Test bi-directional cross-region replication (CRR)

To test bi-directional replication using the two rules you created, you will upload another object into each of the east and west S3 buckets and observe that it is replicated to the other bucket. For this step you will need two more test objects:

  • These are files that you will upload into each S3 bucket.
  • They should not be too big, as this will increase the time it takes to upload them from your computer.
  • If you do not have files to use, you can download file #1 and download file #2
    • File #1: OhioAwsEast
    • File #2: OregonAwsWest

3.1 Upload objects to their respective Amazon S3 buckets

3.1.1 Upload object #1 to the east S3 bucket

  1. Go to the Amazon S3 console, or if you are already there click on Amazon S3 in the upper left corner
  2. Click on the name of the east bucket
    • if you used Ohio the name will be <your_naming_prefix>-crrlab-us-east-2
  3. Click on ⬆ Upload
  4. Upload the file you will use as object #1
    • Drag and drop the file or click Add files
    • Click Upload (note there is a Next button, but you do not need to click it)

3.1.2 Upload object #2 to the west S3 bucket

  1. Click on Amazon S3 in the upper left corner of the Amazon S3 console
  2. Click on the name of the west bucket
    • if you used Oregon the name will be <your_naming_prefix>-crrlab-us-west-2
  3. Click on ⬆ Upload
  4. Upload the file you will use as object #2
    • Drag and drop the file or click Add files
    • Click Upload (note there is a Next button, but you do not need to click it)

3.2 Verify bi-directional replication

  1. You are already looking at the objects in the west bucket
    • Verify that object #1, which you uploaded to the east bucket, is also present here
    • Note the Replication status is REPLICA
  2. Click on Amazon S3 in the upper left corner
  3. Click on the name of the east bucket
    • Verify that object #2, which you uploaded to the west bucket, is also present here
    • Note the Replication status is REPLICA

3.3 Explore which Amazon S3 events trigger replication and which do not

3.3.1 Use CloudWatch Logs Insights to query the CloudTrail logs

AWS CloudTrail is a service that provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. You will use AWS CloudTrail to explore which Amazon S3 events trigger replication to occur.

  1. Change back to the east AWS region

    • If you used the directions in this lab, then this is Ohio (us-east-2)
  2. The CloudFormation template you deployed configured CloudTrail to deliver a trail to CloudWatch Logs. Therefore:

  3. Where it says Select log group(s) select the one named CloudTrail/logs/<your_prefix_name>

  4. Right below that is where you can enter a query

    • Delete the query that is there

    • and enter the following query. It returns all PutObject requests on S3 buckets

            # Select the object key, bucket and caller identity for each event
            fields @timestamp, requestParameters.key AS key,
                requestParameters.bucketName AS bucket,
                userIdentity.invokedBy AS invokedBy,
                userIdentity.arn AS arn,
                userIdentity.sessionContext.sessionIssuer.userName AS UserName
            | filter eventName = 'PutObject'
            | sort @timestamp desc
            | limit 20
      
  5. Click Run query

  6. Look at the results at the bottom of the screen

3.3.2 Difference between uploaded and replicated objects in S3 bucket

You are looking for three results, one for each of the test objects you uploaded. Use the key field to see the test object names.

  • Troubleshooting: If your query returned fewer or more than three results, then consult this guide to tuning your Insights query

  • For these events look at the tabular attributes returned by the query at the bottom of the page

    • However, if you want to see all the attributes, you can click to the left of each event
  • The three events correspond to each of the objects you put into the S3 buckets

    • The object you put into the east bucket testing rule #1
    • The object you put into the east bucket testing bi-directional replication
    • The object you put into the west bucket testing bi-directional replication
      • Look at the bucket for this event. This event is for the east bucket
      • This is actually the replication event for the object you put into the west bucket
  • What is different between events where you uploaded the object into the bucket and events where the object was put into the bucket by replication?

The CloudWatch Logs Insights page should look like this:

[Screenshot: CloudTrailForS3]

The result is:

  • For an object uploaded by you
    • Amazon S3 triggers the rule you configured to replicate it to another bucket
    • And sets Replication status to COMPLETED
  • For an object replicated from another bucket
    • Amazon S3 knows not to re-replicate the object
    • And sets Replication status to REPLICA
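
The same comparison can be done offline on exported CloudTrail records. The following is an added example, not part of the lab or its CloudFormation template: it labels each PutObject event as an upload or a replication write by inspecting the session issuer role name. The sample records are constructed, and matching on the `S3-Replication-Role` substring is an assumption based on the lab's `<your-naming-prefix>-S3-Replication-Role-…` role naming.

```python
import json

# Constructed CloudTrail records (not real log data), trimmed to the fields the
# lab's Insights query selects. "demo", the account id and the role suffix
# "EXAMPLE" are placeholders.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-01-01T10:00:00Z", "eventName": "PutObject",
  "requestParameters": {"bucketName": "demo-crrlab-us-east-2", "key": "test-object-0.txt"},
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/labuser"}},
 {"eventTime": "2024-01-01T10:05:00Z", "eventName": "PutObject",
  "requestParameters": {"bucketName": "demo-crrlab-us-east-2", "key": "test-object-1.txt"},
  "userIdentity": {"type": "AssumedRole",
    "sessionContext": {"sessionIssuer": {"userName": "LabAdminRole"}}}},
 {"eventTime": "2024-01-01T10:06:00Z", "eventName": "GetObject",
  "requestParameters": {"bucketName": "demo-crrlab-us-east-2", "key": "test-object-1.txt"},
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/labuser"}},
 {"eventTime": "2024-01-01T10:07:00Z", "eventName": "PutObject",
  "requestParameters": {"bucketName": "demo-crrlab-us-east-2", "key": "test-object-2.txt"},
  "userIdentity": {"type": "AssumedRole",
    "sessionContext": {"sessionIssuer": {"userName": "demo-S3-Replication-Role-EXAMPLE"}}}}
]""")

# Assumption: replication writes are made under the lab's
# <your-naming-prefix>-S3-Replication-Role-... IAM role.
REPLICATION_ROLE_MARKER = "S3-Replication-Role"

def issuer_name(event):
    """Session issuer role name, or '' when the caller is not an assumed role."""
    identity = event.get("userIdentity") or {}
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("userName", "")

def classify_put(event, marker=REPLICATION_ROLE_MARKER):
    """'replication' or 'upload' for PutObject events, None for anything else."""
    if event.get("eventName") != "PutObject":
        return None
    return "replication" if marker in issuer_name(event) else "upload"

def summarize(events):
    """(bucket, key, kind) per PutObject event, newest first like the lab query."""
    rows = []
    for ev in sorted(events, key=lambda e: e["eventTime"], reverse=True):
        kind = classify_put(ev)
        if kind:
            params = ev.get("requestParameters") or {}
            rows.append((params.get("bucketName"), params.get("key"), kind))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(*row, sep="\t")
```

The second sample record is an upload made through an ordinary assumed role, which is why the check keys on the role name rather than on the identity type alone.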

3.4 Additional exercises

These are optional. They help you to explore and understand bi-directional cross-region replication on Amazon S3.

  • Look at the Permissions on the <your-naming-prefix>-S3-Replication-Role-… IAM Roles

    • Why do they have the policies that they do?
  • What happens when you rename an object in one of the buckets?

    • Hint: if you cannot figure it out consider that versioning is enabled (and must be enabled for replication to work)
  • Switch to the west AWS region and run the same CloudWatch Insights Query there.

    • What do you expect?

3.5 Summary

You created two S3 buckets in two different AWS regions. You then set up bi-directional cross-region replication (CRR) between the two Amazon S3 buckets. Putting an object in either bucket resulted in the object asynchronously being backed up to the other bucket. Objects encrypted in their original bucket are also encrypted in their replication bucket. Objects are replicated once – replication “looping” is prevented.