Audit an S3 replication configuration
📑 On this page
Part 74 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.
What we are learning
A replication audit should answer which keys match, where they go, which role acts, and whether each rule is enabled.
Before you run it
aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.
The command
aws s3api get-bucket-replication \
--bucket "$BUCKET"A successful configuration command may return no output. Treat inspection as a separate required step.
Inspect the result
aws s3api get-bucket-replication \
--bucket "$BUCKET" \
--query "ReplicationConfiguration.{Role:Role,Rules:Rules[].{ID:ID,Priority:Priority,Status:Status,Filter:Filter,Destination:Destination.Bucket,DeleteMarkers:DeleteMarkerReplication.Status}}"Read the returned fields rather than assuming the write succeeded exactly as intended.
One tiny variation
aws s3api get-bucket-replication \
--bucket "$BUCKET" \
--query "ReplicationConfiguration.Rules[?Status=='Enabled'].ID" \
--output textReturn only active rule IDs for a quick checklist.
Common mistake
Configuration presence does not prove replication health. Inspect object replication status, CloudWatch metrics when enabled, and destination versions.
Cleanup
# This lesson does not require an additional persistent resource.
aws s3api head-bucket --bucket "$BUCKET"Keep the shared demo bucket for the next lesson, or remove only the configuration and objects created here.
Next, we will learn Create an S3 bucket with Object Lock.