Amazon S3 Buckets (Simple Storage Service) are used to store objects and flat files in the Cloud. There is unlimited storage available, across 100 buckets, and files can be from 0 bytes to 5TB.
Amazon S3 is one of the oldest services AWS offers and is incredibly flexible with multiple ways to use it.
Analytics / Data Lake
When data goes from ‘hot’, frequently accessed, to ‘cold’, infrequently accessed, it can be moved to Amazon Glacier for a more cost-effective option.
Temporary data storage before being loading into AWS Redshift.
Host a website using Amazon S3 for storage and Route 53 as the DNS.
How data is stored
Each S3 bucket needs a unique name and is formatted as:
Each object consists of:
- Key (the name of the object),
- Value (the data in the file itself made of bytes),
Amazon S3 provides read after write consistently and eventual consistency for updates and deletes. Data is being replicated across at least three Availability Zones (AZs) and may take time to flow through.
S3 storage class options
- The most expensive but most durable and reliable option for ‘hot’ data with 11 9’s of durability.
- Cloud apps, big data analytics, websites, content distribution.
S3: Infrequent Access
- For storing non-critical data that CANNOT be easily reproduced and needs to be retrieved quickly. Costs 50% less because of the reduced availability.
- Disaster recovery, backups.
S3: Infrequent Access – One Zone
- For storing non-critical data that CAN be easily reproduced and needs to be retrieved quickly.
- Useful for secondary backups as objects are only stored in one zone.
- Cheaper than S3:IA as durability is reduced.
- For long-term storage with a 3 – 5 hour retrieval time for ‘cold’ data.
- For long-term storage with a 12 hour retrieval time for ‘cold’ data.
- Documents that need to be kept for compliance reasons for 7+ years.
Amazon S3 is secure by default. Each new bucket and the objects in it are private. To keep objects even more secure use bucket policies, similar to IAM policies and Access Control Lists (ACL).
Presigned URLs are another option to provide security when temporary access is required. A URL is generated via the AWS CLI or SDK to provide temporary access to write or download object data.
The client encrypts the objects and uploads to Amazon S3.
The data is encrypted when written and decrypts when it is being used.
- SSE-AES – S3 handles the key, uses AES-256 algorithm
- SSE-KMS – Envelope encryption via AWS KMS and you manage the keys
- SSE-C – Customer provided key (you manage the keys)
- When versioning is turned on deleted files have a delete tag added which hides the file. To restore the file, delete the tag.
- Each version takes up storage space, so a 1GB file edited three times with versioning on takes up 3GB of space.
- Once turned on versioning can only be suspended, not removed.
- Versions that are deleted on the other hand are actually deleted. Enabling Versioning MFA Delete gives extra protection as it requires MFA before a version can be deleted.
- Cross-Region Replication lets you automatically replicate the contents of a bucket from one region to another.
- Existing files won’t be copied until there’s been a new version, which will also replicate all previous versions and permission.
The Free Tier offers 12 months of free storage. This is more than enough to try out the service as a storage option or creating a static website.
5 GB of standard storage
20,000 GET requests
2,000 PUT requests