Copying encrypted buckets between AWS accounts.
This guide lists the steps needed to replicate a bucket whose objects are encrypted with AWS KMS (SSE-KMS) to a bucket in a different AWS account using S3 Cross-Region Replication. It assumes that both the source bucket and the destination bucket already exist and that versioning is enabled on both, which replication requires.
Source account configuration.
1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/
2. In the Bucket name list, choose the name of the source bucket.
3. Choose Management, choose Replication, and then choose Add rule.
3.1 Set source: Choose the entire bucket, or the prefixes or tags of the objects you want to replicate. Under Replication criteria, check Replicate objects encrypted with AWS KMS and select the KMS key that encrypts the source bucket.
3.2 Set destination: On the Set destination page of the wizard, under Destination bucket, choose Buckets in another account. Enter the name of the destination bucket and the account ID of the other AWS account, then choose Save.
3.2.1 Provide the ARN of the KMS key that S3 will use to encrypt the replicas in the destination bucket (S3 decrypts each object with the source key and re-encrypts the copy with this one). The key must belong to the destination account and must be in the same region as the destination bucket.
3.2.2 The storage class of the replicated objects can be changed. If the copies serve as backups, a cheaper class such as Standard-IA, One Zone-IA or Glacier may be appropriate; note that One Zone-IA stores data in a single Availability Zone, so it is less resilient to the loss of a zone than the multi-zone classes.
3.2.3 Check Change object ownership to destination bucket owner.
Without this, replicas remain owned by the source account and the destination account cannot read the objects in its own bucket.
3.2.4 Replication Time Control (RTC) replicates 99.99% of new objects within 15 minutes. Enabling it adds per-GB data transfer fees and CloudWatch metrics fees. Click Next.
3.3 Configure rule options.
For simplicity we let the wizard create a new IAM role with the S3 and KMS permissions that replication needs on our behalf. Review that role in the IAM console afterwards: it can read every object in the source bucket and decrypt with the source key, so its permissions should stay scoped to the two buckets and the two keys involved.
Give the rule a name and select a priority. The destination bucket policy and the KMS key policy are dealt with later, so you can safely click Next.
On the Review page, review your replication rule. If it looks correct, choose Save. Otherwise, choose Previous to edit the rule before saving it.
The following message is then shown on the Replication tab.
So far we have configured the source bucket and the source side of the replication rule. As the message says, the remaining configuration is done in the destination account.
Destination account configuration.
1. Log in to the destination account.
2. Open the destination bucket, choose the Management tab, choose Replication, and then choose Receive objects on the Actions menu.
3. Receive objects
3.1 Enter the source account ID and click Apply setting. The wizard creates a bucket policy that lets the source account's replication role write replicas, and attaches it to the destination bucket.
3.2 Copy the generated KMS key policy to the clipboard.
4. On another tab, open Key Management Service console. From the left hand pane, click on Customer managed keys.
4.1 Select the KMS key provided in step 3.2.1 of the source account configuration, i.e. the key that encrypts the replicas in the destination bucket.
4.2 In the key policy editor, insert the copied statement into the existing key policy (the end of the Statement array is the natural place) and choose Save changes. Before saving, check the principal of the new statement: if it names the source account's root principal, any IAM entity in that account whose IAM policies allow it can use the key, so prefer restricting it to the replication role.
The configuration is now complete. Note that Cross-Region Replication copies only objects created after the rule is enabled; existing objects are not replicated. So upload a new object to the source bucket. It can take a while to be copied; refresh the destination bucket after a few minutes and the object should appear there, owned by the destination account and encrypted with the destination key. To confirm, the source object's replication status should read COMPLETED and the copy's should read REPLICA (visible as the x-amz-replication-status header, or in the object's properties in the console).
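The console wizards above generate four policy documents: the replication configuration on the source bucket, the replication role's permissions policy, the destination bucket policy, and the statement for the destination key policy. The following script is an added example (not the original post's code, nor anything AWS ships) that builds the same documents as JSON so they can be reviewed and applied with the AWS CLI, and runs the two checks from steps 3.2.1 and 3.2.3 that the console does not enforce. All account IDs, regions, bucket names, the role name and the key IDs are made-up placeholders. The KMS grants are tighter than the wizard's: they are conditioned on kms:ViaService and the S3 encryption context so the role can only use the keys through S3 for these buckets, and the key policy statement names the replication role rather than the source account.

```python
"""Policy documents behind the S3 replication console wizards, generated as JSON.
Added example, not the original post's code. Account IDs, regions, bucket names,
the role name and the key IDs are made-up placeholders (assumptions)."""
import json

# Constructed inputs (assumptions): replace with your own values.
SRC_ACCOUNT, SRC_REGION, SRC_BUCKET = "111111111111", "eu-west-1", "example-source-bucket"
DST_ACCOUNT, DST_REGION, DST_BUCKET = "222222222222", "us-west-2", "example-destination-bucket"
SRC_KEY_ARN = f"arn:aws:kms:{SRC_REGION}:{SRC_ACCOUNT}:key/11111111-1111-1111-1111-111111111111"
DST_KEY_ARN = f"arn:aws:kms:{DST_REGION}:{DST_ACCOUNT}:key/22222222-2222-2222-2222-222222222222"
ROLE_ARN = f"arn:aws:iam::{SRC_ACCOUNT}:role/s3-crr-kms-role"  # replication role, source account


def replication_configuration(storage_class="STANDARD_IA", rtc=True):
    """Body for `aws s3api put-bucket-replication` on the source bucket (source steps 3.1-3.3)."""
    dest = {
        "Bucket": f"arn:aws:s3:::{DST_BUCKET}",
        "Account": DST_ACCOUNT,                                       # 3.2   other account
        "StorageClass": storage_class,                                # 3.2.2
        "AccessControlTranslation": {"Owner": "Destination"},         # 3.2.3 owner override
        "EncryptionConfiguration": {"ReplicaKmsKeyID": DST_KEY_ARN},  # 3.2.1 key for replicas
    }
    if rtc:  # 3.2.4 Replication Time Control also requires replication metrics
        dest["ReplicationTime"] = {"Status": "Enabled", "Time": {"Minutes": 15}}
        dest["Metrics"] = {"Status": "Enabled", "EventThreshold": {"Minutes": 15}}
    return {"Role": ROLE_ARN, "Rules": [{
        "ID": "crr-kms-cross-account", "Priority": 1, "Status": "Enabled",
        "Filter": {"Prefix": ""},                                     # 3.1   entire bucket
        "DeleteMarkerReplication": {"Status": "Disabled"},            # required with Filter
        "SourceSelectionCriteria": {"SseKmsEncryptedObjects": {"Status": "Enabled"}},  # 3.1
        "Destination": dest}]}


def s3_kms_condition(region, bucket):
    """Pin a KMS grant to S3 in one region and to one bucket's objects, so the
    principal cannot call KMS directly with the replication keys."""
    return {"StringLike": {"kms:ViaService": f"s3.{region}.amazonaws.com",
                           "kms:EncryptionContext:aws:s3:arn": f"arn:aws:s3:::{bucket}/*"}}


def replication_role_policy():
    """Permissions policy of the replication role the wizard creates in source step 3.3."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{SRC_BUCKET}"},
        {"Effect": "Allow", "Action": ["s3:GetObjectVersionForReplication",
                                       "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"],
         "Resource": f"arn:aws:s3:::{SRC_BUCKET}/*"},
        {"Effect": "Allow", "Action": ["s3:ReplicateObject", "s3:ReplicateDelete",
                                       "s3:ReplicateTags", "s3:ObjectOwnerOverrideToBucketOwner"],
         "Resource": f"arn:aws:s3:::{DST_BUCKET}/*"},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": SRC_KEY_ARN,   # read source
         "Condition": s3_kms_condition(SRC_REGION, SRC_BUCKET)},
        {"Effect": "Allow", "Action": "kms:Encrypt", "Resource": DST_KEY_ARN,   # write replica
         "Condition": s3_kms_condition(DST_REGION, DST_BUCKET)},
    ]}


def destination_bucket_policy():
    """What 'Receive objects' (destination step 3.1) attaches to the destination bucket,
    with the replication role as principal rather than the whole source account."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReplicaObjects", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags",
                    "s3:ObjectOwnerOverrideToBucketOwner"],
         "Resource": f"arn:aws:s3:::{DST_BUCKET}/*"},
        {"Sid": "ReplicaBucket", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["s3:ListBucket", "s3:GetBucketVersioning"],
         "Resource": f"arn:aws:s3:::{DST_BUCKET}"},
    ]}


def destination_key_policy_statement():
    """Statement to merge into the destination key's policy (destination step 4.2)."""
    return {"Sid": "AllowS3ReplicationFromSourceRole", "Effect": "Allow",
            "Principal": {"AWS": ROLE_ARN}, "Action": "kms:Encrypt", "Resource": "*",
            "Condition": s3_kms_condition(DST_REGION, DST_BUCKET)}


def check(config, dest_region=DST_REGION):
    """Return the mistakes the console will not stop you making (steps 3.2.1 and 3.2.3)."""
    problems = []
    dest = config["Rules"][0]["Destination"]
    _, _, _, key_region, key_account, _ = dest["EncryptionConfiguration"]["ReplicaKmsKeyID"].split(":", 5)
    if key_account != dest["Account"]:
        problems.append("replica KMS key must belong to the destination account")
    if key_region != dest_region:
        problems.append("replica KMS key must be in the destination bucket's region")
    if dest.get("AccessControlTranslation", {}).get("Owner") != "Destination":
        problems.append("without owner override the destination account cannot read the replicas")
    return problems


if __name__ == "__main__":
    cfg = replication_configuration()
    assert not check(cfg), check(cfg)
    for name, doc in [("replication.json", cfg), ("role-policy.json", replication_role_policy()),
                      ("dest-bucket-policy.json", destination_bucket_policy()),
                      ("dest-key-statement.json", destination_key_policy_statement())]:
        with open(name, "w") as f:
            json.dump(doc, f, indent=2)
```

Apply the files from the matching account: in the source account, `aws s3api put-bucket-replication --bucket <source-bucket> --replication-configuration file://replication.json` (after creating the role with `aws iam create-role` using a trust policy for `s3.amazonaws.com` and attaching role-policy.json); in the destination account, `aws s3api put-bucket-policy --bucket <destination-bucket> --policy file://dest-bucket-policy.json`. Be careful with the key: `aws kms put-key-policy` replaces the whole policy, so fetch the current one with `aws kms get-key-policy --policy-name default`, append dest-key-statement.json to its Statement array, and put the merged document back, exactly as step 4.2 does in the console.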