aws · mergify · May 28, 2025 · Apr 13, 2025 · Apr 13, 2025 · Apr 13, 2025
diff --git a/...teg.bucket-replication-use-custom-role.js.snapshot/BucketReplicationTestStack.assets.json b/...teg.bucket-replication-use-custom-role.js.snapshot/BucketReplicationTestStack.assets.json
diff --git a/...g.bucket-replication-use-custom-role.js.snapshot/BucketReplicationTestStack.template.json b/...g.bucket-replication-use-custom-role.js.snapshot/BucketReplicationTestStack.template.json
@@ -304,25 +304,25 @@
        }
       },
       {
-       "Action": "kms:Decrypt",
+       "Action": [
+        "kms:Encrypt",
+        "kms:GenerateDataKey*",
+        "kms:ReEncrypt*"
+       ],
        "Effect": "Allow",
        "Resource": {
         "Fn::GetAtt": [
-         "SourceKmsKeyFE472F1C",
+         "DestinationKmsKey0D94AA3C",
          "Arn"
         ]
        }
       },
       {
-       "Action": [
-        "kms:Encrypt",
-        "kms:GenerateDataKey*",
-        "kms:ReEncrypt*"
-       ],
+       "Action": "kms:Decrypt",
        "Effect": "Allow",
        "Resource": {
         "Fn::GetAtt": [
-         "DestinationKmsKey0D94AA3C",
+         "SourceKmsKeyFE472F1C",
          "Arn"
         ]
        }

diff --git a/...n-use-custom-role.js.snapshot/ReplicationIntegDefaultTestDeployAssert2C07A074.assets.json b/...n-use-custom-role.js.snapshot/ReplicationIntegDefaultTestDeployAssert2C07A074.assets.json
diff --git a/...use-custom-role.js.snapshot/ReplicationIntegDefaultTestDeployAssert2C07A074.template.json b/...use-custom-role.js.snapshot/ReplicationIntegDefaultTestDeployAssert2C07A074.template.json
diff --git a/...7b2d07b952bdefa2b8f883f42.bundle/index.js → ...8c27d7531e215bf4274fbc895.bundle/index.js b/...7b2d07b952bdefa2b8f883f42.bundle/index.js → ...8c27d7531e215bf4274fbc895.bundle/index.js
diff --git a/...integ/test/aws-s3/test/integ.bucket-replication-use-custom-role.js.snapshot/manifest.json b/...integ/test/aws-s3/test/integ.bucket-replication-use-custom-role.js.snapshot/manifest.json
diff --git a/...ork-integ/test/aws-s3/test/integ.bucket-replication-use-custom-role.js.snapshot/tree.json b/...ork-integ/test/aws-s3/test/integ.bucket-replication-use-custom-role.js.snapshot/tree.json
diff --git a/...-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-replication-use-custom-role.ts b/...-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-replication-use-custom-role.ts
@@ -47,23 +47,12 @@ class TestStack extends Stack {
       ],
     });
 
-    this.replicationRole.addToPrincipalPolicy(new iam.PolicyStatement({
-      actions: ['s3:GetReplicationConfiguration', 's3:ListBucket'],
-      resources: [this.sourceBucket.bucketArn],
-      effect: iam.Effect.ALLOW,
-    }));
-    this.replicationRole.addToPrincipalPolicy(new iam.PolicyStatement({
-      actions: ['s3:GetObjectVersionForReplication', 's3:GetObjectVersionAcl', 's3:GetObjectVersionTagging'],
-      resources: [this.sourceBucket.arnForObjects('*')],
-      effect: iam.Effect.ALLOW,
-    }));
-    this.replicationRole.addToPrincipalPolicy(new iam.PolicyStatement({
-      actions: ['s3:ReplicateObject', 's3:ReplicateDelete', 's3:ReplicateTags', 's3:ObjectOwnerOverrideToBucketOwner'],
-      resources: [this.destinationBucket.arnForObjects('*')],
-      effect: iam.Effect.ALLOW,
-    }));
-    sourceKmsKey.grantDecrypt(this.replicationRole);
-    destinationKmsKey.grantEncrypt(this.replicationRole);
+    this.sourceBucket.grantReplicationPermission(this.replicationRole, {
+      sourceDecryptionKey: sourceKmsKey,
+      destinations: [
+        { encryptionKey: destinationKmsKey, bucket: this.destinationBucket },
+      ],
+    });
   }
 }
 

diff --git a/packages/aws-cdk-lib/aws-s3/README.md b/packages/aws-cdk-lib/aws-s3/README.md
@@ -941,11 +941,14 @@ To replicate objects to a destination bucket, you can specify the `replicationRu
 declare const destinationBucket1: s3.IBucket;
 declare const destinationBucket2: s3.IBucket;
 declare const replicationRole: iam.IRole;
-declare const kmsKey: kms.IKey;
+declare const encryptionKey: kms.IKey;
+declare const destinationEncryptionKey: kms.IKey;
 
 const sourceBucket = new s3.Bucket(this, 'SourceBucket', {
   // Versioning must be enabled on both the source and destination bucket
   versioned: true,
+  // Optional. Specify the KMS key to use for encrypts objects in the source bucket.
+  encryptionKey,
   // Optional. If not specified, a new role will be created.
   replicationRole,
   replicationRules: [
@@ -970,7 +973,7 @@ const sourceBucket = new s3.Bucket(this, 'SourceBucket', {
       // If set, metrics will be output to indicate whether replication by S3 RTC took longer than the configured time.
       metrics: s3.ReplicationTimeValue.FIFTEEN_MINUTES,
       // The kms key to use for the destination bucket.
-      kmsKey,
+      kmsKey: destinationEncryptionKey,
       // The storage class to use for the destination bucket.
       storageClass: s3.StorageClass.INFREQUENT_ACCESS,
       // Whether to replicate objects with SSE-KMS encryption.
@@ -997,6 +1000,20 @@ const sourceBucket = new s3.Bucket(this, 'SourceBucket', {
     },
   ],
 });
+
+// Grant permissions to the replication role.
+// This method is not required if you choose to use an auto-generated replication role or manually grant permissions.
+sourceBucket.grantReplicationPermission(replicationRole, {
+  // Optional. Specify the KMS key to use for decrypting objects in the source bucket.
+  sourceDecryptionKey: encryptionKey,
+  destinations: [
+    { bucket: destinationBucket1 },
+    { bucket: destinationBucket2, encryptionKey: destinationEncryptionKey },
+  ],
+  // The 'encryptionKey' property within the 'destinations' array is optional.
+  // If not specified for a destination bucket, this method assumes that
+  // given destination bucket is not encrypted.
+});
 ```
 
 ### Cross Account Replication