Ensure S3 bucket has cross-region replication enabled

Error: S3 bucket cross-region replication disabled

Bridgecrew Policy ID: BC_AWS_GENERAL_72
Checkov Check ID: CKV_AWS_144
Severity: LOW

S3 bucket cross-region replication disabled

Description

Cross-region replication automatically and asynchronously copies objects from a source S3 bucket to a bucket in another AWS region, giving you an independent copy of the data for disaster recovery. By default it replicates only objects written after it is enabled, and both the source and destination buckets must have versioning turned on. Existing objects can also be replicated to a different bucket, but doing so requires contacting AWS Support.

Fix - Buildtime

Terraform

  • Resource: aws_s3_bucket, aws_s3_bucket_replication_configuration
resource "aws_s3_bucket" "east" {
  bucket = "tf-test-bucket-east-12345"
}

+ # Replication requires versioning on the source bucket.
+ resource "aws_s3_bucket_versioning" "east" {
+   bucket = aws_s3_bucket.east.id
+   versioning_configuration {
+     status = "Enabled"
+   }
+ }

+ # Destination bucket in a second region, created through the aws.west provider alias.
+ resource "aws_s3_bucket" "west" {
+   provider = aws.west
+   bucket   = "tf-test-bucket-west-12345"
+ }

+ # Replication requires versioning on the destination bucket as well.
+ resource "aws_s3_bucket_versioning" "west" {
+   provider = aws.west
+   bucket   = aws_s3_bucket.west.id
+   versioning_configuration {
+     status = "Enabled"
+   }
+ }

+ # aws_iam_role.east_replication must be defined elsewhere and allow the
+ # s3.amazonaws.com service principal to assume it.
+ resource "aws_s3_bucket_replication_configuration" "east_to_west" {
+   # Versioning must be enabled before the replication rule can be created.
+   depends_on = [aws_s3_bucket_versioning.east]
+   role   = aws_iam_role.east_replication.arn
+   bucket = aws_s3_bucket.east.id
+
+   rule {
+     status = "Enabled"
+
+     destination {
+       bucket        = aws_s3_bucket.west.arn
+       storage_class = "STANDARD"
+     }
+   }
+ }