How To Client Setup S3 Bucket Replication - GetLinkfire/raw-data-documentation GitHub Wiki

How To - Set up S3 cross-account bucket replication with Linkfire to receive raw data feeds.

Details

Source Account

  • Account ID <SOURCEOWNERID>: ${source-aws-account-id}
  • Bucket Name <SOURCEBUCKET>: ${source-egress-client-bucket-name}

Destination Account

  • Account ID <DESTINATIONOWNERID>: ${destination-aws-account-id}
  • Bucket Name <DESTINATIONBUCKET>: ${destination-ingress-bucket-name}

⚠️ The above details will be shared between the client and Linkfire through a secure channel.

1) Client - Enable Versioning

Ensure versioning is enabled on the client-owned destination bucket. Linkfire will do the same on our source bucket. S3 replication requires versioning on both the source and the destination bucket.

aws s3api put-bucket-versioning \
--bucket <DESTINATIONBUCKET> \
--versioning-configuration Status=Enabled

2) Client - Update S3 Bucket Policy on Client Bucket.

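Add the following policy to the client bucket so that Linkfire can deliver raw data feeds to your destination S3 bucket. The :root principal refers to the Linkfire source account as a whole, and the grant is limited to the listed actions on this one bucket and its objects.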

{
    "Version": "2012-10-17",
    "Id": "LinkfireRawDataFeedDeliveryPolicy",
    "Statement": [
        {
            "Sid": "AllowLinkfireReportDelivery",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<SOURCEOWNERID>:root"
            },
            "Action": [
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning",
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Resource": [
                "arn:aws:s3:::<DESTINATIONBUCKET>",
                "arn:aws:s3:::<DESTINATIONBUCKET>/*"
            ]
        }
    ]
}
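
Before attaching the policy, a client can lint the document to confirm it grants only what the statement above grants. The following is an added example, not Linkfire's code: the function name review_policy, the account ID 111122223333 and the bucket name example-destination-bucket are constructed placeholders, and it assumes the policy document holds only the delivery statement.

```python
import copy

# Actions the page's statement grants; compared case-insensitively, as IAM does.
EXPECTED_ACTIONS = ["s3:GetBucketVersioning", "s3:PutBucketVersioning",
                    "s3:ReplicateObject", "s3:ReplicateDelete",
                    "s3:ObjectOwnerOverrideToBucketOwner"]

def _as_list(value):  # policy elements may be one string or a list of strings
    return value if isinstance(value, list) else [value]

def review_policy(policy, source_account_id, destination_bucket):
    """Return findings; [] means every Allow statement matches the page's grant."""
    findings, granted = [], set()
    expected = {a.lower() for a in EXPECTED_ACTIONS}
    # AWS accepts the bare account ID as shorthand for the account's :root ARN.
    ok_principals = {f"arn:aws:iam::{source_account_id}:root", source_account_id}
    ok_resources = {f"arn:aws:s3:::{destination_bucket}",
                    f"arn:aws:s3:::{destination_bucket}/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")  # {"AWS": ...}, {"Service": ...} or "*"
        principals = ([p for v in principal.values() for p in _as_list(v)]
                      if isinstance(principal, dict) else [principal])
        findings += [f"{sid}: unexpected principal {p!r}"
                     for p in principals if p not in ok_principals]
        for action in _as_list(stmt.get("Action", [])):
            granted.add(action.lower())
            if action.lower() not in expected:  # wildcards land here, unexpanded
                findings.append(f"{sid}: action outside the replication set: {action}")
        findings += [f"{sid}: resource outside the destination bucket: {r}"
                     for r in _as_list(stmt.get("Resource", [])) if r not in ok_resources]
    findings += [f"missing action: {a}" for a in EXPECTED_ACTIONS if a.lower() not in granted]
    return findings

# Constructed sample values standing in for <SOURCEOWNERID> and <DESTINATIONBUCKET>.
SOURCE_ID, DEST_BUCKET = "111122223333", "example-destination-bucket"
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowLinkfireReportDelivery", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ID}:root"}, "Action": list(EXPECTED_ACTIONS),
    "Resource": [f"arn:aws:s3:::{DEST_BUCKET}", f"arn:aws:s3:::{DEST_BUCKET}/*"]}]}
# Constructed drifted copy: any principal, one extra action, one action dropped.
DRIFTED = copy.deepcopy(PAGE_POLICY)
DRIFTED["Statement"][0].update(Principal="*", Action=EXPECTED_ACTIONS[:4] + ["s3:DeleteObject"])

if __name__ == "__main__":
    for doc in (PAGE_POLICY, DRIFTED):
        print(review_policy(doc, SOURCE_ID, DEST_BUCKET) or "OK")
```

To check the policy already attached to the bucket, parse the document returned by aws s3api get-bucket-policy --bucket <DESTINATIONBUCKET> --query Policy --output text with json.loads and pass it to review_policy.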

3) Profit

Notify your Linkfire account manager or the security engineer you are working with that you have enabled versioning and applied the S3 bucket policy, and we will then test and ensure replication/delivery is fully enabled.

Questions

If you have any questions, please reach out to [email protected]. We also provide means to communicate through a secure channel during implementation using Keybase.