# Setting up replication
**Note**
Objects that existed in your bucket before you set up a replication rule aren't replicated automatically. In other words, Amazon S3 on Outposts doesn't replicate objects retroactively. To replicate objects that were created before your replication configuration, you can use the `CopyObject` API operation to copy them to the same bucket. After the objects are copied, they appear as "new" objects in the bucket and the replication configuration will apply to them. For more information about copying an object, see [Copying an object in an Amazon S3 on Outposts bucket using the AWS SDK for Java](S3OutpostsCopyObject.md) and [https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html) in the *Amazon Simple Storage Service API Reference*.
To enable S3 Replication on Outposts, add a replication rule to your source Outposts bucket. The replication rule tells S3 on Outposts to replicate objects as specified. In the replication rule, you must provide the following:
+ **The source Outposts bucket access point** – The access point Amazon Resource Name (ARN) or access point alias of the bucket from which you want S3 on Outposts to replicate the objects. For more information about using access point aliases, see [Using a bucket-style alias for your S3 on Outposts bucket access point](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-outposts-access-points-alias.html).
+ **The objects that you want to replicate** – You can replicate all of the objects in the source Outposts bucket or a subset. You identify a subset by providing a [key name prefix](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#keyprefix), one or more object tags, or both in the configuration.
For example, if you configure a replication rule to replicate only objects with the key name prefix `Tax/`, S3 on Outposts replicates objects with keys such as `Tax/doc1` or `Tax/doc2`. But it doesn't replicate objects with the key `Legal/doc3`. If you specify both a prefix and one or more tags, S3 on Outposts replicates only objects that have the specific key prefix and tags.
+ **The destination Outposts bucket** – The ARN or access point alias of the bucket to which you want S3 on Outposts to replicate the objects.
You can configure the replication rule by using the REST API, AWS SDKs, AWS Command Line Interface (AWS CLI), or Amazon S3 console.
S3 on Outposts also provides API operations to support setting up replication rules. For more information, see the following topics in the *Amazon Simple Storage Service API Reference*:
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_PutBucketReplication.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_PutBucketReplication.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetBucketReplication.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetBucketReplication.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeleteBucketReplication.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeleteBucketReplication.html)
**Topics**
+ [Prerequisites for creating replication rules](outposts-replication-prerequisites-config.md)
+ [Creating replication rules on Outposts](replication-between-outposts.md)
# Prerequisites for creating replication rules
**Topics**
+ [Connecting your source and destination Outpost subnets](#outposts-rep-preone)
+ [Creating an IAM role](#outposts-rep-pretwo)
## Connecting your source and destination Outpost subnets
To have your replication traffic go from your source Outpost to your destination Outpost over your local gateway, you must add a new route to set up networking. You must connect the Classless Inter-Domain Routing (CIDR) networking ranges of your access points together. For each pair of access points, you need to set up this connection only once.
Some steps to set up the connection are different, depending on the access type of your Outposts endpoints that are associated with your access points. The access type for endpoints is either **Private** (direct virtual private cloud [VPC] routing for AWS Outposts) or **Customer owned IP** (a customer-owned IP address pool [CoIP pool] within your on-premises network).
### Step 1: Find the CIDR range of your source Outposts endpoint
**To find the CIDR range of your source endpoint that's associated with your source access point**
1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).
1. In the left navigation pane, choose **Outposts buckets**.
1. In the **Outposts buckets** list, choose the source bucket that you want for replication.
1. Choose the **Outposts access points** tab, and choose the Outposts access point for the source bucket for your replication rule.
1. Choose the Outposts endpoint.
1. Copy the subnet ID for use in [Step 5](#outposts-pre-step5).
1. The method that you use to find the CIDR range of the source Outposts endpoint depends on the access type of your endpoint.
In the **Outposts endpoint overview** section, see the **Access Type**.
+ If the access type is **Private**, copy the **Classless inter-domain routing (CIDR)** value to use in [Step 6](#outposts-pre-step6).
+ If the access type is **Customer Owned IP**, do the following:
1. Copy the **Customer owned IPv4 pool** value to use as the ID of the address pool later on.
1. Open the AWS Outposts console at [https://console.aws.amazon.com/outposts/](https://console.aws.amazon.com/outposts/home).
1. In the navigation pane, choose **Local gateway route tables**.
1. Choose the **Local gateway route table ID** value of your source Outpost.
1. In the details pane, choose the **CoIP pools** tab. Paste the value of your CoIP pool ID that you copied previously in the search box.
1. For the matched CoIP pool, copy the corresponding **CIDRs** value of your source Outposts endpoint for use in [Step 6](#outposts-pre-step6).
### Step 2: Find the subnet ID and the CIDR range of your destination Outposts endpoint
To find the subnet ID and the CIDR range of your destination endpoint that's associated with your destination access point, follow the same substeps in [Step 1](#outposts-pre-step1) and change your source Outposts endpoint to your destination Outposts endpoint when you apply those substeps. Copy the subnet ID value of your destination Outposts endpoint for use in [Step 6](#outposts-pre-step6). Copy the CIDR value of your destination Outposts endpoint for use in [Step 5](#outposts-pre-step5).
### Step 3: Find the local gateway ID of your source Outpost
**To find the local gateway ID of your source Outpost**
1. Open the AWS Outposts console at [https://console.aws.amazon.com/outposts/](https://console.aws.amazon.com/outposts/home).
1. In the left navigation pane, choose **Local gateways**.
1. On the **Local gateways** page, find the Outpost ID of your source Outpost that you want to use for replication.
1. Copy the local gateway ID value of your source Outpost for use in [Step 5](#outposts-pre-step5).
For more information about local gateway, see [Local gateway](https://docs.aws.amazon.com/outposts/latest/userguide/outposts-local-gateways.html) in the *AWS Outposts User Guide*.
### Step 4: Find the local gateway ID of your destination Outpost
To find the local gateway ID of your destination Outpost, follow the same substeps in [Step 3](#outposts-pre-step3), except look for the Outpost ID for your destination Outpost. Copy the local gateway ID value of your destination Outpost for use in [Step 6](#outposts-pre-step6).
### Step 5: Set up the connection from your source Outpost subnet to your destination Outpost subnet
**To connect from your source Outpost subnet to your destination Outpost subnet**
1. Sign in to the AWS Management Console and open the VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).
1. In the left navigation pane, choose **Subnets**.
1. In the search box, enter the subnet ID for your source Outposts endpoint that you found in [Step 1](#outposts-pre-step1). Choose the subnet with the matched subnet ID.
1. For the matched subnet item, choose the **Route table** value of this subnet.
1. On the page with a selected route table, choose **Actions**, and then choose **Edit routes**.
1. On the **Edit routes** page, choose **Add route**.
1. Under **Destination**, enter the CIDR range of your destination Outposts endpoint that you found in [Step 2](#outposts-pre-step2).
1. Under **Target**, choose **Outpost Local Gateway**, and enter the local gateway ID of your source Outpost that you found in [Step 3](#outposts-pre-step3).
1. Choose **Save changes**.
1. Make sure the **Status** for the route is **Active**.
### Step 6: Set up the connection from your destination Outpost subnet to your source Outpost subnet
1. Sign in to the AWS Management Console and open the VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).
1. In the left navigation pane, choose **Subnets**.
1. In the search box, enter the subnet ID for your destination Outposts endpoint that you found in [Step 2](#outposts-pre-step2). Choose the subnet with the matched subnet ID.
1. For the matched subnet item, choose the **Route table** value of this subnet.
1. On the page with a selected route table, choose **Actions**, and then choose **Edit routes**.
1. On the **Edit routes** page, choose **Add route**.
1. Under **Destination**, enter the CIDR range of your source Outposts endpoint that you found in [Step 1](#outposts-pre-step1).
1. Under **Target**, choose **Outpost Local Gateway**, and enter the local gateway ID of your destination Outpost that you found in [Step 4](#outposts-pre-step4).
1. Choose **Save changes**.
1. Make sure the **Status** for the route is **Active**.
After you connect the CIDR networking ranges of your source and destination access points, you must create an AWS Identity and Access Management (IAM) role.
## Creating an IAM role
By default, all S3 on Outposts resources—buckets, objects, and related subresources—are private, and only the resource owner can access the resource. S3 on Outposts needs permissions to read and replicate objects from the source Outposts bucket. You grant these permissions by creating an IAM *service role* and specifying that role in your replication configuration.
This section explains the trust policy and minimum required permissions policy. The example walkthroughs provide step-by-step instructions to create an IAM role. For more information, see [Creating replication rules on Outposts](replication-between-outposts.md). For more information about IAM roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *IAM User Guide*.
+ The following example shows a *trust policy*, where you identify S3 on Outposts as the service principal that can assume the role.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"s3-outposts.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
```
------
+ The following example shows an *access policy*, where you grant the role permissions to perform replication tasks on your behalf. When S3 on Outposts assumes the role, it has the permissions that you specify in this policy. To use this policy, replace the `user input placeholders` with your own information. Make sure to replace them with the Outpost IDs of your source and destination Outposts and the bucket names and access point names of your source and destination Outposts buckets.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3-outposts:GetObjectVersionForReplication",
"s3-outposts:GetObjectVersionTagging"
],
"Resource": [
"arn:aws:s3-outposts:us-east-1:123456789012:outpost/SOURCE-OUTPOST-ID/bucket/SOURCE-OUTPOSTS-BUCKET/object/*",
"arn:aws:s3-outposts:us-east-1:123456789012:outpost/SOURCE-OUTPOST-ID/accesspoint/SOURCE-OUTPOSTS-BUCKET-ACCESS-POINT/object/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3-outposts:ReplicateObject",
"s3-outposts:ReplicateDelete"
],
"Resource": [
"arn:aws:s3-outposts:us-east-1:123456789012:outpost/DESTINATION-OUTPOST-ID/bucket/DESTINATION-OUTPOSTS-BUCKET/object/*",
"arn:aws:s3-outposts:us-east-1:123456789012:outpost/DESTINATION-OUTPOST-ID/accesspoint/DESTINATION-OUTPOSTS-BUCKET-ACCESS-POINT/object/*"
]
}
]
}
```
------
The access policy grants permissions for the following actions:
+ `s3-outposts:GetObjectVersionForReplication` – Permission for this action is granted on all objects to allow S3 on Outposts to get a specific object version that's associated with each object.
+ `s3-outposts:GetObjectVersionTagging` – Permission for this action on objects in the *`SOURCE-OUTPOSTS-BUCKET`* bucket (the source bucket) allows S3 on Outposts to read object tags for replication. For more information, see [Adding tags for S3 on Outposts buckets](S3OutpostsBucketTags.md). If S3 on Outposts doesn't have this permission, it replicates the objects, but not the object tags.
+ `s3-outposts:ReplicateObject` and `s3-outposts:ReplicateDelete` – Permissions for these actions on all objects in the *`DESTINATION-OUTPOSTS-BUCKET`* bucket (the destination bucket) allow S3 on Outposts to replicate objects or delete markers to the destination Outposts bucket. For information about delete markers, see [How delete operations affect replication](S3OutpostsReplication.md#outposts-replication-delete-op).
**Note**
Permission for the `s3-outposts:ReplicateObject` action on the *`DESTINATION-OUTPOSTS-BUCKET`* bucket (the destination bucket) also allows replication of object tags. Therefore, you don't need to explicitly grant permission for the `s3-outposts:ReplicateTags` action.
For cross-account replication, the owner of the destination Outposts bucket must update its bucket policy to grant permission for the `s3-outposts:ReplicateObject` action on the*`DESTINATION-OUTPOSTS-BUCKET`*. The `s3-outposts:ReplicateObject` action allows S3 on Outposts to replicate objects and object tags to the destination Outposts bucket.
For a list of S3 on Outposts actions, see [Actions defined by S3 on Outposts](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3onoutposts.html#amazons3onoutposts-actions-as-permissions).
**Important**
The AWS account that owns the IAM role must have permissions for the actions that it grants to the IAM role.
For example, suppose that the source Outposts bucket contains objects owned by another AWS account. The owner of the objects must explicitly grant the AWS account that owns the IAM role the required permissions through the bucket policy and the access point policy. Otherwise, S3 on Outposts can't access the objects, and replication of the objects fails.
The permissions described here are related to the minimum replication configuration. If you choose to add optional replication configurations, you must grant additional permissions to S3 on Outposts.
### Granting permissions when the source and destination Outposts buckets are owned by different AWS accounts
When the source and destination Outposts buckets aren't owned by the same accounts, the owner of the destination Outposts bucket must update the bucket and access point policies for the destination bucket. These policies must grant the owner of the source Outposts bucket and the IAM service role permissions to perform replication actions, as shown in the following policy examples, or replication will fail. In these policy examples, *`DESTINATION-OUTPOSTS-BUCKET`* is the destination bucket. To use these policy examples, replace the `user input placeholders` with your own information.
If you're creating the IAM service role manually, set the role path as `role/service-role/`, as shown in the following policy examples. For more information, see [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) in the *IAM User Guide*.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "PolicyForDestinationBucket",
"Statement": [
{
"Sid": "Permissions on objects",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/service-role/source-account-IAM-role"
},
"Action": [
"s3-outposts:ReplicateDelete",
"s3-outposts:ReplicateObject"
],
"Resource": [
"arn:aws:s3-outposts:us-east-1:444455556666:outpost/DESTINATION-OUTPOST-ID/bucket/DESTINATION-OUTPOSTS-BUCKET/object/*"
]
}
]
}
```
------
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "PolicyForDestinationAccessPoint",
"Statement": [
{
"Sid": "Permissions on objects",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/service-role/source-account-IAM-role"
},
"Action": [
"s3-outposts:ReplicateDelete",
"s3-outposts:ReplicateObject"
],
"Resource": [
"arn:aws:s3-outposts:us-east-1:111122223333:outpost/DESTINATION-OUTPOST-ID/accesspoint/DESTINATION-OUTPOSTS-BUCKET-ACCESS-POINT/object/*"
]
}
]
}
```
------
**Note**
If objects in the source Outposts bucket are tagged, note the following:
If the source Outposts bucket owner grants S3 on Outposts permission for the `s3-outposts:GetObjectVersionTagging` and `s3-outposts:ReplicateTags` actions to replicate object tags (through the IAM role), Amazon S3 replicates the tags along with the objects. For information about the IAM role, see [Creating an IAM role](#outposts-rep-pretwo).
# Creating replication rules on Outposts
S3 Replication on Outposts is the automatic, asynchronous replication of objects across buckets in the same or different AWS Outposts. Replication copies newly created objects and object updates from a source Outposts bucket to a destination Outposts bucket or buckets. For more information, see [Replicating objects for S3 on Outposts](S3OutpostsReplication.md).
**Note**
Objects that existed in the source Outposts bucket before you set up replication rules aren't replicated. In other words, S3 on Outposts doesn't replicate objects retroactively. To replicate objects that were created before your replication configuration, you can use the `CopyObject` API operation to copy them to the same bucket. After the objects are copied, they appear as "new" objects in the bucket and the replication configuration will apply to them. For more information about copying an object, see [Copying an object in an Amazon S3 on Outposts bucket using the AWS SDK for Java](S3OutpostsCopyObject.md) and [https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html) in the *Amazon Simple Storage Service API Reference*.
When you configure replication, you add replication rules to the source Outposts bucket. Replication rules define which source Outposts bucket objects to replicate and the destination Outposts bucket or buckets where the replicated objects will be stored. You can create a rule to replicate all the objects in a bucket or a subset of objects with a specific key name prefix, one or more object tags, or both. A destination Outposts bucket can be in the same Outpost as the source Outposts bucket, or it can be in a different Outpost.
For S3 on Outposts replication rules, you must provide both the source Outposts bucket's access point Amazon Resource Name (ARN) and the destination Outposts bucket's access point ARN instead of the source and destination Outposts bucket names.
If you specify an object version ID to delete, S3 on Outposts deletes that object version in the source Outposts bucket. But it doesn't replicate the deletion to the destination Outposts bucket. In other words, it doesn't delete the same object version from the destination Outposts bucket. This behavior protects data from malicious deletions.
When you add a replication rule to an Outposts bucket, the rule is enabled by default, so the rule starts working as soon as you save it.
In this example, you set up replication for source and destination Outposts buckets that are on different Outposts and are owned by the same AWS account. Examples are provided for using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), and the AWS SDK for Java and AWS SDK for .NET. For information about cross-account S3 Replication on Outposts permissions, see [Granting permissions when the source and destination Outposts buckets are owned by different AWS accounts](outposts-replication-prerequisites-config.md#outposts-rep-prethree).
For prerequisites to set up S3 on Outposts replication rules, see [Prerequisites for creating replication rules](outposts-replication-prerequisites-config.md).
## Using the S3 console
Follow these steps to configure a replication rule when the destination Amazon S3 on Outposts bucket is in a different Outpost from the source Outposts bucket.
If the destination Outposts bucket is in a different account from the source Outposts bucket, you must add a bucket policy to the destination Outposts bucket to grant the owner of the source Outposts bucket account permission to replicate objects in the destination Outposts bucket.
**To create a replication rule**
1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).
1. In the **Outposts Buckets** list, choose the name of the bucket that you want to use as the source bucket.
1. Choose the **Management** tab, scroll down to the **Replication rules** section, and then choose **Create replication rule**.
1. For **Replication rule name**, enter a name for your rule to help identify the rule later. The name is required and must be unique within the bucket.
1. Under **Status**, **Enabled** is chosen by default. An enabled rule starts to work as soon as you save it. If you want to enable the rule later, choose **Disabled**.
1. Under **Priority**, the rule's priority value determines which rule to apply if there are overlapping rules. When objects are included in the scope of more than one replication rule, S3 on Outposts uses these priority values to avoid conflicts. By default, new rules are added to the replication configuration at the highest priority. The higher the number, the higher the priority.
To change the priority for the rule, after you save the rule, choose the rule name from the replication rule list, choose **Actions**, and then choose **Edit priority**.
1. Under **Source bucket**, you have the following options for setting the replication source:
+ To replicate the whole bucket, choose **Apply to *all *objects in the bucket**.
+ To apply prefix or tag filtering to the replication source, choose **Limit the scope of this rule by using one or more filters**. You can combine a prefix and tags.
+ To replicate all objects that have the same prefix, under **Prefix**, enter a prefix in the box. Using the **Prefix** filter limits replication to all objects that have names that begin with the same string (for example, `pictures`).
If you enter a prefix that is the name of a folder, you must use a **/** (forward slash) as the last character (for example, `pictures/`).
+ To replicate all objects that have one or more of the same object tags, choose **Add tag**, and then enter the key-value pair in the boxes. To add another tag, repeat the procedure. For more information about object tags, see [Adding tags for S3 on Outposts buckets](S3OutpostsBucketTags.md).
1. To access your S3 on Outposts source bucket for replication, under **Source access point name**, choose an access point that is attached to the source bucket.
1. Under **Destination**, choose the access point ARN of the destination Outposts bucket where you want S3 on Outposts to replicate objects. The destination Outposts bucket can be in the same or a different AWS account as the source Outposts bucket.
If the destination bucket is in a different account from the source Outposts bucket, you must add a bucket policy to the destination Outposts bucket to grant the owner of the source Outposts bucket account permission to replicate objects to the destination Outposts bucket. For more information, see [Granting permissions when the source and destination Outposts buckets are owned by different AWS accounts](outposts-replication-prerequisites-config.md#outposts-rep-prethree).
**Note**
If versioning is not enabled on the destination Outposts bucket, you get a warning that contains an **Enable versioning** button. Choose this button to enable versioning on the bucket.
1. Set up an AWS Identity and Access Management (IAM) service role that S3 on Outposts can assume to replicate objects on your behalf.
To set up an IAM role, under **IAM role**, do one of the following:
+ To have S3 on Outposts create a new IAM role for your replication configuration, choose **Choose from existing IAM roles**, and then choose **Create new role**. When you save the rule, a new policy is generated for the IAM role that matches the source and destination Outposts buckets that you choose. We recommend that you choose **Create new role**.
+ You can also choose to use an existing IAM role. If you do, you must choose a role that grants S3 on Outposts the necessary permissions for replication. If this role doesn't grant S3 on Outposts sufficient permissions to follow your replication rule, replication fails.
To choose an existing role, choose **Choose from existing IAM roles**, and then choose the role from the dropdown menu. You can also choose **Enter an IAM role ARN** and then enter the IAM role's Amazon Resource Name (ARN).
**Important**
When you add a replication rule to an S3 on Outposts bucket, you must have the `iam:CreateRole` and `iam:PassRole` permissions to be able to create and pass the IAM role that grants S3 on Outposts replication permissions. For more information, see [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) in the *IAM User Guide*.
1. All objects in Outposts buckets are encrypted by default. For more information about S3 on Outposts encryption, see [Data encryption in S3 on Outposts](s3-outposts-data-encryption.md). Only objects that are encrypted by using server-side encryption with Amazon S3 managed keys (SSE-S3) can be replicated. The replication of objects that are encrypted by using server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) or server-side encryption with customer-provided encryption keys (SSE-C) is not supported.
1. As needed, enable the following additional options while setting the replication rule configuration:
+ If you want to enable S3 on Outposts replication metrics in your replication configuration, select **Replication metrics**. For more information, see [Monitoring progress with replication metrics](manage-outposts-replication.md#outposts-enabling-replication-metrics).
+ If you want to enable delete marker replication in your replication configuration, select **Delete marker replication**. For more information, see [How delete operations affect replication](S3OutpostsReplication.md#outposts-replication-delete-op).
+ If you want to replicate metadata changes made to the replicas back to the source objects, select **Replica modification sync**. For more information, see [Replication status if Amazon S3 replica modification sync on Outposts is enabled](manage-outposts-replication.md#outposts-replication-status-sync).
1. To finish, choose **Create rule**.
After you save your rule, you can edit, enable, disable, or delete your rule. To do so, go to the **Management** tab for the source Outposts bucket, scroll down to the **Replication rules** section, choose your rule, and then choose **Edit rule**.
## Using the AWS CLI
To use the AWS CLI to set up replication when the source and destination Outposts buckets are owned by the same AWS account, you do the following:
+ Create source and destination Outposts buckets.
+ Enable versioning on both of the buckets.
+ Create an IAM role that gives S3 on Outposts permission to replicate objects.
+ Add the replication configuration to the source Outposts bucket.
To verify your setup, you test it.
**To set up replication when the source and destination Outposts buckets are owned by the same AWS account**
1. Set a credentials profile for the AWS CLI. In this example, we use the profile name `acctA`. For information about setting credential profiles, see [Named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html) in the *AWS Command Line Interface User Guide*.
**Important**
The profile that you use for this exercise must have the necessary permissions. For example, in the replication configuration, you specify the IAM service role that S3 on Outposts can assume. You can do this only if the profile that you use has the `iam:CreateRole` and `iam:PassRole` permissions. For more information, see [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) in the *IAM User Guide*. If you use administrator credentials to create a named profile, the named profile will have the necessary permission to perform all the tasks.
1. Create a source bucket and enable versioning on it. The following `create-bucket` command creates a `SOURCE-OUTPOSTS-BUCKET` bucket in the US East (N. Virginia) (`us-east-1`) Region. To use this command, replace the `user input placeholders` with your own information.
```
aws s3control create-bucket --bucket SOURCE-OUTPOSTS-BUCKET --outpost-id SOURCE-OUTPOST-ID --profile acctA --region us-east-1
```
The following `put-bucket-versioning` command enables versioning on the `SOURCE-OUTPOSTS-BUCKET` bucket. To use this command, replace the `user input placeholders` with your own information.
```
aws s3control put-bucket-versioning --account-id 123456789012 --bucket arn:aws:s3-outposts:region:123456789012:outpost/SOURCE-OUTPOST-ID/bucket/SOURCE-OUTPOSTS-BUCKET --versioning-configuration Status=Enabled --profile acctA
```
1. Create a destination bucket and enable versioning on it. The following `create-bucket` command creates a `DESTINATION-OUTPOSTS-BUCKET` bucket in the US West (Oregon) (`us-west-2`) Region. To use this command, replace the `user input placeholders` with your own information.
**Note**
To set up a replication configuration when both the source and destination Outposts buckets are in the same AWS account, you use the same named profile. This example uses `acctA`. To test the replication configuration when the buckets are owned by different AWS accounts, you specify different profiles for each bucket.
```
aws s3control create-bucket --bucket DESTINATION-OUTPOSTS-BUCKET --create-bucket-configuration LocationConstraint=us-west-2 --outpost-id DESTINATION-OUTPOST-ID --profile acctA --region us-west-2
```
The following `put-bucket-versioning` command enables versioning on the `DESTINATION-OUTPOSTS-BUCKET` bucket. To use this command, replace the `user input placeholders` with your own information.
```
aws s3control put-bucket-versioning --account-id 123456789012 --bucket arn:aws:s3-outposts:region:123456789012:outpost/DESTINATION-OUTPOST-ID/bucket/DESTINATION-OUTPOSTS-BUCKET --versioning-configuration Status=Enabled --profile acctA
```
1. Create an IAM service role. Later in the replication configuration, you add this service role to the `SOURCE-OUTPOSTS-BUCKET` bucket. S3 on Outposts assumes this role to replicate objects on your behalf. You create an IAM role in two steps:
1. Create an IAM role.
1. Copy the following trust policy and save it to a file named `s3-on-outposts-role-trust-policy.json` in the current directory on your local computer. This policy grants S3 on Outposts service principal permissions to assume the service role.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"s3-outposts.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
```
------
1. Run the following command to create the role. Replace the `user input placeholders` with your own information.
```
aws iam create-role --role-name replicationRole --assume-role-policy-document file://s3-on-outposts-role-trust-policy.json --profile acctA
```
1. Attach a permissions policy to the service role.
1. Copy the following permissions policy and save it to a file named `s3-on-outposts-role-permissions-policy.json` in the current directory on your local computer. This policy grants permissions for various S3 on Outposts bucket and object actions. To use this policy, replace the `user input placeholders` with your own information.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3-outposts:GetObjectVersionForReplication",
"s3-outposts:GetObjectVersionTagging"
],
"Resource": [
"arn:aws:s3-outposts:us-east-1:123456789012:outpost/SOURCE-OUTPOST-ID/bucket/SOURCE-OUTPOSTS-BUCKET/object/*",
"arn:aws:s3-outposts:us-east-1:123456789012:outpost/SOURCE-OUTPOST-ID/accesspoint/SOURCE-OUTPOSTS-BUCKET-ACCESS-POINT/object/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3-outposts:ReplicateObject",
"s3-outposts:ReplicateDelete"
],
"Resource": [
"arn:aws:s3-outposts:us-east-1:123456789012:outpost/DESTINATION-OUTPOST-ID/bucket/DESTINATION-OUTPOSTS-BUCKET/object/*",
"arn:aws:s3-outposts:us-east-1:123456789012:outpost/DESTINATION-OUTPOST-ID/accesspoint/DESTINATION-OUTPOSTS-BUCKET-ACCESS-POINT/object/*"
]
}
]
}
```
------
1. Run the following command to create a policy and attach it to the role. Replace the `user input placeholders` with your own information.
```
aws iam put-role-policy --role-name replicationRole --policy-document file://s3-on-outposts-role-permissions-policy.json --policy-name replicationRolePolicy --profile acctA
```
1. Add a replication configuration to the `SOURCE-OUTPOSTS-BUCKET` bucket.
1. Although the S3 on Outposts API requires a replication configuration in XML format, the AWS CLI requires that you specify the replication configuration in JSON format. Save the following JSON in a file called `replication.json` to the local directory on your computer. To use this configuration, replace the `user input placeholders` with your own information.
```
{
"Role": "IAM-role-ARN",
"Rules": [
{
"Status": "Enabled",
"Priority": 1,
"DeleteMarkerReplication": { "Status": "Disabled" },
"Filter" : { "Prefix": "Tax"},
"Destination": {
"Bucket":
"arn:aws:s3-outposts:region:123456789012:outpost/DESTINATION-OUTPOST-ID/accesspoint/DESTINATION-OUTPOSTS-BUCKET-ACCESS-POINT"
}
}
]
}
```
1. Run the following `put-bucket-replication` command to add the replication configuration to your source Outposts bucket. To use this command, replace the `user input placeholders` with your own information.
```
aws s3control put-bucket-replication --account-id 123456789012 --bucket arn:aws:s3-outposts:region:123456789012:outpost/SOURCE-OUTPOST-ID/bucket/SOURCE-OUTPOSTS-BUCKET --replication-configuration file://replication.json --profile acctA
```
1. To retrieve the replication configuration, use the `get-bucket-replication` command. To use this command, replace the `user input placeholders` with your own information.
```
aws s3control get-bucket-replication --account-id 123456789012 --bucket arn:aws:s3-outposts:region:123456789012:outpost/SOURCE-OUTPOST-ID/bucket/SOURCE-OUTPOSTS-BUCKET --profile acctA
```
1. Test the setup in the Amazon S3 console:
1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).
1. In the `SOURCE-OUTPOSTS-BUCKET` bucket, create a folder named `Tax`.
1. Add sample objects to the `Tax` folder in the `SOURCE-OUTPOSTS-BUCKET` bucket.
1. In the `DESTINATION-OUTPOSTS-BUCKET` bucket, verify the following:
+ S3 on Outposts replicated the objects.
**Note**
The amount of time that it takes for S3 on Outposts to replicate an object depends on the size of the object. For information about how to see the status of replication, see [Getting replication status information](manage-outposts-replication.md#outposts-replication-status).
+ On the object's **Properties** tab, the **Replication status** is set to **Replica** (identifying this as a replica object).