aws-cdk-lib 2.176.0__py3-none-any.whl → 2.177.0__py3-none-any.whl

aws_cdk/aws_s3/__init__.py

@@ -891,6 +891,110 @@ s3.Bucket(self, "Bucket2",
     object_lock_default_retention=s3.ObjectLockRetention.compliance(Duration.days(365))
 )
 ```
+
+## Replicating Objects
+
+You can use [replicating objects](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html) to enable automatic, asynchronous copying of objects across Amazon S3 buckets.
+Buckets that are configured for object replication can be owned by the same AWS account or by different accounts.
+You can replicate objects to a single destination bucket or to multiple destination buckets.
+The destination buckets can be in different AWS Regions or within the same Region as the source bucket.
+
+To replicate objects to a destination bucket, you can specify the `replicationRules` property:
+
+```python
+# destination_bucket1: s3.IBucket
+# destination_bucket2: s3.IBucket
+# kms_key: kms.IKey
+
+
+source_bucket = s3.Bucket(self, "SourceBucket",
+    # Versioning must be enabled on both the source and destination bucket
+    versioned=True,
+    replication_rules=[s3.ReplicationRule(
+        # The destination bucket for the replication rule.
+        destination=destination_bucket1,
+        # The priority of the rule.
+        # Amazon S3 will attempt to replicate objects according to all replication rules.
+        # However, if there are two or more rules with the same destination bucket, then objects will be replicated according to the rule with the highest priority.
+        # The higher the number, the higher the priority.
+        # It is essential to specify priority explicitly when the replication configuration has multiple rules.
+        priority=1
+    ), s3.ReplicationRule(
+        destination=destination_bucket2,
+        priority=2,
+        # Whether to specify S3 Replication Time Control (S3 RTC).
+        # S3 RTC replicates most objects that you upload to Amazon S3 in seconds,
+        # and 99.99 percent of those objects within specified time.
+        replication_time_control=s3.ReplicationTimeValue.FIFTEEN_MINUTES,
+        # Whether to enable replication metrics about S3 RTC.
+        # If set, metrics will be output to indicate whether replication by S3 RTC took longer than the configured time.
+        metrics=s3.ReplicationTimeValue.FIFTEEN_MINUTES,
+        # The kms key to use for the destination bucket.
+        kms_key=kms_key,
+        # The storage class to use for the destination bucket.
+        storage_class=s3.StorageClass.INFREQUENT_ACCESS,
+        # Whether to replicate objects with SSE-KMS encryption.
+        sse_kms_encrypted_objects=False,
+        # Whether to replicate modifications on replicas.
+        replica_modifications=True,
+        # Whether to replicate delete markers.
+        # This property cannot be enabled if the replication rule has a tag filter.
+        delete_marker_replication=False,
+        # The ID of the rule.
+        id="full-settings-rule",
+        # The object filter for the rule.
+        filter=s3.Filter(
+            # The prefix filter for the rule.
+            prefix="prefix",
+            # The tag filter for the rule.
+            tags=[s3.Tag(
+                key="tagKey",
+                value="tagValue"
+            )
+            ]
+        )
+    )
+    ]
+)
+```
+
+### Cross Account Replication
+
+You can also set a destination bucket from a different account as the replication destination.
+
+In this case, the bucket policy for the destination bucket is required, to configure it through CDK use  `addReplicationPolicy()` method to add bucket policy on destination bucket.
+In a cross-account scenario, where the source and destination buckets are owned by different AWS accounts, you can use a KMS key to encrypt object replicas. However, the KMS key owner must grant the source bucket owner permission to use the KMS key.
+For more information, please refer to https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html .
+
+> **NOTE:** AWS managed keys don't allow cross-account use, and therefore can't be used to perform cross-account replication.
+
+If you need to ovveride the bucket ownership to destination account pass the account value to the method to provide permissions to override bucket owner.
+`addReplicationPolicy(bucket.replicationRoleArn, true, '11111111111')`;
+
+However, if the destination bucket is a referenced bucket, CDK cannot set the bucket policy,
+so you will need to [configure the necessary bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html) separately.
+
+```python
+# The destination bucket in a different account.
+# destination_bucket: s3.IBucket
+
+
+source_bucket = s3.Bucket(self, "SourceBucket",
+    versioned=True,
+    replication_rules=[s3.ReplicationRule(
+        destination=destination_bucket,
+        priority=1,
+        # Whether to want to change replica ownership to the AWS account that owns the destination bucket.
+        # The replicas are owned by same AWS account that owns the source object by default.
+        access_control_transition=True
+    )
+    ]
+)
+
+# Add permissions to the destination after replication role is created
+if source_bucket.replication_role_arn:
+    destination_bucket.add_replication_policy(source_bucket.replication_role_arn, True, "111111111111")
+```
 '''
 from pkgutil import extend_path
 __path__ = extend_path(__path__, __name__)
@@ -1926,6 +2030,7 @@ class BucketPolicyProps:
         "object_ownership": "objectOwnership",
         "public_read_access": "publicReadAccess",
         "removal_policy": "removalPolicy",
+        "replication_rules": "replicationRules",
         "server_access_logs_bucket": "serverAccessLogsBucket",
         "server_access_logs_prefix": "serverAccessLogsPrefix",
         "target_object_key_format": "targetObjectKeyFormat",
@@ -1964,6 +2069,7 @@ class BucketProps:
         object_ownership: typing.Optional["ObjectOwnership"] = None,
         public_read_access: typing.Optional[builtins.bool] = None,
         removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
+        replication_rules: typing.Optional[typing.Sequence[typing.Union["ReplicationRule", typing.Dict[builtins.str, typing.Any]]]] = None,
         server_access_logs_bucket: typing.Optional["IBucket"] = None,
         server_access_logs_prefix: typing.Optional[builtins.str] = None,
         target_object_key_format: typing.Optional["TargetObjectKeyFormat"] = None,
@@ -1998,6 +2104,7 @@ class BucketProps:
         :param object_ownership: The objectOwnership of the bucket. Default: - No ObjectOwnership configuration. By default, Amazon S3 sets Object Ownership to ``Bucket owner enforced``. This means ACLs are disabled and the bucket owner will own every object.
         :param public_read_access: Grants public read access to all objects in the bucket. Similar to calling ``bucket.grantPublicAccess()`` Default: false
         :param removal_policy: Policy to apply when the bucket is removed from this stack. Default: - The bucket will be orphaned.
+        :param replication_rules: A container for one or more replication rules. Default: - No replication
         :param server_access_logs_bucket: Destination bucket for the server access logs. Default: - If "serverAccessLogsPrefix" undefined - access logs disabled, otherwise - log to current bucket.
         :param server_access_logs_prefix: Optional log file prefix to use for the bucket's access logs. If defined without "serverAccessLogsBucket", enables access logs to current bucket with this prefix. Default: - No log file prefix
         :param target_object_key_format: Optional key format for log objects. Default: - the default key format is: [DestinationPrefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]
@@ -2055,6 +2162,7 @@ class BucketProps:
             check_type(argname="argument object_ownership", value=object_ownership, expected_type=type_hints["object_ownership"])
             check_type(argname="argument public_read_access", value=public_read_access, expected_type=type_hints["public_read_access"])
             check_type(argname="argument removal_policy", value=removal_policy, expected_type=type_hints["removal_policy"])
+            check_type(argname="argument replication_rules", value=replication_rules, expected_type=type_hints["replication_rules"])
             check_type(argname="argument server_access_logs_bucket", value=server_access_logs_bucket, expected_type=type_hints["server_access_logs_bucket"])
             check_type(argname="argument server_access_logs_prefix", value=server_access_logs_prefix, expected_type=type_hints["server_access_logs_prefix"])
             check_type(argname="argument target_object_key_format", value=target_object_key_format, expected_type=type_hints["target_object_key_format"])
@@ -2110,6 +2218,8 @@ class BucketProps:
             self._values["public_read_access"] = public_read_access
         if removal_policy is not None:
             self._values["removal_policy"] = removal_policy
+        if replication_rules is not None:
+            self._values["replication_rules"] = replication_rules
         if server_access_logs_bucket is not None:
             self._values["server_access_logs_bucket"] = server_access_logs_bucket
         if server_access_logs_prefix is not None:
@@ -2400,6 +2510,15 @@ class BucketProps:
         result = self._values.get("removal_policy")
         return typing.cast(typing.Optional[_RemovalPolicy_9f93c814], result)
 
+    @builtins.property
+    def replication_rules(self) -> typing.Optional[typing.List["ReplicationRule"]]:
+        '''A container for one or more replication rules.
+
+        :default: - No replication
+        '''
+        result = self._values.get("replication_rules")
+        return typing.cast(typing.Optional[typing.List["ReplicationRule"]], result)
+
     @builtins.property
     def server_access_logs_bucket(self) -> typing.Optional["IBucket"]:
         '''Destination bucket for the server access logs.
@@ -15360,6 +15479,124 @@ class EventType(enum.Enum):
     '''
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_s3.Filter",
+    jsii_struct_bases=[],
+    name_mapping={"prefix": "prefix", "tags": "tags"},
+)
+class Filter:
+    def __init__(
+        self,
+        *,
+        prefix: typing.Optional[builtins.str] = None,
+        tags: typing.Optional[typing.Sequence[typing.Union["Tag", typing.Dict[builtins.str, typing.Any]]]] = None,
+    ) -> None:
+        '''A filter that identifies the subset of objects to which the replication rule applies.
+
+        :param prefix: An object key name prefix that identifies the object or objects to which the rule applies. Default: - applies to all objects
+        :param tags: The tag array used for tag filters. The rule applies only to objects that have the tag in this set. Default: - applies to all objects
+
+        :exampleMetadata: infused
+
+        Example::
+
+            # destination_bucket1: s3.IBucket
+            # destination_bucket2: s3.IBucket
+            # kms_key: kms.IKey
+            
+            
+            source_bucket = s3.Bucket(self, "SourceBucket",
+                # Versioning must be enabled on both the source and destination bucket
+                versioned=True,
+                replication_rules=[s3.ReplicationRule(
+                    # The destination bucket for the replication rule.
+                    destination=destination_bucket1,
+                    # The priority of the rule.
+                    # Amazon S3 will attempt to replicate objects according to all replication rules.
+                    # However, if there are two or more rules with the same destination bucket, then objects will be replicated according to the rule with the highest priority.
+                    # The higher the number, the higher the priority.
+                    # It is essential to specify priority explicitly when the replication configuration has multiple rules.
+                    priority=1
+                ), s3.ReplicationRule(
+                    destination=destination_bucket2,
+                    priority=2,
+                    # Whether to specify S3 Replication Time Control (S3 RTC).
+                    # S3 RTC replicates most objects that you upload to Amazon S3 in seconds,
+                    # and 99.99 percent of those objects within specified time.
+                    replication_time_control=s3.ReplicationTimeValue.FIFTEEN_MINUTES,
+                    # Whether to enable replication metrics about S3 RTC.
+                    # If set, metrics will be output to indicate whether replication by S3 RTC took longer than the configured time.
+                    metrics=s3.ReplicationTimeValue.FIFTEEN_MINUTES,
+                    # The kms key to use for the destination bucket.
+                    kms_key=kms_key,
+                    # The storage class to use for the destination bucket.
+                    storage_class=s3.StorageClass.INFREQUENT_ACCESS,
+                    # Whether to replicate objects with SSE-KMS encryption.
+                    sse_kms_encrypted_objects=False,
+                    # Whether to replicate modifications on replicas.
+                    replica_modifications=True,
+                    # Whether to replicate delete markers.
+                    # This property cannot be enabled if the replication rule has a tag filter.
+                    delete_marker_replication=False,
+                    # The ID of the rule.
+                    id="full-settings-rule",
+                    # The object filter for the rule.
+                    filter=s3.Filter(
+                        # The prefix filter for the rule.
+                        prefix="prefix",
+                        # The tag filter for the rule.
+                        tags=[s3.Tag(
+                            key="tagKey",
+                            value="tagValue"
+                        )
+                        ]
+                    )
+                )
+                ]
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__ff4b8a813f6812ab1464fced92fa61b97e151767705973ce994c0970fde139df)
+            check_type(argname="argument prefix", value=prefix, expected_type=type_hints["prefix"])
+            check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if prefix is not None:
+            self._values["prefix"] = prefix
+        if tags is not None:
+            self._values["tags"] = tags
+
+    @builtins.property
+    def prefix(self) -> typing.Optional[builtins.str]:
+        '''An object key name prefix that identifies the object or objects to which the rule applies.
+
+        :default: - applies to all objects
+        '''
+        result = self._values.get("prefix")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def tags(self) -> typing.Optional[typing.List["Tag"]]:
+        '''The tag array used for tag filters.
+
+        The rule applies only to objects that have the tag in this set.
+
+        :default: - applies to all objects
+        '''
+        result = self._values.get("tags")
+        return typing.cast(typing.Optional[typing.List["Tag"]], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "Filter(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.enum(jsii_type="aws-cdk-lib.aws_s3.HttpMethods")
 class HttpMethods(enum.Enum):
     '''All http request methods.'''
@@ -15467,6 +15704,16 @@ class IBucket(_IResource_c80c4260, typing_extensions.Protocol):
     def policy(self, value: typing.Optional[BucketPolicy]) -> None:
         ...
 
+    @builtins.property
+    @jsii.member(jsii_name="replicationRoleArn")
+    def replication_role_arn(self) -> typing.Optional[builtins.str]:
+        '''Role used to set up permissions on this bucket for replication.'''
+        ...
+
+    @replication_role_arn.setter
+    def replication_role_arn(self, value: typing.Optional[builtins.str]) -> None:
+        ...
+
     @jsii.member(jsii_name="addEventNotification")
     def add_event_notification(
         self,
@@ -15523,6 +15770,25 @@ class IBucket(_IResource_c80c4260, typing_extensions.Protocol):
         '''
         ...
 
+    @jsii.member(jsii_name="addReplicationPolicy")
+    def add_replication_policy(
+        self,
+        role_arn: builtins.str,
+        access_control_transition: typing.Optional[builtins.bool] = None,
+        account: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Function to add required permissions to the destination bucket for cross account replication.
+
+        These permissions will be added as a resource based policy on the bucket.
+
+        :param role_arn: -
+        :param access_control_transition: -
+        :param account: -
+
+        :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-accesscontroltranslation.html
+        '''
+        ...
+
     @jsii.member(jsii_name="addToResourcePolicy")
     def add_to_resource_policy(
         self,
@@ -15982,6 +16248,19 @@ class _IBucketProxy(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "policy", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="replicationRoleArn")
+    def replication_role_arn(self) -> typing.Optional[builtins.str]:
+        '''Role used to set up permissions on this bucket for replication.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "replicationRoleArn"))
+
+    @replication_role_arn.setter
+    def replication_role_arn(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__45b20ede572212a5391ce58bc0693933ac9d1bc950c6cafac24d9b7d29ad1405)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "replicationRoleArn", value) # pyright: ignore[reportArgumentType]
+
     @jsii.member(jsii_name="addEventNotification")
     def add_event_notification(
         self,
@@ -16051,6 +16330,30 @@ class _IBucketProxy(
             check_type(argname="argument filters", value=filters, expected_type=typing.Tuple[type_hints["filters"], ...]) # pyright: ignore [reportGeneralTypeIssues]
         return typing.cast(None, jsii.invoke(self, "addObjectRemovedNotification", [dest, *filters]))
 
+    @jsii.member(jsii_name="addReplicationPolicy")
+    def add_replication_policy(
+        self,
+        role_arn: builtins.str,
+        access_control_transition: typing.Optional[builtins.bool] = None,
+        account: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Function to add required permissions to the destination bucket for cross account replication.
+
+        These permissions will be added as a resource based policy on the bucket.
+
+        :param role_arn: -
+        :param access_control_transition: -
+        :param account: -
+
+        :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-accesscontroltranslation.html
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__6c2e7fc14ca3997ce00436db7203d2e5669fde630c0dd481f20a6192f12706c7)
+            check_type(argname="argument role_arn", value=role_arn, expected_type=type_hints["role_arn"])
+            check_type(argname="argument access_control_transition", value=access_control_transition, expected_type=type_hints["access_control_transition"])
+            check_type(argname="argument account", value=account, expected_type=type_hints["account"])
+        return typing.cast(None, jsii.invoke(self, "addReplicationPolicy", [role_arn, access_control_transition, account]))
+
     @jsii.member(jsii_name="addToResourcePolicy")
     def add_to_resource_policy(
         self,
@@ -18098,6 +18401,362 @@ class ReplaceKey(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_s3.ReplaceK
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "withKey"))
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_s3.ReplicationRule",
+    jsii_struct_bases=[],
+    name_mapping={
+        "destination": "destination",
+        "access_control_transition": "accessControlTransition",
+        "delete_marker_replication": "deleteMarkerReplication",
+        "filter": "filter",
+        "id": "id",
+        "kms_key": "kmsKey",
+        "metrics": "metrics",
+        "priority": "priority",
+        "replica_modifications": "replicaModifications",
+        "replication_time_control": "replicationTimeControl",
+        "sse_kms_encrypted_objects": "sseKmsEncryptedObjects",
+        "storage_class": "storageClass",
+    },
+)
+class ReplicationRule:
+    def __init__(
+        self,
+        *,
+        destination: IBucket,
+        access_control_transition: typing.Optional[builtins.bool] = None,
+        delete_marker_replication: typing.Optional[builtins.bool] = None,
+        filter: typing.Optional[typing.Union[Filter, typing.Dict[builtins.str, typing.Any]]] = None,
+        id: typing.Optional[builtins.str] = None,
+        kms_key: typing.Optional[_IKey_5f11635f] = None,
+        metrics: typing.Optional["ReplicationTimeValue"] = None,
+        priority: typing.Optional[jsii.Number] = None,
+        replica_modifications: typing.Optional[builtins.bool] = None,
+        replication_time_control: typing.Optional["ReplicationTimeValue"] = None,
+        sse_kms_encrypted_objects: typing.Optional[builtins.bool] = None,
+        storage_class: typing.Optional["StorageClass"] = None,
+    ) -> None:
+        '''Specifies which Amazon S3 objects to replicate and where to store the replicas.
+
+        :param destination: The destination bucket for the replicated objects. The destination can be either in the same AWS account or a cross account. If you want to configure cross-account replication, the destination bucket must have a policy that allows the source bucket to replicate objects to it.
+        :param access_control_transition: Whether to want to change replica ownership to the AWS account that owns the destination bucket. This can only be specified if the source bucket and the destination bucket are not in the same AWS account. Default: - The replicas are owned by same AWS account that owns the source object
+        :param delete_marker_replication: Specifies whether Amazon S3 replicates delete markers. Default: - delete markers in source bucket is not replicated to destination bucket
+        :param filter: A filter that identifies the subset of objects to which the replication rule applies. Default: - applies to all objects
+        :param id: A unique identifier for the rule. The maximum value is 255 characters. Default: - auto generated random ID
+        :param kms_key: The customer managed AWS KMS key stored in AWS Key Management Service (KMS) for the destination bucket. Amazon S3 uses this key to encrypt replica objects. Amazon S3 only supports symmetric encryption KMS keys. Default: - Amazon S3 uses the AWS managed KMS key for encryption
+        :param metrics: A container specifying replication metrics-related settings enabling replication metrics and events. When a value is set, metrics will be output to indicate whether the replication took longer than the specified time. Default: - Replication metrics are not enabled
+        :param priority: The priority indicates which rule has precedence whenever two or more replication rules conflict. Amazon S3 will attempt to replicate objects according to all replication rules. However, if there are two or more rules with the same destination bucket, then objects will be replicated according to the rule with the highest priority. The higher the number, the higher the priority. It is essential to specify priority explicitly when the replication configuration has multiple rules. Default: 0
+        :param replica_modifications: Specifies whether Amazon S3 replicates modifications on replicas. Default: false
+        :param replication_time_control: Specifying S3 Replication Time Control (S3 RTC), including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated. Default: - S3 Replication Time Control is not enabled
+        :param sse_kms_encrypted_objects: Specifies whether Amazon S3 replicates objects created with server-side encryption using an AWS KMS key stored in AWS Key Management Service. Default: false
+        :param storage_class: The storage class to use when replicating objects, such as S3 Standard or reduced redundancy. Default: - The storage class of the source object
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_kms as kms
+            from aws_cdk import aws_s3 as s3
+            
+            # bucket: s3.Bucket
+            # key: kms.Key
+            # replication_time_value: s3.ReplicationTimeValue
+            # storage_class: s3.StorageClass
+            
+            replication_rule = s3.ReplicationRule(
+                destination=bucket,
+            
+                # the properties below are optional
+                access_control_transition=False,
+                delete_marker_replication=False,
+                filter=s3.Filter(
+                    prefix="prefix",
+                    tags=[s3.Tag(
+                        key="key",
+                        value="value"
+                    )]
+                ),
+                id="id",
+                kms_key=key,
+                metrics=replication_time_value,
+                priority=123,
+                replica_modifications=False,
+                replication_time_control=replication_time_value,
+                sse_kms_encrypted_objects=False,
+                storage_class=storage_class
+            )
+        '''
+        if isinstance(filter, dict):
+            filter = Filter(**filter)
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__2eb99af4044ffb625b707ac7ff5de3796f00ec1217ed24e21f6c240e90e846f0)
+            check_type(argname="argument destination", value=destination, expected_type=type_hints["destination"])
+            check_type(argname="argument access_control_transition", value=access_control_transition, expected_type=type_hints["access_control_transition"])
+            check_type(argname="argument delete_marker_replication", value=delete_marker_replication, expected_type=type_hints["delete_marker_replication"])
+            check_type(argname="argument filter", value=filter, expected_type=type_hints["filter"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument kms_key", value=kms_key, expected_type=type_hints["kms_key"])
+            check_type(argname="argument metrics", value=metrics, expected_type=type_hints["metrics"])
+            check_type(argname="argument priority", value=priority, expected_type=type_hints["priority"])
+            check_type(argname="argument replica_modifications", value=replica_modifications, expected_type=type_hints["replica_modifications"])
+            check_type(argname="argument replication_time_control", value=replication_time_control, expected_type=type_hints["replication_time_control"])
+            check_type(argname="argument sse_kms_encrypted_objects", value=sse_kms_encrypted_objects, expected_type=type_hints["sse_kms_encrypted_objects"])
+            check_type(argname="argument storage_class", value=storage_class, expected_type=type_hints["storage_class"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "destination": destination,
+        }
+        if access_control_transition is not None:
+            self._values["access_control_transition"] = access_control_transition
+        if delete_marker_replication is not None:
+            self._values["delete_marker_replication"] = delete_marker_replication
+        if filter is not None:
+            self._values["filter"] = filter
+        if id is not None:
+            self._values["id"] = id
+        if kms_key is not None:
+            self._values["kms_key"] = kms_key
+        if metrics is not None:
+            self._values["metrics"] = metrics
+        if priority is not None:
+            self._values["priority"] = priority
+        if replica_modifications is not None:
+            self._values["replica_modifications"] = replica_modifications
+        if replication_time_control is not None:
+            self._values["replication_time_control"] = replication_time_control
+        if sse_kms_encrypted_objects is not None:
+            self._values["sse_kms_encrypted_objects"] = sse_kms_encrypted_objects
+        if storage_class is not None:
+            self._values["storage_class"] = storage_class
+
+    @builtins.property
+    def destination(self) -> IBucket:
+        '''The destination bucket for the replicated objects.
+
+        The destination can be either in the same AWS account or a cross account.
+
+        If you want to configure cross-account replication,
+        the destination bucket must have a policy that allows the source bucket to replicate objects to it.
+
+        :see: https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html
+        '''
+        result = self._values.get("destination")
+        assert result is not None, "Required property 'destination' is missing"
+        return typing.cast(IBucket, result)
+
+    @builtins.property
+    def access_control_transition(self) -> typing.Optional[builtins.bool]:
+        '''Whether to want to change replica ownership to the AWS account that owns the destination bucket.
+
+        This can only be specified if the source bucket and the destination bucket are not in the same AWS account.
+
+        :default: - The replicas are owned by same AWS account that owns the source object
+        '''
+        result = self._values.get("access_control_transition")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def delete_marker_replication(self) -> typing.Optional[builtins.bool]:
+        '''Specifies whether Amazon S3 replicates delete markers.
+
+        :default: - delete markers in source bucket is not replicated to destination bucket
+
+        :see: https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-marker-replication.html
+        '''
+        result = self._values.get("delete_marker_replication")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def filter(self) -> typing.Optional[Filter]:
+        '''A filter that identifies the subset of objects to which the replication rule applies.
+
+        :default: - applies to all objects
+        '''
+        result = self._values.get("filter")
+        return typing.cast(typing.Optional[Filter], result)
+
+    @builtins.property
+    def id(self) -> typing.Optional[builtins.str]:
+        '''A unique identifier for the rule.
+
+        The maximum value is 255 characters.
+
+        :default: - auto generated random ID
+        '''
+        result = self._values.get("id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def kms_key(self) -> typing.Optional[_IKey_5f11635f]:
+        '''The customer managed AWS KMS key stored in AWS Key Management Service (KMS) for the destination bucket.
+
+        Amazon S3 uses this key to encrypt replica objects.
+
+        Amazon S3 only supports symmetric encryption KMS keys.
+
+        :default: - Amazon S3 uses the AWS managed KMS key for encryption
+
+        :see: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+        '''
+        result = self._values.get("kms_key")
+        return typing.cast(typing.Optional[_IKey_5f11635f], result)
+
+    @builtins.property
+    def metrics(self) -> typing.Optional["ReplicationTimeValue"]:
+        '''A container specifying replication metrics-related settings enabling replication metrics and events.
+
+        When a value is set, metrics will be output to indicate whether the replication took longer than the specified time.
+
+        :default: - Replication metrics are not enabled
+        '''
+        result = self._values.get("metrics")
+        return typing.cast(typing.Optional["ReplicationTimeValue"], result)
+
+    @builtins.property
+    def priority(self) -> typing.Optional[jsii.Number]:
+        '''The priority indicates which rule has precedence whenever two or more replication rules conflict.
+
+        Amazon S3 will attempt to replicate objects according to all replication rules.
+        However, if there are two or more rules with the same destination bucket,
+        then objects will be replicated according to the rule with the highest priority.
+
+        The higher the number, the higher the priority.
+
+        It is essential to specify priority explicitly when the replication configuration has multiple rules.
+
+        :default: 0
+        '''
+        result = self._values.get("priority")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def replica_modifications(self) -> typing.Optional[builtins.bool]:
+        '''Specifies whether Amazon S3 replicates modifications on replicas.
+
+        :default: false
+        '''
+        result = self._values.get("replica_modifications")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def replication_time_control(self) -> typing.Optional["ReplicationTimeValue"]:
+        '''Specifying S3 Replication Time Control (S3 RTC), including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated.
+
+        :default: - S3 Replication Time Control is not enabled
+        '''
+        result = self._values.get("replication_time_control")
+        return typing.cast(typing.Optional["ReplicationTimeValue"], result)
+
+    @builtins.property
+    def sse_kms_encrypted_objects(self) -> typing.Optional[builtins.bool]:
+        '''Specifies whether Amazon S3 replicates objects created with server-side encryption using an AWS KMS key stored in AWS Key Management Service.
+
+        :default: false
+        '''
+        result = self._values.get("sse_kms_encrypted_objects")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def storage_class(self) -> typing.Optional["StorageClass"]:
+        '''The storage class to use when replicating objects, such as S3 Standard or reduced redundancy.
+
+        :default: - The storage class of the source object
+        '''
+        result = self._values.get("storage_class")
+        return typing.cast(typing.Optional["StorageClass"], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "ReplicationRule(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+class ReplicationTimeValue(
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_s3.ReplicationTimeValue",
+):
+    '''The replication time value used for S3 Replication Time Control (S3 RTC).
+
+    :exampleMetadata: infused
+
+    Example::
+
+        # destination_bucket1: s3.IBucket
+        # destination_bucket2: s3.IBucket
+        # kms_key: kms.IKey
+        
+        
+        source_bucket = s3.Bucket(self, "SourceBucket",
+            # Versioning must be enabled on both the source and destination bucket
+            versioned=True,
+            replication_rules=[s3.ReplicationRule(
+                # The destination bucket for the replication rule.
+                destination=destination_bucket1,
+                # The priority of the rule.
+                # Amazon S3 will attempt to replicate objects according to all replication rules.
+                # However, if there are two or more rules with the same destination bucket, then objects will be replicated according to the rule with the highest priority.
+                # The higher the number, the higher the priority.
+                # It is essential to specify priority explicitly when the replication configuration has multiple rules.
+                priority=1
+            ), s3.ReplicationRule(
+                destination=destination_bucket2,
+                priority=2,
+                # Whether to specify S3 Replication Time Control (S3 RTC).
+                # S3 RTC replicates most objects that you upload to Amazon S3 in seconds,
+                # and 99.99 percent of those objects within specified time.
+                replication_time_control=s3.ReplicationTimeValue.FIFTEEN_MINUTES,
+                # Whether to enable replication metrics about S3 RTC.
+                # If set, metrics will be output to indicate whether replication by S3 RTC took longer than the configured time.
+                metrics=s3.ReplicationTimeValue.FIFTEEN_MINUTES,
+                # The kms key to use for the destination bucket.
+                kms_key=kms_key,
+                # The storage class to use for the destination bucket.
+                storage_class=s3.StorageClass.INFREQUENT_ACCESS,
+                # Whether to replicate objects with SSE-KMS encryption.
+                sse_kms_encrypted_objects=False,
+                # Whether to replicate modifications on replicas.
+                replica_modifications=True,
+                # Whether to replicate delete markers.
+                # This property cannot be enabled if the replication rule has a tag filter.
+                delete_marker_replication=False,
+                # The ID of the rule.
+                id="full-settings-rule",
+                # The object filter for the rule.
+                filter=s3.Filter(
+                    # The prefix filter for the rule.
+                    prefix="prefix",
+                    # The tag filter for the rule.
+                    tags=[s3.Tag(
+                        key="tagKey",
+                        value="tagValue"
+                    )
+                    ]
+                )
+            )
+            ]
+        )
+    '''
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="FIFTEEN_MINUTES")
+    def FIFTEEN_MINUTES(cls) -> "ReplicationTimeValue":
+        '''Fifteen minutes.'''
+        return typing.cast("ReplicationTimeValue", jsii.sget(cls, "FIFTEEN_MINUTES"))
+
+    @builtins.property
+    @jsii.member(jsii_name="minutes")
+    def minutes(self) -> jsii.Number:
+        '''the time in minutes.'''
+        return typing.cast(jsii.Number, jsii.get(self, "minutes"))
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_s3.RoutingRule",
     jsii_struct_bases=[],
@@ -18916,6 +19575,30 @@ class BucketBase(
             check_type(argname="argument filters", value=filters, expected_type=typing.Tuple[type_hints["filters"], ...]) # pyright: ignore [reportGeneralTypeIssues]
         return typing.cast(None, jsii.invoke(self, "addObjectRemovedNotification", [dest, *filters]))
 
+    @jsii.member(jsii_name="addReplicationPolicy")
+    def add_replication_policy(
+        self,
+        role_arn: builtins.str,
+        access_control_transition: typing.Optional[builtins.bool] = None,
+        account: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Function to add required permissions to the destination bucket for cross account replication.
+
+        These permissions will be added as a resource based policy on the bucket
+
+        :param role_arn: -
+        :param access_control_transition: -
+        :param account: -
+
+        :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-accesscontroltranslation.html
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__2baf8c6982c06606b5434f658a8175f6838f55345a6d423d335af89dfa1728cd)
+            check_type(argname="argument role_arn", value=role_arn, expected_type=type_hints["role_arn"])
+            check_type(argname="argument access_control_transition", value=access_control_transition, expected_type=type_hints["access_control_transition"])
+            check_type(argname="argument account", value=account, expected_type=type_hints["account"])
+        return typing.cast(None, jsii.invoke(self, "addReplicationPolicy", [role_arn, access_control_transition, account]))
+
     @jsii.member(jsii_name="addToResourcePolicy")
     def add_to_resource_policy(
         self,
@@ -19515,6 +20198,18 @@ class BucketBase(
     def policy(self, value: typing.Optional[BucketPolicy]) -> None:
         ...
 
+    @builtins.property
+    @jsii.member(jsii_name="replicationRoleArn")
+    @abc.abstractmethod
+    def replication_role_arn(self) -> typing.Optional[builtins.str]:
+        '''Role used to set up permissions on this bucket for replication.'''
+        ...
+
+    @replication_role_arn.setter
+    @abc.abstractmethod
+    def replication_role_arn(self, value: typing.Optional[builtins.str]) -> None:
+        ...
+
 
 class _BucketBaseProxy(
     BucketBase,
@@ -19617,6 +20312,19 @@ class _BucketBaseProxy(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "policy", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="replicationRoleArn")
+    def replication_role_arn(self) -> typing.Optional[builtins.str]:
+        '''Role used to set up permissions on this bucket for replication.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "replicationRoleArn"))
+
+    @replication_role_arn.setter
+    def replication_role_arn(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__0f4abefa77a469d6581b7fbd2e412d7d2f099dc365ac4138047e78313165885b)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "replicationRoleArn", value) # pyright: ignore[reportArgumentType]
+
 # Adding a "__jsii_proxy_class__(): typing.Type" function to the abstract class
 typing.cast(typing.Any, BucketBase).__jsii_proxy_class__ = lambda : _BucketBaseProxy
 
@@ -19672,6 +20380,7 @@ class Bucket(
         object_ownership: typing.Optional[ObjectOwnership] = None,
         public_read_access: typing.Optional[builtins.bool] = None,
         removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
+        replication_rules: typing.Optional[typing.Sequence[typing.Union[ReplicationRule, typing.Dict[builtins.str, typing.Any]]]] = None,
         server_access_logs_bucket: typing.Optional[IBucket] = None,
         server_access_logs_prefix: typing.Optional[builtins.str] = None,
         target_object_key_format: typing.Optional[TargetObjectKeyFormat] = None,
@@ -19708,6 +20417,7 @@ class Bucket(
         :param object_ownership: The objectOwnership of the bucket. Default: - No ObjectOwnership configuration. By default, Amazon S3 sets Object Ownership to ``Bucket owner enforced``. This means ACLs are disabled and the bucket owner will own every object.
         :param public_read_access: Grants public read access to all objects in the bucket. Similar to calling ``bucket.grantPublicAccess()`` Default: false
         :param removal_policy: Policy to apply when the bucket is removed from this stack. Default: - The bucket will be orphaned.
+        :param replication_rules: A container for one or more replication rules. Default: - No replication
         :param server_access_logs_bucket: Destination bucket for the server access logs. Default: - If "serverAccessLogsPrefix" undefined - access logs disabled, otherwise - log to current bucket.
         :param server_access_logs_prefix: Optional log file prefix to use for the bucket's access logs. If defined without "serverAccessLogsBucket", enables access logs to current bucket with this prefix. Default: - No log file prefix
         :param target_object_key_format: Optional key format for log objects. Default: - the default key format is: [DestinationPrefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]
@@ -19746,6 +20456,7 @@ class Bucket(
             object_ownership=object_ownership,
             public_read_access=public_read_access,
             removal_policy=removal_policy,
+            replication_rules=replication_rules,
             server_access_logs_bucket=server_access_logs_bucket,
             server_access_logs_prefix=server_access_logs_prefix,
             target_object_key_format=target_object_key_format,
@@ -20126,6 +20837,19 @@ class Bucket(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "policy", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="replicationRoleArn")
+    def replication_role_arn(self) -> typing.Optional[builtins.str]:
+        '''Role used to set up permissions on this bucket for replication.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "replicationRoleArn"))
+
+    @replication_role_arn.setter
+    def replication_role_arn(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__3cb691a849de33681a4f0021424f266609c2785cf8cbf5306c98726a6230a9e2)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "replicationRoleArn", value) # pyright: ignore[reportArgumentType]
+
 
 __all__ = [
     "BlockPublicAccess",
@@ -20163,6 +20887,7 @@ __all__ = [
     "CfnStorageLensProps",
     "CorsRule",
     "EventType",
+    "Filter",
     "HttpMethods",
     "IBucket",
     "IBucketNotificationDestination",
@@ -20184,6 +20909,8 @@ __all__ = [
     "RedirectProtocol",
     "RedirectTarget",
     "ReplaceKey",
+    "ReplicationRule",
+    "ReplicationTimeValue",
     "RoutingRule",
     "RoutingRuleCondition",
     "StorageClass",
@@ -20321,6 +21048,7 @@ def _typecheckingstub__f2ff878f2dca3dd037442155369c2fcc7bd194425c0967a7fd7bfa576
     object_ownership: typing.Optional[ObjectOwnership] = None,
     public_read_access: typing.Optional[builtins.bool] = None,
     removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
+    replication_rules: typing.Optional[typing.Sequence[typing.Union[ReplicationRule, typing.Dict[builtins.str, typing.Any]]]] = None,
     server_access_logs_bucket: typing.Optional[IBucket] = None,
     server_access_logs_prefix: typing.Optional[builtins.str] = None,
     target_object_key_format: typing.Optional[TargetObjectKeyFormat] = None,
@@ -21781,12 +22509,26 @@ def _typecheckingstub__beafb715fedc4fd96130b462f30e56792d8aa655173f4d4fa2e8dcd77
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__ff4b8a813f6812ab1464fced92fa61b97e151767705973ce994c0970fde139df(
+    *,
+    prefix: typing.Optional[builtins.str] = None,
+    tags: typing.Optional[typing.Sequence[typing.Union[Tag, typing.Dict[builtins.str, typing.Any]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__eee382ff86c17d46379012dcccee86976ea92e15cb6d63c3e3f4e853c058ac53(
     value: typing.Optional[BucketPolicy],
 ) -> None:
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__45b20ede572212a5391ce58bc0693933ac9d1bc950c6cafac24d9b7d29ad1405(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__168148771b23de203b7e69eb1dbaf2f881de4c7cc276b7648b26fd4a3eddbcf0(
     event: EventType,
     dest: IBucketNotificationDestination,
@@ -21809,6 +22551,14 @@ def _typecheckingstub__4910aa7bbd431cf72fd4b6ab066e8ea5996c68d10a0bccf26fab5d478
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__6c2e7fc14ca3997ce00436db7203d2e5669fde630c0dd481f20a6192f12706c7(
+    role_arn: builtins.str,
+    access_control_transition: typing.Optional[builtins.bool] = None,
+    account: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__53d6461d1a4f06eb11f149b8578ad4a818c59103b2c6b4af84212b71aed4c24b(
     permission: _PolicyStatement_0fe33853,
 ) -> None:
@@ -22069,6 +22819,24 @@ def _typecheckingstub__080e6df7f96363149eb8dfbb9c1dcddefe96fd0ba7c0bb0e46fdbcf1b
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__2eb99af4044ffb625b707ac7ff5de3796f00ec1217ed24e21f6c240e90e846f0(
+    *,
+    destination: IBucket,
+    access_control_transition: typing.Optional[builtins.bool] = None,
+    delete_marker_replication: typing.Optional[builtins.bool] = None,
+    filter: typing.Optional[typing.Union[Filter, typing.Dict[builtins.str, typing.Any]]] = None,
+    id: typing.Optional[builtins.str] = None,
+    kms_key: typing.Optional[_IKey_5f11635f] = None,
+    metrics: typing.Optional[ReplicationTimeValue] = None,
+    priority: typing.Optional[jsii.Number] = None,
+    replica_modifications: typing.Optional[builtins.bool] = None,
+    replication_time_control: typing.Optional[ReplicationTimeValue] = None,
+    sse_kms_encrypted_objects: typing.Optional[builtins.bool] = None,
+    storage_class: typing.Optional[StorageClass] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__a8752d303f1211901bb201082ccfac00227de7385764f326153a028696cc3c69(
     *,
     condition: typing.Optional[typing.Union[RoutingRuleCondition, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -22165,6 +22933,14 @@ def _typecheckingstub__8f64f0928c3476db108d977ca1410bedef163a53d2b6d451e140ea634
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__2baf8c6982c06606b5434f658a8175f6838f55345a6d423d335af89dfa1728cd(
+    role_arn: builtins.str,
+    access_control_transition: typing.Optional[builtins.bool] = None,
+    account: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__9fb30c6ad4f147f97466d3202c95d1247eaa1236b9e36d84d77037fde8af5fb9(
     permission: _PolicyStatement_0fe33853,
 ) -> None:
@@ -22330,6 +23106,12 @@ def _typecheckingstub__1d54fb5dd19da2dbb943d620662efadde1df29be901c2f95b3ae6d389
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__0f4abefa77a469d6581b7fbd2e412d7d2f099dc365ac4138047e78313165885b(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__25f24cbf29544d9c579e765350a7b51ec4ec81bc2cc07a21660738a1e6bc81fe(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -22356,6 +23138,7 @@ def _typecheckingstub__25f24cbf29544d9c579e765350a7b51ec4ec81bc2cc07a21660738a1e
     object_ownership: typing.Optional[ObjectOwnership] = None,
     public_read_access: typing.Optional[builtins.bool] = None,
     removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
+    replication_rules: typing.Optional[typing.Sequence[typing.Union[ReplicationRule, typing.Dict[builtins.str, typing.Any]]]] = None,
     server_access_logs_bucket: typing.Optional[IBucket] = None,
     server_access_logs_prefix: typing.Optional[builtins.str] = None,
     target_object_key_format: typing.Optional[TargetObjectKeyFormat] = None,
@@ -22436,3 +23219,9 @@ def _typecheckingstub__afd8c4da1d866abcdc76879948bb11bd5a21a374e5ebf1e4445208dec
 ) -> None:
     """Type checking stubs"""
     pass
+
+def _typecheckingstub__3cb691a849de33681a4f0021424f266609c2785cf8cbf5306c98726a6230a9e2(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass