S3 Cross-Region Replication
Key concepts
CRR vs SRR
Replication requirements
Replication time control (RTC)
Delete marker replication
Bi-directional replication
Introduction
Amazon S3 Replication enables automatic, asynchronous copying of objects across S3 buckets. With Cross-Region Replication (CRR) and Same-Region Replication (SRR), you can replicate objects to buckets in different or same AWS regions for disaster recovery, compliance, latency reduction, and data aggregation.
S3 Replication Core Concept
S3 Replication requires versioning enabled on both source and destination buckets. Cross-Region Replication (CRR) copies objects to different regions for DR and latency. Same-Region Replication (SRR) copies within the same region for log aggregation and compliance. Replication only applies to NEW objects - use Batch Replication for existing objects.
Types of S3 Replication
Cross-Region Replication (CRR)
Replicates objects from a source bucket to a destination bucket in a different AWS region.
Same-Region Replication (SRR)
Replicates objects from a source bucket to a destination bucket in the same AWS region.
Requirements and Considerations
Replication Prerequisites
Mandatory Requirements:
- Versioning: Must be enabled on BOTH source and destination buckets
- IAM Permissions: S3 must have permission to replicate (IAM role)
- Bucket Ownership: Source bucket owner must have source and destination regions enabled
- Destination Access: For cross-account, destination bucket policy must allow replication
What Gets Replicated:
- Objects created AFTER replication is enabled
- Object metadata and tags
- Object ACL updates
- S3 Object Lock retention information (if configured)
What Does NOT Get Replicated:
- Objects that existed before replication was enabled (use Batch Replication)
- Objects created with SSE-C (customer-provided keys)
- Objects in the source bucket that are replicas from another replication rule
- Delete markers (unless explicitly enabled)
- Lifecycle actions (deletions via lifecycle rules)
Existing Objects Not Replicated
S3 Replication only applies to NEW objects uploaded after the replication rule is created. To replicate existing objects, you must use S3 Batch Replication, which creates a one-time job to copy existing objects.
If versioning is disabled on either bucket, replication will fail. If you disable versioning on the source bucket while a replication configuration exists, S3 returns an error. You must remove the replication configuration before disabling versioning.
Replication Configuration
Replication Rule Components
Rule Elements:
- Status: Enabled or Disabled
- Priority: Order of rule evaluation (higher = evaluated first)
- Filter: Optional scope limiting (prefix, tags, or both)
- Destination: Target bucket, storage class, account
- Delete Marker Replication: Enable/disable replication of delete markers
- Replication Time Control: Optional predictable replication SLA
- Replica Modification Sync: Sync metadata changes
Filter Options:
No filter: All objects replicated
Prefix: Objects with specific key prefix (e.g., "logs/")
Tags: Objects with specific tags
Prefix + Tags: Combination of both
```bash
# Create IAM role for replication
aws iam create-role \
--role-name S3ReplicationRole \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"Service": "s3.amazonaws.com"},
"Action": "sts:AssumeRole"
}]
}'
# Configure replication
aws s3api put-bucket-replication \
--bucket source-bucket \
--replication-configuration '{
"Role": "arn:aws:iam::123456789:role/S3ReplicationRole",
"Rules": [{
"ID": "ReplicateAll",
"Status": "Enabled",
"Priority": 1,
"Filter": {},
"Destination": {
"Bucket": "arn:aws:s3:::destination-bucket",
"StorageClass": "STANDARD"
},
"DeleteMarkerReplication": {
"Status": "Enabled"
}
}]
}'
```Delete Marker Replication
Delete Marker Handling
Default Behavior:
- Delete markers from S3 DELETE operations CAN be replicated (if enabled)
- Delete markers from lifecycle rules are NEVER replicated
- Permanent deletes (delete specific version) are NEVER replicated
Configuration Versions:
- V1 (Legacy): Delete markers replicated by default
- V2 (Current): Delete markers NOT replicated by default, must explicitly enable
Tag-Based Rules Limitation: If your replication rule uses tag-based filtering, delete marker replication must be disabled.
Delete marker replication can be enabled to sync deletions across buckets. However, permanent deletes (deleting a specific version ID) are NEVER replicated. This prevents accidental or malicious deletion of all copies.
S3 Replication Time Control (RTC)
Replication Time Control (RTC)
What is RTC? S3 Replication Time Control provides predictable replication with an SLA:
- 99.99% of objects replicated within 15 minutes
- Backed by AWS Service Level Agreement
Features:
- Replication metrics in CloudWatch
- S3 Event Notifications for replication
- Replication time visibility
Requirements:
- Must enable S3 Replication Metrics
- Additional cost per GB replicated
When to Use:
- Compliance requirements for timely backup
- Business continuity needs
- Real-time data synchronization requirements
Standard Replication vs RTC
| Feature | Standard Replication | Replication Time Control (RTC) |
|---|---|---|
| SLA | No SLA (best effort) | 99.99% within 15 minutes |
| Metrics | Basic | Detailed CloudWatch metrics |
| Cost | Replication + storage | Additional RTC fee |
| Notifications | Limited | Full event notifications |
| Use Case | General replication | Compliance, DR with SLA |
Batch Replication
S3 Batch Replication
Purpose: Replicate existing objects that were created before replication was enabled.
Use Cases:
- Backfill newly created destination bucket
- Retry previously failed replications
- Migrate data across accounts
- Add new buckets to data lake
How It Works:
- Enable standard replication rule first
- Generate manifest (S3 can auto-generate or use Inventory report)
- Create Batch Replication job
- S3 processes manifest and replicates objects
Requirements:
- Existing replication configuration on source bucket
- Manifest stored in same region as source bucket
- IAM permissions for Batch Operations
```
1. Go to S3 Console → Source Bucket → Management
2. Under Replication Rules, select existing rule
3. Click "Create replication job"
4. Choose scope:
- All objects in bucket
- Objects with specific prefix
- Objects from Inventory report
5. Configure IAM role
6. Review and create job
7. Monitor job status in S3 Batch Operations
```Two-Way (Bidirectional) Replication
Two-Way Replication
Purpose: Keep multiple buckets synchronized in both directions.
Configuration:
- Create replication rule from Bucket A → Bucket B
- Create replication rule from Bucket B → Bucket A
- S3 automatically prevents replication loops
Key Points:
- Both buckets must have versioning enabled
- Each bucket needs its own replication rule
- Replica Modification Sync should be enabled
- S3 identifies replicas to prevent infinite loops
Use Cases:
- Active-active multi-region architectures
- Multi-Region Access Points
- Distributed data processing

Multi-Region Access Points
Multi-Region Access Points with Replication
What are Multi-Region Access Points? A global endpoint that routes requests to the closest bucket automatically.
Integration with Replication:
- Configure CRR between buckets in Multi-Region Access Point
- Requests automatically route to nearest bucket
- Two-way replication keeps all buckets synchronized
Important Consideration: Without replication, a GET request routed to a bucket without the object returns 404. Enable two-way replication to ensure object availability across all buckets.
Best Practices:
- Enable S3 RTC for predictable replication
- Enable Replica Modification Sync
- Use CloudWatch to monitor replication lag

Encryption Considerations
Replication and Encryption
SSE-S3 (S3 Managed Keys):
- Replicated by default
- No additional configuration needed
SSE-KMS (KMS Managed Keys):
- Must explicitly enable in replication configuration
- Specify destination KMS key
- For cross-region: Use multi-region KMS keys or separate keys per region
- Additional KMS API costs
SSE-C (Customer Provided Keys):
- NOT supported for replication
- Objects encrypted with SSE-C cannot be replicated
Client-Side Encryption:
- Objects replicated as-is (encrypted blobs)
- Destination needs access to decryption keys for reading
```json
{
"Rules": [{
"ID": "ReplicateWithKMS",
"Status": "Enabled",
"Filter": {},
"Destination": {
"Bucket": "arn:aws:s3:::destination-bucket",
"EncryptionConfiguration": {
"ReplicaKmsKeyID": "arn:aws:kms:eu-west-1:123456789:key/mrk-xxx"
}
},
"SourceSelectionCriteria": {
"SseKmsEncryptedObjects": {
"Status": "Enabled"
}
}
}]
}
```Cross-Account Replication
Cross-Account Replication Setup
Additional Requirements:
- Destination bucket policy must grant source account permission
- Optionally change object ownership to destination account
Destination Bucket Policy Example:
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "AllowReplication",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::SOURCE_ACCOUNT:role/S3ReplicationRole"
},
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ReplicateTags"
],
"Resource": "arn:aws:s3:::destination-bucket/*"
}]
}
Object Ownership:
- By default, source account owns replicated objects
- Enable "Replica ownership override" to transfer ownership
- Requires additional bucket policy permissions
CRR vs SRR Comparison
CRR vs SRR Comparison
| Feature | CRR | SRR |
|---|---|---|
| Region | Different regions | Same region |
| Latency Reduction | Yes (geo-proximity) | No |
| Disaster Recovery | Yes (regional) | No (same region failure) |
| Data Transfer Cost | Cross-region charges | No transfer charges |
| Use Case | Global DR, compliance | Log aggregation, sync |
| RTC Support | Yes | Yes |
| Versioning Required | Yes | Yes |
Common Exam Scenarios
S3 Replication Scenarios: DR to another region → CRR | Log aggregation → SRR | Replicate existing objects → Batch Replication | Predictable time for compliance → RTC | Two regions in sync → Two-way replication | Global users → Multi-Region Access Points + CRR | KMS objects → Enable SSE-KMS in config
A company has an S3 bucket in us-east-1 with 5 TB of existing data. They want to set up disaster recovery by replicating all data to eu-west-1. After enabling Cross-Region Replication, they notice the existing 5 TB hasn't replicated. What should they do?
A solutions architect is configuring S3 Cross-Region Replication for compliance purposes. The compliance team requires proof that 99.99% of objects are replicated within 15 minutes. What should they enable?
Which of the following are requirements for S3 Cross-Region Replication? (Select TWO)
Best Practices
S3 Replication Best Practices
- Enable versioning first: Required before configuring replication
- Use Batch Replication: For existing objects before rule creation
- Enable RTC for compliance: When you need SLA-backed replication times
- Monitor with CloudWatch: Track replication metrics and failures
- Consider encryption: Plan for SSE-KMS key management across regions
- Test delete marker behavior: Ensure deletion handling meets requirements
- Document IAM roles: Clear documentation of replication permissions
- Use lifecycle rules wisely: Remember lifecycle deletions don't replicate
- Enable Replica Modification Sync: For two-way replication scenarios
Summary
S3 Replication is a powerful feature for disaster recovery, compliance, and data distribution:
- CRR: Cross-region for DR, latency, and geo-redundancy
- SRR: Same-region for log aggregation and account sync
- Batch Replication: For existing objects
- RTC: For SLA-backed replication times
- Two-Way Replication: For active-active architectures
Understanding the requirements (versioning, IAM, encryption) and limitations (existing objects, lifecycle deletions) is critical for the SAA-C03 exam.