Control: AWS > PCI v3.2.1 > S3 > 3 S3 buckets should have cross-region replication enabled

This control checks whether S3 buckets have cross-region replication enabled.

PCI DSS does not require data replication or highly available configurations. However, this check aligns with AWS best practices for this control.

In addition to availability, you should consider other systems hardening settings.

Remediation

Open the Amazon S3 console.
Choose the S3 bucket that does not have cross-region replication enabled.
Choose Management, then choose Replication.
Choose Add rule. If versioning is not already enabled, you are prompted to enable it.
Choose your source bucket - Entire bucket.
Choose your destination bucket. If versioning is not already enabled on the destination bucket for your account, you are prompted to enable it.
Choose an IAM role. For more information on setting up permissions for replication, see the Amazon Simple Storage Service Developer Guide.
Enter a rule name, choose Enabled for the status, then choose Next.
Choose Save

PCI requirement(s): 2.2

Resource Types

This control targets the following resource types:

Control Type URI

tmod:@turbot/aws-pciv3-2-1#/control/types/s3BucketCrossRegionReplicationEnabled

Category URI

tmod:@turbot/turbot#/control/categories/compliancePci

GraphQL

query controlType(id: "tmod:@turbot/aws-pciv3-2-1#/control/types/s3BucketCrossRegionReplicationEnabled") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-pciv3-2-1#/control/types/s3BucketCrossRegionReplicationEnabled'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/s3BucketCrossRegionReplicationEnabled"