Set up S3 CUR Bucket replication

Create S3 bucket in Governance account for aggregated CUR data

These actions should be done in the Governance account.

  1. Create an S3 bucket with versioning enabled, in a region where QuickSight is available.
  2. Open the S3 bucket and apply the following bucket policy, replacing the placeholders {PayerAccountA}, {PayerAccountB} and {BucketName}. Add more payer accounts to the Principal lists if needed. Note that a bare account ID as Principal means the account root, i.e. any IAM principal in that payer account whose own policy allows these actions; once the replication roles exist (created in the next section) you can tighten each Principal to the replication role ARN instead.
{
    "Version": "2012-10-17",
    "Id": "PolicyForCombinedBucket",
    "Statement": [
        {
            "Sid": "Set permissions for objects",
            "Effect": "Allow",
            "Principal": {
                "AWS": ["{PayerAccountA}","{PayerAccountB}"]
            },
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:ObjectOwnerOverrideToBucketOwner",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::{BucketName}/*"
        },
        {
            "Sid": "Set permissions on bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": ["{PayerAccountA}","{PayerAccountB}"]
            },
            "Action": [
                "s3:List*",
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning"
            ],
            "Resource": "arn:aws:s3:::{BucketName}"
        }
    ]
}

This policy covers objects that are unencrypted or encrypted with SSE-S3. The s3:Replicate* and s3:ObjectOwnerOverrideToBucketOwner actions are used by the replication role in each payer account; s3:PutObject is needed for the one-off copy of existing objects in the last section. For SSE-KMS encrypted objects, additional policy statements (including access to the KMS keys on both sides) and additional replication configuration are needed: see https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html
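As an added example that is not part of the original runbook, the following script performs the two steps above from the AWS CLI in the Governance account: it creates the versioned bucket, blocks public access, sets Object Ownership to "bucket owner enforced" (so replicas and synced objects are owned by the Governance account regardless of ACLs; the canned bucket-owner-full-control ACL used later is still accepted in that mode), then renders and applies the bucket policy. The bucket name gov-cur-aggregate, the region and the account IDs are assumptions. Principals are passed in as ARNs so the same function can be re-run with the replication role ARNs once those roles exist.

```shell
#!/bin/sh
# Added example (not part of the original runbook). Creates the aggregated CUR
# bucket in the Governance account and applies the replication bucket policy.
# Assumed names: bucket gov-cur-aggregate, region us-east-1, payer accounts
# 111111111111 and 222222222222.
set -eu

# Render the destination bucket policy. Arguments: bucket name, then one or
# more principal ARNs. Use "arn:aws:iam::<payer>:root" before the replication
# roles exist; re-run with the role ARNs later to tighten the policy.
render_destination_bucket_policy() {
  bucket="$1"; shift
  principals=""
  for arn in "$@"; do
    principals="${principals}${principals:+,}\"${arn}\""
  done
  cat <<EOF
{
  "Version": "2012-10-17",
  "Id": "PolicyForCombinedBucket",
  "Statement": [
    {
      "Sid": "ReplicationObjectPermissions",
      "Effect": "Allow",
      "Principal": {"AWS": [${principals}]},
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:ObjectOwnerOverrideToBucketOwner",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::${bucket}/*"
    },
    {
      "Sid": "ReplicationBucketPermissions",
      "Effect": "Allow",
      "Principal": {"AWS": [${principals}]},
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning"
      ],
      "Resource": "arn:aws:s3:::${bucket}"
    }
  ]
}
EOF
}

# Create and harden the bucket, then apply the rendered policy.
# Arguments: bucket name, region, then the principal ARNs for the policy.
apply_governance_bucket() {
  bucket="$1"; region="$2"; shift 2
  if [ "$region" = "us-east-1" ]; then
    aws s3api create-bucket --bucket "$bucket" --region "$region"
  else
    aws s3api create-bucket --bucket "$bucket" --region "$region" \
      --create-bucket-configuration "LocationConstraint=${region}"
  fi
  # Replication requires a versioned destination bucket.
  aws s3api put-bucket-versioning --bucket "$bucket" \
    --versioning-configuration Status=Enabled
  aws s3api put-public-access-block --bucket "$bucket" \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  # Bucket owner enforced: every object is owned by this account, so the
  # ownership override in the replication rule and the canned ACL on the sync
  # become belt-and-braces rather than requirements.
  aws s3api put-bucket-ownership-controls --bucket "$bucket" \
    --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'
  policy_file=$(mktemp)
  render_destination_bucket_policy "$bucket" "$@" > "$policy_file"
  aws s3api put-bucket-policy --bucket "$bucket" --policy "file://${policy_file}"
}

# Usage: sh governance-bucket.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_governance_bucket gov-cur-aggregate us-east-1 \
    arn:aws:iam::111111111111:root arn:aws:iam::222222222222:root
fi
```

Running the script with no argument only defines the functions, so `render_destination_bucket_policy` can be used on its own to review the policy before anything is applied.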

Set up S3 bucket replication from each Payer (Management) account to the S3 bucket in the Governance account

This step should be done in each payer (management) account.

  1. Open the S3 bucket that holds the CUR.
  2. On the Properties tab, under Bucket Versioning, click Edit and set bucket versioning to Enabled.
  3. On the Management tab, under Replication rules, click Create replication rule.
  4. Specify a rule name.
  5. Select Specify a bucket in another account and provide the Governance account ID and the name of the bucket in the Governance account.
  6. Select the Change object ownership to destination bucket owner checkbox.
  7. Under IAM role, select Create new role.
  8. Leave the remaining settings at their defaults and click Save.

The rule only applies to objects written after it is created; existing reports are copied in the next section.

Copy existing objects from the CUR S3 bucket to the S3 bucket in the Governance account

This step should be done in each payer (management) account.

  1. Sync the existing objects from the CUR S3 bucket to the S3 bucket in the Governance account. The --acl bucket-owner-full-control option is what gives the Governance account ownership of the copied objects; without it they would be owned by the payer account and unreadable there.
aws s3 sync s3://{curBucketName} s3://{GovernanceAccountBucketName} --acl bucket-owner-full-control

After performing this step in each payer (management) account, the S3 bucket in the Governance account will contain CUR data from all payer accounts under their respective prefixes. Both replication and the sync keep object keys unchanged, so the CUR report path prefix (or report name) must be different in each payer account; otherwise objects from different payers land under the same keys and overwrite each other.
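As an added example that is not part of the original runbook, the script below is the CLI equivalent of the replication section and the copy section above, run with payer (management) account credentials: it creates the replication role with a trust policy limited to the S3 service and permissions scoped to the one source and one destination bucket, enables versioning, attaches a replication rule with the owner override, and back-fills the existing reports. It also includes a check to run afterwards with Governance account credentials that lists any destination objects not owned by the Governance account. All names are assumptions: source bucket payer-cur-bucket, destination bucket gov-cur-aggregate, Governance account 333333333333, role cur-replication-role.

```shell
#!/bin/sh
# Added example (not part of the original runbook): the console steps done with
# the AWS CLI under payer (management) account credentials, plus the back-fill
# sync and an ownership check. Assumed names: payer-cur-bucket,
# gov-cur-aggregate, Governance account 333333333333, role cur-replication-role.
set -eu

# Trust policy: only the S3 service may assume the replication role.
render_replication_trust_policy() {
  cat <<'EOF'
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "s3.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
EOF
}

# Role permissions scoped to one source and one destination bucket
# (the console-created role grants the same actions, less specifically).
render_replication_role_policy() {
  src="$1"; dst="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::${src}"},
    {"Effect": "Allow",
     "Action": ["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging"],
     "Resource": "arn:aws:s3:::${src}/*"},
    {"Effect": "Allow",
     "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags",
                "s3:ObjectOwnerOverrideToBucketOwner"],
     "Resource": "arn:aws:s3:::${dst}/*"}
  ]
}
EOF
}

# Replication rule for the whole bucket. AccessControlTranslation is the
# "Change object ownership to destination bucket owner" checkbox.
render_replication_config() {
  role_arn="$1"; dst="$2"; dst_account="$3"
  cat <<EOF
{
  "Role": "${role_arn}",
  "Rules": [{
    "ID": "cur-to-governance", "Status": "Enabled", "Priority": 1,
    "Filter": {"Prefix": ""},
    "DeleteMarkerReplication": {"Status": "Disabled"},
    "Destination": {
      "Bucket": "arn:aws:s3:::${dst}",
      "Account": "${dst_account}",
      "AccessControlTranslation": {"Owner": "Destination"}
    }
  }]
}
EOF
}

apply_payer_replication() {
  src="$1"; dst="$2"; dst_account="$3"; role_name="$4"
  tmp=$(mktemp -d)
  render_replication_trust_policy > "$tmp/trust.json"
  render_replication_role_policy "$src" "$dst" > "$tmp/perms.json"
  role_arn=$(aws iam create-role --role-name "$role_name" \
    --assume-role-policy-document "file://$tmp/trust.json" \
    --query Role.Arn --output text)
  aws iam put-role-policy --role-name "$role_name" \
    --policy-name cur-replication --policy-document "file://$tmp/perms.json"
  # IAM is eventually consistent; if put-bucket-replication still rejects the
  # role right after this, wait a little and retry it.
  aws iam wait role-exists --role-name "$role_name"
  aws s3api put-bucket-versioning --bucket "$src" \
    --versioning-configuration Status=Enabled
  render_replication_config "$role_arn" "$dst" "$dst_account" > "$tmp/replication.json"
  aws s3api put-bucket-replication --bucket "$src" \
    --replication-configuration "file://$tmp/replication.json"
  # The rule only covers objects written from now on; copy the history and
  # hand ownership of the copies to the Governance account.
  aws s3 sync "s3://$src" "s3://$dst" --acl bucket-owner-full-control
}

# Run with Governance account credentials after every payer has synced: prints
# destination keys whose owner is not the Governance account (none expected).
find_foreign_owned_objects() {
  me=$(aws s3api list-buckets --query Owner.ID --output text)
  aws s3api list-objects-v2 --bucket "$1" --fetch-owner \
    --query "Contents[?Owner.ID!='${me}'].Key" --output text
}

# Usage: sh payer-replication.sh apply   (payer account)
#        sh payer-replication.sh verify  (Governance account)
case "${1:-}" in
  apply)  apply_payer_replication payer-cur-bucket gov-cur-aggregate \
            333333333333 cur-replication-role ;;
  verify) find_foreign_owned_objects gov-cur-aggregate ;;
esac
```

Keeping DeleteMarkerReplication disabled means a deletion in a payer bucket does not remove the replica, which is the conservative choice for billing history; the three render functions can be run on their own to review the role and rule before anything is applied.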