S3 Flashcards
Amazon S3
Amazon S3 allows people to store objects (files) in “buckets” (directories)
- key is full path
- allows for versioning at bucket level
S3 Encryption
- SSE-S3: encrypts S3 objects using keys handled & managed by AWS
- SSE-KMS: leverage AWS Key Management Service to manage encryption keys
- SSE-C: when you want to manage your own encryption keys
- Client Side Encryption
S3 SSE
Server Side Encryption - objects are encrypted on the server
S3 KMS
Key Management Service - SSE controlled by KMS, allowing for user control of keys + an audit trail
S3 SSE-C
SSE using data keys fully managed by the customer outside of AWS
- HTTPS must be used
Client Side Encryption
Encryption is done on the client and the encrypted object is stored on S3
S3 Security
User based - IAM policies (roles)
Resource based - bucket policies across all accounts
S3 Websites
S3 can host static websites and have them accessible on the www
- If you get a 403 (Forbidden) error, make sure the bucket policy allows public reads!
S3 CORS
If a client does a cross-origin request on our S3 bucket, we need to enable the correct CORS headers
S3 MFA-Delete
MFA (multi factor authentication) forces user to generate a code on a device (usually a mobile phone or hardware) before doing important operations on S3
- versioning must be enabled
- only bucket owners can enable/disable MFA-delete
S3 Access Logs
Log S3 activity into another S3 bucket
- do not loop your logs into the same bucket
S3 Replication
Cross Region Replication - compliance, lower latency access, replication across accounts
Same Region Replication - log aggregation, live replication between production and test accounts
S3 Pre-Signed URLs
Users given a pre-signed URL inherit the permissions of the person who generated the URL for GET / PUT
- valid for 3600 seconds by default
S3 Standard Storage - General Purpose
High durability across multiple AZs
Big Data analytics, mobile & gaming applications, content distribution
S3 Standard – Infrequent Access (IA)
Suitable for data that is less frequently accessed, but requires rapid access when needed
High durability across multiple AZs
Disaster Recovery and backups
S3 One Zone - Infrequent Access (IA)
Same as S3 Standard-IA, but stored in a single AZ
S3 Intelligent Tiering
Automatically moves objects between two access tiers based on changing access patterns
Amazon Glacier
Low cost object storage meant for archiving / backup
- Data is retained for the long term (tens of years)
Glacier Deep Archive
Longer storage than Amazon Glacier
S3 Lifecycle Rules
Transition actions: define when objects are transitioned to another storage class
- Move objects to Standard IA class 60 days after creation
- Move to Glacier for archiving after 6 months
Expiration actions: configure objects to expire (delete) after some time
S3 Multi-Part upload
Upload large file in parallel chunks
S3 Transfer Acceleration
Transfer files to an AWS edge location which will then forward the data to the S3 bucket
S3 Byte-Range Fetches
Parallelize GETs by requesting specific byte ranges
S3 Select & Glacier Select
Retrieve less data using SQL by performing server side filtering