These instructions walk through setting up cross-account S3 replication from a source bucket to a destination bucket, and then using an S3 Batch Operations job to replicate existing objects.
- Replace
source-bucket-nameanddestination-bucket-nameeverywhere.
Create IAM role
This role is assumed by S3 to copy objects from the source bucket to the destination bucket, and by S3 Batch Operations when you run the backfill job.
- In the source account, open IAM → Roles → Create role.
- Choose Custom trust policy and paste the following.
- Custom trust policy should look like the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "batchoperations.s3.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}On the permissions step, do not attach permissions yet. Just click Next.
Set a name for the role.
Open the role you just created and attach an inline policy with the permissions below.
- The source permissions allow listing the bucket and reading object versions for replication.
- The destination permissions allow writing replicated objects and tags.
- Make sure the
ResourceARNs match your real bucket names.
- Permissions for AWS IAM Role
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SourceBucketPermissions",
"Effect": "Allow",
"Action": [
"s3:GetObjectRetention",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionAcl",
"s3:ListBucket",
"s3:GetObjectVersionForReplication",
"s3:GetObjectLegalHold",
"s3:GetReplicationConfiguration",
"s3:PutInventoryConfiguration",
"s3:InitiateReplication"
],
"Resource": [
"arn:aws:s3:::source-bucket-name/*",
"arn:aws:s3:::source-bucket-name"
]
},
{
"Sid": "DestinationBucketPermissions",
"Effect": "Allow",
"Action": [
"s3:ReplicateObject",
"s3:ObjectOwnerOverrideToBucketOwner",
"s3:GetObjectVersionTagging",
"s3:ReplicateTags",
"s3:ReplicateDelete"
],
"Resource": [
"arn:aws:s3:::destination-bucket-name/*"
]
}
]
}S3 bucket setup
You must enable versioning on the source bucket for replication to work, because replication relies on object versions.
- In the source account, open S3 → Buckets → source-bucket-name → Properties.
- Under Bucket Versioning, make sure it is Enabled.
If not, click “Edit”, then “Enable”, then “Save changes”.
Configure cross-account replication
This config tells S3 to automatically replicate new writes from the source bucket into the destination bucket using the IAM role you created.
- In the source account, open S3 → Buckets → source-bucket-name → Management → Replication rules → Create replication rule.
- Choose what to replicate:
- Entire bucket or a specific prefix
- Whether to replicate delete markers (optional)
- Set the destination bucket:
- Choose the destination bucket name and destination account ID (if prompted)
- Choose the IAM role:
- Select the role created in the previous section
- If AWS offers to create a role automatically, choose the existing role instead
- Review and save.
Create batch operation to replicate existing objects
If the source bucket already contains data, S3 replication will not automatically copy old objects. Use S3 Batch Operations to backfill.
- In the source account, open S3 → Batch Operations → Create job.
- Create or choose a manifest that lists the objects to replicate.
- If you need all objects, the easiest approach is to generate a manifest via S3 Inventory and point the Batch job at that inventory report.
- Choose the operation that replicates objects.
- If the UI offers a specific “Replicate” operation, use that.
- Otherwise, choose the copy operation that preserves metadata as required.
- Select the same IAM role created earlier.
- Review the job settings and create the job.
- Monitor progress in the Batch Operations job details.
For questions, please reach out to us at adops@podscribe.com.
Powered by