Configuring replication when source and destination buckets are owned by different accounts

Setting up replication when the source and destination buckets are owned by different AWS accounts is similar to setting up replication when both buckets are owned by the same account. The only difference is that the destination bucket owner must grant the source bucket owner permission to replicate objects by adding a bucket policy to the destination bucket. The IAM role that the source account creates for replication is not sufficient on its own, because the destination account must authorize writes to a bucket it owns through a resource-based policy.

For more information about configuring replication using server-side encryption with AWS Key Management Service (SSE-KMS) in cross-account scenarios, see Granting additional permissions for cross-account scenarios.
To configure replication when the source and destination buckets are owned by different AWS accounts

- In this example, you create source and destination buckets in two different AWS accounts. You need to have two credential profiles set for the AWS CLI (in this example, we use acctA and acctB for profile names). For more information about setting credential profiles, see Named Profiles in the AWS Command Line Interface User Guide.

- Follow the step-by-step instructions in Configuring for buckets in the same account with the following changes:

  - For all AWS CLI commands related to source bucket activities (creating the source bucket, enabling versioning, and creating the IAM role), use the acctA profile. Use the acctB profile to create the destination bucket.

  - Make sure that the permissions policy specifies the source and destination buckets that you created for this example.

- In the console, add the following bucket policy on the destination bucket to allow the owner of the source bucket to replicate objects. Be sure to edit the policy by providing the AWS account ID of the source bucket owner and the destination bucket name. The policy names the replication role as the principal rather than the source account root, so only that role, and not every identity in the source account, can write replicas into the destination bucket.

  Note

  To use the following example, replace the user input placeholders with your own information. Replace DOC-EXAMPLE-BUCKET with your destination bucket name. Replace source-bucket-acct-ID:role/service-role/source-acct-IAM-role with the role you are using for this replication configuration. If you created the IAM service role manually, set the role path as role/service-role/, as shown in the policy example below. For more information, see IAM ARNs in the IAM User Guide.

  {
     "Version":"2012-10-17",
     "Id":"",
     "Statement":[
        {
           "Sid":"Set-permissions-for-objects",
           "Effect":"Allow",
           "Principal":{
              "AWS":"arn:aws:iam::source-bucket-acct-ID:role/service-role/source-acct-IAM-role"
           },
           "Action":["s3:ReplicateObject", "s3:ReplicateDelete"],
           "Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
        },
        {
           "Sid":"Set permissions on bucket",
           "Effect":"Allow",
           "Principal":{
              "AWS":"arn:aws:iam::source-bucket-acct-ID:role/service-role/source-acct-IAM-role"
           },
           "Action":["s3:GetBucketVersioning", "s3:PutBucketVersioning"],
           "Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET"
        }
     ]
  }
Choose the bucket and add the bucket policy. For instructions, see Adding a bucket policy by using the Amazon S3 console.
In replication, the owner of the source object owns the replica by default. When the source and destination buckets are owned by different AWS accounts, you can add optional configuration settings to change replica ownership to the AWS account that owns the destination bucket. This includes granting the replication role the s3:ObjectOwnerOverrideToBucketOwner permission. For more information, see Changing the replica owner.
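The whole cross-account procedure above, carried out with the AWS CLI from both profiles, as an added example that is not part of the AWS documentation. It keeps the acctA and acctB profile names from the page; the account ID 111122223333, the bucket name source-bucket-example, the role policy name replication-policy and the script name are assumptions. The role's trust and permissions policies, and the extra s3:ReplicateTags action in the destination bucket policy, follow the standard S3 replication role permissions rather than the policy shown on this page. Replica ownership is left at the default (source object owner).

```shell
#!/bin/sh
# Added example, not from the AWS documentation: the cross-account replication
# procedure above as one AWS CLI script. Profile names, bucket names, the
# 12-digit account ID and the role name are assumptions; change them to yours.
set -eu

SRC_PROFILE=acctA                          # owns the source bucket and the role
DST_PROFILE=acctB                          # owns the destination bucket
SRC_BUCKET=${SRC_BUCKET:-source-bucket-example}
DST_BUCKET=${DST_BUCKET:-DOC-EXAMPLE-BUCKET}
SRC_ACCT_ID=${SRC_ACCT_ID:-111122223333}   # assumed source account ID
ROLE_NAME=${ROLE_NAME:-source-acct-IAM-role}
ROLE_PATH=/service-role/                   # must match the path in the bucket policy
REGION=${AWS_REGION:-us-east-1}            # other regions need --create-bucket-configuration

# $1 = account ID, $2 = role name -> arn:aws:iam::<acct>:role/service-role/<name>
role_arn() { printf 'arn:aws:iam::%s:role%s%s' "$1" "$ROLE_PATH" "$2"; }

# Policy the destination owner (acctB) attaches to its bucket. The principal is
# the source account's replication role only, never the source account root.
dest_bucket_policy() {                     # $1 = source acct ID, $2 = role, $3 = dest bucket
  cat <<EOF
{ "Version": "2012-10-17",
  "Statement": [
    { "Sid": "Set-permissions-for-objects", "Effect": "Allow",
      "Principal": { "AWS": "$(role_arn "$1" "$2")" },
      "Action": [ "s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags" ],
      "Resource": "arn:aws:s3:::$3/*" },
    { "Sid": "Set permissions on bucket", "Effect": "Allow",
      "Principal": { "AWS": "$(role_arn "$1" "$2")" },
      "Action": [ "s3:GetBucketVersioning", "s3:PutBucketVersioning" ],
      "Resource": "arn:aws:s3:::$3" } ] }
EOF
}

# Trust policy: only the S3 service may assume the replication role.
replication_trust_policy() {
  cat <<'EOF'
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": { "Service": "s3.amazonaws.com" } } ] }
EOF
}

# Role permissions: read source versions, write replicas to the destination.
replication_role_policy() {                # $1 = source bucket, $2 = dest bucket
  cat <<EOF
{ "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": [ "s3:GetReplicationConfiguration", "s3:ListBucket" ],
      "Resource": "arn:aws:s3:::$1" },
    { "Effect": "Allow", "Action": [ "s3:GetObjectVersionForReplication",
      "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging" ],
      "Resource": "arn:aws:s3:::$1/*" },
    { "Effect": "Allow", "Action": [ "s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags" ],
      "Resource": "arn:aws:s3:::$2/*" } ] }
EOF
}

# Replication rule (V2 schema, so Filter and DeleteMarkerReplication are required).
replication_config() {                     # $1 = source acct ID, $2 = role, $3 = dest bucket
  cat <<EOF
{ "Role": "$(role_arn "$1" "$2")",
  "Rules": [ { "ID": "cross-account-all-objects", "Status": "Enabled", "Priority": 1,
               "Filter": {}, "DeleteMarkerReplication": { "Status": "Disabled" },
               "Destination": { "Bucket": "arn:aws:s3:::$3" } } ] }
EOF
}

create_versioned_bucket() {                # $1 = profile, $2 = bucket
  aws --profile "$1" s3api create-bucket --bucket "$2" --region "$REGION"
  aws --profile "$1" s3api put-bucket-versioning --bucket "$2" \
      --versioning-configuration Status=Enabled
}

apply() {
  tmp=$(mktemp -d)
  create_versioned_bucket "$SRC_PROFILE" "$SRC_BUCKET"      # acctA side
  create_versioned_bucket "$DST_PROFILE" "$DST_BUCKET"      # acctB side
  dest_bucket_policy "$SRC_ACCT_ID" "$ROLE_NAME" "$DST_BUCKET" > "$tmp/dest.json"
  aws --profile "$DST_PROFILE" s3api put-bucket-policy --bucket "$DST_BUCKET" \
      --policy "file://$tmp/dest.json"
  replication_trust_policy > "$tmp/trust.json"
  replication_role_policy "$SRC_BUCKET" "$DST_BUCKET" > "$tmp/perm.json"
  aws --profile "$SRC_PROFILE" iam create-role --role-name "$ROLE_NAME" --path "$ROLE_PATH" \
      --assume-role-policy-document "file://$tmp/trust.json"
  aws --profile "$SRC_PROFILE" iam put-role-policy --role-name "$ROLE_NAME" \
      --policy-name replication-policy --policy-document "file://$tmp/perm.json"
  replication_config "$SRC_ACCT_ID" "$ROLE_NAME" "$DST_BUCKET" > "$tmp/repl.json"
  aws --profile "$SRC_PROFILE" s3api put-bucket-replication --bucket "$SRC_BUCKET" \
      --replication-configuration "file://$tmp/repl.json"
  aws --profile "$SRC_PROFILE" s3api get-bucket-replication --bucket "$SRC_BUCKET"
}

# Generating the JSON is side-effect free; only "apply" calls AWS.
case "${1:-}" in apply) apply ;; esac
```

Run it as `sh cross-account-replication.sh apply` with both profiles configured; without the argument it only defines the functions, so the policy documents can be generated and reviewed first. If put-bucket-replication reports an invalid role immediately after create-role, retry after a few seconds, since IAM changes propagate asynchronously. To change the replica owner to the destination account, add "Account": "<destination account ID>" and "AccessControlTranslation": { "Owner": "Destination" } to the rule's Destination, and add s3:ObjectOwnerOverrideToBucketOwner to both the destination bucket policy and the role's permissions policy.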