
User Guide

Nima edited this page Oct 11, 2016 · 1 revision

S3-replicator user guide

An AWS Lambda function that replicates a main AWS S3 bucket to multiple AWS target S3 buckets.

Configuration:

  1. Main S3 bucket configuration

    1.1. Add a Parameter to get main S3 bucket name

    "BucketName": {
          "Type": "String",
          "Description": "S3 source bucket name (Not ARN)"
    }

    1.2. Add a Parameter to get S3 replicator lambda function ARN

    "S3ReplicatorFunctionName": {
          "Type": "String",
          "Description": "ARN of Lambda function to execute"
    }

    1.3. Add a Parameter to get the target S3 bucket names

    "ReplicatedTargetBuckets": {
          "Type": "String",
          "Description": "Name (Not ARN) of target bucket@region separated by space (e.g. bucket1@ap-southeast-1 bucket2@eu-central-1)"
    }
    • Note: this is a space-separated string, and you need to attach the region name to each bucket name using the '@' character.

    1.4. Add a Lambda notification configuration to the "AWS::S3::Bucket" resource in your CloudFormation template

    "NotificationConfiguration": {
        "LambdaConfigurations": [
            {
                "Event": "s3:ObjectCreated:Put",
                "Function": { "Ref": "S3ReplicatorFunctionName" }
            },
            {
                "Event": "s3:ObjectRemoved:Delete",
                "Function": { "Ref": "S3ReplicatorFunctionName" }
            }
        ]
    }

    1.5. Create an "AWS::Lambda::Permission" resource that allows S3 to invoke your lambda function

    "permissionForS3Replicator": {
        "Type": "AWS::Lambda::Permission",
        "Properties": {
            "FunctionName": { "Ref": "S3ReplicatorFunctionName" },
            "Action": "lambda:InvokeFunction",
            "Principal": "s3.amazonaws.com",
            "SourceArn": { "Fn::Join": ["", ["arn:aws:s3:::", { "Ref": "BucketName" }]] }
        }
    }

    1.6. Define a condition to specify whether the bucket is in 'sandbox' or 'prod'

    "Conditions": {
      "CreateProdEnvironmentTag" : {"Fn::Equals" : [{ "Ref" : "AWS::AccountId" }, "325714046698"]}
    }

    1.7. Attach these `Tags` to your main S3 bucket

    "Tags": [
       {
          "Key": "ReplicatedTargetBuckets",
          "Value": {
              "Ref": "ReplicatedTargetBuckets"
          }
       },
       {
          "Key": "AWSAccount",
          "Value": {
              "Fn::If" : [
                  "CreateProdEnvironmentTag",
                  "prod",
                  "sandbox"
              ]
          }
       }
    ]
  2. Lambda Function Execution role

    2.1. List of permissions the S3 replicator lambda function needs to access the S3 buckets

    "s3:ListBucket",
    "s3:GetBucketTagging",
    "s3:GetObject",
    "s3:GetObjectAcl",
    "s3:GetObjectVersion",
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion"
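
The following Python is an added example, not code from the s3-replicator project. It shows how the `bucket@region` tag format from step 1.3 can be parsed strictly (a malformed entry fails instead of silently dropping a target), how the two event types subscribed in step 1.4 map to a copy or delete on every target, and how the permissions listed in section 2 can be scoped to the source and target bucket ARNs instead of `*`. The function names, the sample event and the `main-bucket` name are this example's own assumptions.

```python
"""
Added example (not part of the s3-replicator project): parses the
ReplicatedTargetBuckets tag format from step 1.3, maps the S3 event types
wired up in step 1.4 to per-target copy/delete actions, and builds a
least-privilege execution policy from the actions listed in section 2.
Function names such as parse_targets and plan_replication are this
example's own, not the project's.
"""
import json
import re
from typing import Dict, List, Tuple

# Bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
# Region identifiers look like ap-southeast-1 / eu-central-1 / us-east-1.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")

# Permissions from section 2, split by the resource type they apply to.
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketTagging"]
OBJECT_ACTIONS = [
    "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion",
    "s3:PutObject", "s3:PutObjectAcl",
    "s3:DeleteObject", "s3:DeleteObjectVersion",
]


def parse_targets(tag_value: str) -> List[Tuple[str, str]]:
    """Parse 'bucket1@ap-southeast-1 bucket2@eu-central-1' into (bucket, region) pairs.

    A malformed entry raises ValueError rather than being skipped, so a typo
    in the tag fails loudly instead of replicating to fewer buckets.
    """
    targets = []
    for entry in tag_value.split():
        bucket, sep, region = entry.partition("@")
        if not sep or not bucket or not region:
            raise ValueError(f"expected bucket@region, got {entry!r}")
        if not BUCKET_RE.match(bucket):
            raise ValueError(f"invalid bucket name {bucket!r}")
        if not REGION_RE.match(region):
            raise ValueError(f"invalid region {region!r}")
        targets.append((bucket, region))
    if not targets:
        raise ValueError("ReplicatedTargetBuckets tag is empty")
    return targets


def plan_replication(event: Dict, tag_value: str) -> List[Dict]:
    """Map one S3 notification event to the action needed on every target.

    Only the two event types subscribed in step 1.4 are handled; any other
    event name is ignored rather than guessed at.
    """
    actions = []
    for record in event["Records"]:
        name = record["eventName"]
        source = record["s3"]["bucket"]["name"]
        key = record["s3"]["object"]["key"]
        for bucket, region in parse_targets(tag_value):
            if name == "ObjectCreated:Put":
                actions.append({"op": "copy", "source": source, "key": key,
                                "target": bucket, "region": region})
            elif name == "ObjectRemoved:Delete":
                actions.append({"op": "delete", "key": key,
                                "target": bucket, "region": region})
    return actions


def build_execution_policy(source_bucket: str, tag_value: str) -> Dict:
    """Scope the section-2 permissions to the source and target buckets only."""
    buckets = [source_bucket] + [b for b, _ in parse_targets(tag_value)]
    bucket_arns = [f"arn:aws:s3:::{b}" for b in buckets]
    object_arns = [f"{arn}/*" for arn in bucket_arns]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": bucket_arns},
            {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": object_arns},
        ],
    }


if __name__ == "__main__":
    # Constructed sample: the tag value from the guide and a minimal S3 event record.
    tag = "bucket1@ap-southeast-1 bucket2@eu-central-1"
    event = {"Records": [{"eventName": "ObjectCreated:Put",
                          "s3": {"bucket": {"name": "main-bucket"},
                                 "object": {"key": "reports/q3.csv"}}}]}
    for action in plan_replication(event, tag):
        print(action)
    print(json.dumps(build_execution_policy("main-bucket", tag), indent=2))
```

Splitting the policy into a bucket-level and an object-level statement matters because `s3:ListBucket` and `s3:GetBucketTagging` only apply to the bucket ARN, while the object actions only apply to `arn:aws:s3:::bucket/*`; a single statement with both on one resource list grants nothing useful for half of the actions.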