Changing the replica owner
In replication, the owner of the source object also owns the replica by default. When the source and destination buckets are owned by different AWS accounts, you can add optional configuration settings to change replica ownership to the AWS account that owns the destination buckets. You might do this, for example, to restrict access to object replicas. This is referred to as the owner override option of the replication configuration. For more information about the owner override option, see Adding the owner override option to the replication configuration. For information about setting the replication configuration, see Replicating objects overview.
To configure the owner override, you do the following:
- Add the owner override option to the replication configuration to tell Amazon S3 to change replica ownership.
- Grant Amazon S3 permissions to change replica ownership.
- Add permission in the destination bucket policy to allow changing replica ownership. This allows the owner of the destination bucket to accept the ownership of object replicas.
For more information, see Adding the owner override option to the replication configuration. For a working example with step-by-step instructions, see How to change the replica owner.
Bucket owner enforced setting for Object Ownership
When you use Amazon S3 replication and the source and destination buckets are owned by different AWS accounts, the bucket owner of the destination bucket can disable ACLs (with the bucket owner enforced setting for Object Ownership) to change replica ownership to the AWS account that owns the destination bucket. This setting mimics the existing owner override behavior without needing the s3:ObjectOwnerOverrideToBucketOwner permission. This means that all objects that are replicated to a destination bucket with the bucket owner enforced setting are owned by the destination bucket owner. For more information about Object Ownership, see Controlling ownership of objects and disabling ACLs for your bucket.
Adding the owner override option to the replication configuration
Warning
Add the owner override option only when the source and destination buckets are owned by different AWS accounts. Amazon S3 doesn't check whether the buckets are owned by the same or by different accounts. If you add the owner override when both buckets are owned by the same AWS account, Amazon S3 applies the owner override anyway. It grants full permissions to the owner of the destination bucket and doesn't replicate subsequent updates to the source object access control list (ACL). The replica owner can directly change the ACL associated with a replica with a PUT ACL request, but not through replication.
To specify the owner override option, add the following to each Destination element:
- The AccessControlTranslation element, which tells Amazon S3 to change replica ownership
- The Account element, which specifies the AWS account of the destination bucket owner

    <ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
      ...
        <Destination>
          ...
          <AccessControlTranslation>
            <Owner>Destination</Owner>
          </AccessControlTranslation>
          <Account>destination-bucket-owner-account-id</Account>
        </Destination>
      </Rule>
    </ReplicationConfiguration>
The following example replication configuration tells Amazon S3 to replicate objects that have the Tax key prefix to the destination bucket and change ownership of the replicas.

    <?xml version="1.0" encoding="UTF-8"?>
    <ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
      <Role>arn:aws:iam::account-id:role/role-name</Role>
      <Rule>
        <ID>Rule-1</ID>
        <Priority>1</Priority>
        <Status>Enabled</Status>
        <DeleteMarkerReplication>
          <Status>Disabled</Status>
        </DeleteMarkerReplication>
        <Filter>
          <Prefix>Tax</Prefix>
        </Filter>
        <Destination>
          <Bucket>arn:aws:s3:::destination-bucket</Bucket>
          <Account>destination-bucket-owner-account-id</Account>
          <AccessControlTranslation>
            <Owner>Destination</Owner>
          </AccessControlTranslation>
        </Destination>
      </Rule>
    </ReplicationConfiguration>
Granting Amazon S3 permission to change replica ownership
Grant Amazon S3 permissions to change replica ownership by adding permission for the s3:ObjectOwnerOverrideToBucketOwner action in the permissions policy associated with the IAM role. This is the IAM role that you specified in the replication configuration; it allows Amazon S3 to assume the role and replicate objects on your behalf.

    ...
    {
      "Effect":"Allow",
      "Action":[
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Resource":"arn:aws:s3:::destination-bucket/*"
    }
    ...
Adding permission in the destination bucket policy to allow changing replica ownership
The owner of the destination bucket must grant the owner of the source bucket permission to change replica ownership. The owner of the destination bucket grants the owner of the source bucket permission for the s3:ObjectOwnerOverrideToBucketOwner action. This allows the destination bucket owner to accept ownership of the object replicas. The following example bucket policy statement shows how to do this.

    ...
    {
      "Sid":"1",
      "Effect":"Allow",
      "Principal":{"AWS":"source-bucket-account-id"},
      "Action":["s3:ObjectOwnerOverrideToBucketOwner"],
      "Resource":"arn:aws:s3:::destination-bucket/*"
    }
    ...
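The three pieces described above (the AccessControlTranslation and Account elements in the replication rule, the s3:ObjectOwnerOverrideToBucketOwner grant in the role's permissions policy, and the matching grant to the source account in the destination bucket policy) have to agree, and the warning above notes that Amazon S3 does not check whether the two buckets really belong to different accounts. The following Python lint is added here as an example (it is not AWS code): it reads the three documents as parsed JSON and reports any inconsistency; the bucket name and 12-digit account IDs in the sample are constructed placeholders.

```python
OVERRIDE_ACTION = "s3:ObjectOwnerOverrideToBucketOwner"

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def allows(policy, action, resource, account=None):
    """True if an Allow statement covers action on resource and, when given, names account as AWS principal."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if action not in _as_list(st.get("Action")) or resource not in _as_list(st.get("Resource")):
            continue
        principal = st.get("Principal") or {}  # bucket policies carry Principal; role policies do not
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if account is None or any(p == account or p.endswith(f":{account}:root") for p in _as_list(aws)):
            return True
    return False

def check_owner_override(replication, role_policy, dest_bucket_policy, source_account):
    """Findings for every rule that sets the owner override; an empty list means the three pieces agree."""
    findings = []
    for rule in replication.get("Rules", []):
        dest = rule.get("Destination", {})
        act = dest.get("AccessControlTranslation")
        if act is None:
            continue  # no owner override on this rule, nothing further to verify
        objects = dest.get("Bucket", "") + "/*"
        if act.get("Owner") != "Destination":
            findings.append("AccessControlTranslation.Owner must be 'Destination'")
        account = dest.get("Account")
        if not account:
            findings.append("Account is required alongside AccessControlTranslation")
        elif account == source_account:
            # S3 does not check this: it applies the override and stops replicating later source ACL changes.
            findings.append(f"owner override set but both buckets belong to account {account}")
        if not allows(role_policy, OVERRIDE_ACTION, objects):
            findings.append(f"replication role lacks {OVERRIDE_ACTION} on {objects}")
        if not allows(dest_bucket_policy, OVERRIDE_ACTION, objects, account=source_account):
            findings.append(f"destination bucket policy does not grant {OVERRIDE_ACTION} to {source_account}")
    return findings

# Constructed sample (placeholder account IDs and bucket): the page's three configuration pieces, consistent.
SOURCE_ACCOUNT, DEST_ACCOUNT, DEST = "111111111111", "222222222222", "arn:aws:s3:::destination"
REPLICATION = {"Role": f"arn:aws:iam::{SOURCE_ACCOUNT}:role/replicationRole", "Rules": [{"Status": "Enabled",
    "Destination": {"Bucket": DEST, "Account": DEST_ACCOUNT, "AccessControlTranslation": {"Owner": "Destination"}}}]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": [OVERRIDE_ACTION, "s3:ReplicateObject"], "Resource": DEST + "/*"}]}
DEST_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "1", "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
     "Action": [OVERRIDE_ACTION], "Resource": DEST + "/*"}]}
```

Running check_owner_override on the sample returns an empty list; passing the destination account as the source account reproduces the same-account case the warning describes and also flags that the bucket policy names a different principal.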
Additional considerations
When you configure the ownership override option, the following considerations apply:
- By default, the owner of the source object also owns the replica. Amazon S3 replicates the object version and the ACL associated with it. If you add the owner override, Amazon S3 replicates only the object version, not the ACL. In addition, Amazon S3 doesn't replicate subsequent changes to the source object ACL. Amazon S3 sets an ACL on the replica that grants full control to the destination bucket owner.
- When you update a replication configuration to enable or disable the owner override, the following occurs:
  - If you add the owner override option to the replication configuration: When Amazon S3 replicates an object version, it discards the ACL that is associated with the source object. Instead, it sets the ACL on the replica, giving full control to the owner of the destination bucket. It doesn't replicate subsequent changes to the source object ACL. However, this ACL change doesn't apply to object versions that were replicated before you set the owner override option. ACL updates on source objects that were replicated before the owner override was set continue to be replicated (because the object and its replicas continue to have the same owner).
  - If you remove the owner override option from the replication configuration: Amazon S3 replicates new objects that appear in the source bucket, and the associated ACLs, to the destination buckets. For objects that were replicated before you removed the owner override, Amazon S3 doesn't replicate the ACLs, because the object ownership change that Amazon S3 made remains in effect. That is, ACLs put on object versions that were replicated while the owner override was set continue not to be replicated.
How to change the replica owner
When the source and destination buckets in a replication configuration are owned by different AWS accounts, you can tell Amazon S3 to change replica ownership to the AWS account that owns the destination bucket. This example explains how to use the Amazon S3 console and the AWS CLI to change replica ownership. For more information, see Changing the replica owner.
Note
When you use S3 replication and the source and destination buckets are owned by different AWS accounts, the bucket owner of the destination bucket can disable ACLs (with the bucket owner enforced setting for Object Ownership) to change replica ownership to the AWS account that owns the destination bucket. This setting mimics the existing owner override behavior without needing the s3:ObjectOwnerOverrideToBucketOwner permission. This means that all objects that are replicated to a destination bucket with the bucket owner enforced setting are owned by the destination bucket owner. For more information about Object Ownership, see Controlling ownership of objects and disabling ACLs for your bucket.
For more information about configuring replication using server-side encryption with AWS Key Management Service in cross-account scenarios, see Granting additional permissions for cross-account scenarios.
For step-by-step instructions, see Configuring replication for source and destination buckets owned by the same account. This topic provides instructions for setting the replication configuration when the buckets are owned by the same or by different AWS accounts.
To change replica ownership using the AWS CLI, you create buckets, enable versioning on the buckets, create an IAM role that gives Amazon S3 permission to replicate objects, and add the replication configuration to the source bucket. In the replication configuration, you direct Amazon S3 to change the replica owner. You also test the setup.
To change replica ownership when source and destination buckets are owned by different AWS accounts (AWS CLI)
- In this example, you create the source and destination buckets in two different AWS accounts. Configure the AWS CLI with two named profiles. This example uses profiles named acctA and acctB, respectively. For more information about setting credential profiles, see Named Profiles in the AWS Command Line Interface User Guide.

  Important
  The profiles you use for this exercise must have the necessary permissions. For example, in the replication configuration, you specify the IAM role that Amazon S3 can assume. You can do this only if the profile you use has the iam:PassRole permission. If you use administrator user credentials to create a named profile, then you can perform all the tasks. For more information, see Granting a User Permissions to Pass a Role to an AWS Service in the IAM User Guide.

- Create the source bucket and enable versioning. This example creates the source bucket in the US East (N. Virginia) (us-east-1) Region.

      aws s3api create-bucket \
        --bucket source \
        --region us-east-1 \
        --profile acctA

      aws s3api put-bucket-versioning \
        --bucket source \
        --versioning-configuration Status=Enabled \
        --profile acctA

- Create a destination bucket and enable versioning. This example creates the destination bucket in the US West (Oregon) (us-west-2) Region. Use an AWS account profile different from the one you used for the source bucket.

      aws s3api create-bucket \
        --bucket destination \
        --region us-west-2 \
        --create-bucket-configuration LocationConstraint=us-west-2 \
        --profile acctB

      aws s3api put-bucket-versioning \
        --bucket destination \
        --versioning-configuration Status=Enabled \
        --profile acctB

- You must add permissions to your destination bucket policy to allow changing the replica ownership.

  - Save the following policy to destination-bucket-policy.json.

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "destination_bucket_policy_sid",
              "Principal": {
                "AWS": "source-bucket-owner-account-id"
              },
              "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ObjectOwnerOverrideToBucketOwner",
                "s3:ReplicateTags",
                "s3:GetObjectVersionTagging"
              ],
              "Effect": "Allow",
              "Resource": [
                "arn:aws:s3:::destination/*"
              ]
            }
          ]
        }

  - Put the above policy on the destination bucket, using the profile of the account that owns it:

        aws s3api put-bucket-policy \
          --region us-west-2 \
          --bucket destination \
          --policy file://destination-bucket-policy.json \
          --profile acctB

- Create an IAM role. You specify this role in the replication configuration that you add to the source bucket later. Amazon S3 assumes this role to replicate objects on your behalf. You create an IAM role in two steps:
  - Create a role.
  - Attach a permissions policy to the role.

  - Create an IAM role.
    - Copy the following trust policy and save it to a file named s3-role-trust-policy.json in the current directory on your local computer. This policy grants Amazon S3 permission to assume the role.

          {
            "Version":"2012-10-17",
            "Statement":[
              {
                "Effect":"Allow",
                "Principal":{
                  "Service":"s3.amazonaws.com"
                },
                "Action":"sts:AssumeRole"
              }
            ]
          }

    - Run the following AWS CLI command to create a role.

          aws iam create-role \
            --role-name replicationRole \
            --assume-role-policy-document file://s3-role-trust-policy.json \
            --profile acctA

  - Attach a permissions policy to the role.
    - Copy the following permissions policy and save it to a file named s3-role-perm-pol-changeowner.json in the current directory on your local computer. This policy grants permissions for various Amazon S3 bucket and object actions. In the following step, you attach this policy to the role you created.

          {
            "Version":"2012-10-17",
            "Statement":[
              {
                "Effect":"Allow",
                "Action":[
                  "s3:GetObjectVersionForReplication",
                  "s3:GetObjectVersionAcl"
                ],
                "Resource":[
                  "arn:aws:s3:::source/*"
                ]
              },
              {
                "Effect":"Allow",
                "Action":[
                  "s3:ListBucket",
                  "s3:GetReplicationConfiguration"
                ],
                "Resource":[
                  "arn:aws:s3:::source"
                ]
              },
              {
                "Effect":"Allow",
                "Action":[
                  "s3:ReplicateObject",
                  "s3:ReplicateDelete",
                  "s3:ObjectOwnerOverrideToBucketOwner",
                  "s3:ReplicateTags",
                  "s3:GetObjectVersionTagging"
                ],
                "Resource":"arn:aws:s3:::destination/*"
              }
            ]
          }

    - To create a policy and attach it to the role, run the following command.

          aws iam put-role-policy \
            --role-name replicationRole \
            --policy-document file://s3-role-perm-pol-changeowner.json \
            --policy-name replicationRolechangeownerPolicy \
            --profile acctA

- Add a replication configuration to your source bucket.
  - The AWS CLI requires specifying the replication configuration as JSON. Save the following JSON in a file named replication.json in the current directory on your local computer. The configuration includes AccessControlTranslation to indicate the change in replica ownership.

        {
          "Role":"IAM-role-ARN",
          "Rules":[
            {
              "Status":"Enabled",
              "Priority":1,
              "DeleteMarkerReplication":{
                "Status":"Disabled"
              },
              "Filter":{
              },
              "Destination":{
                "Bucket":"arn:aws:s3:::destination",
                "Account":"destination-bucket-owner-account-id",
                "AccessControlTranslation":{
                  "Owner":"Destination"
                }
              }
            }
          ]
        }

  - Edit the JSON by providing values for the destination bucket owner account ID and IAM-role-ARN. Save the changes.
  - To add the replication configuration to the source bucket, run the following command. Provide the source bucket name.

        aws s3api put-bucket-replication \
          --replication-configuration file://replication.json \
          --bucket source \
          --profile acctA

- Check replica ownership in the Amazon S3 console.
  - Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  - Add objects to the source bucket. Verify that the destination bucket contains the object replicas and that the ownership of the replicas has changed to the AWS account that owns the destination bucket.
For a code example to add replication configuration, see Using the AWS SDKs. You need to modify the replication configuration appropriately. For conceptual information, see Changing the replica owner.