At this moment I’m configuring a new CDN for our project.
Will use CloudFront and Cloudflare here so need to create two dedicated buckets with different names – cdn.cfr.example.com => CloudFront and cdn.cfl.example.com => Cloudflare.
To avoid coping data each time to both buckets – an AWS S3 Cross-Region Replication can be used, so data from a bucket-1 will be copied to a bucket-2.
Documentation – Cross-Region Replication.
CRR prerequisites:
- both buckets must have S3 Versioning enabled (see. Using Versioning)
- both buckets must be created in different regions
- both buckets must have permissions for replication between them
CRR limitations:
- already existing files in a source-bucket will not be copied after CRR will be configured (i.e. only new files will be replicated)
- can not create a replication-chain, i.e. Bucket-A => Bucket-B => Bucket-C
Contents
AWS S3 Cross-Region Replication set up
Create two buckets:
For both enable Versioning:
In a source-bucket bttrm-crr-source go to the Management > Replication, click on the Add rule:
Set replicate all from this bucket:
Click Next, set the receiver-bucket name:
Next – permissions and IAM role.
Chose the Create new IAM role, set its name:
Save:
Replication testing
Upload a test file to the source bttrm-crr-source bucket:
Check if it is present:
And check the destination bucket:
The file is present, all good.
Deleting files from S3 Cross-Region Replication and DeleteMarkers
if you’ll just delete a file from the current source-bucket – it will be deleted there, but not in the destination bucket.
Remove it in the source:
Check it in the destination:
The file is still here.
To delete objects from under S3 Versioning – AWS adds a special marker called DeleteMarker (see. Working with Delete Markers):
But this marker will not be copied to the destination bucket, see the What Does Amazon S3 Replicate:
- If you make a DELETE request without specifying an object version ID, Amazon S3 adds a delete marker. Amazon S3 deals with the delete marker as follows:
- If you are using the latest version of the replication configuration, that is, you specify the
Filterelement in a replication configuration rule, Amazon S3 does not replicate the delete marker. - If you don’t specify the
Filterelement, Amazon S3 assumes that the replication configuration is a prior version V1. In the earlier version, Amazon S3 handled replication of delete markers differently. For more information, see Backward Compatibility .
- If you are using the latest version of the replication configuration, that is, you specify the
- If you specify an object version ID to delete in a DELETE request, Amazon S3 deletes that object version in the source bucket, but it doesn’t replicate the deletion in the destination bucket. In other words, it doesn’t delete the same object version from the destination bucket. This protects data from malicious deletions.
Check the file in the destination bucket:
No DeleteMarkers present.
Check the replication settings:
DeleteMarkerReplication – "Status": "Disabled", okay.
IAM s3:ReplicateDelete
At first – check the IAM role used (see the Setting Up Permissions for Cross-Region Replication).
Find its name:
And find this role in the IAM:
Check it – the "s3:ReplicateDelete" in the Actions must be present:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:Get*",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bttrm-crr-source",
"arn:aws:s3:::bttrm-crr-source/*"
]
},
{
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ReplicateTags",
"s3:GetObjectVersionTagging"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bttrm-crr-dest/*"
}
]
}
S3 Bucket Policy
Now – export existing S3 policy:
Check its content:
{
"ReplicationConfiguration": {
"Role": "arn:aws:iam::534***385:role/service-role/s3crr_role_for_bttrm-crr-source_to_bttrm-crr-dest",
"Rules": [
{
"ID": "bttrm-s3-crr-replica",
"Priority": 1,
"Filter": {},
"Status": "Enabled",
"Destination": {
"Bucket": "arn:aws:s3:::bttrm-crr-dest"
},
"DeleteMarkerReplication": {
"Status": "Disabled"
}
}
]
}
}
Now remove ReplicationConfiguration, "Filter": {}, "Priority": 1, DeleteMarkerReplication parameters and add "Prefix": "", so this policy will be like Version 1:
{
"Role": "arn:aws:iam::534***385:role/service-role/s3crr_role_for_bttrm-crr-source_to_bttrm-crr-dest",
"Rules": [
{
"ID": "bttrm-s3-crr-replica",
"Prefix": "",
"Status": "Enabled",
"Destination": {
"Bucket": "arn:aws:s3:::bttrm-crr-dest"
}
}
]
}
The problem is that CRR config version 2 still can’t do DeleteMarkers replication at this moment, the AWS Support reply was:
I did have a look at your blog and the suggestions provided by you seem correct. In fact, this would have been my suggestion as well. The internal team is working on bringing feature of Delete replication in V2 as well but it may take some time for that to happen. It is possible that the way V2 has been implemented in back-end is little different from V1 and using this feature directly may have been causing issues. Unfortunately, I don’t have any ETA on when this would finish. Till then, I’m sure your blog would be able to help AWS Users 🙂
Apply this config:
Upload some new file to the source bucket:
Delete it:
Check the source bucket now:
Great – both files found, both have DeleteMarkers.
And check the destination bucket:
There is still no DeleteMarker for the testfile.txt – it’s OK, as it was deleted before we made changes in the DeleteMarkers behavior.
But for the test.file – DeleteMarker already present, it was replicated from the source, so this file is “deleted” now as well:
No test.file found.
Done.
Similar posts
Also published on Medium.