S3 (Simple Storage Service) is used to store objects and flat files in 'buckets' in the Cloud.
There is unlimited storage available, across 100 buckets, and files can be from 0 bytes to 5TB.
S3 is one of the oldest services AWS offers and is incredibly flexible with multiple ways to use it.
- Uncouple storage and compute to scale either up or down as needed using Amazon Athena as the query service over the top and AWS Glue as a data catalogue.
- When data goes from 'hot', frequently accessed, to 'cold', infrequently accessed, it can be moved to Amazon Glacier for a more cost-effective option.
- Temporary data storage before being loading into AWS Redshift.
- Host a website using S3 for storage and Route 53 as the DNS.
Each bucket needs a unique name and is formatted as:
Each object consists of:
- Key (the name of the object),
- Value (the data in the file itself made of bytes),
Amazon S3 provides read after write consistently and eventual consistency for updates and deletes. This is because data is being replicated across at least three Availability Zones (AZs) and may take time to flow through.
- The most expensive but most durable and reliable option for 'hot' data with 11 9's of durability.
- Cloud apps, big data analytics, websites, content distribution.
- For storing non-critical data that CANNOT be easily reproduced and needs to be retrieved quickly. Costs 50% less because of the reduced availability.
- Disaster recovery, backups.
- For storing non-critical data that CAN be easily reproduced and needs to be retrieved quickly.
- Useful for secondary backups as objects are only stored in one zone.
- Cheaper than S3:IA as durability is reduced.
- For long-term storage with a 3 - 5 hour retrieval time for 'cold' data.
- For long-term storage with a 12 hour retrieval time for 'cold' data.
- Documents that need to be kept for compliance reasons for 7+ years.
S3 is secure by default. Each new bucket and the objects in it are private. To keep objects even more secure use bucket policies, similar to IAM policies and Access Control Lists (ACL).
Presigned URLs are another option to provide security if temporary access to an object is required. A URL is generated via the AWS CLI and SDK which can then be used to provide temporary access to write or download object data.
The client encrypts the objects and uploads to Amazon S3.
The data is encrypted when written and decrypts when it is being used.
- SSE-AES - S3 handles the key, uses AES-256 algorithm
- SSE-KMS - Envelope encryption via AWS KMS and you manage the keys
- SSE-C - Customer provided key (you manage the keys)
When versioning is turned on deleted files have a delete tag added which hides the file.
Deleted files have a delete tag added which hides the file. To restore the file, delete the tag.
Each version takes up storage space, so a 1GB file edited 3 times with versioning on takes up 3GB of space.
Once turned on versioning can only be suspended, not removed.
Versions that are deleted on the other hand are actually deleted. Enabling Versioning MFA Delete gives extra protection as it requires MFA before a version can be deleted.
Cross-Region Replication lets you automatically replicate the contents of a bucket from one region to another.
Existing files won’t be copied until there’s been a new version, which will also replicate all previous versions and permissions.
To get started with S3, the Free Tier offers 12 months of free storage. If you exceed the limits the standard rates apply.
5 GB of Standard Storage
20,000 Get Requests
2,000 Put Requests
This post first appeared on helenanderson.co.nz