
Learn2Skills for AWS Community Builders


Amazon S3 Express One Zone

S3 Express One Zone can improve data access speeds by 10x and reduce request costs by 50% compared to S3 Standard, and it scales to process millions of requests per minute for your most frequently accessed datasets.

S3 Express One Zone is ideal for any application where it's important to minimize the latency required to access an object. This can be human-interactive workflows, like video editing, where creative professionals need responsive access to content from their user interfaces. S3 Express One Zone also benefits analytics and machine learning workloads that have similar responsiveness requirements from their data, especially workloads with lots of smaller accesses or large numbers of random accesses. S3 Express One Zone can be used with other AWS services to support analytics and AI/ML workloads, such as Amazon EMR, Amazon SageMaker, and Amazon Athena.


When using S3 Express One Zone, you can interact with your directory bucket in an AWS virtual private cloud (VPC) by using a gateway VPC endpoint. With a gateway endpoint, you can access S3 Express One Zone directory buckets from your VPC without an internet gateway or NAT device for your VPC and at no additional cost.

You can use many of the same S3 APIs and features with directory buckets that you use with general purpose buckets and other storage classes. These include Mountpoint for Amazon S3, server-side encryption with Amazon S3 managed keys (SSE-S3), S3 Batch Operations, and S3 Block Public Access. You can access S3 Express One Zone by using the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS SDKs.

Overview

To optimize performance and reduce latency, S3 Express One Zone introduces the following new concepts.

Single Availability Zone
The Amazon S3 Express One Zone storage class is designed for 99.95% availability within a single Availability Zone and is backed by the Amazon S3 Service Level Agreement. With S3 Express One Zone, your data is redundantly stored on multiple devices within a single Availability Zone. S3 Express One Zone is designed to handle concurrent device failures by quickly detecting and repairing any lost redundancy. If a device fails, S3 Express One Zone automatically shifts requests to other devices within the Availability Zone. This redundancy helps ensure uninterrupted access to your data within that Availability Zone. Note that the redundancy is confined to one Availability Zone; there is no copy in a second zone, so data you cannot regenerate should also be kept elsewhere, for example in a general purpose bucket.

Directory buckets
There are two types of Amazon S3 buckets, S3 general purpose buckets and S3 directory buckets. Directory buckets use only the S3 Express One Zone storage class, which is designed for workloads or performance-critical applications that require consistent single-digit millisecond latency. General purpose buckets are the default Amazon S3 bucket type that is used for the vast majority of S3 use cases. You should choose the bucket type that best fits your application and performance requirements.

Directory buckets organize data hierarchically into directories as opposed to the flat storing structure of general purpose buckets. There aren’t prefix limits for directory buckets and individual directories can scale horizontally.

Endpoints and gateway VPC endpoints
Bucket-management API operations are available through a Regional endpoint and are referred to as Regional endpoint APIs. Examples of Regional endpoint APIs are CreateBucket and DeleteBucket. After you create a directory bucket, you can use Zonal endpoint APIs to upload and manage the objects in your directory bucket. Zonal endpoint APIs are available through a Zonal endpoint. Examples of Zonal endpoint APIs are PutObject and CopyObject.

Session-based authorization
With S3 Express One Zone, you authenticate and authorize requests through a new session-based mechanism that is optimized for the lowest latency. You call CreateSession to obtain temporary credentials that provide low-latency access to your bucket. These temporary credentials are scoped to a single S3 directory bucket. Session tokens are used only with Zonal (object-level) operations (with the exception of CopyObject). For more information, see Create session.

Features of S3 Express One Zone
The following S3 features are available for S3 Express One Zone. For a complete list of supported APIs and unsupported features, see How is S3 Express One Zone different?.

Access management and security
With directory buckets, you can use the following features to audit and manage access. By default, directory buckets are private and can be accessed only by users who are explicitly granted access. Unlike general purpose buckets, which can set the access control boundary at the bucket, prefix, or object tag level, the access control boundary for directory buckets is set only at the bucket level. For more information, see AWS Identity and Access Management (IAM) for S3 Express One Zone.

  • S3 Block Public Access – All S3 Block Public Access settings are enabled by default at the bucket level. This default setting can't be modified.

  • S3 Object Ownership (Bucket owner enforced by default) – Access control lists (ACLs) are not supported for directory buckets. Directory buckets automatically use the bucket owner enforced setting for S3 Object Ownership, which means that ACLs are disabled and the bucket owner automatically owns and has full control over every object in the bucket. This default setting can’t be modified.

  • AWS Identity and Access Management (IAM) – IAM helps you securely control access to your directory buckets. You can use IAM to grant access to bucket-management (Regional) actions and, through the CreateSession action, to object-management (Zonal) APIs. For more information, see AWS Identity and Access Management (IAM) for S3 Express One Zone. Unlike object-management actions, bucket-management actions cannot be cross-account: only the bucket owner can perform them.

  • Bucket policies – Use IAM-based policy language to configure resource-based permissions for your directory buckets. You can also use IAM to control access to the CreateSession API which allows you to use the Zonal or object management APIs. You can grant same-account or cross-account access. For more information on S3 Express One Zone permissions and policies, see AWS Identity and Access Management (IAM) for S3 Express One Zone.

  • IAM Access Analyzer for S3 – Evaluate and monitor your access policies, ensuring that the policies provide only the intended access to your S3 resources.
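The bucket-policy and session-mode points above (and the session-based authorization section earlier) can be made concrete with a small policy builder and a pre-deployment linter. This is an added example written for this page, not AWS code or code from the original post; the account ID, Region, AZ ID, bucket name and role ARN are constructed, and the linter's rules are this example's own choices rather than the checks IAM Access Analyzer performs.

```python
import json

# Constructed identifiers for the example (not real AWS resources)
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
AZ_ID = "use1-az4"
# Directory bucket names carry the AZ ID and the --x-s3 suffix
BUCKET_NAME = f"analytics-cache--{AZ_ID}--x-s3"
BUCKET_ARN = f"arn:aws:s3express:{REGION}:{ACCOUNT_ID}:bucket/{BUCKET_NAME}"
READER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AnalyticsReader"


def build_read_only_policy(bucket_arn: str, principal_arn: str) -> dict:
    """Bucket policy letting one role open ReadOnly sessions on the bucket.

    Object-level (Zonal) calls are authorized through CreateSession, so the
    s3express:CreateSession grant plus the SessionMode condition is the whole
    object access boundary for the bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowReadOnlySessions",
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "s3express:CreateSession",
            "Resource": bucket_arn,
            "Condition": {"StringEquals": {"s3express:SessionMode": "ReadOnly"}},
        }],
    }


def _as_list(value) -> list:
    """Policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict, owner_account: str = ACCOUNT_ID) -> list[str]:
    """Return human-readable findings for Allow statements that grant more
    than a scoped read session. An empty list means nothing was flagged."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")

        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if "*" in aws_principals:
            # Block Public Access is permanently on for directory buckets, so
            # PutBucketPolicy would reject this; flag it before deployment anyway.
            findings.append(f"{sid}: Principal '*' makes the statement public")
        for arn in aws_principals:
            parts = arn.split(":")
            if len(parts) > 4 and parts[4] and parts[4] != owner_account:
                findings.append(f"{sid}: cross-account principal {arn} (allowed for CreateSession; confirm intent)")

        actions = _as_list(stmt.get("Action"))
        if any(a in ("*", "s3express:*") for a in actions):
            findings.append(f"{sid}: wildcard Action also grants bucket management")
        mode = stmt.get("Condition", {}).get("StringEquals", {}).get("s3express:SessionMode")
        if "s3express:CreateSession" in actions and mode != "ReadOnly":
            findings.append(f"{sid}: CreateSession without SessionMode=ReadOnly permits ReadWrite sessions")

        for res in _as_list(stmt.get("Resource")):
            # Directory buckets live under the s3express service, not arn:aws:s3:::
            if not res.startswith("arn:aws:s3express:"):
                findings.append(f"{sid}: Resource {res} is not a directory bucket ARN")
    return findings


if __name__ == "__main__":
    policy = build_read_only_policy(BUCKET_ARN, READER_ROLE_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy) or "none")
```

Because the access boundary for a directory bucket is the bucket itself, the interesting review questions are who may call CreateSession and in which mode; the linter therefore reports a missing ReadOnly condition, wildcard principals or actions, cross-account principals, and resource ARNs that point at a general purpose bucket by mistake.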

Logging and monitoring
S3 Express One Zone supports the S3 logging and monitoring tools that you use to track and control how your resources are being used.

  • Amazon CloudWatch metrics – Monitor your AWS resources and applications using CloudWatch to collect and track metrics. S3 Express One Zone uses the same CloudWatch namespace as other Amazon S3 storage classes (AWS/S3) and supports daily storage metrics for directory buckets: BucketSizeBytes and NumberOfObjects. For more information, see Monitoring metrics with Amazon CloudWatch.

  • AWS CloudTrail logs – AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account by recording actions taken by a user, role, or an AWS service. For S3 Express One Zone, CloudTrail captures Regional endpoint APIs (for example, CreateBucket, PutBucketPolicy) as management events. This includes actions taken in the AWS Management Console, AWS CLI, AWS SDKs, and APIs. The eventSource for CloudTrail management events for S3 Express One Zone is s3express.amazonaws.com. For more information, see Amazon S3 CloudTrail events.
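Since directory-bucket management events arrive under their own event source, a detection rule has to key on s3express.amazonaws.com rather than s3.amazonaws.com or it will silently miss them. The following is an added example, not part of the original post or of any AWS tooling: it parses a constructed CloudTrail log body (the records, identities and bucket names are made up and trimmed to the fields used) and reduces the bucket-management events that change access or delete data to triage rows. The watchlist of event names is this example's own choice.

```python
import json
from collections import Counter

# Constructed CloudTrail records (not from a real account), trimmed to the
# fields this check reads. The first three carry the S3 Express event source;
# the fourth is general purpose bucket activity and must not match.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:12Z", "eventSource": "s3express.amazonaws.com",
     "eventName": "CreateBucket", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deployer/ci-run-42"},
     "requestParameters": {"bucketName": "analytics-cache--use1-az4--x-s3"}},
    {"eventTime": "2024-05-01T11:23:45Z", "eventSource": "s3express.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "analytics-cache--use1-az4--x-s3"}},
    {"eventTime": "2024-05-01T11:25:02Z", "eventSource": "s3express.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "scratch--use1-az4--x-s3"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "reports-archive"}},
]})

EXPRESS_EVENT_SOURCE = "s3express.amazonaws.com"
# Watchlist of bucket-management actions that change who can reach the data
# or remove it outright (a constructed list for this example).
SENSITIVE_EVENTS = {"PutBucketPolicy", "DeleteBucketPolicy", "DeleteBucket"}


def parse_trail(raw: str) -> list[dict]:
    """Load a CloudTrail log file body (JSON with a top-level Records array)."""
    return json.loads(raw).get("Records", [])


def express_events(records: list[dict]) -> list[dict]:
    """Keep only management events for directory buckets; general purpose
    bucket activity arrives under s3.amazonaws.com and is excluded here."""
    return [r for r in records if r.get("eventSource") == EXPRESS_EVENT_SOURCE]


def flag_sensitive(records: list[dict]) -> list[dict]:
    """Reduce S3 Express management events on the watchlist to triage rows."""
    rows = []
    for r in express_events(records):
        if r.get("eventName") not in SENSITIVE_EVENTS:
            continue
        rows.append({
            "time": r.get("eventTime"),
            "event": r["eventName"],
            "actor": r.get("userIdentity", {}).get("arn", "<unknown>"),
            "bucket": r.get("requestParameters", {}).get("bucketName", "<unknown>"),
            "region": r.get("awsRegion"),
        })
    return rows


def actor_counts(records: list[dict]) -> Counter:
    """How many S3 Express management calls each identity made."""
    return Counter(r.get("userIdentity", {}).get("arn", "<unknown>")
                   for r in express_events(records))


if __name__ == "__main__":
    recs = parse_trail(SAMPLE_TRAIL)
    for row in flag_sensitive(recs):
        print(f"{row['time']} {row['event']:16} {row['bucket']:40} by {row['actor']}")
    print(actor_counts(recs).most_common())
```

Only Regional (bucket-management) calls show up this way; object-level traffic on the Zonal endpoint is not in these management events, so a rule built on them answers "who changed the bucket's policy or deleted it", not "who read which object".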

Object management
After you create a directory bucket, you can manage your object storage using the S3 console, AWS SDKs, and AWS CLI. The following features are available for object management with S3 Express One Zone.

  • S3 Batch Operations – Use Batch Operations to perform bulk operations on objects in directory buckets, such as Copy and Invoke AWS Lambda function. For example, you can use Batch Operations to copy objects between directory buckets and general purpose buckets. With Batch Operations, you can manage billions of objects at scale with a single S3 request using the AWS SDKs or AWS CLI, or with a few clicks in the Amazon S3 console.

  • Import – After you create a directory bucket, you can populate your bucket with objects by using the import feature in the Amazon S3 console. Import is a streamlined method for creating Batch Operations jobs to copy objects from general purpose buckets to directory buckets.

