S3 Flashcards
Amazon S3
Amazon S3 allows people to store objects (files) in “buckets” (directories)
- key is full path
- allows for versioning at bucket level
S3 Encryption
- SSE-S3: encrypts S3 objects using keys handled & managed by AWS
- SSE-KMS: leverage AWS Key Management Service to manage encryption keys
- SSE-C: when you want to manage your own encryption keys
- Client Side Encryption
S3 SSE
Server Side Encryption - objects are encrypted on the server
S3 KMS
Key Management Service - SSE controlled by KMS and allows for user control + audit trail
S3 SSE-C
SSE using data keys fully managed by the customer outside of AWS
- HTTPS must be used
Client Side Encryption
Encryption is done on the client and the encrypted object is stored on S3
S3 Security
User based - IAM policies (roles)
Resource based - bucket policies across all accounts
S3 Websites
S3 can host static websites and have them accessible on the www
- If you get a 403 (Forbidden) error, make sure the bucket policy allows public reads!
S3 CORS
If a client does a cross-origin request on our S3 bucket, we need to enable the correct CORS headers
S3 MFA-Delete
MFA (multi-factor authentication) forces the user to generate a code on a device (usually a mobile phone or hardware token) before doing important operations on S3
- versioning must be enabled
- only bucket owners can enable/disable MFA-delete
S3 Access Logs
Log S3 activity into another S3 bucket
- do not loop your logs into the same bucket
S3 Replication
Cross Region Replication - compliance, lower latency access, replication across accounts
Same Region Replication - log aggregation, live replication between production and test accounts
S3 Pre-Signed URLs
Users given a pre-signed URL inherit the permissions of the person who generated the URL for GET / PUT
- valid for 3600 seconds by default
S3 Standard Storage - General Purpose
High Durability across multiple AZ
Big Data analytics, mobile & gaming applications, content distribution
S3 Standard – Infrequent Access (IA)
Suitable for data that is less frequently accessed, but requires rapid access when needed
High Durability across multiple AZ
Disaster Recovery and backups
S3 One Zone - Infrequent Access (IA)
Same as S3 Standard IA, but stored in a single AZ
S3 Intelligent Tiering
Automatically moves objects between two access tiers based on changing access patterns
Amazon Glacier
Low cost object storage meant for archiving / backup
- Data is retained for the longer term (10s of years)
Glacier Deep Archive
Longer storage than Amazon Glacier
S3 Lifecycle Rules
Transition actions: define when objects are transitioned to another storage class
- Move objects to Standard IA class 60 days after creation
- Move to Glacier for archiving after 6 months
Expiration actions: configure objects to expire (delete) after some time
S3 Multi-Part upload
Upload large file in parallel chunks
S3 Transfer Acceleration
Transfer files to an AWS edge location which will then forward the data to the S3 bucket
S3 Byte-Range Fetches
Parallelize GETs by requesting specific byte ranges
S3 Select & Glacier Select
Retrieve less data using SQL by performing server side filtering
S3 Event Notifications
Events triggered when actions are performed on an S3 bucket
AWS Athena
Serverless service to perform analytics directly against S3 files
Use case: Business intelligence / analytics / reporting, analyze & query
S3/Glacier Object Lock
Prevent object version deletion for a specified amount of time
Helpful for compliance and data retention
S3 - Consistency Model
If a user updates an existing object, it will be eventually consistent, meaning you might get an older version of the data