Receiving replication failure events with Amazon S3 Event Notifications
If you've enabled S3 Replication metrics on your replication configuration, you can set up Amazon S3 Event Notifications to notify you when objects don't replicate to their destination AWS Region. If you've enabled S3 Replication Time Control (S3 RTC) on your replication configuration, you can also be notified when objects don't replicate within the 15-minute S3 RTC threshold for replication.
By using the following Replication event types, you can monitor the minute-by-minute progress of replication events by tracking bytes pending, operations pending, and replication latency. For more information about S3 Replication metrics, see Using S3 Replication metrics.
- The s3:Replication:OperationFailedReplication event type notifies you when an object that was eligible for replication failed to replicate.
- The s3:Replication:OperationMissedThreshold event type notifies you when an object that was eligible for replication that uses S3 RTC exceeds the 15-minute threshold for replication.
- The s3:Replication:OperationReplicatedAfterThreshold event type notifies you when an object that was eligible for replication that uses S3 RTC replicates after the 15-minute threshold.
- The s3:Replication:OperationNotTracked event type notifies you when an object that was eligible for live replication (either Same-Region Replication [SRR] or Cross-Region Replication [CRR]) is no longer being tracked by replication metrics.
For full descriptions of all the supported replication event types, see Supported event types for SQS, SNS, and Lambda.
For a list of the failure codes captured by S3 Event Notifications, see Amazon S3 replication failure reasons.
You can receive S3 Event Notifications through Amazon Simple Queue Service (Amazon SQS), Amazon Simple Notification Service (Amazon SNS), or AWS Lambda. For more information, see Amazon S3 Event Notifications.
For instructions on how to configure Amazon S3 Event Notifications, see Enabling event notifications.
Note
In addition to enabling event notifications, make sure that you also enable S3 Replication metrics. For more information, see Enabling S3 Replication metrics.
The following is an example of a message that Amazon S3 sends to publish an s3:Replication:OperationFailedReplication event. For more information, see Event message structure.
```json
{
  "Records": [
    {
      "eventVersion": "2.2",
      "eventSource": "aws:s3",
      "awsRegion": "us-east-1",
      "eventTime": "2024-09-05T21:04:32.527Z",
      "eventName": "Replication:OperationFailedReplication",
      "userIdentity": {
        "principalId": "s3.amazonaws.com"
      },
      "requestParameters": {
        "sourceIPAddress": "s3.amazonaws.com"
      },
      "responseElements": {
        "x-amz-request-id": "123bf045-2b4b-4ca8-a211-c34a63c59426",
        "x-amz-id-2": "12VAWNDIHnwJsRhTccqQTeAPoXQmRt22KkewMV8G3XZihAuf9CLDdmkApgZzudaIe2KlLfDqGS0="
      },
      "s3": {
        "s3SchemaVersion": "1.0",
        "configurationId": "ReplicationEventName",
        "bucket": {
          "name": "amzn-s3-demo-bucket1",
          "ownerIdentity": {
            "principalId": "111122223333"
          },
          "arn": "arn:aws:s3:::amzn-s3-demo-bucket1"
        },
        "object": {
          "key": "replication-object-put-test.png",
          "size": 520080,
          "eTag": "e12345ca7e88a38428305d3ff7fcb99f",
          "versionId": "abcdeH0Xp66ep__QDjR76LK7Gc9X4wKO",
          "sequencer": "0066DA1CBF104C0D51"
        }
      },
      "replicationEventData": {
        "replicationRuleId": "notification-test-replication-rule",
        "destinationBucket": "arn:aws:s3:::amzn-s3-demo-bucket2",
        "s3Operation": "OBJECT_PUT",
        "requestTime": "2024-09-05T21:03:59.168Z",
        "failureReason": "AssumeRoleNotPermitted"
      }
    }
  ]
}
```
Amazon S3 replication failure reasons
The following table lists Amazon S3 Replication failure reasons. You can view these reasons by receiving the s3:Replication:OperationFailedReplication event with Amazon S3 Event Notifications and then looking at the failureReason value.
You can also view these failure reasons in an S3 Batch Replication completion report. For more information, see Batch Replication completion report.
Replication failure reason | Description |
---|---|
AssumeRoleNotPermitted | Amazon S3 can't assume the AWS Identity and Access Management (IAM) role that's specified in the replication configuration or in the Batch Operations job. |
DstBucketInvalidRegion | The destination bucket is not in the same AWS Region as specified by the Batch Operations job. This error is specific to Batch Replication. |
DstBucketNotFound | Amazon S3 is unable to find the destination bucket that's specified in the replication configuration. |
DstBucketObjectLockConfigMissing | To replicate objects from a source bucket with Object Lock enabled, the destination bucket must also have Object Lock enabled. This error indicates that Object Lock might not be enabled in the destination bucket. For more information, see Object Lock considerations. |
DstBucketUnversioned | Versioning is not enabled for the S3 destination bucket. To replicate objects with S3 Replication, enable versioning for the destination bucket. |
DstDelObjNotPermitted | Amazon S3 is unable to replicate delete markers to the destination bucket. The s3:ReplicateDelete permission might be missing for the destination bucket. |
DstKmsKeyInvalidState | The AWS Key Management Service (AWS KMS) key for the destination bucket isn't in a valid state. Review and enable the required AWS KMS key. For more information about managing AWS KMS keys, see Key states of AWS KMS keys in the AWS Key Management Service Developer Guide. |
DstKmsKeyNotFound | The AWS KMS key that's configured for the destination bucket in the replication configuration doesn't exist. |
DstMultipartCompleteNotPermitted | Amazon S3 is unable to complete multipart uploads of objects in the destination bucket. The s3:ReplicateObject permission might be missing for the destination bucket. |
DstMultipartInitNotPermitted | Amazon S3 is unable to initiate multipart uploads of objects to the destination bucket. The s3:ReplicateObject permission might be missing for the destination bucket. |
DstMultipartPartUploadNotPermitted | Amazon S3 is unable to upload multipart upload objects to the destination bucket. The s3:ReplicateObject permission might be missing for the destination bucket. |
DstObjectHardDeleted | S3 Batch Replication does not support re-replicating objects deleted with the version ID of the object from the destination bucket. This error is specific to Batch Replication. |
DstPutAclNotPermitted | Amazon S3 is unable to replicate object access control lists (ACLs) to the destination bucket. The s3:ReplicateObject permission might be missing for the destination bucket. |
DstPutLegalHoldNotPermitted | Amazon S3 is unable to put an Object Lock legal hold on the destination objects when it is replicating immutable objects. The s3:PutObjectLegalHold permission might be missing for the destination bucket. For more information, see Legal holds. |
DstPutObjectNotPermitted | Amazon S3 is unable to replicate objects to the destination bucket. The s3:ReplicateObject or s3:ObjectOwnerOverrideToBucketOwner permissions might be missing for the destination bucket. |
DstPutTaggingNotPermitted | Amazon S3 is unable to replicate object tags to the destination bucket. The s3:ReplicateObject permission might be missing for the destination bucket. |
DstVersionNotFound | Amazon S3 is unable to find the required object version in the destination bucket for which metadata needs to be replicated. |
InitiateReplicationNotPermitted | Amazon S3 is unable to initiate replication on objects. The s3:InitiateReplication permission might be missing for the Batch Operations job. This error is specific to Batch Replication. |
SrcBucketInvalidRegion | The source bucket is not in the same AWS Region as specified by the Batch Operations job. This error is specific to Batch Replication. |
SrcBucketNotFound | Amazon S3 is unable to find the source bucket. |
SrcBucketReplicationConfigMissing | Amazon S3 couldn't find a replication configuration for the source bucket. |
SrcGetAclNotPermitted | Amazon S3 is unable to access the object in the source bucket for replication. The The objects in the source bucket must be owned by the bucket owner. If ACLs are enabled, then verify if Object Ownership is set to Bucket owner preferred or Object writer. If Object Ownership is set to Bucket owner preferred, then the source bucket objects must have the |
SrcGetLegalHoldNotPermitted | Amazon S3 is unable to access the S3 Object Lock legal hold information. |
SrcGetObjectNotPermitted | Amazon S3 is unable to access the object in the source bucket for replication. The s3:GetObjectVersionForReplication permission might be missing for the source bucket. |
SrcGetRetentionNotPermitted | Amazon S3 is unable to access the S3 Object Lock retention period information. |
SrcGetTaggingNotPermitted | Amazon S3 is unable to access object tag information from the source bucket. The s3:GetObjectVersionTagging permission might be missing for the source bucket. |
SrcHeadObjectNotPermitted | Amazon S3 is unable to retrieve object metadata from the source bucket. The s3:GetObjectVersionForReplication permission might be missing for the source bucket. |
SrcKeyNotFound | Amazon S3 is unable to find the source object key to replicate. Source object may have been deleted before replication was complete. |
SrcKmsKeyInvalidState | The AWS KMS key for the source bucket isn't in a valid state. Review and enable the required AWS KMS key. For more information about managing AWS KMS keys, see Key states of AWS KMS keys in the AWS Key Management Service Developer Guide. |
SrcObjectNotEligible | Some objects aren't eligible for replication. This may be due to the object's storage class or the object tags don't match the replication configuration. |
SrcObjectNotFound | Source object does not exist. |
SrcReplicationNotPending | Amazon S3 has already replicated this object. This object is no longer pending replication. |
SrcVersionNotFound | Amazon S3 is unable to find the source object version to replicate. Source object version may have been deleted before replication was complete. |
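
An added example, not part of the original AWS page: a Python parser for the s3:Replication:OperationFailedReplication message shown earlier that groups each failureReason from the table above for triage. The category and side labels, the function names, and the trimmed sample message are this example's own assumptions.

```python
import json

FAILED = "Replication:OperationFailedReplication"  # eventName as shown in the message

def classify(reason):
    """Triage bucket for a failureReason; bucket names are this example's own."""
    if reason.endswith("NotPermitted"):
        return "permissions"
    if "KmsKey" in reason:
        return "kms-key"
    if "Bucket" in reason:
        return "bucket-config"
    return "object-state-or-other"

def side(reason):
    """Which end to inspect, from the Src/Dst prefix used in the table."""
    if reason.startswith(("Src", "Dst")):
        return "source" if reason.startswith("Src") else "destination"
    return "role-or-job"  # AssumeRoleNotPermitted, InitiateReplicationNotPermitted

def parse_failures(body):
    """Return one triage dict per failed-replication record in a notification body."""
    findings = []
    for rec in json.loads(body).get("Records", []):  # s3:TestEvent bodies have no Records
        if rec.get("eventName") != FAILED:
            continue
        data = rec.get("replicationEventData", {})
        reason = data.get("failureReason", "")
        findings.append({
            "source_bucket": rec["s3"]["bucket"]["name"],
            "key": rec["s3"]["object"]["key"],
            "rule_id": data.get("replicationRuleId"),
            "destination": data.get("destinationBucket"),
            "reason": reason,
            "category": classify(reason),
            "side": side(reason),
        })
    return findings

# Constructed sample, trimmed from the example message on this page.
SAMPLE = json.dumps({"Records": [{
    "eventName": "Replication:OperationFailedReplication",
    "s3": {"bucket": {"name": "amzn-s3-demo-bucket1"},
           "object": {"key": "replication-object-put-test.png"}},
    "replicationEventData": {
        "replicationRuleId": "notification-test-replication-rule",
        "destinationBucket": "arn:aws:s3:::amzn-s3-demo-bucket2",
        "failureReason": "AssumeRoleNotPermitted"}}]})
print(parse_failures(SAMPLE))
```

The eventName in the example message omits the s3: prefix that the event type name carries, so the filter compares against the shorter form.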
Related topics
Setting up permissions for live replication