Receiving replication failure events with Amazon S3 Event Notifications (original) (raw)
If you've enabled S3 Replication metrics on your replication configuration, you can set up Amazon S3 Event Notifications to notify you when objects don't replicate to their destination AWS Region. If you've enabled S3 Replication Time Control (S3 RTC) on your replication configuration, you can also be notified when objects don't replicate within the 15-minute S3 RTC threshold for replication.
Important
To receive replication failure event notifications (s3:Replication:OperationFailedReplication), you must enable S3 Replication metrics on your replication rule. You do not need to enable S3 Replication Time Control (S3 RTC) to receive failure notifications. S3 RTC is only required for threshold-based notifications (s3:Replication:OperationMissedThreshold ands3:Replication:OperationReplicatedAfterThreshold). You can enable S3 Replication metrics independently of S3 RTC. For more information, see Enabling S3 Replication metrics.
By using the following Replication event types, you can monitor the minute-by-minute progress of replication events by tracking bytes pending, operations pending, and replication latency. For more information about S3 Replication metrics, see Using S3 Replication metrics.
- The
s3:Replication:OperationFailedReplicationevent type notifies you when an object that was eligible for replication failed to replicate. - The
s3:Replication:OperationMissedThresholdevent type notifies you when an object that was eligible for replication that uses S3 RTC exceeds the 15-minute threshold for replication. - The
s3:Replication:OperationReplicatedAfterThresholdevent type notifies you when an object that was eligible for replication that uses S3 RTC replicates after the 15-minute threshold. - The
s3:Replication:OperationNotTrackedevent type notifies you when an object that was eligible for live replication (either Same-Region Replication [SRR] or Cross-Region Replication [CRR]) is no longer being tracked by replication metrics.
For full descriptions of all the supported replication event types, see Supported event types for SQS, SNS, and Lambda.
For a list of the failure codes captured by S3 Event Notifications, see Amazon S3 replication failure reasons.
You can receive S3 Event Notifications through Amazon Simple Queue Service (Amazon SQS), Amazon Simple Notification Service (Amazon SNS), or AWS Lambda. For more information, see Amazon S3 Event Notifications.
For instructions on how to configure Amazon S3 Event Notifications, see Enabling event notifications.
The following is an example of a message that Amazon S3 sends to publish ans3:Replication:OperationFailedReplication event. For more information, seeEvent message structure.
{
"Records": [
{
"eventVersion": "2.2",
"eventSource": "aws:s3",
"awsRegion": "us-east-1",
"eventTime": "2024-09-05T21:04:32.527Z",
"eventName": "Replication:OperationFailedReplication",
"userIdentity": {
"principalId": "s3.amazonaws.com"
},
"requestParameters": {
"sourceIPAddress": "s3.amazonaws.com"
},
"responseElements": {
"x-amz-request-id": "123bf045-2b4b-4ca8-a211-c34a63c59426",
"x-amz-id-2": "12VAWNDIHnwJsRhTccqQTeAPoXQmRt22KkewMV8G3XZihAuf9CLDdmkApgZzudaIe2KlLfDqGS0="
},
"s3": {
"s3SchemaVersion": "1.0",
"configurationId": "ReplicationEventName",
"bucket": {
"name": "amzn-s3-demo-bucket1",
"ownerIdentity": {
"principalId": "111122223333"
},
"arn": "arn:aws:s3:::amzn-s3-demo-bucket1"
},
"object": {
"key": "replication-object-put-test.png",
"size": 520080,
"eTag": "e12345ca7e88a38428305d3ff7fcb99f",
"versionId": "abcdeH0Xp66ep__QDjR76LK7Gc9X4wKO",
"sequencer": "0066DA1CBF104C0D51"
}
},
"replicationEventData": {
"replicationRuleId": "notification-test-replication-rule",
"destinationBucket": "arn:aws:s3:::amzn-s3-demo-bucket2",
"s3Operation": "OBJECT_PUT",
"requestTime": "2024-09-05T21:03:59.168Z",
"failureReason": "AssumeRoleNotPermitted"
}
}
]
}Amazon S3 replication failure reasons
The following table lists Amazon S3 Replication failure reasons. You can view these reasons by receiving the s3:Replication:OperationFailedReplication event with Amazon S3 Event Notifications and then looking at the failureReason value.
You can also view these failure reasons in an S3 Batch Replication completion report. For more information, see Batch Replication completion report.
| Replication failure reason | Description |
|---|---|
| AssumeRoleNotPermitted | Amazon S3 can't assume the AWS Identity and Access Management (IAM) role that's specified in the replication configuration or in the Batch Operations job. |
| DstBucketInvalidRegion | The destination bucket is not in the same AWS Region as specified by the Batch Operations job. This error is specific to Batch Replication. |
| DstBucketNotFound | Amazon S3 is unable to find the destination bucket that's specified in the replication configuration. |
| DstBucketObjectLockConfigMissing | To replicate objects from a source bucket with Object Lock enabled, the destination bucket must also have Object Lock enabled. This error indicates that Object Lock might not be enabled in the destination bucket. For more information, see Object Lock considerations. |
| DstBucketUnversioned | Versioning is not enabled for the S3 destination bucket. To replicate objects with S3 Replication, enable versioning for the destination bucket. |
| DstDelObjNotPermitted | Amazon S3 is unable to replicate delete markers to the destination bucket. Thes3:ReplicateDelete permission might be missing for the destination bucket. |
| DstKmsKeyInvalidState | The AWS Key Management Service (AWS KMS) key for the destination bucket isn't in a valid state. Review and enable the required AWS KMS key. For more information about managing AWS KMS keys, see Key states of AWS KMS keys in the_AWS Key Management Service Developer Guide_. |
| DstKmsKeyNotFound | The AWS KMS key that's configured for the destination bucket in the replication configuration doesn't exist. |
| DstMultipartCompleteNotPermitted | Amazon S3 is unable to complete multipart uploads of objects in the destination bucket. The s3:ReplicateObject permission might be missing for the destination bucket. |
| DstMultipartInitNotPermitted | Amazon S3 is unable to initiate multipart uploads of objects to the destination bucket. The s3:ReplicateObject permission might be missing for the destination bucket. |
| DstMultipartUploadNotPermitted | Amazon S3 is unable to upload multipart upload objects to the destination bucket. Thes3:ReplicateObject permission might be missing for the destination bucket. |
| DstObjectHardDeleted | S3 Batch Replication does not support re-replicating objects deleted with the version ID of the object from the destination bucket. This error is specific to Batch Replication. |
| DstPutAclNotPermitted | Amazon S3 is unable to replicate object access control lists (ACLs) to the destination bucket. The s3:ReplicateObject permission might be missing for the destination bucket. |
| DstPutLegalHoldNotPermitted | Amazon S3 is unable to put an Object Lock legal hold on the destination objects when it's replicating immutable objects. The s3:PutObjectLegalHold permission might be missing for the destination bucket. For more information, seeLegal holds. |
| DstPutObjectNotPermitted | Amazon S3 is unable to replicate objects to the destination bucket. This can occur when required permissions (s3:ReplicateObject or s3:ObjectOwnerOverrideToBucketOwner permissions) are missing for the destination bucket or when the AWS KMS key policy doesn't allow the source bucket's replication role to use the AWS KMS key (kms:Decrypt and kms:GenerateDataKey* actions) at the destination bucket. |
| DstPutRetentionNotPermitted | Amazon S3 is unable to put a retention period on the destination objects when it's replicating immutable objects. The s3:PutObjectRetention permission might be missing for the destination bucket. |
| DstPutTaggingNotPermitted | Amazon S3 is unable to replicate object tags to the destination bucket. Thes3:ReplicateObject permission might be missing for the destination bucket. |
| DstVersionNotFound | Amazon S3 is unable to find the required object version in the destination bucket for which metadata needs to be replicated. |
| InitiateReplicationNotPermitted | Amazon S3 is unable to initiate replication on objects. Thes3:InitiateReplication permission might be missing for the Batch Operations job. This error is specific to Batch Replication. |
| SrcBucketInvalidRegion | The source bucket isn't in the same AWS Region as specified by the Batch Operations job. This error is specific to Batch Replication. |
| SrcBucketNotFound | Amazon S3 is unable to find the source bucket. |
| SrcBucketReplicationConfigMissing | Amazon S3 couldn't find a replication configuration for the source bucket. |
| SrcGetAclNotPermitted | Amazon S3 is unable to access the object in the source bucket for replication. Thes3:GetObjectVersionAcl permission might be missing for the source bucket object. The objects in the source bucket must be owned by the bucket owner. If ACLs are enabled, then verify if Object Ownership is set to Bucket owner preferred or Object writer. If Object Ownership is set to Bucket owner preferred, then the source bucket objects must have the bucket-owner-full-control ACL for the bucket owner to become the object owner. The source account can take ownership of all objects in their bucket by setting Object Ownership to Bucket owner enforced and disabling ACLs. |
| SrcGetLegalHoldNotPermitted | Amazon S3 is unable to access the S3 Object Lock legal hold information. |
| SrcGetObjectNotPermitted | Amazon S3 is unable to access the object in the source bucket for replication. Thes3:GetObjectVersionForReplication permission might be missing for the source bucket. |
| SrcGetRetentionNotPermitted | Amazon S3 is unable to access the S3 Object Lock retention period information. |
| SrcGetTaggingNotPermitted | Amazon S3 is unable to access object tag information from the source bucket. Thes3:GetObjectVersionTagging permission might be missing for the source bucket. |
| SrcHeadObjectNotPermitted | Amazon S3 is unable to retrieve object metadata from the source bucket. Thes3:GetObjectVersionForReplication permission might be missing for the source bucket. |
| SrcKeyNotFound | Amazon S3 is unable to find the source object key to replicate. Source object may have been deleted before replication was complete. |
| SrcKmsKeyInvalidState | The AWS KMS key for the source bucket isn't in a valid state. Review and enable the required AWS KMS key. For more information about managing AWS KMS keys, see Key states of AWS KMS keys in the AWS Key Management Service Developer Guide. |
| SrcObjectNotEligible | Some objects aren't eligible for replication. This may be due to the object's storage class or the object tags don't match the replication configuration. |
| SrcObjectNotFound | Source object does not exist. |
| SrcReplicationNotPending | Amazon S3 has already replicated this object. This object is no longer pending replication. |
| SrcVersionNotFound | Amazon S3 is unable to find the source object version to replicate. Source object version may have been deleted before replication was complete. |
| SrcAnnotationNotFound | Source annotation was not found. The annotation was deleted before replication completed. |
| SrcGetObjectAnnotationNotPermitted | Access denied when retrieving the source annotation for replication. The IAM role is missings3:GetObjectVersionAnnotationForReplication. |
| DstPutObjectAnnotationNotPermitted | Access denied when replicating the annotation to the destination bucket. The IAM role is missing s3:ReplicateObject or does not have access to the required AWS KMS key. |
| SrcAnnotationEncryptionUnsupported | The object annotation encryption type is not supported. |
| AnnotationLimitExceeded | The object annotation count exceeds the limit (1000). Replication would exceed the annotation limit on the destination. |