S3 TE note

1. S3 security

3 types

ACL

Primary usage: defines which AWS accounts are granted basic read/write access

IAM policies

bucket policies

Policies can be attached to users, groups, or Amazon S3 buckets, enabling centralized management of permissions.

With bucket policies, you can grant users within your AWS account or another AWS account access to your Amazon S3 resources.

IAM policies: With IAM policies, you can only grant users within your own AWS account permission to access your Amazon S3 resources.

and the type of access.

To add or deny permissions across some or all of the objects within a single bucket.
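To make the two policy types concrete, here is an added example (not from the original notes): a bucket policy that grants a second AWS account read access to one prefix and denies object deletion across the whole bucket, plus a deliberately simplified evaluator that applies the explicit-Deny-beats-Allow ordering to a request. The bucket name, account IDs and ARNs are constructed placeholders, and the evaluator models only the bucket policy on its own, not identity policies or ACLs.

```python
"""Added example: a cross-account bucket policy and a simplified evaluator.
Bucket name, account IDs and ARNs below are constructed placeholders."""
import fnmatch
import json

BUCKET = "example-logs-bucket"      # constructed placeholder
OWNER_ACCOUNT = "111111111111"      # constructed placeholder
PARTNER_ACCOUNT = "222222222222"    # constructed placeholder


def build_bucket_policy(bucket: str, partner_account: str) -> dict:
    """Return a bucket policy document as a dict.

    Statement 1 grants the partner account read-only access to objects under
    shared/ (cross-account access is what an IAM user policy alone cannot do).
    Statement 2 denies object deletion to every principal, across all objects.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowPartnerReadSharedPrefix",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{partner_account}:root"},
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/shared/*",
            },
            {
                "Sid": "DenyAllDeletes",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, requester_arn: str) -> bool:
    # "*" means any principal; otherwise match the AWS principal ARN(s).
    if principal == "*":
        return True
    return any(p == "*" or p == requester_arn for p in _as_list(principal.get("AWS", [])))


def _statement_matches(stmt: dict, requester_arn: str, action: str, resource: str) -> bool:
    # Action and Resource may carry "*" wildcards; fnmatchcase handles them.
    return (
        _principal_matches(stmt["Principal"], requester_arn)
        and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    )


def evaluate(policy: dict, requester_arn: str, action: str, resource: str) -> str:
    """Simplified decision: a matching Deny wins, then a matching Allow,
    otherwise the request is implicitly denied. Real IAM also merges identity
    policies, organization policies and ACLs; this models the bucket policy alone."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, requester_arn, action, resource)}
    if "Deny" in effects:
        return "ExplicitDeny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, PARTNER_ACCOUNT)
    print(json.dumps(policy, indent=2))
    partner = f"arn:aws:iam::{PARTNER_ACCOUNT}:root"
    print(evaluate(policy, partner, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/shared/report.csv"))
    print(evaluate(policy, partner, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/private/secret.txt"))
    print(evaluate(policy, partner, "s3:DeleteObject", f"arn:aws:s3:::{BUCKET}/shared/report.csv"))
```

The point the evaluator makes is the one the notes hint at: a Deny statement in a bucket policy applies across the objects it names regardless of who is asking, while an Allow only opens exactly the prefix and action it lists; anything not matched stays denied.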

Object lifecycle

For example: if you are uploading periodic logs to your bucket, your application might need these logs for a week or a month after creation, and after that you might want to delete them.

Some documents are frequently accessed for a limited period of time.

After that, you might not need real-time access to these objects, but your organization might require you to archive them for a longer period and then optionally delete them.

Digital media archives, financial and healthcare records, raw genomics sequence data, long-term database backups, and data that must be retained for regulatory compliance are some of the kinds of objects that you might upload to Amazon S3 primarily for archival purposes.
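The two patterns described above (delete logs after a retention window; keep documents accessible, archive them, then optionally delete) map directly onto S3 lifecycle rules. The block below is an added example, not part of the original notes: it builds a lifecycle configuration in the shape that the S3 API accepts and works out which rule action applies to an object of a given age. The prefixes and day counts are constructed placeholders, and the age calculation is a whole-day approximation of how S3 applies rules.

```python
"""Added example: lifecycle rules for the log and archive patterns, plus a
helper that reports an object's state under a rule at a given date.
Prefixes and day counts are constructed placeholders."""
from datetime import date, timedelta


def log_expiration_rule(prefix: str = "logs/", days: int = 30) -> dict:
    """Logs are needed for a limited period, then deleted."""
    return {
        "ID": "expire-logs",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Expiration": {"Days": days},
    }


def archive_then_delete_rule(prefix: str = "records/", archive_after: int = 90,
                             delete_after: int = 2555) -> dict:
    """Documents are read for a while, moved to an archive class, and deleted
    much later (2555 days is the constructed stand-in for a 7-year retention)."""
    return {
        "ID": "archive-records",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [{"Days": archive_after, "StorageClass": "GLACIER"}],
        "Expiration": {"Days": delete_after},
    }


def lifecycle_configuration() -> dict:
    """The document you would pass as LifecycleConfiguration to the S3 API."""
    return {"Rules": [log_expiration_rule(), archive_then_delete_rule()]}


def rule_for_key(config: dict, key: str):
    """Return the first enabled rule whose prefix filter matches the key, or None."""
    for rule in config["Rules"]:
        prefix = rule.get("Filter", {}).get("Prefix", "")
        if rule["Status"] == "Enabled" and key.startswith(prefix):
            return rule
    return None


def state_on(rule: dict, created: date, today: date) -> str:
    """Storage class the object is in on `today`, or DELETED once expired.
    Whole-day approximation: S3 applies rule actions at midnight UTC after
    the day count has elapsed."""
    age = (today - created).days
    if "Expiration" in rule and age >= rule["Expiration"]["Days"]:
        return "DELETED"
    storage = "STANDARD"
    for transition in sorted(rule.get("Transitions", []), key=lambda t: t["Days"]):
        if age >= transition["Days"]:
            storage = transition["StorageClass"]
    return storage


if __name__ == "__main__":
    config = lifecycle_configuration()
    uploaded = date(2024, 1, 1)
    for key in ("logs/app.log", "records/ledger-2023.pdf"):
        rule = rule_for_key(config, key)
        for days in (10, 45, 120, 3000):
            print(key, days, state_on(rule, uploaded, uploaded + timedelta(days=days)))
```

Lifecycle rules are also the mechanism that backs the retrieval behaviour noted under Glacier below: once a transition has moved an object to GLACIER, a read first needs a restore, which is why the retrieval time is measured in hours rather than milliseconds.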

S3 use cases

media

photo, video, music

Glacier

archival

Media file: photo

Replacement solution for a backup tape library

Retrieval time: hours

but if you pay for expedited retrieval, it can take 1 to 5 minutes

Why? Because the object needs to be restored before it can be retrieved.

Very low cost

S3 logging

Server access logging

1. Provides records of the requests made to a bucket

For security and auditing

Disabled by default

Target bucket: where the logs will be delivered

Source and target bucket can be the same

Source and target bucket should be in the same region

You can select a prefix to identify the logs

Info provided

Name of the bucket

Requester

Time

Action

Request status

Multiple source buckets can log to the same target bucket

Best effort

Records are delivered within a few hours
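The fields listed above (bucket, requester, time, action, request status) are all present in each server access log record, which is what makes the logs usable for the security and auditing purpose the notes mention. The block below is an added example, not from the original notes: it parses records in the space-delimited server access log layout and triages them for two conditions an auditor wants to see quickly, successful anonymous requests (the object was publicly readable) and repeated AccessDenied responses from one address. The log lines, bucket name, account ID and request IDs are constructed for this example.

```python
"""Added example: parse S3 server access log records and triage them.
The sample records, bucket, account and request ids are constructed."""
import re
from collections import Counter

# Field order of a server access log record. The record is space-delimited;
# the time is bracketed and Request-URI, Referer and User-Agent are quoted.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version", "cipher_suite",
    "auth_type", "host_header", "tls_version",
]
# One token is a bracketed group, a quoted group, or a run of non-space chars.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed sample records (not real log data).
SAMPLE_LINES = [
    'OWNERCANONICALID example-logs-bucket [10/Mar/2024:12:00:01 +0000] 198.51.100.7 - '
    'REQ0001 REST.GET.OBJECT shared/report.csv "GET /shared/report.csv HTTP/1.1" 200 - '
    '1024 1024 12 11 "-" "curl/8.4.0" - HOSTID0001 - - - example-logs-bucket.s3.amazonaws.com -',
    'OWNERCANONICALID example-logs-bucket [10/Mar/2024:12:00:05 +0000] 203.0.113.9 '
    'arn:aws:iam::222222222222:user/partner REQ0002 REST.GET.OBJECT private/secret.txt '
    '"GET /private/secret.txt HTTP/1.1" 403 AccessDenied 243 - 3 - "-" "aws-cli/2.15.0" - '
    'HOSTID0002 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-logs-bucket.s3.amazonaws.com TLSv1.2',
    'OWNERCANONICALID example-logs-bucket [10/Mar/2024:12:00:09 +0000] 203.0.113.9 '
    'arn:aws:iam::222222222222:user/partner REQ0003 REST.GET.OBJECT private/config.json '
    '"GET /private/config.json HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "aws-cli/2.15.0" - '
    'HOSTID0003 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-logs-bucket.s3.amazonaws.com TLSv1.2',
    'OWNERCANONICALID example-logs-bucket [10/Mar/2024:12:01:00 +0000] 192.0.2.44 OWNERCANONICALID '
    'REQ0004 REST.PUT.OBJECT logs/2024-03-10.log "PUT /logs/2024-03-10.log HTTP/1.1" 200 - - '
    '5120 45 30 "-" "aws-sdk-python/1.34.0" - HOSTID0004 SigV4 ECDHE-RSA-AES128-GCM-SHA256 '
    'AuthHeader example-logs-bucket.s3.amazonaws.com TLSv1.2',
]


def parse_line(line: str) -> dict:
    """Split one record into named fields; missing trailing fields become '-'."""
    tokens = [t.strip('[]"') for t in TOKEN.findall(line)]
    tokens += ["-"] * (len(FIELDS) - len(tokens))
    return dict(zip(FIELDS, tokens))


def triage(lines, denied_threshold: int = 2) -> dict:
    """Return successful anonymous requests and addresses with repeated denials."""
    records = [parse_line(line) for line in lines]
    # Requester '-' means the request was unauthenticated; a 2xx status means
    # the bucket or object granted it anyway, so public read access exists.
    anonymous_success = [
        (r["remote_ip"], r["operation"], r["key"])
        for r in records
        if r["requester"] == "-" and r["http_status"].startswith("2")
    ]
    denied = Counter(r["remote_ip"] for r in records if r["error_code"] == "AccessDenied")
    repeated_denied = {ip: n for ip, n in denied.items() if n >= denied_threshold}
    return {"anonymous_success": anonymous_success, "repeated_denied": repeated_denied}


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LINES).items():
        print(finding, detail)
```

Because delivery is best effort and can lag by hours, this kind of triage suits periodic audit review rather than real-time alerting; the "requester" and "error_code" fields are the ones to check first when reviewing who reached a bucket and what was refused.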

Resource-based policy (M: similar to a router ACL)

Apply to AWS resources

Manage access to objects and buckets

Each bucket and object has an ACL

When a request arrives at S3, it checks the ACL to see whether the ACL grants the access

ACLs are THE ONLY WAY to grant access to objects that are not owned by the bucket owner

3 ways to upload

  1. CLI
  2. API

Life cycle