This chapter covers Amazon S3 Cross-Region Replication (CRR) and Same-Region Replication (SRR), two powerful features that automatically replicate objects across S3 buckets. Understanding replication is critical for the SAA-C03 exam, particularly under the Resilient Architectures domain (Objective 2.4), as it directly impacts data durability, disaster recovery, and compliance. Approximately 5-8% of exam questions touch on S3 replication, often in scenario-based questions testing your ability to choose between CRR, SRR, and other replication methods like Multi-Region Access Points or S3 Batch Replication.
Jump to a section
Imagine a library system where every book must exist in two branches: a main branch (source) and a backup branch (destination). The library uses a dedicated courier service to copy each book exactly. For Cross-Region Replication, the branches are in different cities (e.g., New York and London). For Same-Region Replication, they are in the same city but different buildings. The courier works asynchronously: when a new book is added to the main branch, the librarian stamps it with a unique ID (version ID), records the event in a log (S3 Event Notification), and places a copy request in a queue. The courier picks up the request, travels to the destination branch, and places an exact copy of the book on the shelf, preserving the ID. If the book is updated, the courier replaces the old copy with the new one, but only if the new version ID is later. The librarian also checks permissions: only books that the courier is allowed to copy (based on IAM roles) are replicated. If the destination branch already has a book with the same ID but a different content (e.g., due to a prior replication), the courier overwrites it. However, if the destination branch has a newer version (e.g., via a separate update), the courier skips the copy to avoid overwriting newer data. This asynchronous process means there is a delay (typically 15 minutes to several hours) before the backup is consistent. The library also offers a 'replication time control' feature to guarantee a 15-minute RPO for critical books by paying extra for dedicated couriers.
What is S3 Replication?
S3 Replication is an automatic, asynchronous feature that copies objects from a source bucket to a destination bucket. The destination can be in the same AWS Region (Same-Region Replication, SRR) or a different AWS Region (Cross-Region Replication, CRR). Replication is configured at the bucket level using replication rules, which specify the source bucket, destination bucket, IAM role, and optional filters (e.g., prefix, tags). Once enabled, any object upload, delete, or metadata change that meets the rule criteria is replicated to the destination bucket.
Why It Exists
Replication addresses several key requirements: - Disaster Recovery (DR): CRR provides geographic redundancy, ensuring data survives a region-wide outage. - Compliance: SRR can maintain copies in the same region for regulatory requirements like data sovereignty. - Latency Reduction: CRR places data closer to users in different geographies. - Data Aggregation: SRR consolidates data from multiple buckets into a single bucket for analytics. - Security: Replicating to a different account can isolate data for access control.
How It Works Internally
When an object is uploaded to the source bucket, S3 triggers the replication process:
Object Upload: The client uploads an object using PutObject or multipart upload. The source bucket assigns a version ID (if versioning is enabled) and stores the object.
Event Notification: S3 generates a replication event for the object. This event is placed into an internal queue specific to the replication rule.
IAM Role Assumption: The replication process assumes the IAM role specified in the replication rule. This role must have permissions to read from the source bucket and write to the destination bucket.
Replication Execution: S3's replication service reads the object from the source, including its metadata and tags, and writes it to the destination bucket. The destination object receives the same version ID as the source (if versioning is enabled on both buckets). The replication is asynchronous, meaning there is no guarantee of immediate consistency. Typical replication times range from minutes to hours, depending on object size and regional latency.
Metadata and Tags: All user-defined metadata, S3 object tags, and system metadata (except for some like ETag and storage class) are replicated. The last-modified timestamp is preserved.
Storage Class: By default, the destination object retains the same storage class as the source. However, you can configure the replication rule to change the storage class (e.g., replicate to S3 Standard-IA or S3 Glacier Instant Retrieval) to reduce costs.
Key Components, Values, Defaults, and Timers
Versioning: Both source and destination buckets must have versioning enabled. Without versioning, replication cannot track object versions and will fail.
IAM Role: Required for replication. The role must have a trust policy allowing S3 to assume it and permissions for s3:GetObject, s3:GetObjectVersion, s3:GetObjectTagging, s3:GetObjectVersionTagging, s3:ListBucket, and s3:PutObject (with versioning).
Replication Time Control (RTC): An optional feature that provides a predictable 15-minute Service Level Agreement (SLA) for replication of most objects. RTC is available for CRR only and incurs additional costs.
Delete Marker Replication: By default, delete markers are not replicated. You must enable a specific option in the replication rule to replicate delete markers. However, permanently deleted object versions are never replicated.
Replication Metrics: CloudWatch metrics like ReplicationLatency and BytesPendingReplication help monitor replication health.
Replication Status: Objects replicated successfully have the ReplicationStatus metadata set to COMPLETED. If replication fails, the status is FAILED.
Batch Replication: For replicating existing objects, use S3 Batch Replication. This is a separate feature that creates a batch job to replicate objects that existed before the replication rule was enabled.
Configuration and Verification Commands
Replication is configured via the AWS Management Console, AWS CLI, or SDKs. Here is an example CLI command to set up replication:
aws s3api put-bucket-replication \
--bucket source-bucket \
--replication-configuration file://replication.jsonExample replication.json:
{
"Role": "arn:aws:iam::123456789012:role/s3-replication-role",
"Rules": [
{
"Status": "Enabled",
"Priority": 1,
"Filter": {
"Prefix": ""
},
"Destination": {
"Bucket": "arn:aws:s3:::destination-bucket",
"StorageClass": "STANDARD_IA"
},
"DeleteMarkerReplication": {
"Status": "Disabled"
}
}
]
}To verify replication status:
aws s3api head-object --bucket source-bucket --key myobject.txtLook for the ReplicationStatus field in the output.
How It Interacts with Related Technologies
S3 Event Notifications: Replication can be combined with S3 Event Notifications to trigger Lambda functions or SQS/SNS upon replication events. However, note that replication itself generates events (e.g., s3:ObjectCreated:Put) on the destination bucket, which can cause infinite loops if not handled carefully.
S3 Object Lock: Replication respects Object Lock settings. If the source object has a legal hold or retention period, the destination object will also have the same settings, provided the destination bucket has Object Lock enabled.
S3 Lifecycle Policies: Lifecycle policies on the destination bucket can further manage replicated objects (e.g., transition to Glacier after 30 days). However, lifecycle actions on the source bucket do not affect the destination.
Multi-Region Access Points (MRAPs): MRAPs provide a global endpoint that routes requests to multiple buckets across regions. They are not a replication feature; they rely on replication to keep buckets in sync. MRAPs can be used in conjunction with CRR to provide active-active access.
S3 Batch Operations: Batch Replication is a type of batch operation that replicates existing objects. It is useful for backfilling replication after initial setup.
Important Exam Considerations
Asynchronous Nature: Replication is not synchronous. There is no SLA for replication completion without RTC. Exam questions often test that replication is eventual consistent.
Versioning Required: Both source and destination must have versioning enabled. A common trap is that only source needs versioning; in reality, both do.
Delete Marker Replication: By default, delete markers are not replicated. If you delete an object in the source, a delete marker is created, but it is not replicated unless explicitly enabled. This can lead to data inconsistency.
Replication of Existing Objects: Replication only applies to objects created after the rule is enabled. To replicate existing objects, use S3 Batch Replication.
Cross-Account Replication: Replication can be set up across accounts. The destination bucket must have a bucket policy granting the source account's IAM role permissions to write.
Replication and Encryption: Objects encrypted with SSE-S3 or SSE-KMS can be replicated. For SSE-KMS, you must specify the KMS key to use for encryption on the destination side. SSE-C (customer-provided keys) is not supported for replication.
Replication Time Control (RTC): Available only for CRR. It provides a 15-minute SLA for 99.99% of objects. RTC is not available for SRR.
Replication Metrics: You can monitor replication using CloudWatch metrics and S3 Inventory reports.
Step-by-Step Configuration
Enable Versioning on both source and destination buckets.
Create an IAM Role that S3 can assume, with permissions to read from source and write to destination.
Create a Replication Rule in the source bucket's management tab. Specify the destination bucket, IAM role, and optional filters.
Configure Additional Options: Choose whether to replicate delete markers, change storage class, or enable RTC.
Save the Rule: Replication begins for new objects. Existing objects are not replicated unless you use Batch Replication.
Monitor: Use CloudWatch metrics and S3 replication logs to verify.
Enable Versioning on Buckets
Replication requires versioning on both source and destination buckets. Without versioning, S3 cannot track object versions, and replication will fail. Versioning also allows you to recover from accidental deletions or overwrites. In the AWS Console, go to the bucket's Properties tab and enable 'Versioning'. Note that versioning cannot be disabled once enabled; you can only suspend it. For replication, both buckets must have versioning enabled (not suspended). This is a common misconfiguration that causes replication to silently fail.
Create IAM Replication Role
The IAM role grants S3 permission to read objects from the source bucket and write them to the destination bucket. The role must have a trust policy that allows S3 to assume it. The required permissions include `s3:GetObject`, `s3:GetObjectVersion`, `s3:GetObjectTagging`, `s3:GetObjectVersionTagging`, `s3:ListBucket`, and `s3:PutObject` (with versioning). For cross-account replication, the destination bucket must also have a bucket policy allowing the source account's role to write. The role is specified in the replication rule. If you use SSE-KMS, additional KMS permissions are needed.
Configure Replication Rule
In the source bucket's Management tab, create a replication rule. You must specify the destination bucket (by ARN), the IAM role, and optionally a filter (prefix or tags) to select which objects to replicate. You can also set the storage class for the destination objects. Important options: enable 'Delete marker replication' if you want delete markers to be replicated (default is disabled). For CRR, you can enable 'Replication Time Control' for a 15-minute SLA. You can also choose to replicate objects encrypted with SSE-KMS by specifying the destination KMS key. The rule can be enabled or disabled; only enabled rules replicate.
Verify Replication Status
After configuring replication, upload a test object to the source bucket. Use the AWS CLI or console to check the object's metadata. The `ReplicationStatus` field should show `COMPLETED` once replication succeeds. You can also check the destination bucket for the object. For monitoring, use CloudWatch metrics like `ReplicationLatency` and `BytesPendingReplication`. If replication fails, check the source bucket's replication logs (if enabled) or the destination bucket's access logs. Common failures include incorrect IAM permissions, versioning not enabled, or destination bucket in a different region without proper permissions.
Replicate Existing Objects (Optional)
Replication rules only apply to objects created after the rule is enabled. To replicate existing objects, use S3 Batch Replication. This creates a batch job that copies objects from the source to the destination. The job can be filtered by prefix or tags. Batch Replication is a one-time operation; ongoing replication is handled by the rule. Note that Batch Replication does not replicate delete markers or object versions; it only copies current versions. For full backfill, consider using S3 Sync or AWS DataSync.
Enterprise Scenario 1: Global Media Distribution
A media company produces video content in the US (us-east-1) and needs to distribute it to users in Europe and Asia. They use CRR to replicate content to buckets in eu-west-1 and ap-southeast-1. This reduces latency for end users and provides disaster recovery. The source bucket stores original high-resolution files (S3 Standard), while destination buckets use S3 Standard-IA to save costs since content is accessed less frequently after initial distribution. They enable Replication Time Control (RTC) for critical content to ensure a 15-minute RPO. A common mistake is forgetting to enable RTC, leading to hours of replication delay during peak upload times. They also set up S3 Event Notifications on the destination buckets to trigger Lambda functions that transcode videos for local formats. Monitoring is done via CloudWatch dashboards showing replication latency and pending bytes. When misconfigured (e.g., missing IAM permissions), replication silently fails, and the company may serve stale content to users.
Enterprise Scenario 2: Compliance Data Aggregation
A financial institution must maintain copies of all transaction records within the same region for regulatory compliance. They use SRR to replicate from multiple application buckets (e.g., 'transactions-prod', 'transactions-archive') to a central 'compliance-audit' bucket. The central bucket has Object Lock enabled to prevent modification or deletion for a retention period of 7 years. SRR ensures that all records are automatically copied without application changes. They configure replication rules with filters based on prefixes (e.g., 'year=2024/') to replicate only relevant data. A challenge is that delete markers are not replicated by default; if an application deletes an object, the compliance bucket still retains the original, which is desired. However, they must ensure that the IAM role has permissions to write to the destination bucket, which is in a different AWS account. They use a bucket policy on the destination to allow cross-account writes. A common issue is that the destination bucket's Object Lock retention period conflicts with the source's lifecycle policy, causing replication failures. They resolve this by ensuring the destination bucket's default retention mode is 'COMPLIANCE' and that the source bucket does not have a lifecycle rule that expires objects before the retention period.
Scenario 3: Disaster Recovery with Cross-Region Replication
A SaaS company runs its primary infrastructure in us-west-2 and wants DR in us-east-2. They use CRR to replicate all bucket data, including user uploads and configuration files. They enable delete marker replication to ensure that deletions are also mirrored. They use S3 Batch Replication to backfill existing data. They monitor replication using S3 replication metrics and set up alarms for high latency. A critical consideration is that replication is asynchronous; during a disaster, some data may not yet be replicated. They mitigate this by also using S3 Versioning to recover from accidental deletions. They test DR by periodically failing over to the secondary region using Route53 and bucket policies. A common exam trap is assuming replication provides synchronous data protection; it does not. The company also uses S3 Object Lock on the destination bucket to prevent ransomware from encrypting replicated data.
SAA-C03 Exam Focus on S3 Replication
The SAA-C03 exam tests S3 replication under Objective 2.4: 'Design resilient architectures' and specifically 'Implement S3 replication (CRR and SRR)'. Questions typically present a scenario with requirements for data durability, disaster recovery, latency, or compliance, and ask you to choose the appropriate replication strategy.
Most Common Wrong Answers and Why
'Use CRR for compliance within the same region' – Wrong. CRR is for cross-region. For same-region compliance, use SRR. Candidates often confuse the two because they remember 'CRR' but forget the 'Cross' part.
'Replication is synchronous' – Wrong. Replication is asynchronous. Candidates may assume it is synchronous because they think of it as a mirroring feature. The exam tests this with scenarios requiring immediate consistency; the answer is to use S3 Sync or Multi-Region Access Points with CRR, but even then, replication is eventual.
'Delete markers are replicated by default' – Wrong. They are not. Candidates often think that because versioning is enabled, all operations are replicated. The exam may present a scenario where an object is deleted and the candidate expects it to be deleted in the destination, but it is not unless delete marker replication is explicitly enabled.
'Replication works without versioning' – Wrong. Both buckets must have versioning enabled. Candidates may think only the source needs versioning, but the destination also must have it to accept versioned objects.
Specific Numbers and Terms to Remember
15 minutes: RTC provides a 15-minute SLA for CRR.
99.99%: RTC guarantees replication of 99.99% of objects within 15 minutes.
Replication Time Control (RTC): Only for CRR, not SRR.
Batch Replication: For existing objects only.
Delete marker replication: Disabled by default; must be explicitly enabled.
Storage class: Can be changed at the destination via replication rule.
SSE-S3 and SSE-KMS: Supported for replication; SSE-C is not.
IAM role: Required; must have specific permissions.
Edge Cases and Exceptions
Replication of multipart uploads: Replication works for multipart uploads, but the replication process may take longer due to the number of parts.
Replication and S3 Event Notifications: Replication generates events on the destination bucket. If you have a Lambda function that writes back to the source, you can create an infinite loop. The exam may test your ability to avoid this by using separate prefixes or disabling event triggers on replicated objects.
Replication across accounts: The destination bucket must have a bucket policy allowing the source account to write. The IAM role must be in the source account.
Replication with Object Lock: The destination bucket must have Object Lock enabled to replicate objects with retention settings. If the destination does not have Object Lock, replication will fail for objects with legal hold or retention.
Replication of large objects: Objects up to 5 TB can be replicated. For objects larger than 5 TB, use S3 Transfer Acceleration or multipart upload.
How to Eliminate Wrong Answers
Identify whether the requirement is for same-region or cross-region. If same-region, eliminate CRR and MRAP (which is cross-region).
Check if the scenario mentions 'immediate consistency' or 'real-time'. If so, replication is not the answer; use S3 Sync or a custom solution.
Look for keywords like 'compliance', 'data sovereignty', 'latency reduction', or 'disaster recovery' to guide your choice.
If the question involves deleting objects and expecting the destination to also delete, ensure delete marker replication is mentioned. If not, the answer likely involves enabling it.
Watch for 'existing objects' – if the scenario requires replicating data that already exists, you need Batch Replication, not just a replication rule.
Both source and destination buckets must have versioning enabled for replication to work.
Replication is asynchronous; there is no immediate consistency guarantee without RTC.
Delete markers are NOT replicated by default; you must explicitly enable delete marker replication.
Replication rules only apply to objects created after the rule is enabled; use S3 Batch Replication for existing objects.
CRR supports Replication Time Control (RTC) for a 15-minute SLA; SRR does not.
Objects encrypted with SSE-C cannot be replicated; SSE-S3 and SSE-KMS are supported.
Replication across accounts requires a bucket policy on the destination bucket allowing the source account's IAM role to write.
Replication can change the storage class of the destination object (e.g., from S3 Standard to S3 Glacier).
These come up on the exam all the time. Here's how to tell them apart.
Cross-Region Replication (CRR)
Replicates objects across different AWS Regions (e.g., us-east-1 to eu-west-1).
Used for disaster recovery (DR) across regions, global latency reduction, and cross-region compliance.
Supports Replication Time Control (RTC) for a 15-minute SLA.
Higher latency due to cross-region data transfer; incurs data transfer costs.
Requires both buckets to be in different regions; destination bucket cannot be in the same region as source.
Same-Region Replication (SRR)
Replicates objects within the same AWS Region (e.g., us-east-1 to us-east-1).
Used for data aggregation, compliance within a region, and protecting against bucket-level failures.
Does NOT support Replication Time Control (RTC).
Lower latency since data stays within the region; no data transfer costs between regions.
Both buckets must be in the same region; destination bucket can be in the same region as source.
Mistake
Replication is synchronous and provides immediate consistency.
Correct
S3 Replication is asynchronous. There is no SLA for replication completion unless you enable Replication Time Control (RTC), which provides a 15-minute SLA for CRR only. Objects are not immediately available in the destination bucket after upload to the source.
Mistake
Delete markers are automatically replicated by default.
Correct
Delete markers are not replicated by default. You must explicitly enable 'Delete marker replication' in the replication rule. If you delete an object in the source, the delete marker is created but not copied to the destination unless you enable this option.
Mistake
Only the source bucket needs versioning enabled.
Correct
Both the source and destination buckets must have versioning enabled. Without versioning on the destination, S3 cannot store multiple versions of the same object, and replication will fail.
Mistake
CRR and SRR can replicate existing objects automatically.
Correct
Replication rules only apply to objects created after the rule is enabled. To replicate existing objects, you must use S3 Batch Replication or another tool like AWS DataSync.
Mistake
Replication works with SSE-C (customer-provided encryption keys).
Correct
S3 Replication does not support objects encrypted with SSE-C. It supports SSE-S3 and SSE-KMS. For SSE-KMS, you must specify the destination KMS key in the replication rule.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
CRR (Cross-Region Replication) copies objects to a bucket in a different AWS Region, while SRR (Same-Region Replication) copies objects to a bucket in the same region. CRR is used for disaster recovery across regions, global latency reduction, and cross-region compliance. SRR is used for data aggregation, compliance within a region, and protecting against bucket-level failures. CRR supports Replication Time Control (RTC) for a 15-minute SLA; SRR does not. CRR incurs data transfer costs between regions; SRR does not.
No, replication rules only apply to objects created after the rule is enabled. To replicate existing objects, you must use S3 Batch Replication, which is a batch operation that copies existing objects from the source to the destination. You can also use AWS DataSync or S3 Sync for one-time transfers.
By default, delete markers are not replicated. You can enable 'Delete marker replication' in the replication rule. However, permanently deleted object versions (via DELETE with version ID) are never replicated. If you enable delete marker replication, a delete marker created in the source will be replicated to the destination, effectively deleting the object in the destination as well.
If you delete a specific version (permanent delete), that deletion is not replicated. Only delete markers (soft deletes) can be replicated if the option is enabled. Permanent deletes are not replicated to prevent data loss in the destination.
Yes, cross-account replication is supported. The source account's IAM replication role must have permissions to write to the destination bucket, and the destination bucket must have a bucket policy granting the source account's role access. The destination bucket can be in a different account, but both buckets must have versioning enabled.
Yes, but the destination bucket must have Object Lock enabled. If the source object has a legal hold or retention period, the destination object will have the same settings. If the destination bucket does not have Object Lock, replication will fail for objects with retention settings.
RTC is an optional feature for CRR that provides a predictable 15-minute SLA for replicating 99.99% of objects. It ensures that most objects are replicated within 15 minutes. RTC is not available for SRR. It incurs additional costs and is useful for applications requiring a defined RPO.
You've just covered S3 Cross-Region and Same-Region Replication — now see how well it sticks with free SAA-C03 practice questions. Full explanations included, no account needed.
Done with this chapter?