Ref: https://learn.cantrill.io/courses/1820301/lectures/41301487

DEMO: https://learn.cantrill.io/courses/1820301/lectures/41301488

• Summary
• Contents:

S3 Replication - Overview

• 🔧 Replicate (copy) and sync objects between source (SRC) & destination (DST) buckets
  • Documentation: https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html
• Types:
  • According to bucket regions:
    • Same-Region Replication (SRR) → buckets are in the same region
    • Cross-Region Replication (CRR) → buckets are in different regions
  • According to bucket accounts:
    • Same-Account Replication → buckets are in the same account
    • Cross-Account Replication → buckets are in different accounts

Use Cases for S3 Replication

• SRR:
  • Data aggregation into a single S3 bucket
    • Logs → gather all regional logs into a single S3 bucket
    • Audits → put all regional data in an isolated account
  • Syncing data between e.g. TEST & PROD accounts
  • Resilience with strict sovereignty
    • Data can't leave region, but still want better resilience
• CRR:
  • Global resilience improvements
    • If primary region fails, can failover to a bucket in secondary region
  • Latency reduction
    • End-users can access data from bucket closest to them

S3 Replication - Architecture

• S3 must assume an IAM role with permissions to read SRC bucket and write to DST bucket
  • If buckets are in the same account → DST bucket automatically trusts the IAM role
  • ‼️ If buckets are in different accounts → Bucket policy of DST bucket must explicitly TRUST the role from the external account!

S3 Replication - Features

• Can replicate all objects (default) or subset of objects (filter by prefix and/or tags)
• Can select storage class for replicated objects in DST
  • Default: use same storage class as in SRC
  • Changing could be better (e.g. use 1Z-IA for cheaper storage of zonal backups)
• ❗ Careful with replicated object ownership!
  • ‼️ DEFAULT: replicated objects in DST bucket owned by account of SRC bucket!!
  • If cross-account replication, DST account might not be able to read the replicated objects inside its bucket! → Make sure to change ownership of replicated objects to DST account to avoid this (if desired)
• ❗ Replication Time Control (RTC) = 15-min replication Service Level Agreement (SLA)
  • Disabled by default → Default is best-effort replication
  • For strict business requirements
    • Need replication to be delivered as fast as possible
  • Provides detailed metrics of replication process
  • Incurs additional costs $$$

S3 Replication - Considerations/Limitations