S3 bucket cross-region replication disabled
Description
Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets. By default, replication supports copying new S3 objects after it is enabled. It also requires versioning for the buckets involved. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.
Code Example
go
resource "aws_s3_bucket" "east" {
bucket = "tf-test-bucket-east-12345"
}
+ resource "aws_s3_bucket_versioning" "east" {
+ bucket = aws_s3_bucket.east.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+ }
+ resource "aws_s3_bucket" "west" {
+ provider = aws.west
+ bucket = "tf-test-bucket-west-12345"
+ }
+ resource "aws_s3_bucket_versioning" "west" {
+ provider = aws.west
+ bucket = aws_s3_bucket.west.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+ }
+ resource "aws_s3_bucket_replication_configuration" "east_to_west" {
+ depends_on = [aws_s3_bucket_versioning.east]
+ role = aws_iam_role.east_replication.arn
+ bucket = aws_s3_bucket.east.id
+
+ rule {
+ status = "Enabled"
+
+ destination {
+ bucket = aws_s3_bucket.west.arn
+ storage_class = "STANDARD"
+ }
+ }
+ }Remediation
Terraform
- Resource: aws_s3_bucket, aws_s3_bucket_replication_configuration
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0194 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_144 |