S3 Replication - s3:PutReplicationConfiguration
I have been attempting to introduce S3 bucket replication into my existing project's stack. I kept getting an 'API: s3:PutBucketReplication Access Denied' error in CloudFormation when updating my stack through my CodeBuild/CodePipeline project after adding the Replication rule on the source bucket + S3 replication role. For testing, I've added full S3 permission ( s3:* ) to the CodeBuild Role for all resources ( "*" ), as well as full S3 permissions on the S3 replication role -- again I got the same result.
Additionally, I tried running a stand-alone, stripped down version of the CF template (so not updating my existing application infrastructure stack) - which creates the buckets (source + target) and the S3 replication role. It was deployed/run through CloudFormation while logged in with my Admin role via the console and again I got the same error as when attempting the deployment with my CodeBuild role in CodePipeline.
As a last ditch sanity check, again being logged in using my admin role for the account, I attempted to perform the replication setup manually on buckets that I created using the S3 console and I got the below error:
You don't have permission to update the replication configuration You or your AWS admin must update your IAM permissions to allow s3:PutReplicationConfiguration, and then try again. Learn more about Identity and access management in Amazon S3 API response Access Denied
I confirmed that my role has full S3 access across all resources. This message seems to suggest to me that the permission s3:PutReplicationConfiguration may be different then other S3 permissions somehow - needing to be configured with root access to the account or something?
Also, it seems strange to me that CloudFormation indicates the s3:PutBucketReplication permission, where as the S3 console error references the permission s3:PutReplicationConfiguration. There doesn't seem to be an IAM action for s3:PutBucketReplication (ref: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html) only s3:PutReplicationConfiguration.
It turns out that the required permission s3:PutReplicationConfiguration was actually being blocked by a preventive ControlTower Guard Rail that was put in place on the OU the AWS account exists in. Unfortunately, this DENY is not visible as a user from anywhere within the AWS account itself - as it exists outside of any Permission Boundary or IAM Policy. This required some investigation from our internal IT team to identify the source of the DENY from the Guard Rail Control.
Reference: https://docs.aws.amazon.com/controltower/latest/userguide/elective-guardrails.html#disallow-s3-ccr
- AWS s3 V3 Javascript SDK stream file from bucket (GetObjectCommand)
- Generate S3 URL in "path-style" format
- How to authenticate large numbers of amazon S3 get requests
- AWS SDK file upload to S3 via Node/Express using stream PassThrough - file is always corrupt
- How to specify a prefix when uploading to S3 using activestorage's direct upload?
- How to perform AWS S3 Multipart Copy with golang
- Amazon Web Services : Setting S3 policy to allow putObject and getObject but deny listBucket
- Amazon S3 error- A conflicting conditional operation is currently in progress against this resource.
- Can I switch to Amazon S3 later in Rails 7 after using local storage?
- How to upgrade AWS CLI to the latest version?
- getting "The bucket does not allow ACLs" Error
- Dynamically build a zip archive on AWS S3 using the Java SDK?
- OPA eval command
- What is the difference between AWS Glue ETL Job and AWS EMR?
- PostgreSQL `aws_s3` Extension: SSL Certificate Verification Failed with Self-Signed Certificate
- How can I use boto to stream a file out of Amazon S3 to Rackspace Cloudfiles?
- Downloading App update OTA from Amazon Aws s3 iOS
- Issue uploading files to S3 from Django in Docker
- pyspark overwrite silently failed to remove stale parquet files
- How to apply BucketPolicy (LifecycleConfiguration) to an existing bucket using CloudFormation template?
- Amazon S3 console: download multiple files at once
- Image from S3 bucket does not display on server
- Missing required field Principal - Amazon S3 - Bucket Policy
- Laravel + AWS S3: cURL error 60
- How to read remote video on Amazon S3 using ffmpeg
- Terragrunt string interpolation on generate block
- What to do when getting 'software.amazon.awssdk.services.s3 does not exist' error in Maven project?
- Large Multipart.File uploads directly to AWS S3
- How to allow AWS Athena access to cloudfront standard logs in s3 bucket?
- AWS Prefix Hierarchy vs Request Rate Limit: Does request to A/B/C count against A/B and A/?