If you already have replication configured on your primary S3 bucket, then you already have an IAM role for replication. Since AWS associates a single IAM role with all replication rules on a source S3 bucket, then you will need to make the modifications to your existing IAM role and replication settings.
1. When presented with replication options by Arpio, select “I'll configure bucket replication myself.” Arpio will provide you with further instructions. Those instructions are for an S3 bucket without existing replication, so do not use them. However, from those instructions please make note of the following:
- The destination bucket name and arn
- The destination KMS key arn
2. Add a new replication rule for the source bucket.
- Destination bucket: <as noted above>
- Replication IAM Role: <use your existing S3 replication role>
- Replicate objects encrypted with KMS: Enabled
- KMS key for encrypted objects: <as noted above>
- Replication Time Control (RTC): Enabled
- Delete marker replication: Enabled
Click here for detailed instructions on configuring bucket replication
3. Grant your existing IAM role permission to replicate to the Arpio-created recovery bucket. You will need to add new permission policy statements to your replication role if they are not already present.
Option A:
- Find the IAM Role who name starts with “ArpioBucketReplicationRole…” and with role description that starts "Arpio-created role permitting S3 to replicate
<source bucket>..." - Copy the policy statements from this role to your replication role if they are not already present.
Option B:
- Use the following policy statement template and replace the contents in angle-brackets
<>. This is a JSON snippet that is intended to be added to an existing IAM permissions policy document:
{
"Sid": "SourceBucketObjectAccess",
"Effect": "Allow",
"Action": [
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionTagging"
],
"Resource": [
"<arn of source S3 bucket>/*"
]
},
{
"Sid": "SourceBucketAccess",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetReplicationConfiguration"
],
"Resource": [
"<arn of source S3 bucket>"
]
},
{
"Sid": "TargetBucketObjectReplication",
"Effect": "Allow",
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ReplicateTags",
"s3:ObjectOwnerOverrideToBucketOwner"
],
"Resource": "<arn of destination S3 bucket>/*"
},
{
"Sid": "SourceKmsKeyAccess",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "*"
},
{
"Sid": "TargetKmsKeyAccess",
"Effect": "Allow",
"Action": [
"kms:Encrypt"
],
"Resource": [
"<KMS arn as noted above>"
],
"Condition": {
"StringLike": {
"kms:ViaService": "s3.<destination_AWS_Region>.amazonaws.com",
"kms:EncryptionContext:aws:s3:arn": [
"<arn of destination S3 bucket>"
]
}
}
}
4. Update the bucket policy on the Arpio-created bucket.
- Update the bucket policy on the Arpio-created bucket to allow your existing IAM replication role to write objects to it. When you update the bucket policy, you must do it in a new statement (not one that Arpio has written) and you must append "-ArpioRetain" to the statement ID or else Arpio will view it as drift and delete it.
- The new additional statement on the destination bucket policy should look like this (replace the contents in angle-brackets)
{
"Sid": "ArpioReplication-ArpioRetain",
"Effect": "Allow",
"Principal": {
"AWS": "<arn of your existing replication IAM role>"
},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectTagging",
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ReplicateTags",
"s3:ObjectOwnerOverrideToBucketOwner"
],
"Resource": "<arn of this (destination) S3 bucket>/*"
}
Once all these steps are complete, then return to the Arpio console, and under Issues, click “Try Again”.