Fatskills
Practice. Master. Repeat.
Study Guide: TECH **AWS S3 Lifecycle Policies & Replication (CRR, SRR) – Zero-Fluff Study Guide**
Source: https://www.fatskills.com/aws-certified-solutions-architect-associate/chapter/tech-aws-s3-lifecycle-policies-replication-crr-srr-zero-fluff-study-guide

TECH **AWS S3 Lifecycle Policies & Replication (CRR, SRR) – Zero-Fluff Study Guide**

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~8 min read

AWS S3 Lifecycle Policies & Replication (CRR, SRR) – Zero-Fluff Study Guide

For AWS Solutions Architect – Associate (SAA-C03) and Real-World Deployments


1. What This Is & Why It Matters

You’re a cloud engineer at a SaaS company. Your team stores 10TB of user-uploaded files in S3—logs, backups, and media assets. Over time: - Costs explode because old files sit in expensive Standard storage.
- Compliance audits fail because you can’t prove data is retained (or deleted) per policy.
- A region outage wipes out critical backups because they weren’t replicated.

S3 Lifecycle Policies and Replication (CRR/SRR) are your tools to: ✅ Slash storage costs by automatically moving data to cheaper tiers (e.g., Glacier Deep Archive).
Enforce retention/deletion rules (e.g., "Delete logs after 90 days").
Survive regional disasters by replicating data to another AWS region (CRR) or account (SRR).

Ignoring this?
- Your AWS bill will look like a phone number.
- You’ll fail compliance (GDPR, HIPAA, SOC2).
- A single AZ failure could mean permanent data loss.


2. Core Concepts & Components


? S3 Storage Classes

Class Use Case Cost Retrieval Time Production Insight
Standard Frequently accessed data $$$ Milliseconds Default class—expensive for long-term storage.
Intelligent-Tiering Unknown/fluctuating access patterns $$ Milliseconds Auto-moves data between frequent/infrequent tiers.
Standard-IA Long-lived, infrequently accessed $ Milliseconds 30-day minimum charge—don’t use for short-lived data.
One Zone-IA Non-critical, single-AZ data $ Milliseconds 20% cheaper than Standard-IA but not resilient to AZ failures.
Glacier Instant Retrieval Long-term backups, rarely accessed ¢ Milliseconds Faster than Glacier Flexible but more expensive.
Glacier Flexible Retrieval Archive data (accessed 1-2x/year) ¢ Minutes to hours Cheapest but slow retrieval (3-5 hours for bulk).
Glacier Deep Archive Compliance archives (accessed <1x/year) ¢ 12+ hours Penny-per-GB but retrieval takes half a day.

Production Insight:
- Never store short-lived data (e.g., logs <30 days) in Standard-IA—you’ll pay the 30-day minimum charge.
- Glacier Deep Archive is cheaper than tape—use it for 7+ year retention (e.g., medical records).


? S3 Lifecycle Policies

Definition: Rules that automatically transition or expire objects based on age or tags.
Key Actions:
- Transition: Move to a cheaper storage class (e.g., StandardGlacier).
- Expiration: Permanently delete objects (e.g., "Delete logs after 90 days").
- Noncurrent Version Expiration: Delete old versions of objects (for versioned buckets).

Production Insight:
- Lifecycle policies are free—but misconfigurations cost thousands.
- Always test with a small subset of data before applying to production.


? S3 Replication (CRR & SRR)

Type Full Name Use Case Production Insight
CRR Cross-Region Replication Disaster recovery, compliance Replicates to another AWS region (e.g., us-east-1eu-west-1).
SRR Same-Region Replication Log aggregation, multi-account access Replicates within the same region (e.g., us-east-1us-east-1 in another account).

Key Requirements:
1. Source and destination buckets must have versioning enabled.
2. IAM role must have s3:GetObject (source) and s3:ReplicateObject (destination).
3. Replication only applies to new objects (unless you use S3 Batch Operations to backfill).

Production Insight:
- CRR is not a backup—if you delete an object in the source, it deletes in the destination (unless you use MFA Delete).
- SRR is great for multi-account setups (e.g., centralizing logs from dev/staging/prod accounts).


3. Step-by-Step Hands-On: Deploy a Lifecycle Policy + CRR


Prerequisites

✅ AWS account with admin IAM permissions.
✅ Two S3 buckets (one source, one destination for CRR).
✅ AWS CLI installed (aws --version).


Task 1: Create a Lifecycle Policy (Move Old Logs to Glacier)

Goal: Automatically move logs older than 30 days to Glacier Flexible Retrieval and delete them after 365 days.


Step 1: Create a Bucket (if you don’t have one)

aws s3api create-bucket --bucket my-logs-bucket-$(date +%s) --region us-east-1

Step 2: Enable Versioning (Required for Lifecycle Rules)

aws s3api put-bucket-versioning --bucket my-logs-bucket-123456789 --versioning-configuration Status=Enabled

Step 3: Upload Test Data

echo "Test log entry" > test-log.txt
aws s3 cp test-log.txt s3://my-logs-bucket-123456789/logs/2023-10-01.log

Step 4: Create a Lifecycle Policy JSON File

{
  "Rules": [
{
"ID": "MoveOldLogsToGlacier",
"Status": "Enabled",
"Filter": {
"Prefix": "logs/"
},
"Transitions": [
{
"Days": 30,
"StorageClass": "GLACIER"
}
],
"Expiration": {
"Days": 365
}
} ] }

Save as lifecycle-policy.json.


Step 5: Apply the Policy

aws s3api put-bucket-lifecycle-configuration \
  --bucket my-logs-bucket-123456789 \
  --lifecycle-configuration file://lifecycle-policy.json

Step 6: Verify the Policy

aws s3api get-bucket-lifecycle-configuration --bucket my-logs-bucket-123456789

Expected Output:


{
  "Rules": [
{
"ID": "MoveOldLogsToGlacier",
"Status": "Enabled",
"Filter": { "Prefix": "logs/" },
"Transitions": [ { "Days": 30, "StorageClass": "GLACIER" } ],
"Expiration": { "Days": 365 }
} ] }


Task 2: Set Up Cross-Region Replication (CRR)

Goal: Replicate all objects from us-east-1 to eu-west-1 for disaster recovery.


Step 1: Create a Destination Bucket (in eu-west-1)

aws s3api create-bucket --bucket my-logs-bucket-replica-$(date +%s) --region eu-west-1 --create-bucket-configuration LocationConstraint=eu-west-1

Step 2: Enable Versioning on Destination Bucket

aws s3api put-bucket-versioning --bucket my-logs-bucket-replica-123456789 --versioning-configuration Status=Enabled --region eu-west-1

Step 3: Create an IAM Role for Replication

  1. Create a trust policy (trust-policy.json):
{
  "Version": "2012-10-17",
  "Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "s3.amazonaws.com" },
"Action": "sts:AssumeRole"
} ] }
  1. Create the role:
aws iam create-role --role-name S3ReplicationRole --assume-role-policy-document file://trust-policy.json
  1. Attach the S3 replication policy (replication-policy.json):
{
  "Version": "2012-10-17",
  "Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetReplicationConfiguration",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::my-logs-bucket-123456789"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionTagging",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectTagging",
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ReplicateTags"
],
"Resource": [
"arn:aws:s3:::my-logs-bucket-123456789/*",
"arn:aws:s3:::my-logs-bucket-replica-123456789/*"
]
} ] }
  1. Attach the policy to the role:
aws iam put-role-policy --role-name S3ReplicationRole --policy-name S3ReplicationPolicy --policy-document file://replication-policy.json

Step 4: Configure Replication on the Source Bucket

{
  "Role": "arn:aws:iam::123456789012:role/S3ReplicationRole",
  "Rules": [
{
"ID": "ReplicateAllLogs",
"Status": "Enabled",
"Priority": 1,
"Filter": { "Prefix": "logs/" },
"Destination": {
"Bucket": "arn:aws:s3:::my-logs-bucket-replica-123456789",
"StorageClass": "STANDARD"
}
} ] }

Save as replication-config.json.


Step 5: Apply the Replication Config

aws s3api put-bucket-replication --bucket my-logs-bucket-123456789 --replication-configuration file://replication-config.json

Step 6: Test Replication

  1. Upload a new file to the source bucket:
echo "Replication test" > test-replication.txt
aws s3 cp test-replication.txt s3://my-logs-bucket-123456789/logs/
  1. Check the destination bucket after ~1 minute:
aws s3 ls s3://my-logs-bucket-replica-123456789/logs/ --region eu-west-1

Expected Output:


2023-10-01 12:00:00         18 test-replication.txt


4. ? Production-Ready Best Practices


? Security

  • Least privilege IAM roles: Only grant s3:ReplicateObject to the replication role.
  • Enable S3 Block Public Access on both source and destination buckets.
  • Use VPC endpoints for replication to avoid public internet exposure.
  • Enable S3 Object Lock for compliance (e.g., WORM—Write Once, Read Many).

? Cost Optimization

  • Use Intelligent-Tiering for unpredictable access patterns (avoids overpaying for Standard).
  • Avoid Standard-IA for short-lived data (30-day minimum charge).
  • Monitor StorageClassAnalysis to identify misplaced objects: bash aws s3api put-bucket-analytics-configuration --bucket my-bucket --id "MoveToGlacier" --analytics-configuration file://analytics-config.json
  • Delete incomplete multipart uploads (they incur storage costs): bash aws s3api put-bucket-lifecycle-configuration --bucket my-bucket --lifecycle-configuration '{
    "Rules": [{
    "ID": "DeleteIncompleteUploads",
    "Status": "Enabled",
    "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": 7 }
    }] }'

? Reliability & Maintainability

  • Tag buckets and objects for cost allocation and lifecycle rules: bash aws s3api put-object-tagging --bucket my-bucket --key "logs/2023-10-01.log" --tagging 'TagSet=[{Key=Environment,Value=Prod}]'
  • Use Prefix in lifecycle rules to target specific folders (e.g., logs/).
  • Test replication with S3 Batch Operations to backfill existing objects: bash aws s3control create-job --account-id 123456789012 --operation '{
    "S3ReplicateObject": {} }' --report '{
    "Bucket": "arn:aws:s3:::my-replication-report-bucket",
    "Prefix": "replication-job-report",
    "Format": "Report_CSV_20180820" }' --manifest '{
    "Spec": {
    "Format": "S3BatchOperations_CSV_20180820",
    "Fields": ["Bucket", "Key"]
    },
    "Location": {
    "ObjectArn": "arn:aws:s3:::my-manifest-bucket/manifest.csv",
    "ETag": "etag-from-manifest-file"
    } }' --priority 10

? Observability

  • Monitor replication lag with CloudWatch metrics:
  • ReplicationLatency (time between upload and replication).
  • BytesPendingReplication (objects stuck in queue).
  • Set up S3 Event Notifications for failed replications: bash aws s3api put-bucket-notification-configuration --bucket my-bucket --notification-configuration '{
    "EventBridgeConfiguration": {} }'
  • Use S3 Inventory to track object storage classes and replication status: bash aws s3api put-bucket-inventory-configuration --bucket my-bucket --id "WeeklyInventory" --inventory-configuration '{
    "Destination": {
    "S3BucketDestination": {
    "Bucket": "arn:aws:s3:::my-inventory-bucket",
    "Prefix": "inventory-reports",
    "Format": "CSV"
    }
    },
    "IsEnabled": true,
    "Filter": { "Prefix": "logs/" },
    "Id": "WeeklyInventory",
    "IncludedObjectVersions": "Current",
    "Schedule": { "Frequency": "Weekly" },
    "OptionalFields": ["Size", "StorageClass", "ReplicationStatus"] }'


5. ⚠️ Common Mistakes & Traps

Mistake Symptom Fix/Prevention
Not enabling versioning Lifecycle rules fail silently. Always enable versioning before applying lifecycle policies.
Using Standard-IA for short-lived data Paying 30-day minimum charge for 1-day files. Use Intelligent-Tiering or Standard for <30-day data.
Forgetting to test replication Objects never appear in destination bucket. Upload a test file and verify replication within 5 minutes.
Replicating to the same region (CRR vs. SRR mixup) Accidentally replicating within us-east-1 instead of eu-west-1. Double-check destination bucket region.
Not setting up IAM permissions correctly AccessDenied errors in replication. Use the exact IAM policy from the AWS docs.
Deleting objects in source deletes them in destination Accidental deletions propagate. Enable MFA Delete or use S3 Object Lock for critical data.


6. ? Exam/Certification Focus (SAA-C03)


Typical Question Patterns

  1. "Which S3 storage class is best for long-term backups accessed once a year?"
  2. Glacier Deep Archive (cheapest, 12+ hour retrieval).
  3. Glacier Flexible Retrieval (faster but more expensive).
  4. Standard-IA (too expensive for rare access).

  5. "How do you ensure objects are replicated to another region for disaster recovery?"

  6. Enable CRR (Cross-Region Replication) with versioning.
  7. Use S3 Transfer Acceleration (speeds up uploads, doesn’t replicate).
  8. Enable S3 Versioning alone (only protects against accidental deletions).

  9. "A company wants to delete logs after 90 days. What’s the most cost-effective way?"

  10. Lifecycle policy: StandardGlacier (30 days) → Expiration (90 days).
  11. Manually delete logs (error-prone, not scalable).
  12. Use Standard-IA for 90 days (30-day minimum charge = overpaying).

⚠️ Trap Distinctions

Concept Key Difference Exam Trap
CRR vs. SRR CRR = cross-region, SRR = same-region. SRR won’t protect against regional outages.
Lifecycle Transitions StandardStandard-IA (30 days min) vs. StandardGlacier (no min). Don’t use Standard-IA for <30-day data.
Replication Requirements Versioning must be enabled on both buckets. If versioning is off, replication fails silently.
S3 Object Lock WORM (Write Once, Read Many) for compliance. Not the same as versioning—prevents deletions.


7. ? Hands-On Challenge (With Solution)


Challenge

"You have a bucket (my-app-logs) with 10,000 log files. You need to: 1. Move logs older than 30 days to Glacier Flexible Retrieval.



ADVERTISEMENT