
Answer-first summary for fast verification
Answer: The IAM role and bucket policies must have the `ObjectOwnerOverrideToBucketOwner` permission.
When performing Cross-Region Replication (CRR) across different AWS accounts, the destination bucket owner does not automatically own the replicated objects. To transfer ownership of the replicated objects to the destination bucket owner, you must specify the replica ownership override in the replication configuration and grant the IAM role the `s3:ObjectOwnerOverrideToBucketOwner` permission.
Author: Ritesh Yadav
Question #76
A company is implementing Cross-Region Replication (CRR) for the company's Amazon S3 buckets. The S3 buckets are in the us-east-1 Region. The company uses server-side encryption with Amazon S3 managed keys (SSE-S3) to secure the data in the buckets.
A CloudOps engineer creates a new AWS account to store backups in S3 buckets. All backup buckets are in the us-west-2 Region. The CloudOps engineer enables versioning on the source buckets and the destination buckets. The CloudOps engineer creates an IAM role in the source account for s3.amazonaws.com. The CloudOps engineer grants the IAM role permissions to perform read actions in the source buckets, replicate actions in the destination buckets, and encrypt actions that use the destination bucket's key. The destination bucket policy allows the IAM role to perform replicate and read actions.
After the replication configuration is complete, the CloudOps engineer notices that objects are not replicating. What is the likely reason the objects are not replicating?
A. The IAM role and bucket policies must have the ObjectOwnerOverrideToBucketOwner permission.
B. The objects in the source buckets and destination buckets must be encrypted by multi-Region keys.
C. Gateway VPC endpoints for Amazon S3 must be created in the source accounts and the destination account.
D. The destination buckets must use server-side encryption with AWS KMS keys (SSE-KMS).