S3

Features

It is one of the core or foundational storage services from Amazon that lets AWS account users store files as objects in buckets where Buckets are storage containers.

It stores data across multiple availability zone and enable URL Access for the bucket as well as objects inside it

It offers the ability to configure rules for data lifecycle such as expiration time kinda like of OneDrive links that can expire

It can also be used to host static content, so a website can entirely be hosted inside s3. Note that the nomenclature for such is of the format of https://<bucket-name>.s3-website.<region>.amazonaws.com/<object-name>.<object-extension>

Cross Region Replication of buckets and objects inside the bucket is available for backup and availability across multiple regions, but that requires versioning of source and destination buckets to be enabled as well as an IAM role might to perform the replication between the two buckets is required.

Storage Classes

S3 provides the following storage classes for different use cases:

• Non-Archival Storage Classes

  • S3 Standard: Default storage class, used for frequently accessed data

  • S3 Intelligent-Tiering: Applied on a object and moves those objects to the correct storage class based on usage i.e., moves objects in s3 buckets automatically based on whether it is frequent access or infrequent access. If an object is not accessed for 30 days, IA will move the object into Infrequent access tier, If not accessed for 90 days, Glacier Archive and if not accessed for 180 days, it would be moved to Glacier Deep Archive.

  • S3 Standard-Infrequent Access: For infrequently accessed data with standard resilience i.e., it combines the lower cost of Infrequent access along with resiliency of multiple Availability Zones

  • S3 One Zone-Infrequent Access: Same as above just with one availability Zone

• Archival Storage Classes

  • S3 Glacier Instant Retrieval: Retrieval time is higher i.e, in milliseconds. Doesn't require frequent access, but when access is required, it is required instantly

  • S3 Glacier Flexible Retrieval: Flexible in such a time that it can have configurable retrieval times from minutes to hours. It is recommended for backup and Disaster Recovery

  • S3 Glacier Deep Archive: Deep archive that has retrieval time within 12 hours. It is recommended to hold some data for many years maybe for compliance requirement but cost is more important than retrieval times

S3 Lifecycle Policies

The objects in a bucket can be moved to another storage classes based on the criteria set by the AWS account user. The criteria can be time-based.

It also enables to delete objects based on age. The policies can also factor in versions of a specific object in the bucket, so the policy can set to delete a object that is not current version after a certain period of time

S3 Transfer Acceleration

It is a feature that can be enabled per bucket that allows for faster upload of data using the AWS Edge locations as a part of AWS CloudFront

ACL in S3

Note that Access Control in S3 can be applied through various ways., which can be:

IAM Policies -> S3 bucket and IAM User has to be in the same aws account

Bucket Policies -> Can be used to provide cross account access

Access Control List -> Can be set on bucket and objects in bucket

• READ

  • When applied on bucket, READ ACL allows user to list all objects in the bucket

  • When applied on Object, READ ACL allows user to retrieve the content of objects and object meta-data

• READ_ACP

  • When applied, READ_ACP allows user to read the Access Control Policy

• WRITE

  • When applied, WRITE ACL allows user to write an object (Bucket must have write permission)

• WRITE_ACP

  • When applied, WRITE_ACP ACL allows user user to write ACL of object and bucket.

• FULL_CONTROL

  • It allows all the above permissions

ACL is deployed using Grantee as explained below:

ACL Example:

// Here Type needs to have ID, Group needs to have URI

{
    "Grants": [
        {
            "Grantee": {
                "Type": "CanonicalUser",
                "ID": "AWS_ACCOUNT_ID"
            },
            "Permission": "FULL_CONTROL"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
            },
            "Permission": "WRITE"
        },
        {
            "Grantee": {
                "Type": "AmazonCustomerByEmail",
                "EmailAddress": "exampleuser@example.com"
            },
            "Permission": "READ"
        }
    ],
    "Owner": {
        "ID": "AWS_ACCOUNT_ID"
    }
}

Steps for creating S3 and exercising access control using bucket policy:

Resource Based policy for S3 Buckets