This rule checks that cross-region replication is enabled for S3 buckets.
| Rule | S3 bucket cross-region replication should be enabled |
|---|---|
| Framework | SOC 2 |
| Severity | ✔ Critical |
Rule Description:
S3 bucket cross-region replication should be enabled to meet the requirements of SOC 2 compliance. Cross-region replication copies the objects in an S3 bucket to a bucket in a different AWS region, providing redundancy and protecting against regional failures. This matters for SOC 2 because it supports data availability and integrity and provides a backup in case of a disaster or data loss.
Troubleshooting Steps (if applicable):
Necessary Codes (if applicable):
Bucket policy statements granting the replication role read access to the source bucket and list access to the destination bucket (replace YOUR_ACCOUNT_ID, YOUR_SOURCE_BUCKET and YOUR_DESTINATION_BUCKET). A bucket policy applies only to the bucket it is attached to, so the first statement belongs on the source bucket's policy and the second on the destination bucket's policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableCrossRegionReplication",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:role/cross-region-replication-role"
      },
      "Action": "s3:GetReplicationConfiguration",
      "Resource": "arn:aws:s3:::YOUR_SOURCE_BUCKET"
    },
    {
      "Sid": "EnableCrossRegionReplicationDestination",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:role/cross-region-replication-role"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::YOUR_DESTINATION_BUCKET"
    }
  ]
}
```
Create a new IAM role called "cross-region-replication-role" with the following trust relationship policy document, which lets the S3 service assume the role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Assign the required permissions to this role based on your specific cross-region replication needs, such as s3:GetObjectVersion, s3:GetObjectVersionAcl, s3:GetObjectVersionForReplication, and s3:GetReplicationConfiguration on the source bucket. The role also needs write permissions on the destination bucket (s3:ReplicateObject, s3:ReplicateDelete and s3:ReplicateTags); without them the replication configuration is accepted but objects never arrive in the destination.

Step by Step Guide for Remediation:
By following these steps and implementing cross-region replication for your S3 buckets, you can ensure compliance with SOC 2 requirements and enhance data availability and protection.
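As an added example (not part of the original rule page or the tool that published it), the following Python implements the rule's check offline. It evaluates the dictionaries that boto3's get_bucket_versioning, get_bucket_replication and get_bucket_location return, so the logic can be tested without AWS access, and reports why a bucket would fail: missing versioning, no replication configuration, no rule with Status=Enabled, or every enabled rule targeting a bucket in the same region as the source. The bucket names, account id and role ARN in the sample data are constructed placeholders; the response shapes are those of the real S3 APIs (including the null LocationConstraint that GetBucketLocation returns for us-east-1).

```python
"""Offline evaluator for "S3 bucket cross-region replication should be enabled".

Works on the dictionaries that boto3's get_bucket_versioning, get_bucket_replication
and get_bucket_location return, so the rule logic can be tested without AWS access.
All SAMPLE_* data below is constructed; the account id and bucket names are placeholders.
"""
from typing import Dict, List, Optional

S3_ARN_PREFIX = "arn:aws:s3:::"
ROLE_ARN = "arn:aws:iam::111111111111:role/cross-region-replication-role"  # placeholder account id


def region_from_location(location_constraint: Optional[str]) -> str:
    """GetBucketLocation reports a us-east-1 bucket as a null LocationConstraint."""
    return location_constraint or "us-east-1"


def bucket_name_from_arn(arn: str) -> str:
    """Destination.Bucket in a replication rule is a bucket ARN; strip the prefix."""
    return arn[len(S3_ARN_PREFIX):] if arn.startswith(S3_ARN_PREFIX) else arn


def check_cross_region_replication(
    source_region: str,
    versioning: dict,
    replication: Optional[dict],
    bucket_regions: Dict[str, str],
) -> List[str]:
    """Return the reasons a bucket fails the rule; an empty list means it passes.

    Checked in order: versioning (replication cannot be configured without it),
    a ReplicationConfiguration that names an IAM role, at least one rule with
    Status=Enabled, and at least one enabled rule whose destination bucket lives
    in a region other than the source bucket's.
    """
    findings: List[str] = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled (replication requires it)")

    config = (replication or {}).get("ReplicationConfiguration")
    if not config:
        findings.append("no replication configuration")
        return findings
    if not config.get("Role"):
        findings.append("replication configuration names no IAM role")

    enabled = [r for r in config.get("Rules", []) if r.get("Status") == "Enabled"]
    if not enabled:
        findings.append("no enabled replication rule")
        return findings

    crosses_region = False
    for rule in enabled:
        dest = bucket_name_from_arn(rule["Destination"]["Bucket"])
        dest_region = bucket_regions.get(dest)
        if dest_region is None:
            findings.append(f"destination bucket {dest!r} has an unknown region")
        elif dest_region != source_region:
            crosses_region = True
    if not crosses_region:
        findings.append("no enabled rule replicates to a different region")
    return findings


def evaluate_all(buckets: Dict[str, dict], locations: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Evaluate every source bucket; `locations` maps bucket name -> LocationConstraint."""
    regions = {name: region_from_location(loc) for name, loc in locations.items()}
    return {
        name: check_cross_region_replication(
            regions[name], data["versioning"], data.get("replication"), regions)
        for name, data in buckets.items()
    }


def _rule(dest_bucket: str, status: str = "Enabled") -> dict:
    """Build one replication rule in the shape S3 returns (constructed helper)."""
    return {"ID": f"to-{dest_bucket}", "Status": status, "Priority": 1, "Filter": {},
            "Destination": {"Bucket": S3_ARN_PREFIX + dest_bucket}}


def _config(*rules: dict) -> dict:
    """Wrap rules in a get_bucket_replication-style response (constructed helper)."""
    return {"ReplicationConfiguration": {"Role": ROLE_ARN, "Rules": list(rules)}}


# Constructed sample: LocationConstraint per bucket, as GetBucketLocation would report it.
SAMPLE_LOCATIONS = {"app-data": None, "app-data-dr": "eu-west-1", "logs": "us-west-2",
                    "logs-copy": "us-west-2", "archive": None, "scratch": "ap-southeast-1"}

# Constructed sample: versioning and replication state per source bucket.
SAMPLE_BUCKETS = {
    "app-data": {"versioning": {"Status": "Enabled"}, "replication": _config(_rule("app-data-dr"))},
    "logs": {"versioning": {"Status": "Enabled"}, "replication": _config(_rule("logs-copy"))},
    "archive": {"versioning": {"Status": "Enabled"},
                "replication": _config(_rule("app-data-dr", status="Disabled"))},
    "scratch": {"versioning": {}, "replication": None},
}

if __name__ == "__main__":
    for bucket, findings in evaluate_all(SAMPLE_BUCKETS, SAMPLE_LOCATIONS).items():
        print(f"{bucket}: {'PASS' if not findings else 'FAIL - ' + '; '.join(findings)}")
```

To run it against a real account, replace the SAMPLE_* dictionaries with the results of the three boto3 calls per bucket; get_bucket_replication raises ReplicationConfigurationNotFoundError when a bucket has none, which maps to passing `None` as `replication`. The same-region case ("logs" above) is the one a naive "replication is configured" check misses, which is why the destination region is resolved rather than only testing for an enabled rule.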