
I am not able to setup Cross Region Replication when the objects are server side encrypted. I am using awscli to set it up. This is what I have done.

Cross region replication role IAM policy looks like this:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetReplicationConfiguration",
            "s3:ListBucket"
         ],
         "Resource":[
            "arn:aws:s3:::source-bucket"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetObjectVersion",
            "s3:GetObjectVersionAcl",
            "s3:GetObjectVersionTagging"
         ],
         "Resource":[
            "arn:aws:s3:::source-bucket/*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ReplicateObject",
            "s3:ReplicateDelete",
            "s3:ReplicateTags"
         ],
         "Resource":"arn:aws:s3:::destination-bucket/*"
      }
   ]
}

This is what my replication configuration file looks like:

{
    "Role": "arn:aws:iam::1234567890:role/replication-role",
    "Rules": [
        {
            "ID": "abcd",
            "Prefix": "",
            "Status": "Enabled",
            "SourceSelectionCriteria": {
                "SseKmsEncryptedObjects": {
                    "Status": "Enabled"
                }
            },
            "Destination": {
                "Bucket": "arn:aws:s3:::destinationbucket",
                "EncryptionConfiguration": {
                    "ReplicaKmsKeyID": "arn:aws:kms:us-west-2:1234567890:key/849b779d-bdc3-4190-b285-6006657a578c"
                }
            }
        }
    ]
}

This is what my CLI command looks like:

aws s3api put-bucket-replication --bucket "sourcebucket" --replication-configuration file://./replicationconfigfile.json

When I go to the S3 bucket after running the CLI command, I can see the replication rule being created with KMS-Encrypted Objects set to replicate, but when I click on edit to see the details, it does not have any KMS keys selected.

------Update-------

If I delete the rule created by the CLI and set it up using the console, it selects all the KMS keys in the wizard. So the question is: why is it not selecting KMS keys in the source region when I am using the CLI? What am I missing here?

Asdfg

2 Answers

The KMS list field that is shown in the wizard is missing in the CLI. I have the same issue because I am using KMS to encrypt my origin and my destination bucket, and I can't select the key to decrypt the objects in my origin bucket, as I am using Terraform to create the replication rule.

As you can see here, the only parameter that exists is "Replication criteria" and the value can only be true or false; the list field "Choose one or more keys for decrypting source objects" does not exist in the AWS CLI.

I already sent this issue to them.

What did I do? I replaced my generated KMS key managed by me with the key managed by AWS: I just enabled server-side encryption and chose the AES256 encryption type in both buckets, origin and destination, and it works fine for me.

  • My apologies for bumping this, what was the solution? Were there any fixes to the AWS CLI since then? – Viacheslav Jun 07 '19 at 07:28
  • @Viacheslav, unfortunately, I am not able to check the ticket because I opened it in my previous work's AWS account, to which I don't have access anymore. As far as I remember, AWS Support replied saying they have no idea when this feature will be released. I used the way I described above in the _What did I do?_ section. – cassio.moreto Jul 10 '19 at 14:23

Just in case anyone else runs into this issue, I had a long conversation with AWS support where they confirmed that there is no way to set the key for decrypting source objects programmatically (or in CloudFormation). In my case, I had to set up the configuration with the SDK and then manually set the decryption key in the console. Fairly annoying that they haven't fixed this as of 7/8/2020.

Looking around at a Terraform thread where they discuss this same issue, I believe they get around this by setting the IAM policy for CRR directly, but I'm unsure of exactly how you do that. https://github.com/terraform-providers/terraform-provider-aws/issues/6046#issuecomment-427960842

James Shapiro
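Added example, not code from the question or either answer: the two KMS statements AWS documents for a replication role that copies SSE-KMS objects (kms:Decrypt on the source key(s), kms:Encrypt on the destination key, each scoped with kms:ViaService and the S3 encryption context), plus a small audit check run against the policy from the question. The destination key ARN, bucket names and account id are taken from the question; the source region (us-east-1) and source key id are placeholders.

```python
import json

def kms_statement(action, key_arns, region, bucket):
    """One KMS statement, scoped so the role can use the key only via S3 for this bucket."""
    return {"Effect": "Allow", "Action": [action], "Resource": list(key_arns),
            "Condition": {"StringLike": {
                "kms:ViaService": f"s3.{region}.amazonaws.com",
                "kms:EncryptionContext:aws:s3:arn": [f"arn:aws:s3:::{bucket}/*"]}}}

def kms_replication_statements(source_keys, source_region, source_bucket,
                               dest_key, dest_region, dest_bucket):
    """Decrypt with the source key(s) and encrypt with the destination key."""
    return [kms_statement("kms:Decrypt", source_keys, source_region, source_bucket),
            kms_statement("kms:Encrypt", [dest_key], dest_region, dest_bucket)]

def missing_kms_actions(policy):
    """Audit check: required KMS actions the role policy does not Allow (empty set = OK)."""
    granted = set()
    for s in policy.get("Statement", []):
        if s.get("Effect") == "Allow":
            a = s.get("Action", [])
            granted.update([a] if isinstance(a, str) else a)
    return {"kms:Decrypt", "kms:Encrypt"} - granted

# The role policy from the question, reproduced here as sample input.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::source-bucket"]},
    {"Effect": "Allow", "Action": ["s3:GetObjectVersion", "s3:GetObjectVersionAcl",
                                   "s3:GetObjectVersionTagging"],
     "Resource": ["arn:aws:s3:::source-bucket/*"]},
    {"Effect": "Allow", "Action": ["s3:ReplicateObject", "s3:ReplicateDelete",
                                   "s3:ReplicateTags"],
     "Resource": "arn:aws:s3:::destination-bucket/*"}]}
# Destination key ARN from the question; source region and key id are placeholders.
SOURCE_KEYS = ["arn:aws:kms:us-east-1:1234567890:key/SOURCE-KEY-ID-PLACEHOLDER"]
DEST_KEY = "arn:aws:kms:us-west-2:1234567890:key/849b779d-bdc3-4190-b285-6006657a578c"

def fixed_policy():
    """The question's policy with the KMS statements appended (original left unchanged)."""
    extra = kms_replication_statements(SOURCE_KEYS, "us-east-1", "source-bucket",
                                       DEST_KEY, "us-west-2", "destination-bucket")
    return {**QUESTION_POLICY, "Statement": QUESTION_POLICY["Statement"] + extra}

if __name__ == "__main__":
    print("missing before:", sorted(missing_kms_actions(QUESTION_POLICY)))
    print("missing after: ", sorted(missing_kms_actions(fixed_policy())))
    # Save this output and attach it with: aws iam put-role-policy ... --policy-document file://crr-kms.json
    print(json.dumps(fixed_policy(), indent=2))
```

The check only looks at Action names; it does not replace testing the role with an actual replication of an SSE-KMS object.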