事象
原因
- オブジェクトの所有者を変更できる IAM 権限(s3:ObjectOwnerOverrideToBucketOwner) がないため。
解決策
- 送信元のS3バケットのレプリケーションルールで指定しているIAMロールに s3:ObjectOwnerOverrideToBucketOwner を追加する。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetReplicationConfiguration",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::rep-src-sse-s3"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl"
],
"Resource": "arn:aws:s3:::rep-src-sse-s3/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ObjectOwnerOverrideToBucketOwner"
],
"Resource": "arn:aws:s3:::rep-dst1-sse-s3/*"
}
]
}
- 送信先S3バケットのバケットポリシーに s3:ObjectOwnerOverrideToBucketOwner を追加する。
{
"Version": "2012-10-17",
"Id": "",
"Statement": [
{
"Sid": "Set permissions for objects",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/S3ReplicationRole"
},
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ObjectOwnerOverrideToBucketOwner"
],
"Resource": "arn:aws:s3:::rep-dst1-sse-s3/*"
},
{
"Sid": "Set permissions on bucket",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/S3ReplicationRole"
},
"Action": [
"s3:GetBucketVersioning",
"s3:PutBucketVersioning"
],
"Resource": "arn:aws:s3:::rep-dst1-sse-s3"
}
]
}
