Global Data Durability: Implementing Amazon S3 Cross-Region Replication

Introduction
Amazon S3 is a highly durable, scalable object storage service that provides 99.999999999% durability by storing data across multiple Availability Zones. However, certain compliance, latency, and disaster recovery requirements demand storing data across different AWS Regions. This is where Cross-Region Replication (CRR) comes in.
CRR enables automatic, asynchronous replication of objects from one S3 bucket to another in a different AWS Region. It ensures business continuity, improves performance for global users, and helps meet regulatory requirements.
Why Use Cross-Region Replication?
According to AWS best practices and industry use cases:
Compliance: Some regulations require data copies in geographically distant regions.
Disaster Recovery: Replicating data across regions mitigates risks from regional outages.
Latency Optimization: Serve global customers faster by storing data closer to them.
Ownership Override: CRR allows changing object ownership in the destination bucket for access control.
How CRR Works
CRR uses live replication for new objects and S3 Batch Replication for existing objects. Key requirements:
Both buckets must have versioning enabled.
An IAM role must grant permissions for replication.
Objects uploaded before enabling replication are not automatically replicated.
Replication Types:
Same-Region Replication (SRR): For compliance within a region.
Cross-Region Replication (CRR): For multi-region backups and disaster recovery.
Advanced Option: Enable Replication Time Control (RTC) for predictable replication within 15 minutes (additional cost).
Step-by-Step Configuration
1. Create Buckets and Enable Versioning
Create source bucket in primary region.
Enable versioning via Properties → Bucket Versioning.
Create destination bucket in secondary region with versioning enabled.

2. Configure Replication Rule (source bucket)
Navigate to Management → Replication rules → Create replication rule.
Scope: Entire bucket or filtered by prefix/tags.
Destination: Select destination bucket.
IAM Role: Assign or create a role with permissions:

IAM Replication Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::source-br"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging"
      ],
      "Resource": [
        "arn:aws:s3:::source-br/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags"
      ],
      "Resource": "arn:aws:s3:::target-br/*"
    }
  ]
}
There is an advanced option to have S3 objects replicated within 15 minutes: tick the “Replication Time Control (RTC)” box. Please note that this feature incurs additional charges.

3. Test Replication
Upload a new file to the source bucket.
Verify replication in the destination bucket.
Note: Existing objects require S3 Batch Replication.

Now validate if the uploaded files are replicated to our target bucket.

Advanced Scenarios
Encrypted Objects
By default, KMS-encrypted objects are not replicated.
Edit replication rule → Enable Replicate objects encrypted with AWS KMS.
Specify destination KMS key.

Folder-Based Replication
Use a prefix filter (e.g., crr-test/) to replicate only specific folders.

Tag-Based Replication
Create rule with Tag filter (e.g., Key=replicate, Value=yes).
Only tagged objects replicate.
Delete Marker Replication
By default, deletions are not replicated.
Enable Delete marker replication if required.
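The advanced options above map onto fields of a single replication rule. The following is an added example, not code from the original article: it builds the configuration document that boto3's put_bucket_replication accepts. The function name build_replication_config, the rule ID, the role ARN and the KMS key ARN are assumptions made for illustration; the bucket names follow the IAM policy shown earlier.

```python
# Added example: builds the ReplicationConfiguration for boto3's s3.put_bucket_replication().

def build_replication_config(role_arn, dest_bucket_arn, prefix=None, tags=None,
                             replicate_delete_markers=False,
                             replica_kms_key_arn=None, rtc=False):
    """Return a one-rule replication configuration (schema with Filter)."""
    tag_list = [{"Key": k, "Value": v} for k, v in sorted((tags or {}).items())]
    if tag_list and replicate_delete_markers:
        # S3 does not support delete marker replication on tag-filtered rules.
        raise ValueError("delete marker replication cannot be used with a tag filter")

    # The Filter shape depends on how many predicates the rule has.
    if (prefix is not None and tag_list) or len(tag_list) > 1:
        rule_filter = {"And": {"Tags": tag_list}}
        if prefix is not None:
            rule_filter["And"]["Prefix"] = prefix
    elif tag_list:
        rule_filter = {"Tag": tag_list[0]}
    else:
        rule_filter = {"Prefix": prefix or ""}  # empty prefix = entire bucket

    dest = {"Bucket": dest_bucket_arn}
    rule = {
        "ID": "crr-rule", "Priority": 1, "Status": "Enabled",
        "Filter": rule_filter,
        "DeleteMarkerReplication": {
            "Status": "Enabled" if replicate_delete_markers else "Disabled"},
        "Destination": dest,
    }
    if replica_kms_key_arn:
        # Opt in to SSE-KMS objects and name the key that encrypts replicas.
        rule["SourceSelectionCriteria"] = {
            "SseKmsEncryptedObjects": {"Status": "Enabled"}}
        dest["EncryptionConfiguration"] = {"ReplicaKmsKeyID": replica_kms_key_arn}
    if rtc:
        # RTC needs replication metrics enabled on the same rule.
        dest["ReplicationTime"] = {"Status": "Enabled", "Time": {"Minutes": 15}}
        dest["Metrics"] = {"Status": "Enabled", "EventThreshold": {"Minutes": 15}}
    return {"Role": role_arn, "Rules": [rule]}

if __name__ == "__main__":
    import json
    cfg = build_replication_config(
        "arn:aws:iam::111122223333:role/crr-role",      # constructed placeholder
        "arn:aws:s3:::target-br", prefix="crr-test/", rtc=True,
        replica_kms_key_arn="arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE")
    print(json.dumps(cfg, indent=2))
    # Apply: boto3.client("s3").put_bucket_replication(
    #     Bucket="source-br", ReplicationConfiguration=cfg)
```

When KMS replication is enabled, the replication role also needs kms:Decrypt on the source key and kms:Encrypt on the destination key, which the IAM policy shown earlier does not grant.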
Best Practices & Considerations
Cost: Replication incurs storage and request charges in both regions.
Monitoring: Use Amazon S3 Replication metrics, CloudWatch, and EventBridge for alerts.
Multi-Region Access Points: Combine CRR with Multi-Region Access Points for global applications.
Security: Apply least-privilege IAM roles and enable encryption for compliance.
Conclusion
Amazon S3 CRR is a powerful feature for compliance, disaster recovery, and performance optimization. By leveraging versioning, replication rules, and advanced filters, you can design robust multi-region backup strategies.
