S3-Replication: L2 for Cross account replication not working

[jesperalmstrom]

Describe the bug

Hi,
In the L2 construct documentation https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_s3/ReplicationRule.html it is mentioned Cross Account support. but we have tried many different configurations without success. The only workaround is to fall back to the L1 CFN way.

        replication_config = s3.CfnBucket.ReplicationConfigurationProperty(
            role=replication_role_arn,
            rules=[
                s3.CfnBucket.ReplicationRuleProperty(
                    id=REPLICATION_RULE_ID,
                    status="Enabled",
                    prefix=REPLICATION_RULE_PREFIX,
                    priority=REPLICATION_RULE_PRIORITY,
                    destination=s3.CfnBucket.ReplicationDestinationProperty(
                        bucket=f"arn:aws:s3:::{destination_bucket}",
                        account=account,
                        access_control_translation=s3.CfnBucket.AccessControlTranslationProperty(
                            owner="Destination"
                        ),
                    ),
                )
            ],
        )

        # Apply replication configuration to the bucket
        cfn_bucket = self.bucket.node.default_child
        cfn_bucket.replication_configuration = replication_config

Could this be clarified or fixed?

I suspect that the problem is related to this destination bucket owner setting:

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

Expected Behavior

An example that work for Cross Replication or a fix

Current Behavior

Does not work

Reproduction Steps

Try to setup cross account s3 replication using only L2 constructs

Possible Solution

No response

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.202.0

AWS CDK CLI version

2.1030.0 (build e46adaf)

Node.js Version

v24.10.0

OS

Ubuntu 24.04

Language

Python

Language Version

Python 3.13

Other information

No response

[tysoncung]

I've hit this same issue. The L2 construct is missing the accessControlTranslation property needed for cross-account replication. Your L1 workaround is the right approach for now.

[pahud]

Hi @jesperalmstrom,

Thank you for reporting this issue. After investigating the code, I found that the L2 construct does support cross-account replication with the access control translation feature you need. The property you're looking for is accessControlTransition in the ReplicationRule interface.

aws-cdk/packages/aws-cdk-lib/aws-s3/lib/bucket.ts

Lines 1630 to 1636 in 5e4c89e

	* Whether to want to change replica ownership to the AWS account that owns the destination bucket.
	*
	* This can only be specified if the source bucket and the destination bucket are not in the same AWS account.
	*
	* @default - The replicas are owned by same AWS account that owns the source object
	*/
	readonly accessControlTransition?: boolean;

Here's how you can configure it:

source_bucket = s3.Bucket(self, "SourceBucket",
   versioned=True,
   replication_rules=[
       s3.ReplicationRule(
           destination=destination_bucket,
           priority=1,
           access_control_transition=True,  # This is the key property!
           id="cross-account-replication"
       )
   ]
)

When you set access_control_transition=True, CDK will configure the AccessControlTranslation property with Owner: Destination, which changes the replica ownership to the destination bucket owner (Account A in your case).

Additionally, you'll need to call addReplicationPolicy() on the destination bucket to grant the necessary permissions:

destination_bucket.add_replication_policy(
   source_bucket.replication_role_arn,
   access_control_transition=True,
   account=source_account_id
)

You can see a working example in our cross-account replication integration test.

That said, I acknowledge that this property could be better documented and more discoverable. Would you be interested in contributing a PR to:

1. Add an example with accessControlTransition to the integration test?
2. Improve the documentation to make this feature more visible?

Please let me know if this resolves your issue or if you encounter any other problems!

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[jesperalmstrom]

Hi @pahud! Thanks for a quick answer. I'm pretty sure i have tested this already, but i will do another test.

[jesperalmstrom]

One other thought. When looking into the cross-account replication integration test, it does not look like there are any use of accessControlTransition ... oh wait. You asked if I could do a PR for that. First i will confirm if this accessControlTransition even work.