S3

Features

It is one of the core or foundational storage services from Amazon that lets AWS account users store files as objects in buckets where Buckets are storage containers.

It stores data across multiple availability zone and enable URL Access for the bucket as well as objects inside it

It offers the ability to configure rules for data lifecycle such as expiration time kinda like of OneDrive links that can expire

It can also be used to host static content, so a website can entirely be hosted inside s3. Note that the nomenclature for such is of the format of https://<bucket-name>.s3-website.<region>.amazonaws.com/<object-name>.<object-extension>

Cross Region Replication of buckets and objects inside the bucket is available for backup and availability across multiple regions, but that requires versioning of source and destination buckets to be enabled as well as an IAM role might to perform the replication between the two buckets is required.

Note even though the bucket can be present in an availability zone, its name has to be globally unique

Object locking in S3 is supported where the data cannot be deleted, rewritten, or tampered with. It follows WORM philosophy of Write Once and Read Many, particularly useful to establish the inherent trust in data by an unchangeable permanent copy of data for auditing or record-keeping to meet compliance or regulatory requirements. They are a special choice to prove integrity of data when an organization is hit by ransomware attacks. The objects cannot be tampered, either for a set period (retention) or indefinitely until the lock is removed.

Storage Classes

S3 provides the following storage classes for different use cases:

Non-Archival Storage Classes
- S3 Standard: Default storage class, used for frequently accessed data
- S3 Intelligent-Tiering: Applied on a object and moves those objects to the correct storage class based on usage i.e., moves objects in s3 buckets automatically based on whether it is frequent access or infrequent access. If an object is not accessed for 30 days, IA will move the object into Infrequent access tier, If not accessed for 90 days, Glacier Archive and if not accessed for 180 days, it would be moved to Glacier Deep Archive.
- S3 Standard-Infrequent Access: For infrequently accessed data with standard resilience i.e., it combines the lower cost of Infrequent access along with resiliency of multiple Availability Zones
- S3 One Zone-Infrequent Access: Same as above just with one availability Zone
Archival Storage Classes
- S3 Glacier Instant Retrieval: Retrieval time is higher i.e, in milliseconds. Doesn't require frequent access, but when access is required, it is required instantly
- S3 Glacier Flexible Retrieval: Flexible in such a time that it can have configurable retrieval times from minutes to hours. It is recommended for backup and Disaster Recovery
- S3 Glacier Deep Archive: Deep archive that has retrieval time within 12 hours. It is recommended to hold some data for many years maybe for compliance requirement but cost is more important than retrieval times

S3 Lifecycle Policies

The objects in a bucket can be moved to another storage classes based on the criteria set by the AWS account user. The criteria can be time-based.

It also enables to delete objects based on age. The policies can also factor in versions of a specific object in the bucket, so the policy can set to delete a object that is not current version after a certain period of time

S3 Transfer Acceleration

It is a feature that can be enabled per bucket that allows for faster upload of data using the AWS Edge locations as a part of AWS CloudFront

Note that S3 supports bucket as well as objects level logging to know about the details of when they were accessed, who accessed them etc using AWS CloudTrail

ACL in S3

Note that Access Control in S3 can be applied through various ways., which can be:

IAM Policies -> S3 bucket and IAM User has to be in the same aws account

Bucket Policies -> Can be used to provide cross account access

Access Control List -> Can be set on bucket and objects in bucket

READ
- When applied on bucket, READ ACL allows user to list all objects in the bucket
- When applied on Object, READ ACL allows user to retrieve the content of objects and object meta-data
READ_ACP
- When applied, READ_ACP allows user to read the Access Control Policy
WRITE
- When applied, WRITE ACL allows user to write an object (Bucket must have write permission)
WRITE_ACP
- When applied, WRITE_ACP ACL allows user user to write ACL of object and bucket.
FULL_CONTROL
- It allows all the above permissions

ACL is deployed using Grantee as explained below:

ACL Example:

// Here Type needs to have ID, Group needs to have URI

{
    "Grants": [
        {
            "Grantee": {
                "Type": "CanonicalUser",
                "ID": "AWS_ACCOUNT_ID"
            },
            "Permission": "FULL_CONTROL"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
            },
            "Permission": "WRITE"
        },
        {
            "Grantee": {
                "Type": "AmazonCustomerByEmail",
                "EmailAddress": "exampleuser@example.com"
            },
            "Permission": "READ"
        }
    ],
    "Owner": {
        "ID": "AWS_ACCOUNT_ID"
    }
}

Kindly read through the AWS KMS service before reading down.

Steps for creating S3 and exercising access control using bucket policy:

Resource Based policy for S3 Buckets

Note that Each IAM entity (user, group, or role) has a defined aws:userid variable. This variable is required for use within the bucket policy to specify the role or user as an exception in a conditional element. An assumed-role’s aws:userId value is defined as UNIQUE-ROLE-ID:ROLE-SESSION-NAME (for example, AROAEXAMPLEID:userdefinedsessionname)

PreviousAmazon FSx NextAWS Databases Services

Last updated 3 months ago