Configure bi-directional cross-region replication (CRR) for S3 buckets
Amazon S3 replication enables automatic, asynchronous copying of objects across Amazon S3 buckets. Buckets that are configured for object replication can be owned by the same AWS account or by different accounts. You can copy objects between different AWS Regions or within the same Region. You will setup bi-directional replication between S3 buckets in two different regions, owned by the same AWS account.
Replication is configured via rules. There is no rule for bi-directional replication. You will however setup a rule to replicate from the S3 bucket in the east AWS region to the west bucket, and you will setup a second rule to replicate going the opposite direction. These two rules will enable bi-directional replication across AWS regions.
2.1 Setup rule #1 to replicate objects from east bucket to west bucket
Go to the Amazon S3 console
Click on the name of the east bucket
- if you used Ohio the name will be
<your_naming_prefix>-crrlab-us-east-2
- if you used Ohio the name will be
Click on the Management tab (Step A in screenshot)
Click Replication (Step B in screenshot)
Click + Add Rule (Step C in screenshot)
For Set source select Entire bucket
For Replication criteria leave Replicate objects encrypted with AWS KMS not selected
- Our objects are encrypted using server-side encryption
- However since you used SSE-S3 encryption, you do not need to select this option and do not need to provide a KMS key
- SSE-S3 uses KMS keys, but these managed by Amazon S3 for the user
- For more detail see What Does Amazon S3 Replicate?
Click Next
For Destination bucket leave Buckets in this account selected, and select the name of the west bucket from the drop-down
- If you used Oregon the name will be
<your_naming_prefix>-crrlab-us-west-2 - Troubleshooting: If you get an error saying The bucket doesn’t have versioning enabled then you have chosen the wrong bucket. Double check the bucket name.
- If you used Oregon the name will be
Click Next
For IAM Role select <your-naming-prefix>-S3-Replication-Role-us-east-2 from the search results box
- (If you chose a different region as your east region, then look for that region at the end of the IAM role name)
For Rule name enter
east to westLeave Status set to enabled
Click Next
Review the configuration
Click Save
The screen should say Replication configuration updated successfully. and display the Source, Destination, and Permissions of your replication rule
2.2 Test replication rule #1 - replicate object from east bucket to west bucket
To test this rule you will upload an object into the east bucket and observe that it is replicated into the west bucket. For this step you will need a test object:
- This is a file that you will upload into the east S3 bucket.
- It should not be too big, as this will increase the time to upload it from your computer.
- If you do not have a file to use, you can download this file.
Right-click and Save image as… 
Go to the Amazon S3 console, or if you are already there click on Amazon S3 in the upper left corner
Click on the name of the east bucket
- if you used Ohio the name will be
<your_naming_prefix>-crrlab-us-east-2
- if you used Ohio the name will be
Click on ⬆ Upload
Upload the file you will use as an object
- Drag and drop the file or click Add files
- Click Upload (note there is a Next button, but you do not need to click it)
When the file is finished uploading, click on the filename
- It will look like the left side of the screenshot below
- If Replication status is PENDING, wait and refresh until it says COMPLETED which should be just a few seconds.
At the top of the console click on Amazon S3 and then click on the name of the west bucket
- If you used Oregon the name will be
<your_naming_prefix>-crrlab-us-west-2
- If you used Oregon the name will be
Click on the filename of the file that you just uploaded to the other bucket (yes, it is here now too!)
- It will look like the right side of the screenshot below
Note the following in from the object details:
- Replication status: Note the different values for the source (east) and destination (west) S3 buckets. The value REPLICA in the west bucket is part of the solution how the system recognizes it should not replicate this object back again to the east bucket, which would cause an infinite loop.
- Server-side encryption: The object was encrypted in the source (east) bucket, and remains encrypted in the destination (west) bucket.
2.3 Setup rule #2 to replicate objects from west bucket to east bucket
After setting up the second rule, you will have completed configuration of bi-directional replication between our two Amazon S3 buckets.
- Go to the Amazon S3 console, or if you are already there click on Amazon S3 in the upper left corner
- Click on the name of the west bucket
- if you used Oregon the name will be
<your_naming_prefix>-crrlab-us-west-2
- if you used Oregon the name will be
- Click on the Management tab
- Click Replication
- Click + Add Rule
- For Set source select Entire bucket
- For Replication criteria leave Replicate objects encrypted with AWS KMS not selected
- Our objects are encrypted using server-side encryption
- However since you used SSE-S3 encryption, you do not need to select this option and do not need to provide a KMS key
- SSE-S3 uses KMS keys, but these managed by Amazon S3 for the user
- For more detail see What Does Amazon S3 Replicate?
- Click Next
- For Destination bucket leave Buckets in this account selected, and select the name of the east bucket from the drop-down
- If you used Ohio the name will be
<your_naming_prefix>-crrlab-us-east-2 - Troubleshooting: If you get an error saying The bucket doesn’t have versioning enabled then you have chosen the wrong bucket. Double check the bucket name.
- If you used Ohio the name will be
- Click Next
- For IAM Role select <your-naming-prefix>-S3-Replication-Role-us-west-2 from the search results box
- (If you chose a different region as your west region, then look for that region at the end of the IAM role name)
- For Rule name enter
west to east - Leave Status set to enabled
- Click Next
- Review the configuration
- Click Save
The screen should say Replication configuration updated successfully. and display the Source, Destination, and Permissions of your replication rule
