S3

Amazon S3, is AWS's blob storage solution offering highly scalable storage with 99.999999999% durability.

Concepts

Buckets are the containers of storage. They're granted DNS names and are accessible over HTTP.
Objects are stored files.

Use cases

Long-term object storage (e.g. media files) fronted by a delivery service.
Backing storage for other services (e.g. EBS).
Static file or website hosting.

Consistency

Read-after-write for newly created objects.
Eventual consistency for put and delete operations on existing objects.

Pre-signed URLs

Objects can be shared by generating ephemeral pre-signed URLs, using that user's security credentials. The URLs encapsulate:

the generating user's security credentials;
a bucket name;
an object key;
the permitted HTTP verb; and
expiration time.

Encryption

Encryption can be performed either client-side or server-side (on S3). Note that in cross-region replication objects will be encrypted with the same keys in the source and destination: the destination's encryption configuration will not apply. The supported encryption schemes are:

Disabled, to store items in cleartext.
SSE-KMS, using S3-managed keys.
AWS-KMS, using a KMS-managed key.

Storage classes

Storage classes determine performance and can be used as a cost management measure.

S3 Standard is the default and is suitable for frequently accessed data.
S3 Intelligent-Tiering allows S3 to move data between frequent and infrequent tiers based on usage.
S3 Standard-IA is used for infrequently accessed data with standard resilience.
S3 One Zone-IA is used for infrequently accessed data with reduced resilience, storing objects in just one AZ.

Securing

Current best practice is to use bucket policy to secure the bucket and ACLs to gate access to objects, avoiding use of ACLs to govern access to the bucket itself. The least permissive policy wins in the event of an overlap.

Note that the role's applied IAM policy also applies; ensure permissions are granted in both policies.

Bucket policy

Bucket policy allows specifying which actions are allowed or denied for specific security principals. They're assigned at the bucket level.

ACLs

An ACL can be used to control access at both the bucket and object levels. The following types of rule exist:

Bucket-level:
- List objects
- Write objects
- Read bucket permissions
- Write bucket permissions
Object-level:
- Read object
- Read object permissions
- Write object

Lifecycle policies

Lifecycle policies allow objects in a bucket to be transitioned (or expired/deleted) based on customer-set criteria based on object attributes such as tags. Some common use cases include:

Pruning objects older than a specified age.
Retaining a number of previous versions of objects based on upload date.

Versioning

Versioning allows a bucket to retain historical versions of files. These different versions are accessible by specifying the versionId parameter when requesting an object.

Object deletion creates a deletion marker from which the object can be restored. The deletion marker can be deleted in order to fully purge the object version. overwriting an object creates a new version with a new versionId.

Cross-region replication

Cross-region replication can be configured between two buckets. When this is configured note that objects will be encrypted with the same keys as are used on the source, regardless of whether this configuration matches the destination bucket's configuration.