Configuring replication when source and destination buckets are owned by different accounts - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configuring replication when source and destination buckets are owned by different accounts

Setting up replication when source and destination buckets are owned by different Amazon Web Services accounts is similar to setting up replication when both buckets are owned by the same account. The only difference is that the destination bucket owner must grant the source bucket owner permission to replicate objects by adding a bucket policy to the destination bucket.

For more information about configuring replication using server-side encryption with Amazon Key Management Service in cross-account scenarios, see Granting additional permissions for cross-account scenarios.

To configure replication when the source and destination buckets are owned by different Amazon Web Services accounts
  1. In this example, you create source and destination buckets in two different Amazon Web Services accounts. You need to have two credential profiles set for the Amazon CLI (in this example, we use acctA and acctB for profile names). For more information about setting credential profiles, see Named Profiles in the Amazon Command Line Interface User Guide.

  2. Follow the step-by-step instructions in Configuring for buckets in the same account with the following changes:

    • For all Amazon CLI commands related to source bucket activities (for creating the source bucket, enabling versioning, and creating the IAM role), use the acctA profile. Use the acctB profile to create the destination bucket.

    • Make sure that the permissions policy specifies the source and destination buckets that you created for this example.

  3. In the console, add the following bucket policy on the destination bucket to allow the owner of the source bucket to replicate objects. Be sure to edit the policy by providing the Amazon Web Services account ID of the source bucket owner and the destination bucket name.

    Note

    To use the following example, replace the user input placeholders with your own information. Replace DOC-EXAMPLE-BUCKET with your destination bucket name. Replace source-bucket-acct-ID:role/service-role/source-acct-IAM-role with the role you are using for this replication configuration.

    If you created the IAM service role manually, set the role path as role/service-role/, as shown in the following policy example. For more information, see IAM ARNs in the IAM User Guide.

    {
        "Version": "2012-10-17",
        "Id": "",
        "Statement": [
            {
                "Sid": "Set-permissions-for-objects",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws-cn:iam::source-bucket-acct-ID:role/service-role/source-acct-IAM-role"
                },
                "Action": ["s3:ReplicateObject", "s3:ReplicateDelete"],
                "Resource": "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET/*"
            },
            {
                "Sid": "Set permissions on bucket",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws-cn:iam::source-bucket-acct-ID:role/service-role/source-acct-IAM-role"
                },
                "Action": ["s3:List*", "s3:GetBucketVersioning", "s3:PutBucketVersioning"],
                "Resource": "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET"
            }
        ]
    }

Choose the bucket and add the bucket policy. For instructions, see Adding a bucket policy by using the Amazon S3 console.

In replication, the owner of the source object owns the replica by default. When source and destination buckets are owned by different Amazon Web Services accounts, you can add optional configuration settings to change replica ownership to the Amazon Web Services account that owns the destination bucket. This includes granting the ObjectOwnerOverrideToBucketOwner permission. For more information, see Changing the replica owner.
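The following is an added example, not code from the Amazon documentation, that covers the destination bucket policy from step 3 above and the optional replica-owner change described in the last paragraph. It builds the policy document from the source account ID, the replication role name, and the destination bucket name, and then reviews a policy the way a practitioner would before applying it: the principal must be the specific source-account role (never "*" or an account root), every resource must stay on the destination bucket, and the replication actions must actually be granted. The account ID 111122223333 and the role name are constructed placeholder values; the policy shape, partition prefix (arn:aws-cn) and role path (role/service-role/) follow the page. The optional change_replica_owner flag adds the s3:ObjectOwnerOverrideToBucketOwner action to the object statement, which is the permission the page names for changing replica ownership.

```python
"""Build and review the destination-bucket policy for cross-account S3 replication.

Added example for the procedure on this page; not Amazon's own tooling.
"""
import json

# The page uses the China partition; use "aws" in other partitions.
PARTITION = "aws-cn"


def build_destination_bucket_policy(source_account_id, role_name, dest_bucket,
                                    partition=PARTITION, role_path="service-role/",
                                    change_replica_owner=False):
    """Return (as a dict) the policy the destination bucket owner adds so the
    source account's replication role can write replicas.

    role_path: "service-role/" for a role created the way the page describes;
               pass "" if your role has no path.
    change_replica_owner: also grant s3:ObjectOwnerOverrideToBucketOwner so the
               destination account can take ownership of replicas.
    """
    role_arn = f"arn:{partition}:iam::{source_account_id}:role/{role_path}{role_name}"
    object_actions = ["s3:ReplicateObject", "s3:ReplicateDelete"]
    if change_replica_owner:
        object_actions.append("s3:ObjectOwnerOverrideToBucketOwner")
    return {
        "Version": "2012-10-17",
        "Id": "",
        "Statement": [
            {
                "Sid": "Set-permissions-for-objects",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": object_actions,
                "Resource": f"arn:{partition}:s3:::{dest_bucket}/*",
            },
            {
                "Sid": "Set permissions on bucket",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["s3:List*", "s3:GetBucketVersioning", "s3:PutBucketVersioning"],
                "Resource": f"arn:{partition}:s3:::{dest_bucket}",
            },
        ],
    }


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _principal_arns(principal):
    """Extract the AWS principals from a statement's Principal element."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def check_destination_bucket_policy(policy, source_account_id, dest_bucket):
    """Review a destination bucket policy; return a list of findings (empty = clean).

    Flags wildcard or account-root principals, principals from an account other
    than the expected source account, resources outside the destination bucket,
    and missing replication actions.
    """
    findings = []
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for p in _principal_arns(stmt.get("Principal")):
            if p == "*" or p.endswith(":root"):
                findings.append(f"{sid}: overly broad principal {p}")
            elif f":{source_account_id}:" not in p:
                findings.append(f"{sid}: principal from unexpected account: {p}")
        for r in _as_list(stmt.get("Resource")):
            if not (r.endswith(f":::{dest_bucket}") or r.endswith(f":::{dest_bucket}/*")):
                findings.append(f"{sid}: resource outside destination bucket: {r}")
        granted.update(_as_list(stmt.get("Action")))
    for needed in ("s3:ReplicateObject", "s3:ReplicateDelete", "s3:GetBucketVersioning"):
        if needed not in granted:
            findings.append(f"missing required action {needed}")
    return findings


def policy_json(policy):
    """Serialise for `aws s3api put-bucket-policy --policy file://policy.json`."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own account, role and bucket.
    policy = build_destination_bucket_policy("111122223333", "source-acct-IAM-role",
                                             "DOC-EXAMPLE-BUCKET")
    print(policy_json(policy))
    print("findings:", check_destination_bucket_policy(policy, "111122223333",
                                                       "DOC-EXAMPLE-BUCKET"))
```

Save the printed document to a file and apply it with the destination account's profile (acctB in the page's example) using aws s3api put-bucket-policy --bucket DOC-EXAMPLE-BUCKET --policy file://policy.json --profile acctB. Running check_destination_bucket_policy against a policy pulled back with aws s3api get-bucket-policy is a cheap way to confirm nothing broader than the single replication role was granted on the destination bucket.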