Section 7: Simple Storage Service (S3) Flashcards
Amazon S3 (Simple Storage Service)
- object-based storage
- a bucket is a container for objects
- object = file such as a PDF, JPG etc.
- REST API on a public endpoint: HTTP GET, PUT, POST and DELETE read and modify objects in a bucket (S3 Select is a POST operation, not an HTTP method); a public endpoint does not mean public access, new buckets are private by default and Block Public Access should stay on
- unlimited storage, but maximum object size of 5 TB
- bucket names must be globally unique (the name is part of the DNS hostname, so a guessable name is a discoverable bucket)
- buckets are created within a region
- flat namespace, no hierarchy for objects in the bucket; "folders" are just key prefixes such as logs/2024/ that the console renders as directories
- can NOT create nested buckets
- EC2 instances in a VPC reach S3 over a private path through an S3 Gateway Endpoint instead of the internet; the endpoint policy can restrict which buckets are reachable from the VPC
S3 object consists of:
- key (name of the object)
- version ID
- value (actual data)
- metadata
- subresources
- access control information
S3 access control lists (ACLs)
- AWS recommends using S3 bucket policies or IAM policies rather than ACLs; since April 2023 new buckets are created with ACLs disabled (Object Ownership set to "bucket owner enforced"), and they should stay disabled unless a legacy workflow needs them
- can be attached to a bucket or directly to an object
More info - https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
S3 versioning
- versioning means keeping multiple variants of an object in the same bucket
- use versioning to preserve, retrieve and restore every version of every object stored in your S3 bucket
- a versioning-enabled bucket lets you recover objects from accidental deletion or overwrite: a DELETE without a version ID only adds a delete marker, and a PUT creates a new version beside the old one
- it is not a defence against a principal allowed s3:DeleteObjectVersion; pair it with MFA Delete or Object Lock for that
S3 Multi-Factor Authentication (MFA)
MFA Delete adds an MFA requirement for the bucket owner on the following operations:
* changing the versioning state of a bucket
* permanently deleting an object version
Notes:
* the x-amz-mfa request header ("<MFA device serial number> <one-time code>") must be included in those requests
* it can only be enabled or disabled by the root user of the bucket-owning account, via the CLI or API (not the console), and requires versioning to be enabled
S3 Encryption
- all S3 buckets have encryption configured by default (since January 2023)
- all new objects uploaded to S3 are automatically encrypted
- no additional cost and no performance impact
- objects are automatically encrypted using server-side encryption with S3-managed keys (SSE-S3)
- you can enforce a stronger option with a bucket policy, e.g. deny any PutObject that does not request SSE-KMS, and deny all requests made over plain HTTP
S3 pre-signed URL
Pre-signed URLs provide short-term access to a private object in your S3 bucket. They work by appending the signer's AWS access key ID (never the secret key), an expiration time and a SigV4 signature as query parameters to the object's URL. Anyone who holds the URL gets the signer's permission for that one operation (GET, or PUT for uploads) until it expires, so treat it as a bearer token and keep the expiry short. The expiry cannot exceed 7 days, and a URL signed with temporary credentials (an IAM role, SSO) stops working when those credentials expire, whatever expiry was requested. A common use case: simple, occasional sharing of private files.
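The following is an added example, not code from the original flashcards: it builds a pre-signed GET URL with SigV4 query-string signing using only the Python standard library, so you can see exactly what ends up in the URL. The bucket, key and region are made-up placeholders and the access key id and secret key are the placeholder pair from the AWS documentation, not real credentials; in production boto3's generate_presigned_url does the same work.

```python
"""Pre-signed GET URL for a private S3 object, signed with SigV4 query-string
authentication, standard library only. Added example with placeholder values."""
import datetime as dt
import hashlib
import hmac
import urllib.parse

BUCKET = "example-private-bucket"          # assumed bucket name
KEY = "reports/q1.pdf"                     # assumed object key
REGION = "us-east-1"
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"     # AWS documentation placeholder, not real
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # AWS documentation placeholder
EXAMPLE_TIME = dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc)
MAX_EXPIRY = 7 * 24 * 3600                 # S3 rejects X-Amz-Expires above 604800 seconds


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def presign_get(bucket, key, access_key_id, secret_key, region,
                expires=3600, now=None, session_token=None):
    """Return https://<bucket>.s3.<region>.amazonaws.com/<key>?X-Amz-...&X-Amz-Signature=...

    Only the access key id goes into the URL; the secret is used to derive the
    signing key and never leaves this function. `now` is injectable so results
    are reproducible. Pass session_token when signing with temporary credentials:
    the URL then dies with those credentials, whatever `expires` says.
    """
    if not 1 <= expires <= MAX_EXPIRY:
        raise ValueError("expiry must be between 1 second and 7 days")
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{now:%Y%m%d}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"

    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:
        params["X-Amz-Security-Token"] = session_token
    # RFC 3986 encoding with parameters sorted by name: this exact string is signed,
    # so tampering with the expiry or key in the URL invalidates the signature.
    enc = lambda s: urllib.parse.quote(s, safe="-_.~")
    canonical_query = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    canonical_uri = urllib.parse.quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",        # canonical headers block (each header line ends in \n)
        "host",                  # signed headers
        "UNSIGNED-PAYLOAD",      # pre-signed URLs do not commit to a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    # Derived signing key: HMAC chain over date -> region -> service -> "aws4_request".
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode("utf-8"),
                                        f"{now:%Y%m%d}"), region), "s3"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def is_expired(url, now=None):
    """Client-side mirror of the check S3 makes: X-Amz-Date + X-Amz-Expires has passed."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    issued = dt.datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    now = now or dt.datetime.now(dt.timezone.utc)
    return now >= issued + dt.timedelta(seconds=int(q["X-Amz-Expires"][0]))


def demo(expires=900):
    """15-minute link for the example object, issued at EXAMPLE_TIME."""
    return presign_get(BUCKET, KEY, ACCESS_KEY_ID, SECRET_KEY, REGION,
                       expires=expires, now=EXAMPLE_TIME)


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing in the output: the secret key never appears, only the signing-key chain's HMAC output does, and every query parameter (including X-Amz-Expires) is part of the signed canonical request, which is why the expiry cannot be extended by editing the URL.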
S3 Multi-part upload
- uploads an object in parts, each part independently, in parallel and in any order
- recommended for objects of 100 MB or larger
- each part except the last must be at least 5 MB, an upload may have up to 10,000 parts, and the assembled object may be up to 5 TB
- must be used for objects larger than 5 GB, the limit of a single PUT
- an incomplete upload keeps its parts (and keeps costing) until it is aborted; a lifecycle rule can expire abandoned uploads
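As an added example (not code from the original flashcards), the block below plans the parts for an upload against the limits listed above and computes the ETag S3 reports for a multipart object. The point a practitioner usually learns the hard way: a multipart ETag is not the MD5 of the whole object, so integrity checks must recompute it part by part. The sample objects are constructed in memory; nothing is uploaded.

```python
"""Part planning and expected ETag for S3 multipart uploads.
Added example, standard library only, with constructed in-memory data."""
import hashlib

MIB = 1024 * 1024
MIN_PART_SIZE = 5 * MIB            # every part except the last must be at least 5 MiB
MAX_PARTS = 10_000                 # hard limit per multipart upload
SINGLE_PUT_LIMIT = 5 * 1024 * MIB  # 5 GiB: the largest object a single PutObject accepts
MAX_OBJECT_SIZE = 5 * 1024 ** 4    # 5 TiB


def needs_multipart(size):
    """True when a single PutObject would be rejected for this size."""
    return size > SINGLE_PUT_LIMIT


def min_part_size(size):
    """Smallest part size (whole MiB) that keeps `size` within MAX_PARTS parts."""
    per_part = -(-size // MAX_PARTS)                     # ceiling division
    return max(MIN_PART_SIZE, -(-per_part // MIB) * MIB)


def plan_parts(size, part_size=MIN_PART_SIZE):
    """Return [(part_number, offset, length), ...] covering `size` bytes.
    Each entry is an independent UploadPart call: parallel, any order."""
    if size > MAX_OBJECT_SIZE:
        raise ValueError("object exceeds the 5 TiB maximum")
    if part_size < MIN_PART_SIZE:
        raise ValueError("part size below the 5 MiB minimum")
    if -(-size // part_size) > MAX_PARTS:
        raise ValueError(f"too many parts; use a part size of at least "
                         f"{min_part_size(size)} bytes")
    parts, offset = [], 0
    while offset < size:
        length = min(part_size, size - offset)
        parts.append((len(parts) + 1, offset, length))
        offset += length
    return parts


def expected_etag(data, part_size=MIN_PART_SIZE):
    """ETag S3 reports for a plaintext or SSE-S3 object uploaded with these parts.

    Single part: hex MD5 of the data. Multipart: hex MD5 of the concatenated
    binary MD5s of each part, followed by "-<part count>". It is therefore not
    the whole-object MD5 and depends on the part layout. Objects encrypted with
    SSE-KMS or SSE-C have ETags that are not MD5-based at all, so use S3's
    checksum feature (e.g. SHA-256) for integrity there.
    """
    parts = plan_parts(len(data), part_size)
    if len(parts) <= 1:
        return hashlib.md5(data).hexdigest()
    part_digests = b"".join(hashlib.md5(data[o:o + n]).digest() for _, o, n in parts)
    return f"{hashlib.md5(part_digests).hexdigest()}-{len(parts)}"


if __name__ == "__main__":
    sample = bytes(12 * MIB + 1)   # constructed 12 MiB + 1 byte object
    for part in plan_parts(len(sample)):
        print(part)
    print(expected_etag(sample))
```

To verify a downloaded multipart object you need the part size the uploader used (the AWS CLI defaults to 8 MiB); with the wrong part size the recomputed tag will not match even though the bytes are intact.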
S3 server access logging
S3 server access logging captures information on all requests made to a bucket, such as PUT, GET and DELETE actions, including the requester, source IP, operation, key and HTTP status. Bucket access logging is a recommended security best practice that helps teams uphold compliance standards and identify unauthorized access to their data. Logs are delivered on a best-effort basis, often hours late, to a target bucket in the same region (never the bucket being logged, which would log its own log writes); for a complete, near-real-time record of object-level API calls, enable CloudTrail data events as well.
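The detection logic below is an added example, not part of the original flashcards. It parses lines in the documented server access log layout (owner, bucket, [time], IP, requester, request id, operation, key, "request-URI", status, error code, bytes sent, object size, total time, turnaround time, "referer", "user-agent", version id, host id, signature version, cipher suite, auth type, host header, TLS version; later trailing fields are ignored) and raises the findings a SOC would act on: successful anonymous reads, bursts of AccessDenied from one IP, deletes, and requests over plain HTTP. The log lines are constructed for the example; the bucket, IPs and request ids are made up.

```python
"""Parse S3 server access log lines and flag security-relevant activity.
Added example; SAMPLE_LOG is constructed, not real log data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tokens are bracketed ([time zone]), double-quoted ("request-URI") or bare.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "status", "error_code", "bytes_sent",
          "object_size", "total_time", "turnaround_time", "referer", "user_agent",
          "version_id", "host_id", "signature_version", "cipher_suite", "auth_type",
          "host_header", "tls_version"]

HOST = "prod-assets.s3.us-east-1.amazonaws.com"   # assumed bucket endpoint
SAMPLE_LOG = [  # constructed lines: one authenticated read, one anonymous read,
                # three AccessDenied probes from one IP, one delete, one plain-HTTP read
    f'79a59df9EXAMPLE prod-assets [15/Jan/2024:12:00:01 +0000] 198.51.100.7 79a59df9EXAMPLE 3E57427F REST.GET.OBJECT reports/q1.pdf "GET /reports/q1.pdf HTTP/1.1" 200 - 4096 4096 21 19 "-" "aws-cli/2.15.0" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader {HOST} TLSv1.2',
    f'79a59df9EXAMPLE prod-assets [15/Jan/2024:12:00:05 +0000] 203.0.113.10 - 1A2B3C4D REST.GET.OBJECT reports/q1.pdf "GET /reports/q1.pdf HTTP/1.1" 200 - 4096 4096 18 15 "-" "Mozilla/5.0" - - - ECDHE-RSA-AES128-GCM-SHA256 - {HOST} TLSv1.2',
    f'79a59df9EXAMPLE prod-assets [15/Jan/2024:12:00:10 +0000] 203.0.113.10 - 5E6F7A8B REST.GET.OBJECT backups/db.sql "GET /backups/db.sql HTTP/1.1" 403 AccessDenied - - 3 - "-" "python-requests/2.31" - - - - - {HOST} TLSv1.2',
    f'79a59df9EXAMPLE prod-assets [15/Jan/2024:12:00:11 +0000] 203.0.113.10 - 5E6F7A8C REST.GET.OBJECT .env "GET /.env HTTP/1.1" 403 AccessDenied - - 3 - "-" "python-requests/2.31" - - - - - {HOST} TLSv1.2',
    f'79a59df9EXAMPLE prod-assets [15/Jan/2024:12:00:12 +0000] 203.0.113.10 - 5E6F7A8D REST.GET.OBJECT config/secrets.json "GET /config/secrets.json HTTP/1.1" 403 AccessDenied - - 3 - "-" "python-requests/2.31" - - - - - {HOST} TLSv1.2',
    f'79a59df9EXAMPLE prod-assets [15/Jan/2024:12:01:00 +0000] 198.51.100.7 79a59df9EXAMPLE 9C0D1E2F REST.DELETE.OBJECT reports/q1.pdf "DELETE /reports/q1.pdf HTTP/1.1" 204 - - 4096 9 - "-" "aws-cli/2.15.0" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader {HOST} TLSv1.2',
    f'79a59df9EXAMPLE prod-assets [15/Jan/2024:12:02:00 +0000] 198.51.100.7 79a59df9EXAMPLE 7B8C9D0E REST.GET.OBJECT reports/q1.pdf "GET /reports/q1.pdf HTTP/1.1" 200 - 4096 4096 9 8 "-" "curl/8.4.0" - - SigV4 - AuthHeader {HOST} -',
]


def parse_line(line):
    """Split one access log line into a dict keyed by FIELDS."""
    tokens = TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(tokens)}")
    rec = dict(zip(FIELDS, tokens))          # extra trailing fields are dropped
    rec["time"] = datetime.strptime(rec["time"][1:-1], "%d/%b/%Y:%H:%M:%S %z")
    for f in ("request_uri", "referer", "user_agent"):
        rec[f] = rec[f].strip('"')
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, denied_threshold=3, window=timedelta(seconds=60)):
    """Return (rule, who, what, key) findings for the given log lines."""
    findings, denied = [], defaultdict(list)
    for rec in map(parse_line, lines):
        # requester "-" means unauthenticated; a 2xx there is public access in action
        if rec["requester"] == "-" and 200 <= rec["status"] < 300:
            findings.append(("anonymous_success", rec["remote_ip"], rec["operation"], rec["key"]))
        if rec["status"] == 403:
            denied[rec["remote_ip"]].append(rec["time"])
        if rec["operation"].startswith("REST.DELETE."):
            findings.append(("delete", rec["requester"], rec["operation"], rec["key"]))
        # TLS version "-" means the request came in over plain HTTP
        if rec["tls_version"] == "-" and rec["status"] < 400:
            findings.append(("plaintext_http", rec["remote_ip"], rec["operation"], rec["key"]))
    # denied_threshold or more 403s from one IP inside `window` looks like key enumeration
    for ip, times in denied.items():
        times.sort()
        for i in range(len(times) - denied_threshold + 1):
            if times[i + denied_threshold - 1] - times[i] <= window:
                findings.append(("access_denied_burst", ip, f"{len(times)} x 403", "-"))
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The same rules port directly to an Athena query over the log bucket; the value of running them in code is that the delivery delay mentioned above means this is retrospective detection, not alerting, so it should complement CloudTrail data events rather than replace them.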
S3 Object Lambda
S3 Object Lambda uses Lambda functions to transform the output of S3 GET requests; the function is invoked through an Object Lambda Access Point, so the stored object itself is never changed.
You can write your own functions or use the AWS pre-built functions.
There are pre-built Lambda functions (built on Amazon Comprehend) that detect personally identifiable information (PII) such as names, addresses, dates, credit card numbers, social security numbers etc. and either redact it or block access to objects that contain it.
S3 Storage Classes
Ensure to look into this - https://catalog.us-east-1.prod.workshops.aws/workshops/f238037c-8f0b-446e-9c15-ebcc4908901a/en-US/002-services/002-storage/003-s3
S3 Encryption types
- SSE-S3 = S3 manages the AES-256 keys; the default, needs no configuration
- SSE-C = you supply your own AES-256 key with each request; S3 encrypts or decrypts with it and discards it, so the key must be sent (over HTTPS only) on every GET as well, and a lost key means lost data
- SSE-KMS = key kept in AWS KMS; gives a separate key policy, CloudTrail logging of every key use, and an extra permission (kms:Decrypt) that a principal with only S3 read access does not have
- Client-side = encrypt objects with your own process before uploading; S3 only ever sees ciphertext
SSE = server-side encryption
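As an added example serving both the S3 Encryption card (enforcing SSE-KMS with a bucket policy) and the encryption types above, the block below produces the request headers a PutObject must carry for each server-side mode and the bucket policy that rejects anything else. It is not code from the original flashcards; the bucket name and KMS key ARN are made-up placeholders, and the customer key is generated in memory for illustration.

```python
"""Headers for each S3 server-side encryption mode, plus a bucket policy that
requires SSE-KMS with one specific key and refuses plain HTTP.
Added example, standard library only, placeholder bucket and key ARN."""
import base64
import hashlib
import json

KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"  # placeholder


def sse_headers(mode, customer_key=None, kms_key_id=None):
    """Request headers PutObject needs for "SSE-S3", "SSE-KMS" or "SSE-C"."""
    if mode == "SSE-S3":
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:                    # omitted: S3 uses the account's aws/s3 key
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) key")
        # The raw key travels in a header, which is why S3 only accepts SSE-C over
        # HTTPS; the MD5 lets S3 detect a corrupted key before using it.
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key":
                base64.b64encode(customer_key).decode("ascii"),
            "x-amz-server-side-encryption-customer-key-MD5":
                base64.b64encode(hashlib.md5(customer_key).digest()).decode("ascii"),
        }
    raise ValueError(f"unknown mode {mode!r}")


def require_sse_kms_policy(bucket, kms_key_arn):
    """Bucket policy of explicit Denies (an explicit Deny overrides any Allow)."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Anything other than aws:kms is refused. StringNotEquals also matches
                # when the header is absent, so clients cannot fall back on bucket
                # default encryption: they must request SSE-KMS explicitly.
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # Pin the key: uploads naming another key (or none) are refused.
                "Sid": "DenyOtherKmsKeys",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
            {   # Plain HTTP would expose SSE-C keys and credentials in transit.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def policy_json(bucket, kms_key_arn):
    """The policy as the JSON document put-bucket-policy expects."""
    return json.dumps(require_sse_kms_policy(bucket, kms_key_arn), indent=2)


if __name__ == "__main__":
    print(sse_headers("SSE-KMS", kms_key_id=KMS_KEY_ARN))
    print(policy_json("example-private-bucket", KMS_KEY_ARN))
```

Apply the policy with `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json`, and set the bucket's default encryption to the same KMS key so objects written by services that do not set headers still end up on the pinned key. Reading SSE-KMS objects then requires kms:Decrypt on that key in addition to s3:GetObject, which is the separation the card describes.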
What is the maximum file size allowed in Amazon S3?
5 terabytes (TB)
For compliance reasons, an organization needs to retain data for 7 years. If they need to retrieve data, they have 24 hours to do so. Which Amazon S3 storage class is most cost-effective?
Amazon S3 Glacier Deep Archive
Which Amazon S3 capability uses Amazon CloudFront and enables fast uploads for objects?
Transfer Acceleration
Transfer Acceleration speeds up data uploads by routing them through CloudFront's globally distributed edge locations onto the AWS backbone.