Cross-Account Replication With the Wasabi S3 API
    • 13 Feb 2025

    Scheduling a Cross-Account Replication Job

    1. Create a source bucket on account-1 and a destination bucket on account-2.

      Source-bucket: my-replication-source-account-1
      Source-bucket-arn: arn:aws:s3:::my-replication-source-account-1
      Destination-bucket: my-replication-destination-account-2
      Destination-bucket-arn: arn:aws:s3:::my-replication-destination-account-2

      Make sure the source and destination buckets have the same bucket property when you schedule the replication configuration:
           Non-versioned source —> Non-versioned destination
           Versioned source —> Versioned destination
    2. Create an IAM policy in account-1.

      Policy: My-Policy-Account-1
      Policy-Document:
      {
         "Version": "2012-10-17",
         "Statement": [
            {
               "Effect": "Allow",
               "Action": [
                  "s3:ListBucket",
                  "s3:GetReplicationConfiguration",
                  "s3:GetObjectVersionForReplication",
                  "s3:GetObjectVersionAcl",
                  "s3:GetObjectVersionTagging",
                  "s3:GetObjectRetention",
                  "s3:GetObjectLegalHold"
               ],
               "Resource": [
                  "arn:aws:s3:::my-replication-source-account-1",
                  "arn:aws:s3:::my-replication-source-account-1/*",
                  "arn:aws:s3:::my-replication-destination-account-2",
                  "arn:aws:s3:::my-replication-destination-account-2/*"
               ]
            },
            {
               "Effect": "Allow",
               "Action": [
                  "s3:ReplicateObject",
                  "s3:ReplicateDelete",
                  "s3:ReplicateTags"
               ],
               "Resource": [
                  "arn:aws:s3:::my-replication-source-account-1/*",
                  "arn:aws:s3:::my-replication-destination-account-2/*"
               ]
            }
         ]
      }
    3. Create a role and attach the IAM policy (account-1).

      Role: My-Role-Account-1
      Role-Arn: arn:aws:iam::account-1-id:role/My-Role-Account-1
      Role trust policy:
      {
         "Version": "2012-10-17",
         "Statement": [
            {
               "Effect": "Allow",
               "Principal": {
                   "AWS": "*"
               },
               "Action": "sts:AssumeRole"
            }
         ]
      }
    4. Create a destination bucket policy (account-2).

      Destination-bucket policy:
      {
         "Version": "2012-10-17",
         "Statement": [
            {
               "Sid": "Set-permissions-for-objects",
               "Effect": "Allow",
               "Principal": {
                  "AWS": "arn:aws:iam::account-1-id:role/My-Role-Account-1"
               },
               "Action": [
                  "s3:ReplicateObject",
                  "s3:ReplicateDelete",
                  "s3:ReplicateTags"
               ],
               "Resource": "arn:aws:s3:::my-replication-destination-account-2/*"
            },
            {
               "Sid": "Set permissions on bucket",
               "Effect": "Allow",
               "Principal": {
                  "AWS": "arn:aws:iam::account-1-id:role/My-Role-Account-1"
               },
               "Action": [
                  "s3:List*",
                  "s3:GetBucketVersioning",
                  "s3:PutBucketVersioning"
               ],
               "Resource": "arn:aws:s3:::my-replication-destination-account-2"
            }
         ]
      }
    5. Schedule a cross-account replication job, per the criteria below.

    Schedule a Cross-Account Replication Job (Without Filters)

    PUT https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication

    Request body:

    <?xml version="1.0" encoding="UTF-8"?>
    <ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
       <Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
       <Rule>
          <ID>Cross-acct-replication-no-filter</ID>
          <Priority>1</Priority>
          <Status>Enabled</Status>
          <DeleteMarkerReplication>
             <Status>Enabled</Status>
          </DeleteMarkerReplication>
          <Destination>
             <Bucket>arn:aws:s3:::my-replication-destination-account-2</Bucket>
             <Account>account-2-id</Account>
             <AccessControlTranslation>
                <Owner>Destination</Owner>
             </AccessControlTranslation>
          </Destination>
          <Filter></Filter>
       </Rule>
    </ReplicationConfiguration>

    Status: 200 OK

    Response body: No content
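
The request body has to agree with the policies from steps 3 and 4: the `<Role>` must be the principal the destination bucket policy names, and the `<Bucket>` ARN must be the resource that policy covers. The following pre-flight check is an added example, not Wasabi's code; `preflight`, its finding strings and the sample inputs are constructed here, and it reads only the first `<Rule>`.

```python
import json
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

def _list(v):
    return v if isinstance(v, list) else [v]

def _principals(stmt):
    p = stmt.get("Principal", {})
    return _list(p.get("AWS", [])) if isinstance(p, dict) else [p]

def preflight(trust_json, bucket_policy_json, replication_xml):
    """Cross-check the step 3 trust policy, the step 4 bucket policy and a
    replication request body (first Rule only). Empty list = no findings."""
    findings, values = [], {}
    root = ET.fromstring(replication_xml)
    for path in ("s3:Role", "s3:Rule/s3:Destination/s3:Bucket",
                 "s3:Rule/s3:Destination/s3:Account"):
        raw = root.findtext(path, "", NS)
        name = path.rsplit(":", 1)[1]
        if raw != raw.strip():
            findings.append(f"{name}: whitespace around value")
        values[name] = raw.strip()
    role, bucket = values["Role"], values["Bucket"]
    # The destination account must allow this exact role to write replicas.
    if not any(s["Effect"] == "Allow" and role in _principals(s)
               and "s3:ReplicateObject" in _list(s["Action"])
               and f"{bucket}/*" in _list(s["Resource"])
               for s in _list(json.loads(bucket_policy_json)["Statement"])):
        findings.append(f"{bucket}: no ReplicateObject grant for {role}")
    # Report trust statements that any principal satisfies unconditionally.
    for s in _list(json.loads(trust_json)["Statement"]):
        if s["Effect"] == "Allow" and "*" in _principals(s) and "Condition" not in s:
            findings.append("trust policy: wildcard Principal without Condition")
    return findings

# Constructed inputs modelled on the page's documents; the space inside
# <Bucket> is deliberate, to show the whitespace finding.
ROLE = "arn:aws:iam::account-1-id:role/My-Role-Account-1"
DEST = "arn:aws:s3:::my-replication-destination-account-2"
TRUST = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})
BUCKET_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE}, "Resource": DEST + "/*",
     "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]}]})
CONFIG = (f'<ReplicationConfiguration xmlns="{NS["s3"]}"><Role>{ROLE}</Role><Rule>'
          f"<Destination><Bucket> {DEST}</Bucket><Account>account-2-id</Account>"
          "</Destination></Rule></ReplicationConfiguration>")
```

Calling `preflight(TRUST, BUCKET_POLICY, CONFIG)` returns one finding for the padded `<Bucket>` value and one for the trust policy; findings are prompts for review, not a statement of what the service will accept.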

    Schedule a Cross-Account Replication Job (With Filter—Prefix Alone)

    The following example replicates only objects/folders that match the prefix “Office-”.

    PUT https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication

    Request body:

    <?xml version="1.0" encoding="UTF-8"?>
    <ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
       <Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
       <Rule>
          <ID>Cross-acct-replication-prefix-filter</ID>
          <Priority>1</Priority>
          <Status>Enabled</Status>
          <DeleteMarkerReplication>
             <Status>Enabled</Status>
          </DeleteMarkerReplication>
          <Destination>
             <Bucket>arn:aws:s3:::my-replication-destination-account-2</Bucket>
             <Account>account-2-id</Account>
             <AccessControlTranslation>
                <Owner>Destination</Owner>
             </AccessControlTranslation>
          </Destination>
          <Filter>
             <Prefix>Office-</Prefix>
          </Filter>
       </Rule>
    </ReplicationConfiguration>

    Status: 200 OK

    Response body: No content

    Schedule a Cross-Account Replication Job (With Filter—Tags Alone)

    The following example replicates objects that match the Tags condition.

    PUT https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication

    Request body:

    <?xml version="1.0" encoding="UTF-8"?>
    <ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
       <Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
       <Rule>
          <ID>Cross-acct-replication-tags-filter</ID>
          <Priority>1</Priority>
          <Status>Enabled</Status>
          <DeleteMarkerReplication>
             <Status>Disabled</Status>
          </DeleteMarkerReplication>
          <Destination>
             <Bucket>arn:aws:s3:::my-replication-destination-account-2</Bucket>
             <Account>account-2-id</Account>
             <AccessControlTranslation>
                <Owner>Destination</Owner>
             </AccessControlTranslation>
          </Destination>
          <Filter>
             <And>
                <Tag>
                   <Key>key2</Key>
                   <Value>value2</Value>
                </Tag>
                <Tag>
                   <Key>key1</Key>
                   <Value>value1</Value>
                </Tag>
             </And>
          </Filter>
       </Rule>
    </ReplicationConfiguration>

    Status: 200 OK

    Response body: No content

    Schedule a Cross-Account Replication Job (With Filter—Both Prefix and Tags)

    The following example replicates only objects that match the Prefix and Tags conditions.

    PUT https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication

    Request body:

    <?xml version="1.0" encoding="UTF-8"?>
    <ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
       <Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
       <Rule>
          <ID>Cross-acct-replication-prefix-tags-filter</ID>
          <Priority>1</Priority>
          <Status>Enabled</Status>
          <DeleteMarkerReplication>
             <Status>Disabled</Status>
          </DeleteMarkerReplication>
          <Destination>
             <Bucket>arn:aws:s3:::my-replication-destination-account-2</Bucket>
             <Account>account-2-id</Account>
             <AccessControlTranslation>
                <Owner>Destination</Owner>
             </AccessControlTranslation>
          </Destination>
          <Filter>
             <And>
                <Prefix>common/</Prefix>
                <Tag>
                   <Key>key2</Key>
                   <Value>value2</Value>
                </Tag>
                <Tag>
                   <Key>key1</Key>
                   <Value>value1</Value>
                </Tag>
             </And>
          </Filter>
       </Rule>
    </ReplicationConfiguration>

    Status: 200 OK

    Response body: No content
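
To see which objects a filter will send to account-2 before scheduling the job, the filter forms above (no filter, prefix alone, tags alone, prefix and tags under `<And>`) can be evaluated offline. This is an added example, not Wasabi's code; it assumes S3-style semantics in which every listed condition must hold and extra tags on an object are ignored, and `parse_filter`, `would_replicate`, `preview` and the object inventory are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

def parse_filter(replication_xml):
    """Return (prefix, required_tags) for the first Rule's Filter."""
    root = ET.fromstring(replication_xml)
    flt = root.find("s3:Rule/s3:Filter", NS)
    if flt is None:
        return "", {}
    scope = flt.find("s3:And", NS)
    if scope is None:
        scope = flt  # a single Prefix or Tag sits directly under Filter
    prefix = scope.findtext("s3:Prefix", "", NS)
    tags = {t.findtext("s3:Key", "", NS): t.findtext("s3:Value", "", NS)
            for t in scope.iterfind("s3:Tag", NS)}
    return prefix, tags

def would_replicate(replication_xml, key, object_tags):
    """True when the object key and tags satisfy every filter condition."""
    prefix, required = parse_filter(replication_xml)
    return key.startswith(prefix) and all(
        object_tags.get(k) == v for k, v in required.items())

def preview(replication_xml, objects):
    """Sorted keys from an inventory {key: tags} that the filter selects."""
    return sorted(k for k, t in objects.items()
                  if would_replicate(replication_xml, k, t))

# Constructed request body carrying the page's prefix-and-tags filter.
CONFIG = f"""<ReplicationConfiguration xmlns="{NS['s3']}"><Rule><Filter><And>
<Prefix>common/</Prefix>
<Tag><Key>key2</Key><Value>value2</Value></Tag>
<Tag><Key>key1</Key><Value>value1</Value></Tag>
</And></Filter></Rule></ReplicationConfiguration>"""

# Constructed object inventory: key -> tag set.
OBJECTS = {
    "common/report.pdf": {"key1": "value1", "key2": "value2", "team": "ops"},
    "common/draft.txt": {"key1": "value1"},
    "private/keys.pem": {"key1": "value1", "key2": "value2"},
}
```

With an empty `<Filter></Filter>`, as in the first request on this page, every key in the inventory is selected.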

    Replicating Existing Objects

    To replicate existing objects from the source to the destination, call the following API, but only after scheduling the replication configuration.

    PUT https://s3.<region>.wasabisys.com/my-source-account-1?manifestCreateAndProcess

    Request body: No content

    Status: 200 OK

    Response body:

    <?xml version="1.0" encoding="UTF-8"?>
    <ManifestCreateAndProcess>jobId : f234de0f-XXXX-ABCD-bc3a-45d4a6874b95</ManifestCreateAndProcess>

    Updating the Replication Configuration

    The following example changes the previous Prefix value “common/” to “private/” and replaces the previous tag key1=value1 with key3=value3.

    PUT https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication

    Request body:

    <?xml version="1.0" encoding="UTF-8"?>
    <ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
       <Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
       <Rule>
          <ID>Cross-acct-replication-prefix-tags-filter</ID>
          <Priority>1</Priority>
          <Status>Enabled</Status>
          <DeleteMarkerReplication>
             <Status>Disabled</Status>
          </DeleteMarkerReplication>
          <Destination>
             <Bucket>arn:aws:s3:::my-replication-destination-account-2</Bucket>
             <Account>account-2-id</Account>
             <AccessControlTranslation>
                <Owner>Destination</Owner>
             </AccessControlTranslation>
          </Destination>
          <Filter>
             <And>
                <Prefix>private/</Prefix>
                <Tag>
                   <Key>key2</Key>
                   <Value>value2</Value>
                </Tag>
                <Tag>
                   <Key>key3</Key>
                   <Value>value3</Value>
                </Tag>
             </And>
          </Filter>
       </Rule>
    </ReplicationConfiguration>

    Status: 200 OK

    Response body: No content

    Deleting the Replication Configuration

    DELETE https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication

    Request body: No content

    Status: 204 No Content

    Response body: No content