Adding the owner override option to the replication configuration Granting Amazon S3 permission to change replica ownership Adding permission in the destination bucket policy to allow changing replica ownership Additional considerations How to change the replica owner

Changing the replica owner

In replication, the owner of the source object also owns the replica by default. When source and destination buckets are owned by different AWS accounts and you want to change replica ownership to the AWS account that owns the destination buckets, you can add optional configuration settings to change replica ownership to the AWS account that owns the destination buckets. You might do this, for example, to restrict access to object replicas. This is referred to as the owner override option of the replication configuration. For more information about the owner override option, see Adding the owner override option to the replication configuration. For information about setting the replication configuration, see Replicating objects overview.

To configure the owner override, you do the following:

Add the owner override option to the replication configuration to tell Amazon S3 to change replica ownership.
Grant Amazon S3 permissions to change replica ownership.
Add permission in the destination buckets policy to allow changing replica ownership. This allows the owner of the destination buckets to accept the ownership of object replicas.

For more information, see Adding the owner override option to the replication configuration. For a working example with step-by-step instructions, see How to change the replica owner.

Bucket owner enforced setting for Object Ownership

When you use Amazon S3 replication and the source and destination buckets are owned by different AWS accounts, the bucket owner of the destination bucket can disable ACLs (with the bucket owner enforced setting for Object Ownership) to change replica ownership to the AWS account that owns the destination bucket. This setting mimics the existing owner override behavior without the need of s3:ObjectOwnerOverrideToBucketOwner permission. This means that all objects that are replicated to the destination bucket with the bucket owner enforced setting are owned by the destination bucket owner. For more information about Object Ownership, see Controlling ownership of objects and disabling ACLs for your bucket.

Adding the owner override option to the replication configuration

Warning

Add the owner override option only when the source and destination buckets are owned by different AWS accounts. Amazon S3 doesn't check if the buckets are owned by same or different accounts. If you add the owner override when both buckets are owned by same AWS account, Amazon S3 applies the owner override. It grants full permissions to the owner of the destination bucket and doesn't replicate subsequent updates to the source object access control list (ACL). The replica owner can directly change the ACL associated with a replica with a PUT ACL request, but not through replication.

To specify the owner override option, add the following to each Destination element:

The AccessControlTranslation element, which tells Amazon S3 to change replica ownership
The Account element, which specifies the AWS account of the destination bucket owner


<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    ...
    <Destination>
      ...
      <AccessControlTranslation>
           <Owner>Destination</Owner>
       </AccessControlTranslation>
      <Account>destination-bucket-owner-account-id</Account>
    </Destination>
  </Rule>
</ReplicationConfiguration>

The following example replication configuration tells Amazon S3 to replicate objects that have the Tax key prefix to the destination bucket and change ownership of the replicas.


<?xml version="1.0" encoding="UTF-8"?>
<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
   <Role>arn:aws:iam::account-id:role/role-name</Role>
   <Rule>
      <ID>Rule-1</ID>
      <Priority>1</Priority>
      <Status>Enabled</Status>
      <DeleteMarkerReplication>
         <Status>Disabled</Status>
      </DeleteMarkerReplication>
      <Filter>
         <Prefix>Tax</Prefix>
      </Filter>
      <Destination>
         <Bucket>arn:aws:s3:::destination-bucket</Bucket>
         <Account>destination-bucket-owner-account-id</Account>
         <AccessControlTranslation>
            <Owner>Destination</Owner>
         </AccessControlTranslation>
      </Destination>
   </Rule>
</ReplicationConfiguration>

Granting Amazon S3 permission to change replica ownership

Grant Amazon S3 permissions to change replica ownership by adding permission for the s3:ObjectOwnerOverrideToBucketOwner action in the permissions policy associated with the IAM role. This is the IAM role that you specified in the replication configuration that allows Amazon S3 to assume and replicate objects on your behalf.


...
{
    "Effect":"Allow",
         "Action":[
       "s3:ObjectOwnerOverrideToBucketOwner"
    ],
    "Resource":"arn:aws:s3:::destination-bucket/*"
}
...

Adding permission in the destination bucket policy to allow changing replica ownership

The owner of the destination bucket must grant the owner of the source bucket permission to change replica ownership. The owner of the destination bucket grants the owner of the source bucket permission for the s3:ObjectOwnerOverrideToBucketOwner action. This allows the destination bucket owner to accept ownership of the object replicas. The following example bucket policy statement shows how to do this.


...
{
    "Sid":"1",
    "Effect":"Allow",
    "Principal":{"AWS":"source-bucket-account-id"},
    "Action":["s3:ObjectOwnerOverrideToBucketOwner"],
    "Resource":"arn:aws:s3:::destination-bucket/*"
}
...

Additional considerations

When you configure the ownership override option, the following considerations apply:

By default, the owner of the source object also owns the replica. Amazon S3 replicates the object version and the ACL associated with it.

If you add the owner override, Amazon S3 replicates only the object version, not the ACL. In addition, Amazon S3 doesn't replicate subsequent changes to the source object ACL. Amazon S3 sets the ACL on the replica that grants full control to the destination bucket owner.
When you update a replication configuration to enable, or disable, the owner override, the following occurs.
- If you add the owner override option to the replication configuration:
  
  When Amazon S3 replicates an object version, it discards the ACL that is associated with the source object. Instead, it sets the ACL on the replica, giving full control to the owner of the destination bucket. It doesn't replicate subsequent changes to the source object ACL. However, this ACL change doesn't apply to object versions that were replicated before you set the owner override option. ACL updates on source objects that were replicated before the owner override was set continue to be replicated (because the object and its replicas continue to have the same owner).
- If you remove the owner override option from the replication configuration:
  
  Amazon S3 replicates new objects that appear in the source bucket and the associated ACLs to the destination buckets. For objects that were replicated before you removed the owner override, Amazon S3 doesn't replicate the ACLs because the object ownership change that Amazon S3 made remains in effect. That is, ACLs put on the object version that were replicated when the owner override was set continue to be not replicated.

How to change the replica owner

When the source and destination buckets in a replication configuration are owned by different AWS accounts, you can tell Amazon S3 to change replica ownership to the AWS account that owns the destination bucket. This example explains how to use the Amazon S3 console and the AWS CLI to change replica ownership. For more information, see Changing the replica owner.

Note

When you use S3 replication and the source and destination buckets are owned by different AWS accounts, the bucket owner of the destination bucket can disable ACLs (with the bucket owner enforced setting for Object Ownership) to change replica ownership to the AWS account that owns the destination bucket. This setting mimics the existing owner override behavior without the need of s3:ObjectOwnerOverrideToBucketOwner permission. This means that all objects that are replicated to the destination bucket with the bucket owner enforced setting are owned by the destination bucket owner. For more information about Object Ownership, see Controlling ownership of objects and disabling ACLs for your bucket.

For more information about configuring replication using sever-side encryption with AWS Key Management Service in cross-account scenarios, see Granting additional permissions for cross-account scenarios.

For step-by-step instructions, see Configuring replication for source and destination buckets owned by the same account. This topic provides instructions for setting replication configuration when buckets are owned by same and different AWS accounts.

To change replica ownership using the AWS CLI, you create buckets, enable versioning on the buckets, create an IAM role that gives Amazon S3 permission to replicate objects, and add the replication configuration to the source bucket. In the replication configuration you direct Amazon S3 to change replica owner. You also test the setup.

To change replica ownership when source and destination buckets are owned by different AWS accounts (AWS CLI)

In this example, you create the source and destination buckets in two different AWS accounts. Configure the AWS CLI with two named profiles. This example uses profiles named acctA and acctB, respectively. For more information about setting credential profiles, see Named Profiles in the AWS Command Line Interface User Guide.

Important
The profiles you use for this exercise must have the necessary permissions. For example, in the replication configuration, you specify the IAM role that Amazon S3 can assume. You can do this only if the profile you use has the iam:PassRole permission. If you use administrator user credentials to create a named profile then you can perform all the tasks. For more information, see Granting a User Permissions to Pass a Role to an AWS Service in the IAM User Guide.

You will need to make sure these profiles have necessary permissions. For example, the replication configuration includes an IAM role that Amazon S3 can assume. The named profile you use to attach such configuration to a bucket can do so only if it has the iam:PassRole permission. If you specify administrator user credentials when creating these named profiles, they have all the permissions. For more information, see Granting a User Permissions to Pass a Role to an AWS Service in the IAM User Guide.

Create the source bucket and enable versioning. This example creates the source bucket in the US East (N. Virginia) (us-east-1) Region.


aws s3api create-bucket \
--bucket source \
--region us-east-1 \
--profile acctA


aws s3api put-bucket-versioning \
--bucket source \
--versioning-configuration Status=Enabled \
--profile acctA

Create a destination bucket and enable versioning. This example creates the destination bucket in the US West (Oregon) (us-west-2) Region. Use an AWS account profile different from the one you used for the source bucket.


aws s3api create-bucket \
--bucket destination \
--region us-west-2 \
--create-bucket-configuration LocationConstraint=us-west-2 \
--profile acctB


aws s3api put-bucket-versioning \
--bucket destination \
--versioning-configuration Status=Enabled \
--profile acctB

You must add permissions to your destination bucket policy to allow changing the replica ownership.

Save the following policy to destination-bucket-policy.json.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "destination_bucket_policy_sid",
      "Principal": {
        "AWS": "source-bucket-owner-account-id"
      },
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ObjectOwnerOverrideToBucketOwner",
        "s3:ReplicateTags",
        "s3:GetObjectVersionTagging"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::destination/*"
      ]
    }
  ]
}

Put the above policy to destination bucket:


aws s3api put-bucket-policy --region $ {destination_region} --bucket $ {destination} --policy file://destination_bucket_policy.json

Create an IAM role. You specify this role in the replication configuration that you add to the source bucket later. Amazon S3 assumes this role to replicate objects on your behalf. You create an IAM role in two steps:

Create a role.
Attach a permissions policy to the role.

Create an IAM role.
1. Copy the following trust policy and save it to a file named s3-role-trust-policy.json in the current directory on your local computer. This policy grants Amazon S3 permissions to assume the role.
```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"s3.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}
```
2. Run the following AWS CLI command to create a role.
```
$ aws iam create-role \
--role-name replicationRole \
--assume-role-policy-document file://s3-role-trust-policy.json  \
--profile acctA
```

Attach a permissions policy to the role.

Copy the following permissions policy and save it to a file named s3-role-perm-pol-changeowner.json in the current directory on your local computer. This policy grants permissions for various Amazon S3 bucket and object actions. In the following steps, you create an IAM role and attach this policy to the role.


{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetObjectVersionForReplication",
            "s3:GetObjectVersionAcl"
         ],
         "Resource":[
            "arn:aws:s3:::source/*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetReplicationConfiguration"
         ],
         "Resource":[
            "arn:aws:s3:::source"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ReplicateObject",
            "s3:ReplicateDelete",
            "s3:ObjectOwnerOverrideToBucketOwner",
            "s3:ReplicateTags",
            "s3:GetObjectVersionTagging"
         ],
         "Resource":"arn:aws:s3:::destination/*"
      }
   ]
}

To create a policy and attach it to the role, run the following command.


$ aws iam put-role-policy \
--role-name replicationRole \
--policy-document file://s3-role-perm-pol-changeowner.json \
--policy-name replicationRolechangeownerPolicy \
--profile acctA

Add a replication configuration to your source bucket.
1. The AWS CLI requires specifying the replication configuration as JSON. Save the following JSON in a file named replication.json in the current directory on your local computer. In the configuration, the addition of AccessControlTranslation to indicate change in replica ownership.
```
{
   "Role":"IAM-role-ARN",
   "Rules":[
      {
         "Status":"Enabled",
         "Priority":1,
         "DeleteMarkerReplication":{
            "Status":"Disabled"
         },
         "Filter":{
         },
         "Status":"Enabled",
         "Destination":{
            "Bucket":"arn:aws:s3:::destination",
            "Account":"destination-bucket-owner-account-id",
            "AccessControlTranslation":{
               "Owner":"Destination"
            }
         }
      }
   ]
}
```
2. Edit the JSON by providing values for the destination bucket owner account ID and IAM-role-ARN. Save the changes.
3. To add the replication configuration to the source bucket, run the following command. Provide the source bucket name.
```
$ aws s3api put-bucket-replication \
--replication-configuration file://replication.json \
--bucket source \
--profile acctA
```
Check replica ownership in the Amazon S3 console.
1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
2. Add objects to the source bucket. Verify that the destination bucket contains the object replicas and that the ownership of the replicas has changed to the AWS account that owns the destination bucket.

For a code example to add replication configuration, see Using the AWS SDKs. You need to modify the replication configuration appropriately. For conceptual information, see Changing the replica owner.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Configuring for buckets in different accounts

Using S3 Replication Time Control