AWS Associate Architect Certification Training | Amazon S3 Introduction

Video source: Station B "AWS Certified Solution Architect Assistant Level SAA-C03"

I organized the instructor's course content and exam notes while studying and am sharing them with everyone. Any infringement will be deleted on request. Thank you for your support!

See also the summary post: AWS Assistant Architect Certification Training | Summary


S3 Overview

Section introduction

  • Amazon S3 is one of the main building blocks of AWS
  • It's advertised as "infinitely scaling" storage
  • Many websites use Amazon S3 as a backbone
  • Many AWS services use Amazon S3 as an integration as well
  • We'll have a step-by-step approach to S3

Amazon S3 Use cases

  • Backup and storage
  • Disaster Recovery
  • Archive
  • Hybrid Cloud storage
  • Application hosting
  • Media hosting
  • Data lakes & big data analytics
  • Software delivery
  • Static website

Amazon S3 - Buckets

  • Amazon S3 allows people to store objects (files) in "buckets" (directories)
  • Buckets must have a globally unique name (across all regions all accounts)
  • Buckets are defined at the region level
  • S3 looks like a global service but buckets are created in a region
  • Naming convention:
      ◦ No uppercase, no underscore
      ◦ 3-63 characters long
      ◦ Not an IP address
      ◦ Must start with a lowercase letter or number
      ◦ Must NOT start with the prefix xn--
      ◦ Must NOT end with the suffix -s3alias

Amazon S3 - Objects

  • Objects (files) have a Key
  • The key is the FULL path:
      ◦ s3://my-bucket/my_file.txt
      ◦ s3://my-bucket/my_folder1/another_folder/my_file.txt
  • The key is composed of prefix + object name:
      ◦ s3://my-bucket/my_folder1/another_folder/my_file.txt (prefix: my_folder1/another_folder/, object name: my_file.txt)
  • There's no concept of "directories" within buckets (although the UI will trick you to think otherwise)
  • Just keys with very long names that contain slashes ("/")
  • Object values are the content of the body:
      ◦ Max. object size is 5TB (5000GB)
      ◦ If uploading more than 5GB, you must use "multi-part upload"
  • Metadata (list of text key / value pair - system or user metadata)
  • Tags (Unicode key / value pair - up to 10) - useful for security / lifecycle
  • Version ID (if versioning is enabled)

S3 Security Bucket Policy

Amazon S3 - Security

  • User-Based
      ◦ IAM Policies - which API calls should be allowed for a specific user from IAM
  • Resource-Based
      ◦ Bucket Policies - bucket-wide rules from the S3 console - allows cross-account access
      ◦ Object Access Control List (ACL) - finer grain (can be disabled)
      ◦ Bucket Access Control List (ACL) - less common (can be disabled)
  • Note: an IAM principal can access an S3 object if
      ◦ the user's IAM permissions ALLOW it OR the resource policy ALLOWS it
      ◦ AND there's no explicit DENY
  • Encryption: encrypt objects in Amazon S3 using encryption keys

S3 Bucket Policies

  • JSON based policies
      ◦ Resources: buckets and objects
      ◦ Effect: Allow / Deny
      ◦ Actions: set of API calls to Allow or Deny
      ◦ Principal: the account or user to apply the policy to
  • Use an S3 bucket policy to:
      ◦ Grant public access to the bucket
      ◦ Force objects to be encrypted at upload
      ◦ Grant access to another account (Cross Account)
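The three bucket-policy uses listed above, together with the evaluation rule from the previous section (an IAM principal is allowed when the IAM policy OR the bucket policy allows, AND nothing explicitly denies), as an added worked example. This is not code from the course or from AWS: it is a small evaluator written for these notes that handles only the policy elements named here (Effect, Action, Resource, Principal and the `Null` / `StringEquals` condition operators), and the bucket name, account ids and IAM user name are constructed. The `s3:x-amz-server-side-encryption` condition key is the real key used to require encryption on PutObject.

```python
"""Simplified S3 access evaluation, following the rule stated in these notes:
allowed if (IAM policy allows OR bucket policy allows) AND there is no explicit Deny.
Constructed example, not AWS code; names and account ids below are made up."""
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::example-notes-bucket"       # constructed bucket name
OWNER, PARTNER = "111111111111", "222222222222"    # constructed account ids

# Bucket policy combining the three uses from the notes: public read of one prefix,
# read access for a second account, and "force objects to be encrypted at upload".
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"{BUCKET}/public/*"},
        {"Sid": "CrossAccountRead", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{PARTNER}:root"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET, f"{BUCKET}/*"]},
        # Deny any PutObject that does not carry a server-side-encryption header
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}

# Identity policy attached to an IAM user of the owning account (identity policies
# carry no Principal element: they apply to whoever they are attached to).
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": [BUCKET, f"{BUCKET}/*"]}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal):
    who = statement.get("Principal")
    if who is None or who == "*":          # identity policy, or anonymous/public access
        return True
    return principal in _as_list(who.get("AWS", []))


def _condition_matches(statement, ctx):
    """Only the two operators used on this page are modelled."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if operator == "Null" and (have is None) != (want == "true"):
                return False
            if operator == "StringEquals" and have not in _as_list(want):
                return False
    return True


def _matching_effects(policy, principal, action, resource, ctx):
    for s in policy["Statement"]:
        if (_principal_matches(s, principal)
                and any(fnmatchcase(action, a) for a in _as_list(s["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(s["Resource"]))
                and _condition_matches(s, ctx)):
            yield s["Effect"]


def is_allowed(principal, action, resource, iam_policy=None,
               bucket_policy=BUCKET_POLICY, ctx=None):
    """Pass iam_policy only for a principal that the policy is actually attached to."""
    ctx = ctx or {}
    effects = list(_matching_effects(bucket_policy, principal, action, resource, ctx))
    if iam_policy is not None:
        effects += _matching_effects(iam_policy, principal, action, resource, ctx)
    return "Deny" not in effects and "Allow" in effects   # explicit Deny always wins


if __name__ == "__main__":
    alice = f"arn:aws:iam::{OWNER}:user/alice"           # constructed IAM user
    print(is_allowed("anonymous", "s3:GetObject", f"{BUCKET}/public/index.html"))
    print(is_allowed(alice, "s3:PutObject", f"{BUCKET}/data/x", iam_policy=IAM_POLICY))
    print(is_allowed(alice, "s3:PutObject", f"{BUCKET}/data/x", iam_policy=IAM_POLICY,
                     ctx={"s3:x-amz-server-side-encryption": "AES256"}))
```

The interesting case is the second call: the IAM policy grants `s3:*`, yet the upload is refused because the bucket policy's Deny matches, which is exactly how a bucket owner forces encryption at upload regardless of what individual users' IAM policies say.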

Example: Public Access - Use Bucket Policy

Example: User Access to S3 - IAM permissions

Example: EC2 instance access - Use IAM Roles

Advanced: Cross-Account Access - Use Bucket Policy

Bucket settings for Block Public Access

  • These settings were created to prevent company data leaks
  • If you know your bucket should never be public, leave these on
  • Can be set at the account level

S3 Website Overview

Amazon S3 - Static Website Hosting

  • S3 can host static websites and have them accessible on the Internet
  • The website URL will be (depending on the region):
      ◦ http://bucket-name.s3-website-aws-region.amazonaws.com
      ◦ OR http://bucket-name.s3-website.aws-region.amazonaws.com
  • If you get a 403 Forbidden error, make sure the bucket policy allows public reads!

Versioning

Amazon S3 - Versioning

  • You can version your files in Amazon S3
  • It is enabled at the bucket level
  • Same key overwrite will change the "version": 1, 2, 3...
  • It is best practice to version your buckets
      ◦ Protect against unintended deletes (ability to restore a version)
      ◦ Easy roll back to a previous version
  • Notes:
      ◦ Any file that is not versioned prior to enabling versioning will have version "null"
      ◦ Suspending versioning does not delete the previous versions

S3 Replication

Amazon S3 - Replication (CRR & SRR)

  • Must enable Versioning in source and destination buckets
  • Cross-Region Replication (CRR)
  • Same-Region Replication(SRR)
  • Buckets can be in different AWS accounts
  • Copying is asynchronous
  • Must give proper IAM permissions to S3
  • Use cases:
      ◦ CRR - compliance, lower latency access, replication across accounts
      ◦ SRR - log aggregation, live replication between production and test accounts

S3 Replication Notes

Amazon S3 - Replication (Notes)

  • After you enable Replication, only new objects are replicated
  • Optionally, you can replicate existing objects using S3 Batch Replication
      ◦ Replicates existing objects and objects that failed replication
  • For DELETE operations
      ◦ Can replicate delete markers from source to target (optional setting)
      ◦ Deletions with a version ID are not replicated (to avoid malicious deletes)
  • There is no "chaining" of replication
      ◦ If bucket 1 has replication into bucket 2, which has replication into bucket 3,
      ◦ then objects created in bucket 1 are not replicated to bucket 3
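The versioning rules (the "null" version, restoring after a delete, suspension keeping old versions) and the replication rules above (versioning required on both sides, only new objects replicated, delete markers optional, versioned deletes never replicated, no chaining) are easiest to see side by side in a small simulation. The following is an added example written for these notes, not boto3 or AWS code: an in-memory `Bucket` class whose behaviour follows the bullet points, with constructed bucket names and object contents. Version ids are generated by a counter, so the demo returns them rather than hard-coding them.

```python
"""Simulation of the S3 versioning and replication behaviour described in these notes.
Constructed example: not boto3 or AWS code; bucket names and object bodies are made up."""
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass
class Version:
    version_id: str
    body: Optional[bytes]           # None marks a delete marker


class Bucket:
    _ids = itertools.count(1)       # shared counter, so replicated ids stay unique everywhere

    def __init__(self, name):
        self.name = name
        self.versioning = "Disabled"     # Disabled | Enabled | Suspended
        self.versions = {}               # key -> list of Version, oldest first
        self.replication = None          # (destination Bucket, replicate_delete_markers)

    def enable_versioning(self):
        self.versioning = "Enabled"

    def suspend_versioning(self):
        self.versioning = "Suspended"    # old versions are kept; new writes get id "null"

    def enable_replication(self, destination, replicate_delete_markers=False):
        # CRR/SRR needs versioning on both sides; only objects written afterwards replicate
        if self.versioning != "Enabled" or destination.versioning != "Enabled":
            raise ValueError("versioning must be enabled on source and destination")
        self.replication = (destination, replicate_delete_markers)

    def _stack(self, key):
        return self.versions.setdefault(key, [])

    def _store(self, key, version):
        stack = self._stack(key)
        if version.version_id == "null":  # there is only ever one "null" version per key
            stack[:] = [v for v in stack if v.version_id != "null"]
        stack.append(version)

    def _replicate(self, key, version):
        if self.replication is None or self.versioning != "Enabled":
            return
        destination, replicate_markers = self.replication
        if version.body is None and not replicate_markers:
            return                        # delete markers replicate only if configured
        # The replica keeps the same version id. Writing into the destination's store
        # directly (not via destination.put) is what prevents chaining to a third bucket.
        destination._store(key, version)

    def put(self, key, body):
        vid = f"v{next(self._ids)}" if self.versioning == "Enabled" else "null"
        version = Version(vid, body)
        self._store(key, version)
        self._replicate(key, version)
        return vid

    def get(self, key, version_id=None):
        stack = self._stack(key)
        if version_id is not None:
            hits = [v for v in stack if v.version_id == version_id]
            return hits[0].body if hits else None
        return stack[-1].body if stack else None  # marker on top reads as "not found"

    def delete(self, key, version_id=None):
        stack = self._stack(key)
        if version_id is not None:        # permanent delete of one version: never replicated
            stack[:] = [v for v in stack if v.version_id != version_id]
        elif self.versioning == "Disabled":
            stack.clear()
        else:                             # simple delete on a versioned bucket: add a marker
            marker_id = f"v{next(self._ids)}" if self.versioning == "Enabled" else "null"
            marker = Version(marker_id, None)
            self._store(key, marker)
            self._replicate(key, marker)

    def version_ids(self, key):
        return [v.version_id for v in self._stack(key)]


def demo():
    src, dst, third = Bucket("src"), Bucket("dst"), Bucket("third")
    src.put("a.txt", b"before")                  # written before versioning -> id "null"
    for b in (src, dst, third):
        b.enable_versioning()
    src.enable_replication(dst)                  # the existing "null" object is NOT replicated
    dst.enable_replication(third)                # second hop, to show there is no chaining
    v1, v2 = src.put("a.txt", b"v1"), src.put("a.txt", b"v2")
    src.delete("a.txt")                          # simple delete -> delete marker on top
    hidden = src.get("a.txt") is None
    src.delete("a.txt", version_id=src.version_ids("a.txt")[-1])  # drop the marker = restore
    restored = src.get("a.txt")
    vb = src.put("b.txt", b"b")
    src.delete("b.txt", version_id=vb)           # versioned delete stays local
    null_before_suspend = src.get("a.txt", "null")
    src.suspend_versioning()
    src.put("a.txt", b"after")                   # overwrites only the "null" version
    return {"hidden_by_marker": hidden, "restored": restored,
            "null_before_suspend": null_before_suspend,
            "null_after_suspend": src.get("a.txt", "null"),
            "src_versions": src.version_ids("a.txt"), "dst_versions": dst.version_ids("a.txt"),
            "third_versions": third.version_ids("a.txt"),
            "b_in_src": src.version_ids("b.txt"), "b_in_dst": dst.version_ids("b.txt"),
            "ids": (v1, v2, vb)}
```

Running `demo()` shows the points a defender cares about: the simple delete only hides the object behind a marker, the versioned delete of `b.txt` is permanent locally but the replica still holds the copy (the "avoid malicious deletes" rule), and `third` never receives anything written to `src`.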

S3 Storage Classes Overview

S3 Storage Classes

  • Amazon S3 Standard - General Purpose
  • Amazon S3 Standard - Infrequent Access (IA)
  • Amazon S3 One Zone - Infrequent Access
  • Amazon S3 Glacier Instant Retrieval
  • Amazon S3 Glacier Flexible Retrieval
  • Amazon S3 Glacier Deep Archive
  • Amazon S3 Intelligent Tiering
  • Can move between classes manually or using S3 Lifecycle configurations

S3 Durability and Availability

  • Durability:
      ◦ High durability (99.999999999%, 11 9's) of objects across multiple AZs
      ◦ If you store 10,000,000 objects with Amazon S3, you can on average expect to incur a loss of a single object once every 10,000 years
      ◦ Same for all storage classes
  • Availability:
      ◦ Measures how readily available a service is
      ◦ Varies depending on storage class
      ◦ Example: S3 Standard has 99.99% availability = not available 53 minutes a year

S3 Standard - General Purpose

  • 99.99% Availability
  • Used for frequently accessed data
  • Low latency and high throughput
  • Sustain 2 concurrent facility failures
  • Use Cases: Big Data analytics, mobile & gaming applications, content distribution...

S3 Storage Classes - Infrequent Access

  • For data that is less frequently accessed, but requires rapid access when needed
  • Lower cost than S3 Standard
  • Amazon S3 Standard-Infrequent Access (S3 Standard-IA)
      ◦ 99.9% Availability
      ◦ Use cases: Disaster Recovery, backups
  • Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)
      ◦ High durability (99.999999999%) in a single AZ; data lost when the AZ is destroyed
      ◦ 99.5% Availability
      ◦ Use cases: Storing secondary backup copies of on-premises data, or data you can recreate

Amazon S3 Glacier Storage Classes

  • Low-cost object storage meant for archiving / backup
  • Pricing: price for storage + object retrieval cost
  • Amazon S3 Glacier Instant Retrieval
      ◦ Millisecond retrieval, great for data accessed once a quarter
      ◦ Minimum storage duration of 90 days
  • Amazon S3 Glacier Flexible Retrieval (formerly Amazon S3 Glacier):
      ◦ Expedited (1 to 5 minutes), Standard (3 to 5 hours), Bulk (5 to 12 hours) - free
      ◦ Minimum storage duration of 90 days
  • Amazon S3 Glacier Deep Archive - for long term storage:
      ◦ Standard (12 hours), Bulk (48 hours)
      ◦ Minimum storage duration of 180 days
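Objects are moved between classes "manually or using S3 Lifecycle configurations" (see the storage classes list above), and the minimum storage durations just listed are what make a careless lifecycle rule expensive: an object that expires or moves on before the minimum is still billed for the full minimum. The following is an added example written for these notes, not AWS code: a checker that reads a lifecycle configuration in the JSON shape used by the S3 `PutBucketLifecycleConfiguration` API and reports rules that violate the durations given on this page. The two sample rules (`logs`, `backups`) are constructed, and only the Glacier-class minimums stated above are checked; the other classes' minimums are not on this page and are left out on purpose.

```python
"""Sanity check for an S3 Lifecycle configuration against the minimum storage durations
listed in these notes. Constructed example, not AWS code; the sample rules are made up."""

# Minimum storage durations from the notes. Objects deleted or transitioned out earlier
# are still billed for the full minimum (early deletion charge).
MIN_DAYS = {"GLACIER_IR": 90, "GLACIER": 90, "DEEP_ARCHIVE": 180}
# StorageClass values that a lifecycle Transition accepts
VALID_CLASSES = {"STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING",
                 "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE"}

# Constructed configuration in the shape of PutBucketLifecycleConfiguration
SAMPLE_CONFIG = {
    "Rules": [
        {   # logs: expires while the objects are still inside the 90-day Glacier minimum
            "ID": "logs", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
            "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"},
                            {"Days": 90, "StorageClass": "GLACIER"}],
            "Expiration": {"Days": 120},
        },
        {   # backups: every archive class is held at least for its minimum duration
            "ID": "backups", "Status": "Enabled", "Filter": {"Prefix": "backups/"},
            "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"},
                            {"Days": 120, "StorageClass": "GLACIER_IR"},
                            {"Days": 365, "StorageClass": "DEEP_ARCHIVE"}],
            "Expiration": {"Days": 730},
        },
    ]
}


def check_rule(rule):
    """Return the list of problems found in one rule (an empty list means it looks fine)."""
    problems = []
    transitions = rule.get("Transitions", [])
    expiry = rule.get("Expiration", {}).get("Days")
    previous_day = -1
    for i, t in enumerate(transitions):
        cls, day = t["StorageClass"], t["Days"]
        if cls not in VALID_CLASSES:
            problems.append(f"{cls!r} is not a lifecycle transition storage class")
        if day <= previous_day:
            problems.append(f"transition to {cls} at day {day} is not after the previous transition")
        previous_day = day
        # The object leaves this class at the next transition, or at expiration (if any).
        leaves = transitions[i + 1]["Days"] if i + 1 < len(transitions) else expiry
        minimum = MIN_DAYS.get(cls)
        if minimum and leaves is not None and leaves - day < minimum:
            problems.append(f"{cls}: held {leaves - day} days but billed for at least "
                            f"{minimum} (early deletion charge)")
    if expiry is not None and transitions and expiry <= previous_day:
        problems.append("expiration happens before the last transition")
    return problems


def check_config(config):
    """Map each rule ID to its list of problems."""
    return {rule["ID"]: check_rule(rule) for rule in config["Rules"]}


if __name__ == "__main__":
    for rule_id, problems in check_config(SAMPLE_CONFIG).items():
        print(rule_id, "OK" if not problems else problems)
```

For the sample, `backups` passes and `logs` is flagged: its objects enter Glacier Flexible Retrieval at day 90 and expire at day 120, so each one is billed for 60 days of storage it never used.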

S3 Intelligent-Tiering

  • Small monthly monitoring and auto-tiering fee
  • Moves objects automatically between Access Tiers based on usage
  • There are no retrieval charges in S3 Intelligent-Tiering
  • Frequent Access tier (automatic): default tier
  • Infrequent Access tier (automatic): objects not accessed for 30 days
  • Archive Instant Access tier (automatic): objects not accessed for 90 days
  • Archive Access tier (optional): configurable from 90 days to 700+ days
  • Deep Archive Access tier (optional): configurable from 180 days to 700+ days

S3 Storage Classes Comparison

S3 Storage Classes - Price Comparison Example: us-east-1


Origin blog.csdn.net/guolianggsta/article/details/131960925