AWS Certified Security - Specialty Exam: Resolving S3 Cross-Region Replication Issue

Resolve S3 Cross-Region Replication Issue

Question

A company compliance policy mandates that all production account data must be stored across multiple geographically distant locations.

In order to meet this requirement, they configured Amazon S3 Cross-Region Replication on their production account buckets.

However, they find that S3 objects are not being replicated.

What needs to be implemented to resolve this issue (SELECT TWO)?

Answers

Explanations


A. B. C. D. E.

Answer: B and C.

Option A is incorrect because server-side encryption with SSE-KMS is not a requirement.

The replication requirements can be found in https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html#replication-requirements.

Option B is CORRECT because the source bucket owner must have permission to replicate objects on the destination S3 bucket for replication to succeed.

Option C is CORRECT because the source bucket owner must have access permissions to the objects being replicated for replication to succeed. It is possible that IAM users other than the S3 bucket owner have permission to put objects in the source bucket.

In that scenario, the object owner must grant access permissions on the objects to the bucket owner.
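The permission check behind option B can be audited mechanically. The following is an added example (not from the original question bank or from AWS): it takes a destination bucket policy in the shape the replication documentation describes and reports which replication actions the source account's replication role is still missing on the destination objects. The account id, role ARN and bucket names are constructed placeholders.

```python
import fnmatch

# Object-level actions the replication role needs on the destination bucket
# (per the S3 replication requirements; add s3:ReplicateTags when replicating
# tags and s3:ObjectOwnerOverrideToBucketOwner when using owner override).
REQUIRED_OBJECT_ACTIONS = {"s3:ReplicateObject", "s3:ReplicateDelete"}

# Constructed sample destination bucket policy; the account id, role and bucket
# names are placeholders, not real identifiers.
ROLE_ARN = "arn:aws:iam::111122223333:role/service-role/s3-replication-role"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ObjectPerms", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["s3:ReplicateObject", "s3:ReplicateDelete"],
         "Resource": "arn:aws:s3:::example-destination-bucket/*"},
        {"Sid": "BucketPerms", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["s3:List*", "s3:GetBucketVersioning", "s3:PutBucketVersioning"],
         "Resource": "arn:aws:s3:::example-destination-bucket"},
    ],
}

def _as_list(value):
    """Policy fields may be a string, a list, or absent; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _principal_allows(principal, role_arn):
    """True if the statement's Principal names role_arn or is a wildcard."""
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return role_arn in aws or "*" in aws

def missing_replication_permissions(policy, role_arn, dest_bucket):
    """Return the required object-level actions that `policy` does not grant
    to role_arn on arn:aws:s3:::<dest_bucket>/*; an empty set means option B holds."""
    object_arn = f"arn:aws:s3:::{dest_bucket}/*"
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_allows(stmt.get("Principal"), role_arn):
            continue
        # Resource entries may use wildcards, e.g. "arn:aws:s3:::bucket/*" or "*"
        if not any(fnmatch.fnmatchcase(object_arn, r) for r in _as_list(stmt.get("Resource"))):
            continue
        for pattern in _as_list(stmt.get("Action")):  # "s3:Replicate*" and "s3:*" also count
            granted.update(a for a in REQUIRED_OBJECT_ACTIONS
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return REQUIRED_OBJECT_ACTIONS - granted
```

A bucket-level `Resource` (no `/*`) does not cover objects, which is the usual reason a policy that looks complete still leaves replication stuck in FAILED. Explicit `Deny` statements are not evaluated here, so a clean result is necessary but not sufficient.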

Option D is incorrect because S3 Lifecycle policies allow you to automatically review objects within your S3 Buckets and have them moved to Glacier or have the objects deleted from S3, but they are not responsible for data replication in S3.

Option E is incorrect because the Amazon S3 event notification feature enables you to receive notifications when certain events happen in your bucket.

This does not provide a solution to cross-region replication.

Reference:

https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-troubleshoot.html

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-8

To meet the compliance policy requirement of storing production account data across multiple geographically distant locations, the company has configured Amazon S3 Cross-Region Replication on their production account buckets. However, they find that S3 objects are not being replicated. To resolve this issue, the following two steps need to be implemented:

  1. Bucket policy on the destination bucket must allow the source bucket owner to replicate objects: When S3 objects are replicated from a source bucket to a destination bucket, the destination bucket must have a bucket policy that allows the source bucket owner to replicate objects. By default, only the bucket owner can access and modify the bucket policy. Hence, the destination bucket policy must be modified to include the ARN (Amazon Resource Name) of the source bucket and grant the required permissions to the source bucket owner. Therefore, option B is correct.

  2. S3 buckets must enable server-side encryption with SSE-KMS: S3 objects can be replicated across regions only if they are encrypted using SSE-S3 or SSE-KMS. Therefore, the production account buckets must enable server-side encryption with SSE-KMS, which allows encryption keys to be managed centrally using AWS Key Management Service (KMS). This ensures that the replicated objects are encrypted with the same keys as the source objects. Therefore, option A is correct.

Hence, options A and B are the correct answers to resolve the issue of S3 objects not being replicated. The other options, C, D, and E, are not relevant to this issue.