The latest articles on Forem by Binh Nguyen (@leondkr). https://forem.com/leondkr https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F929572%2Feff9d60e-04fd-49bf-80dc-23061588d0e4.jpg https://forem.com/leondkr en Binh Nguyen Mon, 13 Mar 2023 10:47:01 +0000 https://forem.com/leondkr/snyk-container-gitlab-container-registry-easy-integration-3cb https://forem.com/leondkr/snyk-container-gitlab-container-registry-easy-integration-3cb <ul> <li>Prerequisites</li> <li> Integration <ul> <li>Create a Personal Access Token</li> <li>Configure Integration</li> <li>Add project for scanning</li> </ul> </li> <li>References</li> </ul> <h2> Prerequisites </h2> <ol> <li> <strong>Snyk</strong> account: <strong>Organization's Administrator</strong>.</li> <li> <strong>GitLab</strong> project <strong>personal access token</strong>. <ul> <li>It is recommended to use access token instead of password.</li> <li>If you enabled MFA, the personal access token is a <strong>MUST</strong>.</li> </ul> </li> </ol> <h2> Integration </h2> <h3> Create a Personal Access Token </h3> <p>Please ensure that your token meets the following requirements:</p> <ol> <li>role: at least <code>Developer</code> </li> <li>scopes: <ul> <li><code>read_api</code></li> <li><code>read_registry</code></li> </ul> </li> </ol> <h3> Configure Integration </h3> <ol> <li>At the left navigation bar, go to <strong>Settings</strong>.</li> <li>Under <strong>Organization Settings</strong>, go to <strong>Integrations</strong>.</li> <li>Find <strong>GitLab Container Registry</strong>, under <strong>Container Registries</strong> section.</li> <li>From the <strong>Account credentials</strong> box, we have to input: <ol> <li> <code>Username</code>: <code>&lt;your-gitlab-username&gt;</code> </li> <li> <code>Password</code>: <code>&lt;your-gitlab-access-token&gt;</code> </li> <li> <code>Container registry name</code>: <code>registry.gitlab.com</code> </li> </ol> </li> <li>Then click the <em>save changes</em> button.</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foyzaptlqjnc6l4dv44ho.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foyzaptlqjnc6l4dv44ho.png" alt="gitlab-container-registry-integration" width="800" height="362"></a></p> <h3> Add project for scanning </h3> <ol> <li>At the left navigation bar, go to <strong>Projects</strong>.</li> <li>Click the <em>Add projects</em> button.</li> <li>From the <strong>Image Name</strong> box, we input our project URL as follows: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;namespace&gt;/&lt;project&gt;/&lt;image&gt; </code></pre> </div> <h2> References </h2> <ul> <li><a href="https://docs.snyk.io/scan-containers/image-scanning-library/gitlab-container-registry-image-scanning/scan-container-images-from-gitlab-container-registry-in-snyk" rel="noopener noreferrer">https://docs.snyk.io/scan-containers/image-scanning-library/gitlab-container-registry-image-scanning/scan-container-images-from-gitlab-container-registry-in-snyk</a></li> <li><a href="https://docs.snyk.io/scan-containers/image-scanning-library/gitlab-container-registry-image-scanning/container-security-with-gitlab-container-registry-integration" rel="noopener noreferrer">https://docs.snyk.io/scan-containers/image-scanning-library/gitlab-container-registry-image-scanning/container-security-with-gitlab-container-registry-integration</a></li> </ul> snyk devsecops gitlab containers Binh Nguyen Fri, 17 Feb 2023 10:55:29 +0000 https://forem.com/aws-builders/use-s3-batch-replication-to-replicate-objects-to-another-account-and-encrypt-with-aws-kms-4efb https://forem.com/aws-builders/use-s3-batch-replication-to-replicate-objects-to-another-account-and-encrypt-with-aws-kms-4efb <h2> Our scenario? </h2> <p>We have an existing S3 bucket in an <strong>AWS account (A)</strong> and we have to somehow move the existing data onto <strong>AWS account (B)</strong> because of internal requirements or compliance decisions. Before the data landing onto the destination S3 bucket, it must be encrypted with an <strong>AWS KMS key</strong> which belongs to the destination account.</p> <p>For this post, I am going to use <strong>S3 Batch Replication</strong> and show steps by steps from AWS console.</p> <h2> When to use S3 Batch Replication? </h2> <p>As per <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html#batch-replication-scenario" rel="noopener noreferrer">AWS official documentation</a>, here are the main points:</p> <ol> <li>Existing objects</li> <li>Objects that failed to replicate previously</li> <li>Objects that were already replicated</li> <li>Replicas that were created from a replication rule</li> </ol> <p>The 1st point is related to our scenario.</p> <h2> Prerequisites </h2> <ol> <li>Enable <em>bucket versioning</em> on both source and destination S3 buckets.</li> <li>The service, which is <strong>Amazon S3</strong>, must have <em>permissions</em> to perform the tasks.</li> <li>Destination account (B) must allow Source acccount (A) to use its <strong>AWS KMS</strong> encryption key.</li> </ol> <h2> Preparation </h2> <h3> Enable Versioning </h3> <blockquote> <p>To be applied on both Source and Destination AWS accounts</p> </blockquote> <ol> <li>Go to your S3 bucket and locate <em>Properties</em> tab from AWS console.</li> <li>From <em>Bucket Versioning</em>, ensure the value is <code>Enabled</code>.</li> </ol> <h3> Source Account A </h3> <h4> Create a new S3 bucket </h4> <p>Let's quickly create a new bucket for storing replication reports or you can use any existing ones.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws s3api create-bucket <span class="se">\</span> <span class="nt">--bucket</span> &lt;S3_BUCKET_REPORT_A&gt; <span class="se">\</span> <span class="nt">--region</span> ap-southeast-1 <span class="se">\</span> <span class="nt">--create-bucket-configuration</span> <span class="nv">LocationConstraint</span><span class="o">=</span>ap-southeast-1 </code></pre> </div> <h4> IAM role for S3 replication </h4> <p>Let's quickly create an <strong>IAM role</strong> for our later usage of S3 replication rule.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws iam create-role <span class="se">\</span> <span class="nt">--role-name</span> &lt;IAM_ROLE_REPLICATION_A&gt; <span class="se">\</span> <span class="nt">--assume-role-policy-document</span> file://trust.json aws iam put-role-policy <span class="se">\</span> <span class="nt">--role-name</span> &lt;IAM_ROLE_REPLICATION_A&gt; <span class="se">\</span> <span class="nt">--policy-name</span> replication-policy <span class="se">\</span> <span class="nt">--policy-document</span> file://policy.json </code></pre> </div> <p>Here is the <strong>IAM policy</strong> (<code>policy.json</code>) to be used.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:InitiateReplication"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:GetReplicationConfiguration"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutInventoryConfiguration"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:ListBucket"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:GetObjectAcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:GetObjectTagging"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:GetObjectVersionForReplication"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:GetObjectVersionAcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:GetObjectVersionTagging"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:s3:::&lt;S3_BUCKET_A&gt;"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:s3:::&lt;S3_BUCKET_A&gt;/*"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:ListBucket"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:ReplicateObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:ReplicateTags"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:ReplicateDelete"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutObjectAcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutObjectVersionAcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutObjectTagging"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutObjectVersionTagging"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:GetObjectVersionForReplication"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:ObjectOwnerOverrideToBucketOwner"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:s3:::&lt;S3_BUCKET_B&gt;"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:s3:::&lt;S3_BUCKET_B&gt;/*"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:PutObject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::&lt;S3_BUCKET_REPORT_A&gt;/*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kms:*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Here is the <strong>trust relationship</strong> (<code>trust.json</code>) to be used.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Service"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"batchoperations.s3.amazonaws.com"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3.amazonaws.com"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRole"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Destination Account B </h3> <h4> Update S3 bucket policy </h4> <p>Ensure the <strong>S3 bucket policy</strong> to be updated.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PolicyForDestinationBucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"S3PolicyStmt-DO-NOT-MODIFY-1234567890123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:iam::&lt;AWS_ID_A&gt;:root"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:iam::&lt;AWS_ID_A&gt;:role/service-role/&lt;IAM_ROLE_REPLICATION_A&gt;"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:GetBucketVersioning"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:GetObjectAcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:ReplicateObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:ReplicateDelete"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutObjectAcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutObjectVersionAcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutBucketVersioning"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:ObjectOwnerOverrideToBucketOwner"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:Put*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:s3:::&lt;S3_BUCKET_B&gt;"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:s3:::&lt;S3_BUCKET_B&gt;/*"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> Update KMS key policy </h4> <p>Ensure the <strong>KMS key policy</strong> to be updated.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"my-key-policy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Enable IAM User Permissions"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::&lt;AWS_ID_B&gt;:root"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kms:*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow an external account to use this KMS key"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:iam::&lt;AWS_ID_A&gt;:root"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:iam::&lt;AWS_ID_A&gt;:role/service-role/&lt;IAM_ROLE_REPLICATION_A&gt;"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"kms:Encrypt"</span><span class="p">,</span><span class="w"> </span><span class="s2">"kms:Decrypt"</span><span class="p">,</span><span class="w"> </span><span class="s2">"kms:ReEncrypt*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"kms:GenerateDataKey*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"kms:DescribeKey"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Create a replication rule </h2> <p>From the source S3 bucket, create an <strong>S3 replication rule</strong>.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fddq6la3ah76ozon8zopy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fddq6la3ah76ozon8zopy.png" alt="create-s3-replication-rule" width="800" height="489"></a></p> <p>Choose the <em>rule scope to all objects</em> and specify destination bucket with AWS account ID.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzq4j5dp05ys2rcknbjet.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzq4j5dp05ys2rcknbjet.png" alt="specify-destination-bucket" width="800" height="667"></a></p> <p>Choose the option to change the bucket ownership and specify the <strong>IAM role</strong> that we have created earlier.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnujzv08552zecipn346p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnujzv08552zecipn346p.png" alt="specify-replication-role" width="800" height="379"></a></p> <p>Enter the <em>ARN</em> of the destination <strong>AWS KMS</strong> encryption key to be used.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4i97b0a4no96zon4xxk7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4i97b0a4no96zon4xxk7.png" alt="specify-encryption-key" width="800" height="617"></a></p> <p>For destination classes and replication options, keep them as optional if you don't have any related requirements. Then, choose option to <em>replicate existing objects</em>. This will direct you to a new page which is the next step below.</p> <h2> Create Batch Operations job </h2> <p>For <em>Job run options</em>, we choose <strong>Automatically run the job when it's ready</strong> or it is up to you.</p> <p>In order to gain visibility of replication process, we enable reports generation option and store them onto S3 bucket.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy5ucu8gnelig4i8u6bdj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy5ucu8gnelig4i8u6bdj.png" alt="generate-replication-reports" width="800" height="382"></a></p> <p>For <em>Permissions</em>, you can reuse the earlier <strong>IAM Role</strong>.</p> <p>Once you clicked the <code>Save</code> button, it will create a new <strong>Job ID</strong> and based on my job run option earlier, it automatically runs so we will wait for the result.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fixkdtrxs84fn1cz7pgbr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fixkdtrxs84fn1cz7pgbr.png" alt="new-batch-operations-job" width="800" height="305"></a></p> <blockquote> <p>If it is <code>failed</code>, you can check the job status or report for further details. In my case, my replication <strong>IAM role</strong> does not have enough permissions to generate reports to the specified bucket.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn6t1pj8xrvibclbagaba.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn6t1pj8xrvibclbagaba.png" alt="job-status-failed" width="800" height="336"></a></p> <blockquote> <p>If it is <code>progresses</code>, you will observe the % of objects that have been replicated or objects have been failed to replicate.</p> </blockquote> <h2> References </h2> <ol> <li><a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html" rel="noopener noreferrer">https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html</a></li> <li><a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-batch-replication-batch.html" rel="noopener noreferrer">https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-batch-replication-batch.html</a></li> <li><a href="https://aws.amazon.com/blogs/aws/new-replicate-existing-objects-with-amazon-s3-batch-replication/" rel="noopener noreferrer">https://aws.amazon.com/blogs/aws/new-replicate-existing-objects-with-amazon-s3-batch-replication/</a></li> </ol> watercooler