🌎 How Amazon S3 Standard Stores and Replicates Data

Multi-AZ Durability, Cross-Region Replication, and Cross-Account Sharing Explained

---

🧭 1. How Amazon S3 Standard Stores Your Data

🏗️ Region vs Availability Zone

• Region – a geographic area (e.g., us-east-1, ap-south-1).

• Availability Zone (AZ) – a physically isolated data center within that Region.
  Example:

  us-east-1
  ├── us-east-1a
  ├── us-east-1b
  └── us-east-1c
  

💾 Multi-AZ Redundancy

When you upload an object to Amazon S3 Standard, AWS automatically:

1. Replicates the data across at least three AZs in the same Region.

2. Stores redundant copies on separate devices, networks, and power systems.

3. Performs background integrity checks and self-healing if any copy becomes corrupted.

This design achieves:

• Durability: 99.999999999 % (“11 nines”)

• Availability: 99.99 % annually

🔒 Even if an entire AZ goes offline, your data remains available from the other AZs in that Region.

---

🧩 Internal Replication Flow (Within Region)

            ┌──────────────────────────────┐
            │         S3  Bucket           │
            └──────────────────────────────┘
                     │  Object Upload
                     ▼
     ┌───────────────┼────────────────────────┐
     │   us-east-1a  │   us-east-1b  │  us-east-1c │
     │  Object copy  │  Object copy  │  Object copy│
     └───────────────┴────────────────────────┘
                 (Automatic synchronous replication)

---

🌐 2. Cross-Region Replication (CRR)

S3 Standard keeps data only within its home Region.
If you need redundancy or access in another Region — for example from US East (Virginia) to Asia Pacific (Mumbai) — enable Cross-Region Replication (CRR).

---

⚙️ What CRR Does

• Replicates newly created (or updated) objects asynchronously from a source bucket to a destination bucket in a different Region.

• Preserves metadata, ACLs, tags, object locks, and encryption keys (if configured).

• Replication typically completes within seconds to minutes.

---

🧠 Interview Note

S3 replication is asynchronous and one-way — from source → destination.
For bidirectional replication, configure two rules in opposite directions.

---

🪄 3. How to Set Up Cross-Region Replication

(Example – replicate from us-east-1 to ap-south-1)

Step 1 – Create Buckets

Source:      my-primary-bucket   (Region: us-east-1)
Destination: my-replica-bucket   (Region: ap-south-1)

Step 2 – Enable Versioning

CRR requires both buckets to have Versioning enabled.

aws s3api put-bucket-versioning --bucket my-primary-bucket --versioning-configuration Status=Enabled
aws s3api put-bucket-versioning --bucket my-replica-bucket --versioning-configuration Status=Enabled

Step 3 – Create an IAM Role for Replication

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "s3.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}

Attach a policy granting S3 permission to read from the source and write to the destination:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:GetObjectVersion", "s3:GetObjectVersionAcl"],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-primary-bucket/*"
    },
    {
      "Action": ["s3:ReplicateObject", "s3:ReplicateDelete"],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-replica-bucket/*"
    }
  ]
}

Step 4 – Add Replication Rule to Source Bucket

In the AWS Console or via CLI:

aws s3api put-bucket-replication --bucket my-primary-bucket --replication-configuration '{
  "Role": "arn:aws:iam::<source-account-id>:role/s3-replication-role",
  "Rules": [{
      "Status": "Enabled",
      "Priority": 1,
      "DeleteMarkerReplication": {"Status": "Disabled"},
      "Filter": {"Prefix": ""},
      "Destination": {
          "Bucket": "arn:aws:s3:::my-replica-bucket",
          "StorageClass": "STANDARD"
      }
  }]
}'

---

📤 Step 5 – Verify Replication

• Upload an object to my-primary-bucket.

• Within seconds, the same key appears in my-replica-bucket (Mumbai).

• Check object metadata → “Replication Status = COMPLETED”.

---

🧑‍🤝‍🧑 4. Cross-Account Replication and Sharing

🎯 Use Case

You own Account A and want to replicate or share data with Account B (partner or analytics team).

---

A. Cross-Account Replication Setup

1. Destination bucket resides in Account B.

2. Account B adds a bucket policy permitting writes from Account A’s replication role:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::<AccountA-ID>:role/s3-replication-role" },
    "Action": ["s3:ReplicateObject", "s3:ReplicateDelete"],
    "Resource": "arn:aws:s3:::my-replica-bucket/*"
  }]
}

3. Account A configures CRR exactly as before, targeting the bucket ARN in Account B.

✅ Now every new object uploaded in Account A’s my-primary-bucket will be replicated automatically to Account B’s bucket in Mumbai.

---

B. Cross-Account File Sharing Without Replication

If you just want to share existing S3 files:

Method	Description
Pre-Signed URL	Time-limited link granting read/write access to a single object.
Bucket Policy	Allow specific AWS accounts, IAM users, or roles to access your bucket.
S3 Access Points	Simplify large-scale, multi-tenant access with fine-grained policies.
AWS Resource Access Manager (RAM)	Share entire S3 buckets or subnets securely across accounts in the same Org.

Example – Pre-Signed URL

aws s3 presign s3://my-primary-bucket/data/report.csv --expires-in 3600

This generates a URL valid for 1 hour.

---

⚖️ 5. Architecture Summary

Layer	Default Behavior	Optional Enhancement
Intra-Region	Automatic multi-AZ replication	N/A
Cross-Region	Manual via CRR / SRR	Configure replication rules
Cross-Account	Manual policy or RAM	Combine with CRR for multi-account DR
Sharing	Private by default	Pre-signed URLs / Access Points / RAM

---

🧠 Interview Cheat Sheet

Question	Quick Answer
Does S3 Standard replicate across Regions?	❌ No, only across AZs within one Region.
How to replicate across Regions?	Enable Cross-Region Replication (CRR).
Is replication synchronous?	Asynchronous (near real time).
Is Versioning required?	✅ Yes — both source and destination.
Can I replicate across accounts?	✅ Yes — via proper IAM role + bucket policy.
How to share an object temporarily?	Generate a pre-signed URL.
How to share persistently with another account?	Use bucket policies or Access Points.