replica ownership by adding permission for the s3:ObjectOwnerOverrideToBucketOwner action in the permissions policy associated with the IAM role. This is the IAM role that you specified in the replication configuration that allows Amazon S3 to assume and replicate objects on your behalf.

... { "Effect":"Allow", "Action":[ "s3:ObjectOwnerOverrideToBucketOwner" ], "Resource":"arn:aws:s3:::destination-bucket/*" } ...

Adding permission in the destination bucket policy to allow changing replica ownership

The owner of the destination bucket must grant the owner of the source bucket permission to change replica ownership. The owner of the destination bucket grants the owner of the source bucket permission for the s3:ObjectOwnerOverrideToBucketOwner action. This allows the destination bucket owner to accept ownership of the object replicas. The following example bucket policy statement shows how to do this.

... { "Sid":"1", "Effect":"Allow", "Principal":{"AWS":"source-bucket-account-id"}, "Action":["s3:ObjectOwnerOverrideToBucketOwner"], "Resource":"arn:aws:s3:::destination-bucket/*" } ...

Additional considerations

When you configure the ownership override option, the following considerations apply:

  • By default, the owner of the source object also owns the replica. Amazon S3 replicates the object version and the ACL associated with it.

    If you add the owner override, Amazon S3 replicates only the object version, not the ACL. In addition, Amazon S3 doesn't replicate subsequent changes to the source object ACL. Amazon S3 sets the ACL on the replica that grants full control to the destination bucket owner.

  • When you update a replication configuration to enable, or disable, the owner override, the following occurs.

     

    • If you add the owner override option to the replication configuration:

      When Amazon S3 replicates an object version, it discards the ACL that is associated with the source object. Instead, it sets the ACL on the replica, giving full control to the owner of the destination bucket. It doesn't replicate subsequent changes to the source object ACL. However, this ACL change doesn't apply to object versions that were replicated before you set the owner override option. ACL updates on source objects that were replicated before the owner override was set continue to be replicated (because the object and its replicas continue to have the same owner).

    • If you remove the owner override option from the replication configuration:

      Amazon S3 replicates new objects that appear in the source bucket and the associated ACLs to the destination buckets. For objects that were replicated before you removed the owner override, Amazon S3 doesn't replicate the ACLs because the object ownership change that Amazon S3 made remains in effect. That is, ACLs put on the object version that were replicated when the owner override was set continue to be not replicated.