In this Amazon S3 cheat sheet post, we cover the following topics:
- Versioning, MFA Delete
- Bucket Policies, S3 Encryption
- S3 Websites, S3 CORS
- S3 Replication, S3 Pre-signed URL
- S3 Storage Classes, S3 Lifecycle
- S3 Analytics, S3 Select and S3 Glacier Select
- S3 Transfer Acceleration
- S3 Requester Pays
- S3 Locks – Object Lock, Glacier Vault Lock
Let's start with the Amazon S3 cheat sheet:
- Simple Storage Service
- Object-level storage
- Virtually unlimited storage
- Buckets – globally unique name; a bucket lives in one region
- Object – maximum size 5 TB
- Multipart upload – required when uploading objects larger than 5 GB
- S3 Versioning: enabled at the bucket level. Protects against unintended deletes and allows easy rollback to an earlier version.
- S3 Bucket Policies: resource-based policies written as JSON documents.
Bucket settings for Block Public Access:
- Block public access granted through new access control lists (ACLs)
- Block public access granted through any access control lists (ACLs)
- Block public access granted through new public bucket policies or access point policies
S3 encryption for objects:
- SSE-S3: AES-256 encryption; the keys are handled and managed by S3. Request header: x-amz-server-side-encryption: AES256
- SSE-KMS: the keys are handled and managed by AWS KMS, which gives the user control over the key and an audit trail. Request header: x-amz-server-side-encryption: aws:kms
- SSE-C: server-side encryption using keys fully managed by the customer outside AWS. HTTPS must be used, and the key must be supplied in HTTP headers on every request.
- Client-Side Encryption: uses a client library (the Amazon S3 Encryption Client). The client must encrypt data before sending it to S3 and decrypt it itself when retrieving from S3. The customer fully manages the keys and the encryption cycle.
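As an added example (not code from the original post), the Python below builds a bucket policy that enforces two of the points above, HTTPS-only access and SSE-KMS on every upload, and runs a simplified model of IAM condition evaluation over constructed requests to show which ones the Deny statements catch. The bucket name and the sample requests are placeholders; the evaluator implements only the three condition operators the policy uses and is a teaching model, not AWS's policy engine.

```python
import json

# Placeholder bucket name (constructed, not from the page).
BUCKET = "example-bucket-placeholder"


def build_hardened_bucket_policy(bucket: str) -> dict:
    """Bucket policy made of explicit Deny statements. A Deny wins over any
    Allow granted elsewhere (IAM policies, ACLs), so these act as guardrails:
    no plaintext HTTP, and every PutObject must request SSE-KMS."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                # Header present but not aws:kms (e.g. AES256 or an unknown value).
                "Sid": "DenyWrongEncryptionAlgorithm",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
                },
            },
            {
                # Header missing entirely: the Null operator catches that case.
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def request_context(action: str, https: bool, headers: dict) -> dict:
    """Constructed request context holding the condition keys the policy uses."""
    ctx = {"action": action, "aws:SecureTransport": "true" if https else "false"}
    sse = headers.get("x-amz-server-side-encryption")
    if sse is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse
    return ctx


def _condition_matches(operator: str, key: str, wanted: str, ctx: dict) -> bool:
    """Simplified model of the three operators used above. A missing key is
    treated as 'no match' for Bool and StringNotEquals, which is exactly why
    the policy carries the separate Null statement."""
    actual = ctx.get(key)
    if operator == "Bool":
        return actual is not None and actual.lower() == wanted.lower()
    if operator == "StringNotEquals":
        return actual is not None and actual != wanted
    if operator == "Null":
        return (actual is None) == (wanted.lower() == "true")
    raise ValueError(f"unsupported condition operator: {operator}")


def denied_by(policy: dict, ctx: dict) -> list:
    """Sids of the Deny statements whose Action and Condition match ctx."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in ("s3:*", ctx["action"]) for a in actions):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, k, v, ctx)
               for op, pairs in conditions.items() for k, v in pairs.items()):
            hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    policy = build_hardened_bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    samples = [
        ("s3:PutObject", True, {"x-amz-server-side-encryption": "aws:kms"}),
        ("s3:PutObject", True, {"x-amz-server-side-encryption": "AES256"}),
        ("s3:PutObject", True, {}),
        ("s3:GetObject", False, {}),
    ]
    for action, https, headers in samples:
        hits = denied_by(policy, request_context(action, https, headers))
        print(action, "https" if https else "http", headers, "->", hits or "no Deny matched")
```

The policy carries both a StringNotEquals and a Null statement on the encryption header on purpose: the first rejects a wrong algorithm, the second rejects an upload that sends no header at all, so the outcome does not hinge on how a negated operator treats an absent key.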
S3 Security: 1) User-based – IAM policies 2) Resource-based – A) bucket policies B) object ACLs C) bucket ACLs
S3 Websites: S3 can host static websites and make them accessible over the internet.
S3 CORS: Cross-Origin Resource Sharing. A web-browser mechanism that allows requests to another origin while visiting the main origin. The CORS headers must be enabled on the other origin (here, the bucket).
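As an added example (not from the original post), here is a constructed CORS configuration in the shape S3 accepts, plus a small Python model of the matching S3 performs on a cross-origin request: the first rule whose AllowedOrigins, AllowedMethods and AllowedHeaders all match decides the response headers, and no match means no CORS headers, so the browser refuses to hand the response to the page. The origins, methods and headers in the rules are assumptions, and the function is a teaching model of the behaviour, not S3's code.

```python
from typing import Optional

# Constructed CORS rules (same shape as an S3 CORS configuration; values are assumptions).
CORS_RULES = [
    {
        "AllowedOrigins": ["https://www.example.com"],
        "AllowedMethods": ["GET", "HEAD"],
        "AllowedHeaders": ["Authorization"],
        "ExposeHeaders": ["ETag"],
        "MaxAgeSeconds": 3000,
    },
    {
        # One "*" wildcard per origin is allowed; this covers every subdomain.
        "AllowedOrigins": ["https://*.example.org"],
        "AllowedMethods": ["PUT", "POST"],
        "AllowedHeaders": ["*"],
        "MaxAgeSeconds": 300,
    },
]


def _origin_matches(pattern: str, origin: str) -> bool:
    """Exact match, or a single-wildcard match of the form prefix*suffix."""
    if "*" not in pattern:
        return pattern == origin
    prefix, suffix = pattern.split("*", 1)
    return (len(origin) >= len(prefix) + len(suffix)
            and origin.startswith(prefix) and origin.endswith(suffix))


def cors_response_headers(rules: list, origin: str, method: str,
                          request_headers: tuple = ()) -> Optional[dict]:
    """Model of S3's rule matching for a preflight or actual cross-origin
    request. Returns the CORS response headers of the first matching rule, or
    None when no rule matches (the browser then blocks the response)."""
    for rule in rules:
        if not any(_origin_matches(p, origin) for p in rule["AllowedOrigins"]):
            continue
        if method not in rule["AllowedMethods"]:
            continue
        allowed = [h.lower() for h in rule.get("AllowedHeaders", [])]
        if "*" not in allowed and any(h.lower() not in allowed for h in request_headers):
            continue
        headers = {
            # The concrete requesting origin is echoed back, never the wildcard pattern.
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
            "Access-Control-Max-Age": str(rule.get("MaxAgeSeconds", 0)),
        }
        if request_headers:
            headers["Access-Control-Allow-Headers"] = ", ".join(request_headers)
        if rule.get("ExposeHeaders"):
            headers["Access-Control-Expose-Headers"] = ", ".join(rule["ExposeHeaders"])
        return headers
    return None


if __name__ == "__main__":
    for origin, method, hdrs in [
        ("https://www.example.com", "GET", ()),
        ("https://app.example.org", "PUT", ("Content-Type",)),
        ("https://other.example.net", "GET", ()),
    ]:
        print(origin, method, "->", cors_response_headers(CORS_RULES, origin, method, hdrs))
```

For a defender the important field is AllowedOrigins: it is the allow-list of sites whose scripts may read responses from the bucket, so a `*` there opens the bucket's readable objects to scripts on any site, and the list should be kept to the origins that actually need access.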
S3 MFA Delete: requires S3 Versioning to be enabled on the bucket. MFA is then required to 1) permanently delete an object version and 2) suspend versioning on the bucket. Only the bucket owner (root account) can enable/disable MFA Delete.
S3 Replication: versioning must be enabled on both the source and destination buckets. Copying is asynchronous. 1) Same-Region Replication (SRR) 2) Cross-Region Replication (CRR). After activation, only new objects are replicated; to replicate existing objects, use S3 Batch Replication. For delete operations, delete markers can optionally be replicated, but deletions with a version ID are not replicated.
S3 Pre-signed URL: users are given a pre-signed URL that inherits the permissions of the person who generated it. Valid for 3600 seconds by default; the expiry is given in seconds.
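As an added illustration (not code from the original post), the Python below generates a SigV4 presigned GET URL by hand, using placeholder credentials and a fixed clock so the output is reproducible, and then recovers the expiry instant from the URL. It makes the cheat-sheet point concrete: the URL carries the signer's access key id, a timestamp and an X-Amz-Expires window, all covered by the signature, so whoever holds the URL acts with the signer's permissions until it expires. The bucket name, object key and region are assumptions; in production use the SDK's own presigning (for example boto3's generate_presigned_url) rather than hand-rolled signing.

```python
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta, timezone

# Placeholder credentials (constructed, not real keys) and a fixed clock so the
# output is reproducible; a real signer would use the current time.
ACCESS_KEY = "AKIAEXAMPLEPLACEHOLDER"
SECRET_KEY = "secret-key-placeholder"
FIXED_NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def presign_get(bucket: str, key: str, region: str, now: datetime = FIXED_NOW,
                expires: int = 3600, access_key: str = ACCESS_KEY,
                secret_key: str = SECRET_KEY) -> str:
    """SigV4 query-string authentication for a GET on one object.

    The URL embeds the signer's access key id (so S3 evaluates the signer's
    permissions), the signing time, the validity window in seconds and an
    HMAC over all of it. Nothing in the URL can be changed without breaking
    the signature, but anyone holding the URL can use it until it expires."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{now.strftime('%Y%m%d')}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: parameters sorted by name, RFC 3986 encoded
    # (so the "/" separators in the credential scope become %2F).
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(params.items()))
    canonical_uri = urllib.parse.quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",      # canonical headers; the block ends with a blank line
        "host",                # signed headers
        "UNSIGNED-PAYLOAD",    # presigned S3 URLs do not commit to a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    # Signing key derivation chain: secret -> date -> region -> service -> aws4_request.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), now.strftime("%Y%m%d"))
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "s3")
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def url_expiry(url: str) -> datetime:
    """Instant after which S3 rejects the URL: X-Amz-Date plus X-Amz-Expires."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    issued = datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return issued + timedelta(seconds=int(query["X-Amz-Expires"][0]))


def is_expired(url: str, at: datetime) -> bool:
    return at >= url_expiry(url)


if __name__ == "__main__":
    url = presign_get("example-bucket-placeholder", "reports/q1.pdf", "us-east-1")
    print(url)
    print("valid until", url_expiry(url).isoformat())
```

Because the expiry is part of the signed query string, a URL cannot be extended after issue without re-signing; when reviewing an application that hands out presigned URLs, check the expires value it passes, since the 3600-second default is often longer than the download it is meant to allow.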
- S3 Standard: general purpose.
- S3 Standard – Infrequent Access (IA): for infrequently accessed objects.
- S3 One Zone – Infrequent Access (IA): stored in a single Availability Zone only.
- S3 Glacier Instant Retrieval: millisecond retrieval; minimum storage duration 90 days.
- S3 Glacier Flexible Retrieval: formerly known as S3 Glacier. Minimum storage duration 90 days. Retrieval options: A) Expedited – 1 to 4 minutes B) Standard – 3 to 5 hours C) Bulk – 5 to 12 hours
- S3 Glacier Deep Archive: for long-term storage; minimum storage duration 180 days. Retrieval options: A) Standard – 12 hours B) Bulk – 48 hours, free.
- S3 Intelligent-Tiering: small monthly monitoring and auto-tiering fee. Moves objects automatically between access tiers. No retrieval charges.
  - Frequent Access Tier: default
  - Infrequent Access Tier: objects not accessed for 30 days.
  - Archive Instant Access Tier: objects not accessed for 90 days.
  - Archive Access Tier: configurable from 90 to 700 days.
  - Deep Archive Access Tier: configurable from 180 to 700 days.
S3 Lifecycle Rules: moving objects between S3 storage classes can be automated with lifecycle rules. Transition action = move objects to another storage class. Expiration action = delete objects. Can also be used to delete old (noncurrent) versions of a file.
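As an added example (not from the original post), the following Python shows one lifecycle rule in the shape S3 accepts, carrying both action types named above, transition and expiration, plus noncurrent-version cleanup, together with a small planner that reports what the rule does to an object of a given age. The prefix, day thresholds and storage classes are constructed. The validator checks two constraints S3 itself enforces on a rule: a transition to STANDARD_IA or ONEZONE_IA cannot be scheduled before day 30, and the expiration day must be greater than every transition day.

```python
from datetime import date

# Constructed lifecycle rule, in the shape of one rule of an S3 lifecycle
# configuration; the prefix, day thresholds and storage classes are assumptions.
RULE = {
    "ID": "tier-then-expire-logs",
    "Status": "Enabled",
    "Filter": {"Prefix": "logs/"},
    "Transitions": [                       # transition actions: move to another class
        {"Days": 30, "StorageClass": "STANDARD_IA"},
        {"Days": 90, "StorageClass": "GLACIER_IR"},
        {"Days": 365, "StorageClass": "DEEP_ARCHIVE"},
    ],
    "Expiration": {"Days": 2555},          # expiration action: delete the current version
    "NoncurrentVersionExpiration": {"NoncurrentDays": 30},  # clean up superseded versions
}

# S3 only accepts a transition into these classes once the object has spent
# 30 days in STANDARD.
MIN_DAYS_BEFORE_IA = 30
IA_CLASSES = {"STANDARD_IA", "ONEZONE_IA"}


def _rule_applies(rule: dict, key: str) -> bool:
    prefix = rule.get("Filter", {}).get("Prefix", "")
    return rule["Status"] == "Enabled" and key.startswith(prefix)


def age_in_days(earlier_iso: str, later_iso: str) -> int:
    """Whole days between two ISO dates (object LastModified and today)."""
    return (date.fromisoformat(later_iso) - date.fromisoformat(earlier_iso)).days


def plan_current_version(rule: dict, key: str, age_days: int) -> str:
    """Action the rule implies for a current object version of the given age:
    'expire', 'transition:<STORAGE_CLASS>' or 'keep'."""
    if not _rule_applies(rule, key):
        return "keep"
    expiration = rule.get("Expiration", {}).get("Days")
    if expiration is not None and age_days >= expiration:
        return "expire"
    # Of the transitions whose threshold has passed, the latest one applies.
    due = [t for t in rule.get("Transitions", []) if age_days >= t["Days"]]
    if due:
        return "transition:" + max(due, key=lambda t: t["Days"])["StorageClass"]
    return "keep"


def plan_noncurrent_version(rule: dict, key: str, noncurrent_days: int) -> str:
    """'expire' once a superseded version has been noncurrent long enough, else 'keep'."""
    if not _rule_applies(rule, key):
        return "keep"
    limit = rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
    if limit is not None and noncurrent_days >= limit:
        return "expire"
    return "keep"


def validate_rule(rule: dict) -> list:
    """Two constraints S3 enforces on a rule, reported as messages (empty = ok)."""
    problems = []
    transitions = rule.get("Transitions", [])
    for t in transitions:
        if t["StorageClass"] in IA_CLASSES and t["Days"] < MIN_DAYS_BEFORE_IA:
            problems.append(f"{t['StorageClass']} transition at day {t['Days']} "
                            f"is below the {MIN_DAYS_BEFORE_IA}-day minimum")
    expiration = rule.get("Expiration", {}).get("Days")
    if expiration is not None and any(expiration <= t["Days"] for t in transitions):
        problems.append("Expiration Days must be greater than every Transition Days")
    return problems


if __name__ == "__main__":
    print("rule problems:", validate_rule(RULE) or "none")
    for key, created in [("logs/app.log", "2023-01-01"), ("images/logo.png", "2023-01-01")]:
        age = age_in_days(created, "2024-03-01")
        print(key, age, "days ->", plan_current_version(RULE, key, age))
```

The noncurrent-version rule is the piece that keeps a versioned bucket from growing without bound: versioning protects against accidental deletes, and the lifecycle rule bounds how long each superseded version is kept.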
S3 Analytics: S3 analytics (Storage Class Analysis) can be set up to help determine when to transition objects from Standard to Standard-IA.
S3 Transfer Acceleration: increases transfer speed by sending the file to an AWS edge location, which forwards the data to S3. Compatible with multipart upload.
S3 Select and Glacier Select: retrieve less data by using SQL to perform server-side filtering.
S3 Requester Pays: the requester, instead of the bucket owner, pays the cost of the request and the download from the bucket. The requester must be authenticated on AWS.
S3 Glacier Vault Lock: WORM (write once, read many). Locks the vault policy against future changes. Helpful for compliance and data retention.
S3 Object Lock: WORM; blocks deletion of an object version for a specified amount of time.
- Retention mode – Compliance: object versions can't be overwritten or deleted, and the retention mode can't be changed.
- Retention mode – Governance: most users can't overwrite, delete or change the lock settings, but users with special permissions can change the retention or delete an object.
- Legal Hold: protects an object indefinitely, independent of the retention period.
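As an added example (not from the original post), this Python models the delete and retention-change rules for the three Object Lock protections listed above, so the difference between them is visible in code: Compliance refuses everyone, Governance yields only to a caller who holds s3:BypassGovernanceRetention and also sends the bypass header, and a legal hold blocks deletion regardless of either. The dates and lock states are constructed samples, and the functions are a teaching model of the documented behaviour, not S3's implementation.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Retention dates are kept as ISO-8601 strings, which compare correctly as text.


@dataclass
class LockState:
    """Constructed sample of an object version's lock settings."""
    retention_mode: Optional[str]     # "COMPLIANCE", "GOVERNANCE" or None
    retain_until: Optional[str]       # ISO date, e.g. "2030-01-01"
    legal_hold: bool = False


def _retention_active(lock: LockState, today: str) -> bool:
    return (lock.retention_mode is not None and lock.retain_until is not None
            and today < lock.retain_until)


def can_delete_version(lock: LockState, today: str,
                       bypass_governance: bool = False) -> Tuple[bool, str]:
    """Whether a permanent delete of a specific object version can succeed.

    bypass_governance models a caller who holds s3:BypassGovernanceRetention
    and sends the x-amz-bypass-governance-retention: true header. Without
    both, a GOVERNANCE lock behaves like COMPLIANCE for that caller."""
    if lock.legal_hold:
        return False, "legal hold set: it must be removed first, regardless of retention"
    if not _retention_active(lock, today):
        return True, "no active retention period"
    if lock.retention_mode == "COMPLIANCE":
        return False, (f"COMPLIANCE retention until {lock.retain_until}: "
                       "no user can delete, including the root user")
    if lock.retention_mode == "GOVERNANCE":
        if bypass_governance:
            return True, "GOVERNANCE retention bypassed by a caller with s3:BypassGovernanceRetention"
        return False, f"GOVERNANCE retention until {lock.retain_until}"
    raise ValueError(f"unknown retention mode: {lock.retention_mode}")


def can_change_retention(lock: LockState, today: str, new_until: str,
                         new_mode: Optional[str] = None,
                         bypass_governance: bool = False) -> Tuple[bool, str]:
    """Whether setting a new retain-until date (and optionally a new mode) is
    allowed. Only the rules the cheat sheet lists are modelled: COMPLIANCE
    can be extended but never shortened or switched; shortening GOVERNANCE
    needs the bypass permission."""
    if not _retention_active(lock, today):
        return True, "no active retention: retention may be set freely"
    mode = new_mode or lock.retention_mode
    if lock.retention_mode == "COMPLIANCE":
        if mode != "COMPLIANCE":
            return False, "COMPLIANCE mode cannot be changed while retention is active"
        if new_until < lock.retain_until:
            return False, "COMPLIANCE retention can be extended but never shortened"
        return True, "extending COMPLIANCE retention"
    # GOVERNANCE: extending is open to anyone allowed to call PutObjectRetention;
    # shortening needs the bypass permission and header. Other mode changes are
    # outside this model.
    if new_until < lock.retain_until and not bypass_governance:
        return False, "shortening GOVERNANCE retention requires s3:BypassGovernanceRetention"
    return True, "GOVERNANCE retention updated"


if __name__ == "__main__":
    today = "2024-06-01"
    for name, lock in [("compliance", LockState("COMPLIANCE", "2030-01-01")),
                       ("governance", LockState("GOVERNANCE", "2030-01-01")),
                       ("legal hold", LockState("GOVERNANCE", "2030-01-01", legal_hold=True))]:
        print(name, "plain delete ->", can_delete_version(lock, today))
        print(name, "with bypass  ->", can_delete_version(lock, today, bypass_governance=True))
```

The practical consequence for a backup or audit-log bucket: Compliance mode is the setting that a compromised administrator account cannot undo before the retention date, while Governance mode depends on keeping s3:BypassGovernanceRetention out of everyday roles.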