AWS Certified Solutions Architect Associate - AWS S3 Notes

S3 (Simple Storage Service)

  • object-based storage service
  • serverless storage in the cloud
  • Don’t worry about file systems or disk space
What is object storage?

A data storage architecture that manages data as objects, as opposed to other storage architectures:

  • file systems, which manage data as files within a file hierarchy
  • block storage, which manages data as blocks within sectors and tracks

S3 provides you with unlimited storage. You don’t need to think about the underlying infrastructure. The S3 console provides an interface for you to upload and access your data.

  • S3 Object
    Objects contain your data. They are like files. An object consists of:
    Key - the name of the object.
    Value - the data itself, made up of a sequence of bytes.
    Version ID - the version of the object when versioning is enabled. You can store objects from 0 bytes to 5 terabytes. If a file was uploaded before versioning was turned on, its version ID will be null.
    Metadata - additional information attached to the object.

  • S3 Bucket
    Buckets hold objects. Buckets can also contain folders, which in turn hold objects (Buckets -> folders -> objects).
    S3 uses a universal namespace, so bucket names must be unique.

Storage Classes
  • Standard
    Default. Fast, 99.99% availability, 11 9's durability. Replicated across at least three Availability Zones (AZs).
  • Intelligent Tiering
    Uses machine learning to analyze your object usage and determine the appropriate storage class. Data is moved to the most cost-effective access tier, without any performance impact or added overhead.
    It works by storing objects in two access tiers: one tier that is optimized for frequent access and another lower-cost tier that is optimized for infrequent access.

Q: Why don’t we always choose this class?
A: Small monthly monitoring and auto-tiering fee

  • Standard Infrequently Accessed (IA)
    Still fast. Cheaper if you access files less than once a month. An additional retrieval fee applies. Costs 50% less than Standard (at reduced availability).
  • One Zone IA
    Still fast. Objects exist in only one AZ. Availability 99.5%. 20% cheaper than Standard-IA (at reduced availability). Data could be lost if the AZ is destroyed. An additional retrieval fee applies.
  • Glacier
    For long-term cold storage. Retrieval of data can take minutes to hours but is very cheap storage.
  • Glacier Deep Archive
    The lowest cost storage class. Data retrieval time is within 12 hours.
Security

All new buckets are PRIVATE by default when created.
Per-request logging can be turned on for a bucket.
Log files are generated and saved in a different bucket (even a bucket in a different AWS account if desired).
Access control is configured using Bucket Policies and Access Control Lists (ACLs).

Access Control Lists
  • Legacy feature (but not deprecated) for controlling access to buckets and objects.
  • Simple way of granting access.
Bucket Policies
  • Use a policy to define complex access rules.
Encryption
  • Encryption In Transit
    Traffic between your local host and S3 is encrypted via SSL/TLS.

  • Server Side Encryption (SSE) - Encryption At Rest
    Amazon encrypts the object data for you at rest; the key may be managed by S3, by KMS, or supplied by you.

    1. SSE-AES: S3 handles the key and uses the AES-256 algorithm.
    2. SSE-KMS: envelope encryption; AWS KMS and you manage the keys.
    3. SSE-C: customer-provided key.
  • Client-Side Encryption
    You encrypt your own files before uploading them to S3.

Data Consistency

  • New Objects (PUTS)
    Read After Write Consistency
    When you upload a new S3 object you are able to read immediately after writing.

  • Overwrite (PUTS) or Delete Objects (DELETES)
    Eventual Consistency
    When you overwrite or delete an object, it takes time for S3 to replicate the new version to all AZs.
    If you read immediately, S3 may return an old copy. You generally need to wait a few seconds before reading.

Cross Region Replication(CRR)

When enabled, any object that is uploaded will be automatically replicated to another region (or regions).
Provides higher durability and potential disaster recovery for objects.
You must have versioning turned on for both the source and destination buckets. You can have CRR replicate to another AWS account.

Versioning
  • Store all versions of an object in S3
  • Once enabled it cannot be disabled, only suspended on the bucket
  • Fully integrates with S3 lifecycle rules
  • MFA Delete feature provides extra protection against deletion of your data
Lifecycle Management

Automates the process of moving objects to a different storage class or deleting objects altogether.
Can be used together with versioning
Can be applied to both current and previous versions

Figure: Bucket -> RULE 1: after 7 days, move to Glacier -> Glacier -> RULE 2: after 365 days, permanently delete -> Trash
Transfer Acceleration (CDN?)

Fast and secure transfer of files over long distances between end users and an S3 bucket.
Utilizes CloudFront’s distributed Edge Locations.

Instead of uploading directly to your bucket, the user uploads to a distinct URL for an Edge Location.

As data arrives at the Edge Location it is automatically routed to S3 over a specially optimized network path (Amazon’s backbone network).

Presigned URLs

Generate a URL which provides temporary access to an object, to either upload or download object data. Presigned URLs are commonly used to provide access to private objects.

You can use the AWS CLI or an AWS SDK to generate presigned URLs.

aws s3 presign s3://mybucket/myobject --expires-in 300
# You have a web application which needs to allow users to download files from a password-protected part of your web app.
# Your web app generates a presigned URL which expires after 5 seconds. The user downloads the file.
MFA (Multi-Factor Authentication) Delete

MFA Delete ensures users cannot delete objects from a bucket unless they provide their MFA code.

MFA Delete can only be enabled under these conditions:

  1. the AWS CLI must be used to turn on MFA Delete
  2. the bucket must have versioning turned on
aws s3api put-bucket-versioning \
    --bucket bucketname \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "your-mfa-serial-number mfa-code"

Only the bucket owner, logged in as the root user, can delete objects from the bucket.
