S3 Storage for DR — Implementation Details
Cross-Region S3 Access
The secondary cluster requires read access to the primary's S3 bucket for DR recovery. This is implemented via an IAM policy statement attached to the secondary's IRSA role:
```json
{
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:ListBucket"
  ],
  "Resource": [
    "arn:aws:s3:::${var.dr_primary_s3_bucket}",
    "arn:aws:s3:::${var.dr_primary_s3_bucket}/*"
  ]
}
```
Security controls:
Read-only access (no write/delete to primary bucket)
Bucket policy requires aws:SecureTransport (HTTPS only)
Access logged via S3 server access logging or CloudTrail
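The first two controls above can be checked mechanically in review or CI. The following is an added example, not code from the original page or project: the function names, the bucket name `example-dr-primary` (standing in for `var.dr_primary_s3_bucket`) and the sample bucket policy are assumptions constructed for illustration, and the Deny statement's Resource scope is not checked.

```python
from fnmatch import fnmatchcase

# Constructed sample value: stands in for var.dr_primary_s3_bucket.
BUCKET = "example-dr-primary"
READ_ONLY = {"s3:getobject", "s3:listbucket"}  # the two actions the page grants

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_read_statement(stmt, bucket):
    """Findings for the IAM statement on the secondary's role (empty list = matches the page)."""
    findings = []
    if stmt.get("Effect") != "Allow" or "NotAction" in stmt or "NotResource" in stmt:
        findings.append("expected a plain Allow with Action and Resource")
    extra = sorted(a for a in as_list(stmt.get("Action", [])) if a.lower() not in READ_ONLY)
    if extra:
        findings.append("actions beyond read-only: " + ", ".join(extra))
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    stray = sorted(set(as_list(stmt.get("Resource", []))) - allowed)
    if stray:
        findings.append("resources outside the primary bucket: " + ", ".join(stray))
    return findings

def denies_plain_http(bucket_policy, action="s3:GetObject"):
    """True if a Deny for every principal covers `action` when aws:SecureTransport is false."""
    for stmt in as_list(bucket_policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        patterns = [p.lower() for p in as_list(stmt.get("Action", []))]
        if not any(fnmatchcase(action.lower(), p) for p in patterns):
            continue  # this Deny does not cover the action we care about
        # Condition keys are case-insensitive; the value may be a string, bool or list.
        bools = {k.lower(): v for k, v in stmt.get("Condition", {}).get("Bool", {}).items()}
        if any(str(v).lower() == "false" for v in as_list(bools.get("aws:securetransport"))):
            return True
    return False

PAGE_STATEMENT = {  # the statement from the page with the variable resolved
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
}
# Constructed bucket policy using the common deny-non-TLS pattern.
HTTPS_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
}]}

if __name__ == "__main__":
    print(audit_read_statement(PAGE_STATEMENT, BUCKET), denies_plain_http(HTTPS_ONLY_POLICY))
```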