
Reply To: Review Mode Set 3 Question 55

  • Nikee-TutorialsDojo

    Administrator
    February 28, 2025 at 8:33 am

    Hello Vedansh,

    Thank you for your question! The reason we create the IAM role in the source account for Amazon S3 to assume during replication is that S3 initiates the replication process from the source bucket, not the destination. For cross-account replication to work, S3 needs the necessary permissions to replicate objects from the source bucket to the destination bucket. The IAM role in the source account grants S3 the permissions to perform the replication. This role allows Amazon S3 to read the objects from the source bucket and copy them to the destination bucket.

    The IAM role in the source account is also critical because it establishes a trust relationship between the source account and Amazon S3, enabling S3 to carry out the replication on your behalf. While the destination bucket will also need a policy that allows the source account to write objects into it, the replication IAM role itself is always set up in the source account, as that’s where the replication is initiated.

    As per the latest AWS documentation on cross-region replication (CRR), the IAM role for replication permissions is created in the source account, as this is where the action starts. I hope this clears up any confusion! If you have further questions or need more details, feel free to reach out.

    Regards,

    Nikee @ Tutorials Dojo
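
The three policy documents the reply refers to (role trust policy and role permissions in the source account, bucket policy in the destination account), as an added example that is not part of the original post or AWS's own code. The account ID, role and bucket names are constructed placeholders, `replication_policies` and `audit` are hypothetical helpers, and the action lists assume basic replication without KMS or ownership override.

```python
import json

REPLICATE = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]

def replication_policies(src_account, role_name, src_bucket, dst_bucket):
    """Build the three policy documents for cross-account S3 replication."""
    role_arn = f"arn:aws:iam::{src_account}:role/{role_name}"
    src, dst = f"arn:aws:s3:::{src_bucket}", f"arn:aws:s3:::{dst_bucket}"
    # 1. Trust policy on the role in the SOURCE account: only S3 may assume it.
    trust = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "sts:AssumeRole"}]}
    # 2. Permissions on that role: read the source, replicate into the destination.
    perms = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": src,
         "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"]},
        {"Effect": "Allow", "Resource": f"{src}/*",
         "Action": ["s3:GetObjectVersionForReplication",
                    "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"]},
        {"Effect": "Allow", "Resource": f"{dst}/*", "Action": list(REPLICATE)}]}
    # 3. Bucket policy in the DESTINATION account: admits only the source role.
    bucket = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": role_arn},
         "Resource": f"{dst}/*", "Action": list(REPLICATE)}]}
    return trust, perms, bucket

def audit(trust, perms, bucket, src_account):
    """Return findings where the policies are broader than replication needs."""
    findings = []
    for st in trust["Statement"]:
        if st["Principal"] != {"Service": "s3.amazonaws.com"}:
            findings.append("trust: principal is not the S3 service alone")
    for st in perms["Statement"] + bucket["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(a in ("*", "s3:*") for a in acts) or st["Resource"] == "*":
            findings.append("wildcard action or resource")
    role_prefix = f"arn:aws:iam::{src_account}:role/"
    for st in bucket["Statement"]:
        p = st["Principal"]
        arn = p.get("AWS", "") if isinstance(p, dict) else p
        if not str(arn).startswith(role_prefix):
            findings.append("bucket: principal is not a role in the source account")
    return findings

if __name__ == "__main__":
    # Constructed placeholder account ID and names, not values from the post.
    docs = replication_policies("111111111111", "example-replication-role",
                                "example-source", "example-destination")
    print(json.dumps(docs, indent=2))
    print(audit(*docs, "111111111111") or "no findings")
```
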
