S3 CloudWatch Metrics and Replication

Learn about S3 CloudWatch Metrics, CRR, and SRR.

S3 CloudWatch Metrics

You can use the AWS Management Console to enable the generation of 1-minute CloudWatch request metrics for your S3 bucket or configure filters for the metrics using a prefix or object tag. Alternatively, you can call the S3 PUT Bucket Metrics API to enable and configure the publication of S3 storage metrics.

CloudWatch Request Metrics will be available in CloudWatch within 15 minutes after they are enabled. They are enabled by default for all buckets and reported once per day.

The S3 metrics that can be monitored include:

  • S3 requests
  • Bucket storage
  • Bucket size
  • All requests
  • HTTP 4XX/5XX errors

Cross Region Replication (CRR)

CRR is an Amazon S3 feature that automatically replicates data across AWS Regions. With CRR, every object uploaded to an S3 bucket is automatically replicated to a destination bucket in a different AWS Region that you choose. It provides automatic, asynchronous copying of objects between buckets in different regions.

CRR is configured at the S3 bucket level. You enable a CRR configuration on your source bucket by specifying a destination bucket in a different Region for replication. You can use the AWS Management Console, the REST API, the AWS CLI, or the AWS SDKs to enable CRR.

  • Versioning must be enabled for both the source and destination buckets.
  • Replication is 1:1 (one source bucket to one destination bucket).
  • AWS S3 will encrypt data-in-transit with SSL.
  • You can configure separate S3 Lifecycle rules on the source and destination buckets.
  • You can replicate KMS-encrypted objects by providing a destination KMS key in your replication configuration.
  • You can set up CRR across AWS accounts to store your replicated data in a different account in the target region.
  • It provides low latency access for data by copying objects to buckets that are closer to users.

With CRR, you can only replicate between regions and not within a region (see SRR below for single region replication).

To activate CRR, you need to configure the replication on the source bucket.

  • Define the bucket in the other region to replicate into.
  • Specify if all objects or a subset of objects with specific key name prefixes are to be replicated.

The replicas will be exact replicas and will share the same key names and metadata. You can specify a different storage class (by default, the source storage class will be used).

Permissions

  • AWS S3 must have permission to replicate objects.
  • Bucket owners must have permission to read the object and object ACL.
  • CRR can be used across accounts but the source bucket owner must have permission to replicate objects into the destination bucket.
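The requirements above (versioning on both buckets, a destination in a different Region, a role S3 can use, and a destination KMS key for KMS-encrypted objects) can be checked before replication is relied on. The following is an added example, not code from the original page: it runs offline on dictionaries shaped like the boto3 `get_bucket_versioning` and `get_bucket_replication` responses, and the function name `check_crr`, the bucket names, account ID, and role are constructed for illustration.

```python
# Pre-flight check of a CRR setup against the requirements listed on this page.
# Inputs mirror boto3 get_bucket_versioning / get_bucket_replication responses.
# check_crr and all bucket, account and role values are constructed samples.

def check_crr(src, dst, replication):
    """Return a list of findings; an empty list means the prerequisites hold."""
    findings = []
    # Versioning must be enabled on both the source and destination buckets.
    for label, bucket in (("source", src), ("destination", dst)):
        if bucket["versioning"].get("Status") != "Enabled":
            findings.append(f"{label} bucket {bucket['name']}: versioning not enabled")
    # CRR only replicates between Regions; same-Region replication is SRR.
    if src["region"] == dst["region"]:
        findings.append("source and destination are in the same Region (SRR, not CRR)")
    # S3 needs permission to replicate: the configuration must name an IAM role.
    if not replication.get("Role"):
        findings.append("no IAM role configured for S3 to replicate objects")
    if not replication.get("Rules"):
        findings.append("no replication rules defined")
    dst_arn = f"arn:aws:s3:::{dst['name']}"
    for rule in replication.get("Rules", []):
        rid = rule.get("ID", "<unnamed>")
        if rule.get("Status") != "Enabled":
            findings.append(f"rule {rid}: disabled")
        dest = rule.get("Destination", {})
        if dest.get("Bucket") != dst_arn:
            findings.append(f"rule {rid}: destination is {dest.get('Bucket')}, expected {dst_arn}")
        # KMS-encrypted objects replicate only when a destination KMS key is supplied.
        sse = rule.get("SourceSelectionCriteria", {}).get("SseKmsEncryptedObjects", {})
        key = dest.get("EncryptionConfiguration", {}).get("ReplicaKmsKeyID")
        if sse.get("Status") == "Enabled" and not key:
            findings.append(f"rule {rid}: SSE-KMS objects selected but no destination KMS key")
    return findings

# Constructed sample: destination never had versioning enabled (no Status key returned).
SRC = {"name": "example-src", "region": "us-east-1", "versioning": {"Status": "Enabled"}}
DST = {"name": "example-dst", "region": "eu-west-1", "versioning": {}}
CONFIG = {
    "Role": "arn:aws:iam::111122223333:role/example-replication-role",
    "Rules": [{
        "ID": "logs", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
        "SourceSelectionCriteria": {"SseKmsEncryptedObjects": {"Status": "Enabled"}},
        "Destination": {"Bucket": "arn:aws:s3:::example-dst", "StorageClass": "STANDARD_IA"},
    }],
}

if __name__ == "__main__":
    for finding in check_crr(SRC, DST, CONFIG):
        print("FINDING:", finding)
```

With live buckets, the same dictionaries can be filled from the corresponding API responses; a suspended versioning state is reported the same way as one that was never enabled.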

Triggers for replication are:

  • Uploading objects to the source bucket.
  • DELETE of objects in the source bucket.
  • Changes to the object, its metadata, or ACL.

What is replicated:

  • New objects created after enabling replication
  • Changes to objects
  • Objects created using SSE-S3 using the AWS managed key
  • Object ACL updates

What isn’t replicated:

  • Objects that existed before enabling replication (these can be copied using the copy API)
  • Objects created with SSE-C and SSE-KMS
  • Objects to which the bucket owner does not have permissions
  • Updates to bucket-level subresources
  • Actions from lifecycle rules
  • Objects in the source bucket that are replicated from another region

Deletion behavior

  • If a DELETE request is made without specifying an object version ID, a delete marker will be added and replicated.
  • If a DELETE request is made specifying an object version ID, the object is deleted but the delete marker is not replicated.

Charges

  • Requests for upload
  • Inter-region transfer
  • S3 storage in both regions
