Overview
- Object values are the content of body:
- Max Object Size 5TB (5000GB)
- If uploading more than 5GB, must use "multi-part upload"
- Metadata (list of text key /value pairs)
- Tags (to to 10)
- Version ID
Versioning
- It is enabled at bucket level
- Same key overwrite willincrement the version : 1,2,3...
- It is best practice to version your buckets
- Any file that is not versioned prior to enabling versioning will have version "null"
- Suspending versioning does not delete the previous versions
- HTTPS is mandatory for SSE-C
Security
- User based
- IAM polices - which API calls should be allowed for a specific user from IAM console
- Resource based
- Bucket Policies - bucket wide rules from the S3 console - allows cross account
- Object Access Control (ACL) - finer grain
- Bucket Access Control List (ACL) - less common
- The user IAM permissions allow it OR the resource policy ALLOWS it
- AND there's no explicit DENY
- Networking
- Supports VPC Endpoints (for instances in VPC without www internet)
- Logging and Audit
- S3 Access Logs can be stored in other s3 bucket
- API calls can be logged in AWS CloudTrail
- User security
- MFA Delete: MFA can be required in versioned bucekts to delete objects
- Pre-singed URLs: URLs that are valid only for a limited time
Replication (CRR & SRR)
- Must enable versioning in source and destination
- Cross Region Replication (CRR)
- Same Region. Replication (SRR)
- Buckets can be in different accounts
- Copying is asynchronous
- Must give proper IAM permissions to S3
- CRR - Use case: compliance, lower latency access, replication across acounts
- SRR - Use case: log aggregation, live replication between production and test accounts
- After activating, only new objects are replicated
- For DELETE operations:
- Can Replicate delete markers from source to target (optional setting)
- Deletions with a version ID are not replicated (to avoid mailcious deletes)
- There is no "chaining" of replication
- If bucket 1 has replication into bucket 2, which has replication into bucket 3
- Then objects create in bucket 1 are not replicated to bucket 3
Consistency Model
- Strong consistency as 12th 2020
- After a:
- successful write of a new object (new PUT)
- or an overwrite or delete of an existing object (overwrite PUT or DELETE)
- ...any:
- subsequent read request immediately receives the latest version of the object
- subsequent list request immediately reflects changes
- Available at no additional cost, without any performance impact
MFA - DELETE
- MFA forces user to gerate a code on a device before doing important operations on S3
- To use MFA-DELETE, enable Versioning on the S3 bucket
- Only the bucket onwer (root account) can enable/disable MFA-DELETE
- MFA-DELETE currently can only be enabled using CLI
- You will need MFA to
- permantly delete an object version
- suspend versioning on the bucket
- You won't need MFA for
- enabling versioning
- listing deleted version
- Glacier min storage duration: 90 days
- Deep Archive: 180 days
Amazon Glacier - 3 retrieval options
- Expedited (1 to 5 mins)
- Standard (3 to 5 hours)
- Bulk (to to 12 hours)
- Minimum storage duration of 90 days
Amazon Glacier Deep Archive - for long term storage - cheaper:
- Standard (12 hours)
- Bulk (48 hours)