Reading25 min read·Module 2

S3 Cross-Region Replication

Key concepts

  • CRR vs SRR

  • Replication requirements

  • Replication time control (RTC)

  • Delete marker replication

  • Bi-directional replication

Introduction

Amazon S3 Replication enables automatic, asynchronous copying of objects across S3 buckets. With Cross-Region Replication (CRR) and Same-Region Replication (SRR), you can replicate objects to buckets in different or same AWS regions for disaster recovery, compliance, latency reduction, and data aggregation.

S3 Replication Core Concept

S3 Replication requires versioning enabled on both source and destination buckets. Cross-Region Replication (CRR) copies objects to different regions for DR and latency. Same-Region Replication (SRR) copies within the same region for log aggregation and compliance. Replication only applies to NEW objects - use Batch Replication for existing objects.


Types of S3 Replication

Cross-Region Replication (CRR)

Replicates objects from a source bucket to a destination bucket in a different AWS region.

Same-Region Replication (SRR)

Replicates objects from a source bucket to a destination bucket in the same AWS region.


Requirements and Considerations

Replication Prerequisites

Mandatory Requirements:

  1. Versioning: Must be enabled on BOTH source and destination buckets
  2. IAM Permissions: S3 must have permission to replicate (IAM role)
  3. Bucket Ownership: Source bucket owner must have source and destination regions enabled
  4. Destination Access: For cross-account, destination bucket policy must allow replication

What Gets Replicated:

  • Objects created AFTER replication is enabled
  • Object metadata and tags
  • Object ACL updates
  • S3 Object Lock retention information (if configured)

What Does NOT Get Replicated:

  • Objects that existed before replication was enabled (use Batch Replication)
  • Objects created with SSE-C (customer-provided keys)
  • Objects in the source bucket that are replicas from another replication rule
  • Delete markers (unless explicitly enabled)
  • Lifecycle actions (deletions via lifecycle rules)
Existing Objects Not Replicated

S3 Replication only applies to NEW objects uploaded after the replication rule is created. To replicate existing objects, you must use S3 Batch Replication, which creates a one-time job to copy existing objects.

Exam Tip

If versioning is disabled on either bucket, replication will fail. If you disable versioning on the source bucket while a replication configuration exists, S3 returns an error. You must remove the replication configuration before disabling versioning.


Replication Configuration

Replication Rule Components

Rule Elements:

  • Status: Enabled or Disabled
  • Priority: Order of rule evaluation (higher = evaluated first)
  • Filter: Optional scope limiting (prefix, tags, or both)
  • Destination: Target bucket, storage class, account
  • Delete Marker Replication: Enable/disable replication of delete markers
  • Replication Time Control: Optional predictable replication SLA
  • Replica Modification Sync: Sync metadata changes

Filter Options:

No filter: All objects replicated
Prefix: Objects with specific key prefix (e.g., "logs/")
Tags: Objects with specific tags
Prefix + Tags: Combination of both
SHReplication Configuration (CLI)
```bash
# Create IAM role for replication
aws iam create-role \
    --role-name S3ReplicationRole \
    --assume-role-policy-document '{
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sts:AssumeRole"
        }]
    }'

# Configure replication
aws s3api put-bucket-replication \
    --bucket source-bucket \
    --replication-configuration '{
        "Role": "arn:aws:iam::123456789:role/S3ReplicationRole",
        "Rules": [{
            "ID": "ReplicateAll",
            "Status": "Enabled",
            "Priority": 1,
            "Filter": {},
            "Destination": {
                "Bucket": "arn:aws:s3:::destination-bucket",
                "StorageClass": "STANDARD"
            },
            "DeleteMarkerReplication": {
                "Status": "Enabled"
            }
        }]
    }'
```

Delete Marker Replication

Delete Marker Handling

Default Behavior:

  • Delete markers from S3 DELETE operations CAN be replicated (if enabled)
  • Delete markers from lifecycle rules are NEVER replicated
  • Permanent deletes (delete specific version) are NEVER replicated

Configuration Versions:

  • V1 (Legacy): Delete markers replicated by default
  • V2 (Current): Delete markers NOT replicated by default, must explicitly enable

Tag-Based Rules Limitation: If your replication rule uses tag-based filtering, delete marker replication must be disabled.

Exam Tip

Delete marker replication can be enabled to sync deletions across buckets. However, permanent deletes (deleting a specific version ID) are NEVER replicated. This prevents accidental or malicious deletion of all copies.


S3 Replication Time Control (RTC)

Replication Time Control (RTC)

What is RTC? S3 Replication Time Control provides predictable replication with an SLA:

  • 99.99% of objects replicated within 15 minutes
  • Backed by AWS Service Level Agreement

Features:

  • Replication metrics in CloudWatch
  • S3 Event Notifications for replication
  • Replication time visibility

Requirements:

  • Must enable S3 Replication Metrics
  • Additional cost per GB replicated

When to Use:

  • Compliance requirements for timely backup
  • Business continuity needs
  • Real-time data synchronization requirements

Standard Replication vs RTC

FeatureStandard ReplicationReplication Time Control (RTC)
SLANo SLA (best effort)99.99% within 15 minutes
MetricsBasicDetailed CloudWatch metrics
CostReplication + storageAdditional RTC fee
NotificationsLimitedFull event notifications
Use CaseGeneral replicationCompliance, DR with SLA

Batch Replication

S3 Batch Replication

Purpose: Replicate existing objects that were created before replication was enabled.

Use Cases:

  • Backfill newly created destination bucket
  • Retry previously failed replications
  • Migrate data across accounts
  • Add new buckets to data lake

How It Works:

  1. Enable standard replication rule first
  2. Generate manifest (S3 can auto-generate or use Inventory report)
  3. Create Batch Replication job
  4. S3 processes manifest and replicates objects

Requirements:

  • Existing replication configuration on source bucket
  • Manifest stored in same region as source bucket
  • IAM permissions for Batch Operations
TEXTBatch Replication Job (Console Steps)
```
1. Go to S3 Console → Source Bucket → Management
2. Under Replication Rules, select existing rule
3. Click "Create replication job"
4. Choose scope:
   - All objects in bucket
   - Objects with specific prefix
   - Objects from Inventory report
5. Configure IAM role
6. Review and create job
7. Monitor job status in S3 Batch Operations
```

Two-Way (Bidirectional) Replication

Two-Way Replication

Purpose: Keep multiple buckets synchronized in both directions.

Configuration:

  1. Create replication rule from Bucket A → Bucket B
  2. Create replication rule from Bucket B → Bucket A
  3. S3 automatically prevents replication loops

Key Points:

  • Both buckets must have versioning enabled
  • Each bucket needs its own replication rule
  • Replica Modification Sync should be enabled
  • S3 identifies replicas to prevent infinite loops

Use Cases:

  • Active-active multi-region architectures
  • Multi-Region Access Points
  • Distributed data processing
Two-Way Replication Architecture
Bidirectional replication between two S3 buckets in different regions

Multi-Region Access Points

Multi-Region Access Points with Replication

What are Multi-Region Access Points? A global endpoint that routes requests to the closest bucket automatically.

Integration with Replication:

  • Configure CRR between buckets in Multi-Region Access Point
  • Requests automatically route to nearest bucket
  • Two-way replication keeps all buckets synchronized

Important Consideration: Without replication, a GET request routed to a bucket without the object returns 404. Enable two-way replication to ensure object availability across all buckets.

Best Practices:

  • Enable S3 RTC for predictable replication
  • Enable Replica Modification Sync
  • Use CloudWatch to monitor replication lag
Multi-Region Access Points Architecture
Multi-Region Access Point with CRR keeping buckets synchronized across regions

Encryption Considerations

Replication and Encryption

SSE-S3 (S3 Managed Keys):

  • Replicated by default
  • No additional configuration needed

SSE-KMS (KMS Managed Keys):

  • Must explicitly enable in replication configuration
  • Specify destination KMS key
  • For cross-region: Use multi-region KMS keys or separate keys per region
  • Additional KMS API costs

SSE-C (Customer Provided Keys):

  • NOT supported for replication
  • Objects encrypted with SSE-C cannot be replicated

Client-Side Encryption:

  • Objects replicated as-is (encrypted blobs)
  • Destination needs access to decryption keys for reading
JSONReplication with SSE-KMS
```json
{
    "Rules": [{
        "ID": "ReplicateWithKMS",
        "Status": "Enabled",
        "Filter": {},
        "Destination": {
            "Bucket": "arn:aws:s3:::destination-bucket",
            "EncryptionConfiguration": {
                "ReplicaKmsKeyID": "arn:aws:kms:eu-west-1:123456789:key/mrk-xxx"
            }
        },
        "SourceSelectionCriteria": {
            "SseKmsEncryptedObjects": {
                "Status": "Enabled"
            }
        }
    }]
}
```

Cross-Account Replication

Cross-Account Replication Setup

Additional Requirements:

  1. Destination bucket policy must grant source account permission
  2. Optionally change object ownership to destination account

Destination Bucket Policy Example:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowReplication",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::SOURCE_ACCOUNT:role/S3ReplicationRole"
        },
        "Action": [
            "s3:ReplicateObject",
            "s3:ReplicateDelete",
            "s3:ReplicateTags"
        ],
        "Resource": "arn:aws:s3:::destination-bucket/*"
    }]
}

Object Ownership:

  • By default, source account owns replicated objects
  • Enable "Replica ownership override" to transfer ownership
  • Requires additional bucket policy permissions

CRR vs SRR Comparison

CRR vs SRR Comparison

FeatureCRRSRR
RegionDifferent regionsSame region
Latency ReductionYes (geo-proximity)No
Disaster RecoveryYes (regional)No (same region failure)
Data Transfer CostCross-region chargesNo transfer charges
Use CaseGlobal DR, complianceLog aggregation, sync
RTC SupportYesYes
Versioning RequiredYesYes

Common Exam Scenarios

Exam Tip

S3 Replication Scenarios: DR to another region → CRR | Log aggregation → SRR | Replicate existing objects → Batch Replication | Predictable time for compliance → RTC | Two regions in sync → Two-way replication | Global users → Multi-Region Access Points + CRR | KMS objects → Enable SSE-KMS in config

Q

A company has an S3 bucket in us-east-1 with 5 TB of existing data. They want to set up disaster recovery by replicating all data to eu-west-1. After enabling Cross-Region Replication, they notice the existing 5 TB hasn't replicated. What should they do?

ADelete and recreate the replication rule
BUse S3 Batch Replication to replicate existing objects
CRe-upload all 5 TB of data
DEnable versioning on the destination bucket
Q

A solutions architect is configuring S3 Cross-Region Replication for compliance purposes. The compliance team requires proof that 99.99% of objects are replicated within 15 minutes. What should they enable?

AS3 Transfer Acceleration
BS3 Replication Time Control (RTC)
CS3 Intelligent Tiering
DS3 Batch Operations
Q

Which of the following are requirements for S3 Cross-Region Replication? (Select TWO)

ABoth source and destination buckets must have versioning enabled
BThe buckets must be in the same AWS account
CS3 must have IAM permissions to replicate objects
DServer-side encryption must be disabled
EBoth buckets must use the same storage class

Best Practices

S3 Replication Best Practices
  1. Enable versioning first: Required before configuring replication
  2. Use Batch Replication: For existing objects before rule creation
  3. Enable RTC for compliance: When you need SLA-backed replication times
  4. Monitor with CloudWatch: Track replication metrics and failures
  5. Consider encryption: Plan for SSE-KMS key management across regions
  6. Test delete marker behavior: Ensure deletion handling meets requirements
  7. Document IAM roles: Clear documentation of replication permissions
  8. Use lifecycle rules wisely: Remember lifecycle deletions don't replicate
  9. Enable Replica Modification Sync: For two-way replication scenarios

Summary

S3 Replication is a powerful feature for disaster recovery, compliance, and data distribution:

  • CRR: Cross-region for DR, latency, and geo-redundancy
  • SRR: Same-region for log aggregation and account sync
  • Batch Replication: For existing objects
  • RTC: For SLA-backed replication times
  • Two-Way Replication: For active-active architectures

Understanding the requirements (versioning, IAM, encryption) and limitations (existing objects, lifecycle deletions) is critical for the SAA-C03 exam.

Related services

S3