S3 replication: Access denied: Amazon S3 can't detect whether versioning is enabled on the destination bucket

Question

I'm configuring a replication between two s3 buckets. but I get the error

Access denied: Amazon S3 can't detect whether versioning is enabled on the destination bucket.

The destination bucket is in another account, different region. Here is the bucket policy in the destination bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::destination",
                "arn:aws:s3:::destination/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AROAS3AHCETXXDF5Z5GVG:*",
                        "AROAS3AHCETXX2DMH4JPY:*",
                        "AROAS3AHCEXXX4SNCNTNV:*",
                        "AROAVJZZXXXXXZBBR7PN6L:*"
                    ]
                }
            }
        },
        {
            "Sid": "S3ReplicationPolicyStmt1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXX:root"
            },
            "Action": [
                "s3:GetBucketVersioning",
                "s3:GetObjectVersionForReplication",
                "s3:PutBucketVersioning",
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:PutObjectAcl",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Resource": [
                "arn:aws:s3:::destination",
                "arn:aws:s3:::destination/*"
            ]
        }
    ]
}

My buckets are highly confidential, so I first deny all access except for some roles: So in the condition, I have the replication role ID excluded too.

Why the replication role is still not allowed to replicate? What is wrong with this bucket policy ? In the above policy I actually authorize the replication role twice. in both statements.

Here is the replication IAM role policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::source",
                "arn:aws:s3:::source/*"
            ]
        },
        {
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:GetBucketVersioning",
                "s3:GetObjectVersionTagging",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::destination/*"
        }
    ]
}

I tried deleting the explicite deny statement and test the replication, the source bucket gets the Versioning and I had no access denied, but objects are not replicated.

Answer 1

The solution was to white list the replication role in the source bucket as well. Both buckets have similar policy so It was necessary to allow the replication role to access the source.

Answer 2

For my experience, AWS S3 policies follow a white-list approach, meaning that you first need to add statements for the actions you want to allow, and then a final statement to deny everything else.

So in your case, try to just switch the statements.