Prerequisites for creating replication rules
Connecting your source and destination Outpost subnets
To have your replication traffic go from your source Outpost to your destination Outpost over your local gateway, you must set up networking by adding a route in each direction: one in the route table of the source endpoint's subnet and one in the route table of the destination endpoint's subnet. Together, these routes connect the Classless Inter-Domain Routing (CIDR) ranges of the Outposts endpoints that are associated with your access points. For each pair of access points, you need to set up this connection only once.
Some steps to set up the connection are different, depending on the access type of your Outposts endpoints that are associated with your access points. The access type for endpoints is either Private (direct virtual private cloud [VPC] routing for Amazon Outposts) or Customer owned IP (a customer-owned IP address pool [CoIP pool] within your on-premises network).
Step 1: Find the subnet ID and the CIDR range of your source Outposts endpoint
To find the subnet ID and the CIDR range of your source endpoint that's associated with your source access point
1. Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at https://console.amazonaws.cn/s3/.
2. In the left navigation pane, choose Outposts buckets.
3. In the Outposts buckets list, choose the source bucket that you want for replication.
4. Choose the Outposts access points tab, and choose the Outposts access point for the source bucket for your replication rule.
5. Choose the Outposts endpoint.
6. Copy the subnet ID for use in Step 5.
7. The method that you use to find the CIDR range of the source Outposts endpoint depends on the access type of your endpoint. In the Outposts endpoint overview section, see the Access Type.
   - If the access type is Private, copy the Classless inter-domain routing (CIDR) value to use in Step 6.
   - If the access type is Customer Owned IP, do the following:
     a. Copy the Customer owned IPv4 pool value to use as the ID of the address pool later on.
     b. Open the Amazon Outposts console at https://console.amazonaws.cn/outposts/.
     c. In the navigation pane, choose Local gateway route tables.
     d. Choose the Local gateway route table ID value of your source Outpost.
     e. In the details pane, choose the CoIP pools tab. Paste the CoIP pool ID that you copied previously into the search box.
     f. For the matched CoIP pool, copy the corresponding CIDRs value of your source Outposts endpoint for use in Step 6.
Step 2: Find the subnet ID and the CIDR range of your destination Outposts endpoint
To find the subnet ID and the CIDR range of your destination endpoint that's associated with your destination access point, follow the same substeps as in Step 1, but apply them to your destination Outposts endpoint instead of your source Outposts endpoint. Copy the subnet ID value of your destination Outposts endpoint for use in Step 6. Copy the CIDR value of your destination Outposts endpoint for use in Step 5.
Step 3: Find the local gateway ID of your source Outpost
To find the local gateway ID of your source Outpost
1. Open the Amazon Outposts console at https://console.amazonaws.cn/outposts/.
2. In the left navigation pane, choose Local gateways.
3. On the Local gateways page, find the Outpost ID of your source Outpost that you want to use for replication.
4. Copy the local gateway ID value of your source Outpost for use in Step 5.
For more information about local gateways, see Local gateway in the Amazon Outposts User Guide.
Step 4: Find the local gateway ID of your destination Outpost
To find the local gateway ID of your destination Outpost, follow the same substeps in Step 3, except look for the Outpost ID for your destination Outpost. Copy the local gateway ID value of your destination Outpost for use in Step 6.
Step 5: Set up the connection from your source Outpost subnet to your destination Outpost subnet
To connect from your source Outpost subnet to your destination Outpost subnet
1. Sign in to the Amazon Web Services Management Console and open the VPC console at https://console.amazonaws.cn/vpc/.
2. In the left navigation pane, choose Subnets.
3. In the search box, enter the subnet ID for your source Outposts endpoint that you found in Step 1. Choose the subnet with the matched subnet ID.
4. For the matched subnet item, choose the Route table value of this subnet.
5. On the page with the selected route table, choose Actions, and then choose Edit routes.
6. On the Edit routes page, choose Add route.
7. Under Destination, enter the CIDR range of your destination Outposts endpoint that you found in Step 2.
8. Under Target, choose Outpost Local Gateway, and enter the local gateway ID of your source Outpost that you found in Step 3.
9. Choose Save changes.
10. Make sure the Status for the route is Active.
Step 6: Set up the connection from your destination Outpost subnet to your source Outpost subnet
To connect from your destination Outpost subnet to your source Outpost subnet
1. Sign in to the Amazon Web Services Management Console and open the VPC console at https://console.amazonaws.cn/vpc/.
2. In the left navigation pane, choose Subnets.
3. In the search box, enter the subnet ID for your destination Outposts endpoint that you found in Step 2. Choose the subnet with the matched subnet ID.
4. For the matched subnet item, choose the Route table value of this subnet.
5. On the page with the selected route table, choose Actions, and then choose Edit routes.
6. On the Edit routes page, choose Add route.
7. Under Destination, enter the CIDR range of your source Outposts endpoint that you found in Step 1.
8. Under Target, choose Outpost Local Gateway, and enter the local gateway ID of your destination Outpost that you found in Step 4.
9. Choose Save changes.
10. Make sure the Status for the route is Active.
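The following is an added example, not part of this guide, that models Steps 1 through 6 as data: given what you copied for each endpoint (subnet ID, CIDR, local gateway ID), it produces the two routes you add in Steps 5 and 6 and lets you confirm that an endpoint address falls inside the route you are about to create. All subnet IDs, CIDRs and local gateway IDs below are constructed placeholders; the CIDR syntax validation and the overlap check are sanity checks added here, not requirements the guide states.

```python
"""Plan the two local-gateway routes that connect a source and a destination
S3 on Outposts endpoint (Steps 5 and 6 of the procedure).

Added example, not part of the guide. Every identifier below is a constructed
placeholder and must be replaced with the values copied from the console.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class OutpostsEndpoint:
    """What Steps 1 through 4 collect for one side of the replication pair."""
    name: str               # "source" or "destination", for readable output
    subnet_id: str          # subnet of the Outposts endpoint (Step 1 / Step 2)
    cidr: str               # endpoint CIDR: the subnet CIDR for Private access,
                            # or the CoIP pool CIDR for Customer owned IP access
    local_gateway_id: str   # local gateway of that Outpost (Step 3 / Step 4)


@dataclass(frozen=True)
class Route:
    """One entry to add to the route table of `subnet_id`."""
    subnet_id: str
    destination: str        # remote endpoint CIDR
    target: str             # local Outpost's local gateway ID


def plan_replication_routes(src: OutpostsEndpoint, dst: OutpostsEndpoint) -> list[Route]:
    """Return the route for each direction, Step 5 first, then Step 6.

    Each route goes in the route table of the local endpoint's subnet, points at
    the remote endpoint's CIDR, and targets the local Outpost's local gateway.
    The CIDR validation and overlap check are sanity checks added here; the
    guide itself does not discuss malformed or overlapping ranges.
    """
    src_net = ipaddress.ip_network(src.cidr, strict=True)
    dst_net = ipaddress.ip_network(dst.cidr, strict=True)
    if src_net.overlaps(dst_net):
        raise ValueError(f"{src.cidr} and {dst.cidr} overlap; routes would be ambiguous")
    return [
        # Step 5: source subnet -> destination CIDR via the source local gateway
        Route(src.subnet_id, str(dst_net), src.local_gateway_id),
        # Step 6: destination subnet -> source CIDR via the destination local gateway
        Route(dst.subnet_id, str(src_net), dst.local_gateway_id),
    ]


def route_reaches(route: Route, address: str) -> bool:
    """True if `address` is covered by the route's destination CIDR."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(route.destination)


# Constructed sample values (placeholders, not real resources).
SOURCE = OutpostsEndpoint("source", "subnet-0a1b2c3d4e5f60001",
                          "10.0.1.0/24", "lgw-0123456789abcdef0")
DESTINATION = OutpostsEndpoint("destination", "subnet-0a1b2c3d4e5f60002",
                               "10.0.2.0/24", "lgw-0fedcba9876543210")

if __name__ == "__main__":
    for r in plan_replication_routes(SOURCE, DESTINATION):
        print(f"route table of {r.subnet_id}: {r.destination} -> {r.target}")
```

After adding both routes in the console, the Status check in the last substep of Steps 5 and 6 is still the authoritative confirmation; this script only keeps the source/destination pairing straight so that the destination CIDR does not end up behind the wrong local gateway.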
After you connect the CIDR networking ranges of your source and destination access points, you must create an Amazon Identity and Access Management (IAM) role.
Creating an IAM role
By default, all S3 on Outposts resources—buckets, objects, and related subresources—are private, and only the resource owner can access the resource. S3 on Outposts needs permissions to read and replicate objects from the source Outposts bucket. You grant these permissions by creating an IAM service role and specifying that role in your replication configuration.
This section explains the trust policy and minimum required permissions policy. The example walkthroughs provide step-by-step instructions to create an IAM role. For more information, see Creating replication rules on Outposts. For more information about IAM roles, see IAM roles in the IAM User Guide.
The following example shows a trust policy, where you identify S3 on Outposts as the service principal that can assume the role.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"s3-outposts.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

The following example shows an access policy, where you grant the role permissions to perform replication tasks on your behalf. When S3 on Outposts assumes the role, it has the permissions that you specify in this policy. To use this policy, replace the user input placeholders with your own information. Make sure to replace them with the Outpost IDs of your source and destination Outposts and the bucket names and access point names of your source and destination Outposts buckets.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3-outposts:GetObjectVersionForReplication",
            "s3-outposts:GetObjectVersionTagging"
         ],
         "Resource":[
            "arn:aws-cn:s3-outposts:region:123456789012:outpost/SOURCE-OUTPOST-ID/bucket/SOURCE-OUTPOSTS-BUCKET/object/*",
            "arn:aws-cn:s3-outposts:region:123456789012:outpost/SOURCE-OUTPOST-ID/accesspoint/SOURCE-OUTPOSTS-BUCKET-ACCESS-POINT/object/*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3-outposts:ReplicateObject",
            "s3-outposts:ReplicateDelete"
         ],
         "Resource":[
            "arn:aws-cn:s3-outposts:region:123456789012:outpost/DESTINATION-OUTPOST-ID/bucket/DESTINATION-OUTPOSTS-BUCKET/object/*",
            "arn:aws-cn:s3-outposts:region:123456789012:outpost/DESTINATION-OUTPOST-ID/accesspoint/DESTINATION-OUTPOSTS-BUCKET-ACCESS-POINT/object/*"
         ]
      }
   ]
}

The access policy grants permissions for the following actions:
- s3-outposts:GetObjectVersionForReplication – Permission for this action is granted on all objects to allow S3 on Outposts to get a specific object version that's associated with each object.
- s3-outposts:GetObjectVersionTagging – Permission for this action on objects in the SOURCE-OUTPOSTS-BUCKET bucket (the source bucket) allows S3 on Outposts to read object tags for replication. For more information, see Adding tags for S3 on Outposts buckets. If S3 on Outposts doesn't have this permission, it replicates the objects, but not the object tags.
- s3-outposts:ReplicateObject and s3-outposts:ReplicateDelete – Permissions for these actions on all objects in the DESTINATION-OUTPOSTS-BUCKET bucket (the destination bucket) allow S3 on Outposts to replicate objects or delete markers to the destination Outposts bucket. For information about delete markers, see How delete operations affect replication.
Note
Permission for the s3-outposts:ReplicateObject action on the DESTINATION-OUTPOSTS-BUCKET bucket (the destination bucket) also allows replication of object tags. Therefore, you don't need to explicitly grant permission for the s3-outposts:ReplicateTags action.
- For cross-account replication, the owner of the destination Outposts bucket must update its bucket policy to grant permission for the s3-outposts:ReplicateObject action on the DESTINATION-OUTPOSTS-BUCKET. The s3-outposts:ReplicateObject action allows S3 on Outposts to replicate objects and object tags to the destination Outposts bucket.
For a list of S3 on Outposts actions, see Actions defined by S3 on Outposts.
Important
The Amazon Web Services account that owns the IAM role must have permissions for the actions that it grants to the IAM role.
For example, suppose that the source Outposts bucket contains objects owned by another Amazon Web Services account. The owner of the objects must explicitly grant the Amazon Web Services account that owns the IAM role the required permissions through the bucket policy and the access point policy. Otherwise, S3 on Outposts can't access the objects, and replication of the objects fails.
The permissions described here are related to the minimum replication configuration. If you choose to add optional replication configurations, you must grant additional permissions to S3 on Outposts.
Granting permissions when the source and destination Outposts buckets are owned by different Amazon Web Services accounts
When the source and destination Outposts buckets aren't owned by the same account, the owner of the destination Outposts bucket must update the bucket and access point policies for the destination bucket. These policies must grant the owner of the source Outposts bucket and the IAM service role permissions to perform replication actions, as shown in the following policy examples, or replication will fail. In these policy examples, DESTINATION-OUTPOSTS-BUCKET is the destination bucket. To use these policy examples, replace the user input placeholders with your own information.
If you're creating the IAM service role manually, set the role path as role/service-role/, as shown in the following policy examples. For more information, see IAM ARNs in the IAM User Guide.

{
   "Version":"2012-10-17",
   "Id":"PolicyForDestinationBucket",
   "Statement":[
      {
         "Sid":"Permissions on objects",
         "Effect":"Allow",
         "Principal":{
            "AWS":"arn:aws-cn:iam::SourceBucket-account-ID:role/service-role/source-account-IAM-role"
         },
         "Action":[
            "s3-outposts:ReplicateDelete",
            "s3-outposts:ReplicateObject"
         ],
         "Resource":[
            "arn:aws-cn:s3-outposts:region:DestinationBucket-account-ID:outpost/DESTINATION-OUTPOST-ID/bucket/DESTINATION-OUTPOSTS-BUCKET/object/*"
         ]
      }
   ]
}

{
   "Version":"2012-10-17",
   "Id":"PolicyForDestinationAccessPoint",
   "Statement":[
      {
         "Sid":"Permissions on objects",
         "Effect":"Allow",
         "Principal":{
            "AWS":"arn:aws-cn:iam::SourceBucket-account-ID:role/service-role/source-account-IAM-role"
         },
         "Action":[
            "s3-outposts:ReplicateDelete",
            "s3-outposts:ReplicateObject"
         ],
         "Resource":[
            "arn:aws-cn:s3-outposts:region:DestinationBucket-account-ID:outpost/DESTINATION-OUTPOST-ID/accesspoint/DESTINATION-OUTPOSTS-BUCKET-ACCESS-POINT/object/*"
         ]
      }
   ]
}
Note
If objects in the source Outposts bucket are tagged, note the following: if the source Outposts bucket owner grants S3 on Outposts permission for the s3-outposts:GetObjectVersionTagging and s3-outposts:ReplicateTags actions to replicate object tags (through the IAM role), S3 on Outposts replicates the tags along with the objects. For information about the IAM role, see Creating an IAM role.
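The following is an added example, not part of this guide, that generates the three kinds of policy document described above (the role's trust policy, its minimum permissions policy, and the cross-account destination bucket and access point policies) from one set of identifiers, and then checks a permissions policy against the minimum the guide lists: only the four replication actions, every resource scoped to /object/*, and no redundant s3-outposts:ReplicateTags grant. The account IDs, Outpost IDs, bucket names, access point names and role name below are constructed placeholders; the least_privilege_findings check is a review aid added here, not something the guide prescribes.

```python
"""Build and review the IAM policies that S3 on Outposts replication needs.

Added example, not part of the guide. All identifiers below are constructed
placeholders; replace them with your own values.
"""
import json
from dataclasses import dataclass

# Minimum actions the guide lists for the replication role.
SOURCE_READ_ACTIONS = ["s3-outposts:GetObjectVersionForReplication",
                       "s3-outposts:GetObjectVersionTagging"]
DESTINATION_WRITE_ACTIONS = ["s3-outposts:ReplicateObject",
                             "s3-outposts:ReplicateDelete"]


@dataclass(frozen=True)
class OutpostsBucket:
    account_id: str
    outpost_id: str
    bucket: str
    access_point: str


def object_arns(partition: str, region: str, b: OutpostsBucket) -> list[str]:
    """Object-level ARNs via the bucket and via its access point (both end in /object/*)."""
    prefix = f"arn:{partition}:s3-outposts:{region}:{b.account_id}:outpost/{b.outpost_id}"
    return [f"{prefix}/bucket/{b.bucket}/object/*",
            f"{prefix}/accesspoint/{b.access_point}/object/*"]


def trust_policy() -> dict:
    """Lets the S3 on Outposts service principal assume the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "s3-outposts.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


def role_permissions_policy(partition: str, region: str,
                            src: OutpostsBucket, dst: OutpostsBucket) -> dict:
    """Minimum permissions policy: read versions and tags from the source,
    write objects and delete markers to the destination."""
    return {"Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Action": SOURCE_READ_ACTIONS,
                 "Resource": object_arns(partition, region, src)},
                {"Effect": "Allow", "Action": DESTINATION_WRITE_ACTIONS,
                 "Resource": object_arns(partition, region, dst)}]}


def destination_resource_policies(partition: str, region: str,
                                  dst: OutpostsBucket, role_arn: str) -> dict:
    """Cross-account case: the destination owner's bucket policy and access point
    policy that let the source account's replication role write into the destination."""
    bucket_arn, ap_arn = object_arns(partition, region, dst)

    def policy(policy_id: str, resource: str) -> dict:
        return {"Version": "2012-10-17", "Id": policy_id,
                "Statement": [{"Sid": "Permissions on objects", "Effect": "Allow",
                               "Principal": {"AWS": role_arn},
                               "Action": DESTINATION_WRITE_ACTIONS,
                               "Resource": [resource]}]}

    return {"bucket": policy("PolicyForDestinationBucket", bucket_arn),
            "access_point": policy("PolicyForDestinationAccessPoint", ap_arn)}


def least_privilege_findings(policy: dict) -> list[str]:
    """Review aid (added here): list Allow grants broader than the replication minimum.

    Flags actions outside the four the guide lists, the redundant ReplicateTags
    grant (ReplicateObject already covers tags), and any resource that is not
    object-scoped (a bare "*" or an ARN that does not end in /object/*).
    """
    allowed = set(SOURCE_READ_ACTIONS + DESTINATION_WRITE_ACTIONS)
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = actions if isinstance(actions, list) else [actions]
        resources = resources if isinstance(resources, list) else [resources]
        for a in actions:
            if a == "s3-outposts:ReplicateTags":
                findings.append(f"statement {i}: ReplicateTags is redundant; ReplicateObject already covers tags")
            elif a not in allowed:
                findings.append(f"statement {i}: action {a} exceeds the replication minimum")
        for r in resources:
            if r == "*" or not r.endswith("/object/*"):
                findings.append(f"statement {i}: resource {r} is not object-scoped")
    return findings


# Constructed placeholders (not real accounts, Outposts, buckets or roles).
SOURCE = OutpostsBucket("111122223333", "op-01234567890abcdef", "source-bucket", "source-ap")
DESTINATION = OutpostsBucket("444455556666", "op-0fedcba9876543210", "dest-bucket", "dest-ap")
ROLE_ARN = "arn:aws-cn:iam::111122223333:role/service-role/replication-role"

if __name__ == "__main__":
    perms = role_permissions_policy("aws-cn", "cn-north-1", SOURCE, DESTINATION)
    print(json.dumps(perms, indent=3))
    print("findings:", least_privilege_findings(perms))
```

Run least_privilege_findings against the permissions policy you actually attach to the role, not only the generated one: it is the attached policy that S3 on Outposts exercises when it assumes the role, and a broad grant there (for example s3-outposts:* on a bucket ARN without /object/*) is exactly the kind of drift the Important callout above warns about from the other side, where the role has more than the owner intended rather than less.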