Receiving replication failure events with Amazon S3 Event Notifications - Amazon Simple Storage Service

Receiving replication failure events with Amazon S3 Event Notifications

If you've enabled S3 Replication metrics on your replication configuration, you can set up Amazon S3 Event Notifications to notify you when objects don't replicate to their destination AWS Region. If you've enabled S3 Replication Time Control (S3 RTC) on your replication configuration, you can also be notified when objects don't replicate within the 15-minute S3 RTC threshold for replication.

By using the following Replication event types, you can monitor the minute-by-minute progress of replication events by tracking bytes pending, operations pending, and replication latency. For more information about S3 Replication metrics, see Using S3 Replication metrics.

  • The s3:Replication:OperationFailedReplication event type notifies you when an object that was eligible for replication failed to replicate.

  • The s3:Replication:OperationMissedThreshold event type notifies you when an object that was eligible for replication that uses S3 RTC exceeds the 15-minute threshold for replication.

  • The s3:Replication:OperationReplicatedAfterThreshold event type notifies you when an object that was eligible for replication that uses S3 RTC replicates after the 15-minute threshold.

  • The s3:Replication:OperationNotTracked event type notifies you when an object that was eligible for live replication (either Same-Region Replication [SRR] or Cross-Region Replication [CRR]) is no longer being tracked by replication metrics.

For full descriptions of all the supported replication event types, see Supported event types for SQS, SNS, and Lambda.

For a list of the failure codes captured by S3 Event Notifications, see Amazon S3 replication failure reasons.

You can receive S3 Event Notifications through Amazon Simple Queue Service (Amazon SQS), Amazon Simple Notification Service (Amazon SNS), or AWS Lambda. For more information, see Amazon S3 Event Notifications.

For instructions on how to configure Amazon S3 Event Notifications, see Enabling event notifications.

Note

In addition to enabling event notifications, make sure that you also enable S3 Replication metrics. For more information, see Enabling S3 Replication metrics.

The following is an example of a message that Amazon S3 sends to publish an s3:Replication:OperationFailedReplication event. For more information, see Event message structure.

{ "Records": [ { "eventVersion": "2.2", "eventSource": "aws:s3", "awsRegion": "us-east-1", "eventTime": "2024-09-05T21:04:32.527Z", "eventName": "Replication:OperationFailedReplication", "userIdentity": { "principalId": "s3.amazonaws.com" }, "requestParameters": { "sourceIPAddress": "s3.amazonaws.com" }, "responseElements": { "x-amz-request-id": "123bf045-2b4b-4ca8-a211-c34a63c59426", "x-amz-id-2": "12VAWNDIHnwJsRhTccqQTeAPoXQmRt22KkewMV8G3XZihAuf9CLDdmkApgZzudaIe2KlLfDqGS0=" }, "s3": { "s3SchemaVersion": "1.0", "configurationId": "ReplicationEventName", "bucket": { "name": "amzn-s3-demo-bucket1", "ownerIdentity": { "principalId": "111122223333" }, "arn": "arn:aws:s3:::amzn-s3-demo-bucket1" }, "object": { "key": "replication-object-put-test.png", "size": 520080, "eTag": "e12345ca7e88a38428305d3ff7fcb99f", "versionId": "abcdeH0Xp66ep__QDjR76LK7Gc9X4wKO", "sequencer": "0066DA1CBF104C0D51" } }, "replicationEventData": { "replicationRuleId": "notification-test-replication-rule", "destinationBucket": "arn:aws:s3:::amzn-s3-demo-bucket2", "s3Operation": "OBJECT_PUT", "requestTime": "2024-09-05T21:03:59.168Z", "failureReason": "AssumeRoleNotPermitted" } } ] }

Amazon S3 replication failure reasons

The following table lists Amazon S3 Replication failure reasons. You can view these reasons by receiving the s3:Replication:OperationFailedReplication event with Amazon S3 Event Notifications and then looking at the failureReason value.

You can also view these failure reasons in an S3 Batch Replication completion report. For more information, see Batch Replication completion report.

Replication failure reason Description
AssumeRoleNotPermitted Amazon S3 can't assume the AWS Identity and Access Management (IAM) role that's specified in the replication configuration or in the Batch Operations job.
DstBucketInvalidRegion The destination bucket is not in the same AWS Region as specified by the Batch Operations job. This error is specific to Batch Replication.
DstBucketNotFound Amazon S3 is unable to find the destination bucket that's specified in the replication configuration.
DstBucketObjectLockConfigMissing To replicate objects from a source bucket with Object Lock enabled, the destination bucket must also have Object Lock enabled. This error indicates that Object Lock might not be enabled in the destination bucket. For more information, see Object Lock considerations.
DstBucketUnversioned Versioning is not enabled for the S3 destination bucket. To replicate objects with S3 Replication, enable versioning for the destination bucket.
DstDelObjNotPermitted Amazon S3 is unable to replicate delete markers to the destination bucket. The s3:ReplicateDelete permission might be missing for the destination bucket.
DstKmsKeyInvalidState The AWS Key Management Service (AWS KMS) key for the destination bucket isn't in a valid state. Review and enable the required AWS KMS key. For more information about managing AWS KMS keys, see Key states of AWS KMS keys in the AWS Key Management Service Developer Guide.
DstKmsKeyNotFound The AWS KMS key that's configured for the destination bucket in the replication configuration doesn't exist.
DstMultipartCompleteNotPermitted Amazon S3 is unable to complete multipart uploads of objects in the destination bucket. The s3:ReplicateObject permission might be missing for the destination bucket.
DstMultipartInitNotPermitted Amazon S3 is unable to initiate multipart uploads of objects to the destination bucket. The s3:ReplicateObject permission might be missing for the destination bucket.
DstMultipartPartUploadNotPermitted Amazon S3 is unable to upload multipart upload objects to the destination bucket. The s3:ReplicateObject permission might be missing for the destination bucket.
DstObjectHardDeleted S3 Batch Replication does not support re-replicating objects deleted with the version ID of the object from the destination bucket. This error is specific to Batch Replication.
DstPutAclNotPermitted Amazon S3 is unable to replicate object access control lists (ACLs) to the destination bucket. The s3:ReplicateObject permission might be missing for the destination bucket.
DstPutLegalHoldNotPermitted Amazon S3 is unable to put an Object Lock legal hold on the destination objects when it is replicating immutable objects. The s3:PutObjectLegalHold permission might be missing for the destination bucket. For more information, see Legal holds.
DstPutObjectNotPermitted Amazon S3 is unable to replicate objects to the destination bucket. The s3:ReplicateObject or s3:ObjectOwnerOverrideToBucketOwner permissions might be missing for the destination bucket.
DstPutTaggingNotPermitted Amazon S3 is unable to replicate object tags to the destination bucket. The s3:ReplicateObject permission might be missing for the destination bucket.
DstVersionNotFound Amazon S3 is unable to find the required object version in the destination bucket for which metadata needs to be replicated.
InitiateReplicationNotPermitted Amazon S3 is unable to initiate replication on objects. The s3:InitiateReplication permission might be missing for the Batch Operations job. This error is specific to Batch Replication.
SrcBucketInvalidRegion The source bucket is not in the same AWS Region as specified by the Batch Operations job. This error is specific to Batch Replication.
SrcBucketNotFound Amazon S3 is unable to find the source bucket.
SrcBucketReplicationConfigMissing Amazon S3 couldn't find a replication configuration for the source bucket.
SrcGetAclNotPermitted

Amazon S3 is unable to access the object in the source bucket for replication. The s3:GetObjectVersionAcl permission might be missing for the source bucket object.

The objects in the source bucket must be owned by the bucket owner. If ACLs are enabled, then verify if Object Ownership is set to Bucket owner preferred or Object writer. If Object Ownership is set to Bucket owner preferred, then the source bucket objects must have the bucket-owner-full-control ACL for the bucket owner to become the object owner. The source account can take ownership of all objects in their bucket by setting Object Ownership to Bucket owner enforced and disabling ACLs.

SrcGetLegalHoldNotPermitted Amazon S3 is unable to access the S3 Object Lock legal hold information.
SrcGetObjectNotPermitted Amazon S3 is unable to access the object in the source bucket for replication. The s3:GetObjectVersionForReplication permission might be missing for the source bucket.
SrcGetRetentionNotPermitted Amazon S3 is unable to access the S3 Object Lock retention period information.
SrcGetTaggingNotPermitted Amazon S3 is unable to access object tag information from the source bucket. The s3:GetObjectVersionTagging permission might be missing for the source bucket.
SrcHeadObjectNotPermitted Amazon S3 is unable to retrieve object metadata from the source bucket. The s3:GetObjectVersionForReplication permission might be missing for the source bucket.
SrcKeyNotFound Amazon S3 is unable to find the source object key to replicate. Source object may have been deleted before replication was complete.
SrcKmsKeyInvalidState The AWS KMS key for the source bucket isn't in a valid state. Review and enable the required AWS KMS key. For more information about managing AWS KMS keys, see Key states of AWS KMS keys in the AWS Key Management Service Developer Guide.
SrcObjectNotEligible Some objects aren't eligible for replication. This may be due to the object's storage class or the object tags don't match the replication configuration.
SrcObjectNotFound Source object does not exist.
SrcReplicationNotPending Amazon S3 has already replicated this object. This object is no longer pending replication.
SrcVersionNotFound Amazon S3 is unable to find the source object version to replicate. Source object version may have been deleted before replication was complete.

Setting up permissions for live replication

Troubleshooting replication