← All posts
2 min read

Audit an S3 replication configuration

#aws#cli#s3#storage#replication
📑 On this page

Part 74 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.

What we are learning

A replication audit should answer which keys match, where they go, which role acts, and whether each rule is enabled.

Before you run it

aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"

Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.

The command

aws s3api get-bucket-replication \
  --bucket "$BUCKET"

A successful configuration command may return no output. Treat inspection as a separate required step.

Inspect the result

aws s3api get-bucket-replication \
  --bucket "$BUCKET" \
  --query "ReplicationConfiguration.{Role:Role,Rules:Rules[].{ID:ID,Priority:Priority,Status:Status,Filter:Filter,Destination:Destination.Bucket,DeleteMarkers:DeleteMarkerReplication.Status}}"

Read the returned fields rather than assuming the write succeeded exactly as intended.

One tiny variation

aws s3api get-bucket-replication \
  --bucket "$BUCKET" \
  --query "ReplicationConfiguration.Rules[?Status=='Enabled'].ID" \
  --output text

Return only active rule IDs for a quick checklist.

Common mistake

Configuration presence does not prove replication health. Inspect object replication status, CloudWatch metrics when enabled, and destination versions.

Cleanup

# This lesson does not require an additional persistent resource.
aws s3api head-bucket --bucket "$BUCKET"

Keep the shared demo bucket for the next lesson, or remove only the configuration and objects created here.

Next, we will learn Create an S3 bucket with Object Lock.

Official AWS CLI reference