If you want to set up replication for your CloudTrail log archive bucket within the same AWS account, there is a simple way to do it that does not require modifying the bucket policies directly: the permissions live on a dedicated IAM role instead.
First, create a new S3 bucket with versioning enabled. Versioning is important to keep track of all object changes over time.
Next, set up an IAM role that will handle the replication process. This role needs a trust policy that allows the S3 service to assume it. The trust policy should look like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
After creating the role, attach an inline permission policy to it. This policy grants the role permission to read the source bucket and its replication configuration, fetch object versions (with their ACLs and tags) from the source, and write replicas to the destination bucket. Replace `<source bucket name>` and `<destination bucket name>` with your actual bucket names:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<source bucket name>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging"
      ],
      "Resource": [
        "arn:aws:s3:::<source bucket name>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags"
      ],
      "Resource": "arn:aws:s3:::<destination bucket name>/*"
    }
  ]
}
```
Now, set up the replication rule on the source bucket by following the instructions in the Amazon S3 documentation. During setup, select the IAM role you just created. This enables automatic replication from the source bucket to the destination bucket.
If your data is encrypted with KMS, you will also need to grant the replication role permission to use the keys in the KMS key policies. More details are available in the AWS documentation to ensure your replication works smoothly with encryption.
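The procedure above as one script, added here as an example; it is not code from the original post or from AWS. The three policy/configuration documents are built as plain dicts (the first two are the documents shown above), and only `apply()` talks to AWS, so it assumes `boto3` and credentials. The bucket names, the role name and the `cloudtrail-archive` rule ID are placeholders.

```python
import json


def trust_policy():
    """Trust policy from the post: lets the S3 service assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}

def replication_role_policy(src, dst):
    """Inline permission policy from the post with the bucket names filled in."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{src}"]},
        {"Effect": "Allow",
         "Action": ["s3:GetObjectVersionForReplication",
                    "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"],
         "Resource": [f"arn:aws:s3:::{src}/*"]},
        {"Effect": "Allow",
         "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"],
         "Resource": f"arn:aws:s3:::{dst}/*"}]}

def replication_configuration(role_arn, dst, replica_kms_key_arn=None):
    """One rule replicating every object; SSE-KMS fields only if a replica key is given."""
    rule = {"ID": "cloudtrail-archive", "Priority": 1, "Status": "Enabled",
            "Filter": {}, "DeleteMarkerReplication": {"Status": "Disabled"},
            "Destination": {"Bucket": f"arn:aws:s3:::{dst}"}}
    if replica_kms_key_arn:  # SSE-KMS objects are skipped unless explicitly opted in
        rule["SourceSelectionCriteria"] = {"SseKmsEncryptedObjects": {"Status": "Enabled"}}
        rule["Destination"]["EncryptionConfiguration"] = {"ReplicaKmsKeyID": replica_kms_key_arn}
    return {"Role": role_arn, "Rules": [rule]}

def apply(src, dst, role_name, replica_kms_key_arn=None):
    """Create the role, attach the inline policy and enable replication.
    Needs AWS credentials; both buckets must already exist with versioning on.
    For SSE-KMS the role additionally needs kms:Decrypt on the source key and
    kms:Encrypt on the replica key, granted in the key policies as the post notes."""
    import boto3  # imported lazily so the pure helpers above run without it
    iam, s3 = boto3.client("iam"), boto3.client("s3")
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(trust_policy()))
    iam.put_role_policy(RoleName=role_name, PolicyName="s3-replication",
                        PolicyDocument=json.dumps(replication_role_policy(src, dst)))
    # A freshly created role can take a few seconds to propagate before S3 accepts it.
    s3.put_bucket_replication(Bucket=src, ReplicationConfiguration=replication_configuration(
        role["Role"]["Arn"], dst, replica_kms_key_arn))
    return role["Role"]["Arn"]
```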
By following these steps, you can efficiently set up bucket replication without worrying about policies getting overwritten during updates.