My Saved Presets
You must be logged in to view saved presets
Security Controls
Service Control PoliciesConfig RulesCloudWatch Alarms and Event RulesCloudFormation Guard RulesLogging & Monitoring ConfigurationsBackups & DRAuto Remediation RulesConformance PacksBilling and Cost ManagementS3 Bucket PoliciesSecurity Groups & NACLsIAM PoliciesVPC Endpoint Policies
AWS Services
VPC Security ControlsEC2 Security ControlsIAM Security ControlsS3 Security ControlsRDS Security ControlsOpenSearch/Elasticsearch Security ControlsEFS Security ControlsRoute53 Security ControlsAmazon DynamoDB & DAXECR Security ControlsEMR SecurityLambda SecurityCloudFormation SecurityCodeX Security ControlsCloudFront SecurityAWS Certificate Manager (ACM) SecurityAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieAWS WAF & ShieldAWS Secrets ManagerAWS Systems ManagerAWS KMSAWS SSOLoad Balancers & Auto ScalingRDS Event SubscriptionsAWS Resource Access Manager (RAM)Amazon ECSAmazon EKSAmazon API GatewayAWS AppConfigAmazon AppFlowAWS App MeshAWS App RunnerAWS AppSyncApplication Auto ScalingAmazon AthenaAWS BatchAWS Billing ConductorAWS Clean RoomsAWS SNSAWS SQSAWS Service DiscoveryAWS Step FunctionsAWS CloudTrailAWS ConfigAmazon EventBridgeAWS CloudWatchAWS CognitoAmazon ConnectAWS GlueAWS Data Pipeline & Data SyncAmazon DetectiveAWS DevOps GuruAmazon DocumentDBAmazon ElastiCacheAWS Elastic BeanstalkAmazon FSxAmazon MQAmazon PrometheusAmazon CassandraAmazon FinSpaceAWS Fault Injection SimulatorAmazon GameLiftAWS Global AcceleratorAmazon GrafanaAWS IoT GreenGrassAWS IoT ServicesAWS Ground StationAmazon IVS (Interactive Live Streams)Amazon KinesisAWS LakeFormationAmazon LookoutAmazon Managed BlockchainAWS Media ServicesAWS Managed Apache AirflowAWS OpsWorksAWS OrganizationsAmazon PersonalizeAmazon QLDBAmazon RedshiftAmazon RekognitionAWS Resource ExplorerAWS Resource GroupsAmazon Lex & AlexaAWS RoboMakerAmazon SageMakerAWS Service CatalogAmazon SESAWS SimSpace WeaverAWS Support AppAWS TransferAWS X-RayAWS AmplifyAWS AppstreamAWS Audit ManagerAmazon BedrockAWS Cloud9AWS CloudHSMAmazon NeptuneAmazon Quicksight
Reference Guides
AWS Account Setup GuideEC2 Security StrategyS3 Security StrategyLogging & Monitoring Strategy Guide
Configuration Packages
Guided Walkthroughs

S3 Bucket Replication Configuration

Configures replication for AWS S3 buckets including IAM roles and policies for replication permissions.

replication

aws_iam_policy






depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



replication

aws_iam_role



inline_policy



managed_policy_arns





depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



replication

aws_iam_role_policy_attachment



depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



destination

aws_s3_bucket


grant

permissions


cors_rule

allowed_headers

allowed_methods

allowed_origins

expose_headers

lifecycle_rule


expiration

transition


noncurrent_version_expiration
noncurrent_version_transition

logging


object_lock_configuration

rule
apply_server_side_encryption_by_default


replication_configuration

rules
destination



access_control_translation


replication_time
metrics
filter



source_selection_criteria
sse_kms_encrypted_objects
server_side_encryption_configuration
rule
apply_server_side_encryption_by_default

versioning
website



routing_rules

depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



source

aws_s3_bucket


grant

permissions


cors_rule

allowed_headers

allowed_methods

allowed_origins

expose_headers

lifecycle_rule


expiration

transition


noncurrent_version_expiration
noncurrent_version_transition

logging


object_lock_configuration

rule
apply_server_side_encryption_by_default


replication_configuration

rules
destination



access_control_translation


replication_time
metrics
filter



source_selection_criteria
sse_kms_encrypted_objects
server_side_encryption_configuration
rule
apply_server_side_encryption_by_default

versioning
website



routing_rules

depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



source_bucket_acl

aws_s3_bucket_acl


access_control_policy
grant
grantee




owner





depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



replication

aws_s3_bucket_replication_configuration



rule
delete_marker_replication

destination
access_control_translation



encryption_configuration


metrics
event_threshold

replication_time

time


existing_object_replication

filter
and



tag





source_selection_criteria
replica_modifications

sse_kms_encrypted_objects


depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



destination

aws_s3_bucket_versioning


versioning_configuration



depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



source

aws_s3_bucket_versioning


versioning_configuration



depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



assume_role

aws_iam_policy_document

override_policy_documents


source_policy_documents

statement

actions

condition


values


not_actions

not_principals

identifiers

not_resources

principals

identifiers

resources


depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



replication

aws_iam_policy_document

override_policy_documents


source_policy_documents

statement

actions

condition


values


not_actions

not_principals

identifiers

not_resources

principals

identifiers

resources


actions

condition


values


not_actions

not_principals

identifiers

not_resources

principals

identifiers

resources


actions

condition


values


not_actions

not_principals

identifiers

not_resources

principals

identifiers

resources


depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



Terraform Template

data "aws_iam_policy_document" "assume_role" {

  statement {
    actions = ["sts:AssumeRole"]
    effect = "Allow"

    principals {
      identifiers = ["s3.amazonaws.com"]
      type = "Service"
    }
  }
}

data "aws_iam_policy_document" "replication" {

  statement {
    actions = ["s3:GetReplicationConfiguration", "s3:ListBucket"]
    effect = "Allow"
    resources = [aws_s3_bucket.source.arn]
  }

  statement {
    actions = ["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"]
    effect = "Allow"
    resources = ["${aws_s3_bucket.source.arn}/*"]
  }

  statement {
    actions = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
    effect = "Allow"
    resources = ["${aws_s3_bucket.destination.arn}/*"]
  }
}

resource "aws_iam_policy" "replication" {
  name = "tf-iam-role-policy-replication-12345"
  policy = data.aws_iam_policy_document.replication.json
}

resource "aws_iam_role" "replication" {
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
  name = "tf-iam-role-replication-12345"
}

resource "aws_iam_role_policy_attachment" "replication" {
  policy_arn = aws_iam_policy.replication.arn
  role = aws_iam_role.replication.name
}

resource "aws_s3_bucket" "destination" {
  bucket = "tf-test-bucket-destination-12345"
}

resource "aws_s3_bucket" "source" {
  bucket = "tf-test-bucket-source-12345"
  provider = "aws.central"
}

resource "aws_s3_bucket_acl" "source_bucket_acl" {
  acl = "private"
  bucket = aws_s3_bucket.source.id
  provider = "aws.central"
}

resource "aws_s3_bucket_replication_configuration" "replication" {
  bucket = aws_s3_bucket.source.id
  depends_on = ["aws_s3_bucket_versioning.source"]
  provider = "aws.central"
  role = aws_iam_role.replication.arn

  rule {

    destination {
      bucket = aws_s3_bucket.destination.arn
      storage_class = "STANDARD"
    }

    filter {
      prefix = "foo"
    }
    id = "foobar"
    status = "Enabled"
  }
}

resource "aws_s3_bucket_versioning" "destination" {
  bucket = aws_s3_bucket.destination.id

  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_versioning" "source" {
  bucket = aws_s3_bucket.source.id
  provider = "aws.central"

  versioning_configuration {
    status = "Enabled"
  }
}

© 2024 asecurecloud. All rights reserved.