![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/S3-1.jpg\")
<\/p>\nSimple Storage Service (S3) is a global object storage platform that can be used to store objects in the form of text files, photos, audio, movies, large binaries, or other object types.<\/p>\n
<\/p>\n
<\/p>\n
S3 Fundamentals<\/span><\/p>\n <\/p>\n Every object stored in S3 has an associated storage class \u2014 also called a storage tier. Storage classes can be adjusted either manually or automatically using lifecycle policie<\/strong>s. All storage classes have 99.999999999% (11 nines) durability.<\/p>\n Storage classes determine the cost<\/strong> of storage, the availability, durability, and latency for object retrieval.<\/p>\n The current classes for S3 object storage are:<\/p>\n Standard <\/span><\/p>\n Intelligent-Tiering <\/span><\/p>\n Standard Infrequent Access (Standard-IA) <\/span><\/p>\n One Zone-IA <\/span><\/p>\n Glacier<\/span><\/p>\n Glacier Deep Archive<\/span><\/p>\n <\/p>\n Glacier Terminology<\/strong><\/p>\n Archive<\/em><\/p>\n Vault<\/em><\/p>\n Vault Lock <\/em><\/p>\n <\/p>\n Lifecycle rules Storage classes can be controlled via lifecycle rules, which allow for the automated transition of objects between storage classes, or in certain cases allow for the expiration of objects that are no longer required. Rules are added at a bucket level and can be enabled or disabled based on business requirements.<\/p>\n <\/p>\n Bucket authorization<\/span> within S3 is controlled using identity policies<\/strong> on AWS identities, as well as bucket policies in the form of resource policies on the bucket and bucket or object ACLs.<\/p>\n <\/p>\n Uploads<\/span> to S3 are generally done using the S3 console, the CLI, or directly using the APIs. Uploads either use a single operation (known as a single PUT upload) or multipart upload.<\/p>\n <\/p>\n Versioning<\/span><\/p>\n Versioning can be enabled on an S3 bucket. Once enabled, any operations that would otherwise modify<\/strong> objects generate new versions<\/strong> of that original object. Once a bucket is version-enabled, it can never<\/strong> be fully switched off<\/strong> \u2014 only suspended<\/strong>. MFA Delete<\/strong> is a feature designed to prevent accidental deletion of objects. Once enabled, a one-time password is required to delete an object version or when changing the versioning state of a bucket.<\/p>\n <\/p>\n S3 cross-region replication<\/span> (S3 CRR) is a feature that can be enabled on S3 buckets allowing one-way replication of data from a source bucket to a destination bucket in another region.<\/p>\n By default, replicated objects keep their:<\/p>\n Replication configuration is applied to the source bucket, and to do so requires versioning<\/strong> to be enabled<\/strong> on both buckets<\/strong>. Replication requires an IAM role<\/strong> with permissions<\/strong> to replicate objects. With the replication configuration, it is possible to override the storage class and object permissions as they are written to the destination.<\/p>\n Excluded from Replication<\/p>\n <\/p>\n Hosting websites<\/span><\/p>\n Amazon S3 buckets can be configured to host websites<\/span>. Content can be uploaded to the bucket and when enabled, static web hosting will<\/strong> provide a unique endpoint URL that can be accessed by any web browser. S3 buckets can host many types of content, including:<\/p>\n S3 can be used to host front-end<\/strong> code for serverless<\/strong> applications or an offload location for static content. CloudFront can also be added to improve the speed and efficiency of content delivery for global users or to add SSL for custom domains.<\/p>\n Route 53 and alias records can also be used to add human-friendly names to buckets.<\/p>\n Cross-Origin Resource Sharing (CORS)<\/span> <\/p>\n AWS Storage Gateway<\/span><\/p>\n Connects local data center software appliances to cloud-based storage, such as Amazon S3. We can use it for hybrid cloud backup, archiving and disaster recovery, tiered storage, application file storage, and data processing workflows.<\/p>\n File Gateway<\/span><\/p>\n Volume Gateway<\/span><\/p>\n – Gateway-Cached Volumes<\/em><\/p>\n – Gateway-Stored Volumes<\/em><\/p>\n Tape Gateway<\/span><\/p>\n <\/p>\n Encryption<\/span><\/p>\n Data between a client and S3 is encrypted in transit<\/strong>. Encryption at rest<\/strong> can be configured on a per-object<\/strong> basis.<\/p>\n Bucket Default Encryption<\/span> <\/p>\n A presigned URL<\/span> can be created by an identity in AWS, providing access to an object using the creator’s access permissions. When the presigned URL is used, AWS verifies the creator’s<\/strong> access to the object \u2014 not yours<\/strong>. The URL is encoded with authentication built in and has an expiry time<\/strong>.<\/p>\n Presigned URLs can be used to download<\/strong> or upload<\/strong> objects.<\/p>\n Any identity can create a presigned URL \u2014 even if that identity doesn’t<\/strong> have access to the object.<\/p>\n Example presigned URL scenarios:<\/p>\n When using presigned URLs, you may get an error. Some common situations include:<\/p>\n Simple Storage Service (S3) is a global object storage platform that can be used to store objects in the form of text files, photos, audio, movies, large binaries, or other object types.<\/p>\n","protected":false},"author":1,"featured_media":2695,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[77],"tags":[],"_links":{"self":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/2692"}],"collection":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/comments?post=2692"}],"version-history":[{"count":15,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/2692\/revisions"}],"predecessor-version":[{"id":3335,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/2692\/revisions\/3335"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/media\/2695"}],"wp:attachment":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/media?parent=2692"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/categories?post=2692"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/tags?post=2692"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n<\/span><\/p>\n![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/InteligentTiering.jpg\")
\nObjects smaller than 128 KB cannot be transitioned into INTELLIGENT TIERING. Objects must be in the original storage class for a minimum of 30<\/strong> days before transitioning them to either of the IA storage tiers. Instead of transitioning between tiers, objects can be configured to expire<\/strong> after certain time periods. At the point of expiry, they are deleted<\/strong> from the bucket.
\nObjects can be archived into Glacier using lifecycle configurations. The objects remain inside S3, managed from S3, but Glacier is used for storage. Objects can be restored into S3 for temporary periods of time \u2014after which, they are deleted. If objects are encrypted, they remain encrypted<\/strong> during their transition to Glacier or temporary restoration into S3.<\/p>\n![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/BucketPolicy.jpg\")
\nFinal authorization is a combination of all applicable policies. Priority order is (1) Explicit Deny, (2) Explicit Allow, (3) Implicit Deny.<\/p>\n![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/SinglePutUpload.jpg\")
\nLimit of 5 GB<\/strong>, can cause performance issues, and if the upload fails the whole upload fails<\/p>\n![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/MultipartUpload.jpg\")
\nAn object is broken up into parts (up to 10,000), each part is 5 MB to 5 GB, and the last part can be less (the remaining data)
\nMultipart upload is faster (parallel uploads), and the individual parts can fail and be retried individually. AWS recommends multipart for anything over 100 MB<\/strong>, but it’s required for anything beyond 5 GB.<\/p>\n
\nWith versioning enabled, an AWS account is billed for all versions<\/strong> of all objects<\/strong>. Object deletions by default don’t<\/strong> delete an object \u2014 instead, a delete marker<\/strong> is added to indicate the object is deleted (this can be undone). Older versions of an object can be accessed<\/strong> using the object name and a version ID<\/strong>. Specific<\/strong> versions can be deleted<\/strong>.<\/p>\n![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/Versioning.jpg\")
<\/p>\n\n
![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/CRR.jpg\")
<\/p>\n\n
\n
\nCORS is a security measure allowing a web application running in one domain to reference resources in another.<\/p>\n![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/CORS.jpg\")
<\/p>\n\n
![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/FileGateway.jpg\")
<\/p>\n\n
\n
\n
\n
\nObjects are encrypted in S3, not buckets. Each PUT operation needs to specify encryption (and type) or not. A bucket default captures any PUT operations where no encryption method\/directive is specified. It doesn’t enforce what type can and can’t be used. Bucket policies can enforce.<\/p>\n\n
\n