Problem Statement
I am looking for a supported way to configure S3 bucket replication between multiple AWS accounts using the MDAA data lake modules.
Currently, the S3 data lake modules do not appear to support cross-account replication out of the box for two primary reasons:
Replication permissions are not included in the default bucket policy configuration.
Cross-account IAM role references are not allowed/supported by the current implementation.
Current Workaround
To enable replication, I implemented a temporary workaround by:
Extending the data lake bucket permissions to include replication-related actions.
Referencing the destination account replication role using the unique role ID from the target AWS account.
This approach works, but it feels like a quick-and-dirty solution and may not be the intended pattern.
Relevant Code
MDAA Repository:
https://github.com/aws/modern-data-architecture-accelerator/blob/main/packages/utilities/s3-bucketpolicy-helper/lib/index.ts
Current section:
static readonly READ_WRITE_ACTIONS = [
...RestrictObjectPrefixToRoles.READ_ACTIONS,
's3:PutObject',
's3:PutObjectTagging',
's3:DeleteObject',
*```
's3:Replicate',
's3:ObjectOwnerOverrideToBucketOwner',
];
Questions
- Is there a recommended or supported approach for configuring cross-account S3 replication using MDAA?
- Are there plans to add native support for replication permissions and cross-account replication roles?
- Is there a cleaner implementation pattern that avoids modifying the default bucket policy helper?
Expected Outcome
It would be useful if the framework could natively support:
S3 replication permissions in bucket policy generation.
Cross-account replication IAM role references.
Thank you for any guidance or recommendations.
Problem Statement
I am looking for a supported way to configure S3 bucket replication between multiple AWS accounts using the MDAA data lake modules.
Currently, the S3 data lake modules do not appear to support cross-account replication out of the box for two primary reasons:
Replication permissions are not included in the default bucket policy configuration.
Cross-account IAM role references are not allowed/supported by the current implementation.
Current Workaround
To enable replication, I implemented a temporary workaround by:
Extending the data lake bucket permissions to include replication-related actions.
Referencing the destination account replication role using the unique role ID from the target AWS account.
This approach works, but it feels like a quick-and-dirty solution and may not be the intended pattern.
Relevant Code
MDAA Repository:
https://github.com/aws/modern-data-architecture-accelerator/blob/main/packages/utilities/s3-bucketpolicy-helper/lib/index.ts
Current section:
static readonly READ_WRITE_ACTIONS = [
...RestrictObjectPrefixToRoles.READ_ACTIONS,
's3:PutObject',
's3:PutObjectTagging',
's3:DeleteObject',
*```
's3:Replicate',
's3:ObjectOwnerOverrideToBucketOwner',