From 7e78701980696e0e244ce2864d16647a66c469a3 Mon Sep 17 00:00:00 2001 From: shikha372 Date: Fri, 20 Dec 2024 16:10:19 -0800 Subject: [PATCH] readme info for KMS key --- packages/aws-cdk-lib/aws-s3/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/packages/aws-cdk-lib/aws-s3/README.md b/packages/aws-cdk-lib/aws-s3/README.md index 28cff58516adf..6392a329452b9 100644 --- a/packages/aws-cdk-lib/aws-s3/README.md +++ b/packages/aws-cdk-lib/aws-s3/README.md @@ -1001,6 +1001,10 @@ const sourceBucket = new s3.Bucket(this, 'SourceBucket', { You can also set a destination bucket from a different account as the replication destination. In this case, the bucket policy for the destination bucket is required, to configure it through CDK use `addReplicationPolicy()` method to add bucket policy on destination bucket. +In a cross-account scenario, where the source and destination buckets are owned by different AWS accounts, you can use a KMS key to encrypt object replicas. However, the KMS key owner must grant the source bucket owner permission to use the KMS key. +For more information, please refer to https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html . +> **NOTE:** AWS managed keys don't allow cross-account use, and therefore can't be used > to perform cross-account replication. + If you need to ovveride the bucket ownership to destination account pass the account value to the method to provide permissions to override bucket owner. `addReplicationPolicy(bucket.replicationRoleArn, true, '11111111111')`;
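Review bot: The added NOTE line carries a stray `>` in the middle of the sentence ("...can't be used > to perform cross-account replication."), which Markdown renders as a literal greater-than sign inside the blockquote rather than as a continuation; either remove it so the line reads `> **NOTE:** AWS managed keys don't allow cross-account use, and therefore can't be used to perform cross-account replication.` or split the quote into two `> ` lines. Also drop the space before the period after the docs URL ("replication-walkthrough-2.html ."). Since the new paragraph says the KMS key owner must grant the source bucket owner permission to use the key, it would help readers to state explicitly that this grant is separate from the destination bucket policy that `addReplicationPolicy()` adds (described in the paragraph just above), so nobody assumes that method also covers the key permission.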