Bucket S3
S3 - Encryption
SSE-S3
- Managed by AWS
- Server-side
- Optional header: "x-amz-server-side-encryption: AES256"
- Enabled by default
- AES-256
SSE-KMS
- Keys managed by AWS KMS
- User control + audit of key usage via CloudTrail
- Server-side
- Header: "x-amz-server-side-encryption: aws:kms"
Limitations
- There is a quota of KMS requests per second (per region)
- You can be impacted by the KMS limits
- When you upload data, S3 calls the GenerateDataKey KMS API
- When you download, S3 calls the Decrypt KMS API
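The two header variants above can be sketched as a small helper; the mode names and the optional KMS key id handling are illustrative, not an official SDK call:

```python
# Build the request headers that select a server-side encryption mode.
# The KMS key id argument is a placeholder for a real key ARN/id.
def sse_headers(mode, kms_key_id=None):
    if mode == "SSE-S3":
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:  # omitting it falls back to the default aws/s3 key
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    raise ValueError(f"unknown mode: {mode}")

print(sse_headers("SSE-S3"))
print(sse_headers("SSE-KMS"))
```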
SSE-C
- Server-side
- Keys managed by the client
- AWS does not store the key
- HTTPS must be used
- The key must be passed in the header for every request
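A sketch of the per-request headers SSE-C needs: the customer key (base64) plus its MD5 digest, with "AES256" as the algorithm. The all-zero key here is only a stand-in for a real 256-bit key:

```python
import base64
import hashlib

def sse_c_headers(key: bytes) -> dict:
    # SSE-C sends the 256-bit key (base64) and its MD5 digest on every request
    assert len(key) == 32, "SSE-C keys are 256-bit"
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(
            hashlib.md5(key).digest()
        ).decode(),
    }

headers = sse_c_headers(b"\x00" * 32)  # placeholder key, never do this for real
print(headers["x-amz-server-side-encryption-customer-algorithm"])
```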
Client-side Encryption
- Use a client library such as the Amazon S3 Client-Side Encryption Library
- Encrypt before sending to S3
- Decrypt when retrieving the data
- The customer manages the keys
Encryption in transit (or in flight)
- SSL/TLS
- HTTP is not encrypted
- HTTPS is encrypted in flight
Force HTTPS
- You can block plain HTTP using a bucket policy
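A sketch of such a policy: deny every S3 action when the request did not use TLS (`aws:SecureTransport` is false). The bucket name is a placeholder:

```python
import json

bucket = "example-bucket"  # placeholder bucket name
deny_http_policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        # apply to the bucket itself and to every object in it
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        # matches requests made over plain HTTP
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}
print(json.dumps(deny_http_policy, indent=2))
```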
S3 Storage Classes
Standard - General Purpose
- 99.99% availability
- Frequently accessed data
- Low latency, high throughput
- Use cases: big data, mobile & gaming, content distribution
Infrequent Access
- Less frequently accessed data that requires rapid access when needed
- Lower cost than Standard
Infrequent Access (IA)
- 99.9% availability
- Use-case: DR (disaster recovery)
One Zone Infrequent Access (One Zone IA)
- 99.999999999% (11 9's) durability within a single AZ; data is lost if the AZ is destroyed
- It's a single AZ
- 99.5% availability
- For storing secondary backups or data you can recreate
Glacier Storage Classes
- Low cost
- For archiving and backup
- Priced for the storage + an object retrieval cost
Glacier Instant Retrieval
- Millisecond retrieval
- Minimum storage duration: 90 days
Glacier Flexible Retrieval
- Expedited (1 to 5 minutes)
- Standard (3 to 5 hours)
- Bulk (5 to 12 hours)
- Minimum storage duration: 90 days
Glacier Deep Archive
- Standard (12 hours)
- Bulk (48 hours)
- For long-term archives
- Minimum storage duration: 180 days
Intelligent Tiering
- Moves objects between tiers for you
- Small monthly monitoring and auto-tiering fee
- Frequent Access tier (default)
- Infrequent Access tier (after 30 days)
- Archive Instant Access tier (after 90 days)
- Archive Access tier (optional, 90 to 700+ days)
- Deep Archive Access tier (optional, 180 to 700+ days)
- AWS publishes a table comparing all the storage classes
Use Cases
- It's an object store for files
- Perfect for DR (disaster recovery)
- Archive
- Data lakes and Big data
- Software delivery
- Hybrid cloud storage
- Static Websites
Characteristics
- The bucket name must be globally unique
- The bucket is defined at the region level (not global)
- There are some restrictions on the name
- The bucket can store objects
Objects
- Key is the full path
- Max object size is 5 TB
- If the file is more than 5 GB you must use multi-part upload
- The object can have metadata
- The objects can have version ID
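The key = full-path idea can be shown by splitting a hypothetical object URL into its bucket, key, prefix, and object name:

```python
# The object key is everything after the bucket name; there are no real
# directories, only prefixes. The URL below is a made-up example.
url = "s3://my-bucket/folder1/folder2/report.txt"

bucket, _, key = url.removeprefix("s3://").partition("/")
prefix, _, name = key.rpartition("/")

print(bucket)  # my-bucket
print(key)     # folder1/folder2/report.txt
print(prefix)  # folder1/folder2
print(name)    # report.txt
```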
Security
- You can set security per user with IAM policies
- You can set security per resource by attaching a bucket policy directly
- Allows cross-account access
- Object ACLs
- Bucket ACLs
- Encryption
- You can grant permissions via a user (IAM policy), a bucket (bucket policy), or EC2 (IAM role)
Policies
- JSON documents
- Action (the S3 API call, e.g. s3:GetObject)
- Effect (Allow or Deny)
- Resource (the S3 ARN: bucket + key path)
- You can use policy generator to create the policies
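A minimal policy showing those fields together; the bucket name is a placeholder:

```python
import json

# Public-read policy illustrating Effect / Action / Resource.
read_policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",             # Allow or Deny
        "Principal": "*",              # who the statement applies to
        "Action": "s3:GetObject",      # the S3 API action
        "Resource": "arn:aws:s3:::example-bucket/*",  # bucket + key path
    }],
}
print(json.dumps(read_policy, indent=2))
```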
Block public Access
- Prevents data leaks
- On by default
- You disable it only when the bucket must be public
Static Website Hosting
- Hosts a static website from the bucket
- If you get 403 Forbidden, check the bucket policy (public reads must be allowed)
Versioning
- You can version the bucket
- It's enabled in the bucket level
- It's like git
- You can restore an old version of a file if you delete it
- Files get version IDs 1, 2, 3, and so on
- Suspending versioning does not delete the previous file versions
Replication
- You can copy objects to different buckets and AWS accounts
- You can use CRR (Cross-Region Replication)
- You can use SRR (Same-Region Replication)
- The copy is asynchronous and requires IAM permissions
- To copy existing objects you need S3 Batch Replication
- After you enable replication, only new objects are copied
- You can replicate delete markers
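A sketch of a replication configuration; the role ARN and bucket names are placeholders, and the dict shape follows the S3 replication API:

```python
# Replication configuration: an IAM role S3 assumes, plus one rule that
# copies every new object (and delete markers) to the destination bucket.
replication = {
    "Role": "arn:aws:iam::123456789012:role/s3-replication-role",  # placeholder
    "Rules": [{
        "ID": "replicate-all",
        "Status": "Enabled",
        "Priority": 1,
        "Filter": {"Prefix": ""},                          # empty prefix = all objects
        "DeleteMarkerReplication": {"Status": "Enabled"},  # replicate deletes (optional)
        "Destination": {"Bucket": "arn:aws:s3:::destination-bucket"},  # placeholder
    }],
}
print(replication["Rules"][0]["Destination"]["Bucket"])
```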
S3 - Moving between Storage Class
- You can move objects between storage classes
- From any storage class
- e.g. move data to Standard-IA
- Or archive to Glacier / Glacier Deep Archive
- The move can be set using Lifecycle rules
LifeCycle Rules
- You can create transition actions (move)
- e.g. move to Standard-IA 60 days after creation
- e.g. move to Glacier after 6 months
- You can create expiration actions
- Delete old versions
- You can delete after 365 days
- You can delete incomplete multi-part uploads
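A lifecycle configuration matching the rules above; the dict shape follows the S3 lifecycle API, and the rule ID is a placeholder:

```python
# One rule: transition to Standard-IA at 60 days, Glacier at 180 days,
# expire at 365 days, and clean up incomplete multi-part uploads.
lifecycle = {
    "Rules": [{
        "ID": "archive-then-expire",  # placeholder rule name
        "Status": "Enabled",
        "Filter": {"Prefix": ""},     # applies to the whole bucket
        "Transitions": [
            {"Days": 60, "StorageClass": "STANDARD_IA"},  # move after 60 days
            {"Days": 180, "StorageClass": "GLACIER"},     # archive after 6 months
        ],
        "Expiration": {"Days": 365},  # delete after a year
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }],
}
print(len(lifecycle["Rules"][0]["Transitions"]))
```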
Storage Class Analysis
- It does not work with One Zone-IA or Glacier
- 24 to 48 hours to start seeing the reports
S3 - Event Notifications
- e.g. generate thumbnails of images based on events (create, remove, etc.)
- Delivery typically takes seconds to minutes, sometimes longer
- You can send the notifications to SNS, SQS, and Lambda
- It can also use Amazon EventBridge
S3 Performance
- Latency of 100 to 200 ms
- At least 3,500 PUT/COPY/POST/DELETE requests per second per prefix
- And 5,500 GET/HEAD requests per second per prefix
- No limit to the number of prefixes
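Because the limits are per prefix, spreading objects across prefixes multiplies the total throughput; the prefix count below is just an example:

```python
# Per-prefix request limits (requests per second).
GET_PER_PREFIX = 5500   # GET/HEAD
PUT_PER_PREFIX = 3500   # PUT/COPY/POST/DELETE

prefixes = 4            # e.g. /logs/, /images/, /backups/, /tmp/
max_get_rps = prefixes * GET_PER_PREFIX
max_put_rps = prefixes * PUT_PER_PREFIX

print(max_get_rps)  # 22000
print(max_put_rps)  # 14000
```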
Multi-Part Upload
- Recommended for files > 100 MB
- Required for files > 5 GB
- Divides the file into parts
- Parts are sent to S3 in parallel
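The split can be sketched as simple arithmetic; the 100 MiB part size is a choice, not a requirement:

```python
import math

def plan_parts(size_bytes: int, part_size: int = 100 * 1024 * 1024) -> int:
    # S3 allows up to 10,000 parts per multi-part upload.
    parts = math.ceil(size_bytes / part_size)
    assert parts <= 10_000, "increase the part size"
    return parts

print(plan_parts(6 * 1024**3))  # a 6 GiB file in 100 MiB parts -> 62
```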
S3 Transfer Acceleration
- Increases transfer speed
- You send data to the nearest edge location first, which forwards it to the S3 bucket
- 200+ edge locations
- It's faster
S3 Read Performance
- Parallelize GET requests using byte ranges
- Better resilience to failures
- Speeds up downloads
- Can be used to retrieve only partial data (for example the head of the file)
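The byte ranges for those parallel GETs are ordinary HTTP `Range` headers; a small helper to compute them:

```python
def byte_ranges(size: int, chunk: int) -> list[str]:
    # Produce "bytes=start-end" Range header values covering the whole object.
    return [
        f"bytes={start}-{min(start + chunk, size) - 1}"
        for start in range(0, size, chunk)
    ]

print(byte_ranges(10, 4))  # ['bytes=0-3', 'bytes=4-7', 'bytes=8-9']
```

Each range is fetched with its own GET request, and the responses are concatenated in order.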
S3 - Select & Glacier Select
- Retrieve less data using SQL by server-side filtering
- It filters on the server side
- Only get the data that you want
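A sketch of the parameters such a call takes (the shape mirrors boto3's `select_object_content`; the bucket, key, and query are placeholders):

```python
# S3 Select parameters: a SQL expression run server-side against one object.
select_params = {
    "Bucket": "example-bucket",        # placeholder
    "Key": "logs/2024/data.csv",       # placeholder
    "ExpressionType": "SQL",
    "Expression": "SELECT s.name, s.city FROM s3object s WHERE s.country = 'BR'",
    "InputSerialization": {"CSV": {"FileHeaderInfo": "USE"}},  # first row = headers
    "OutputSerialization": {"CSV": {}},
}
print(select_params["Expression"])
```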
S3 User defined object metadata & s3 tags
- When you create an object you can attach metadata
- Metadata is key-value pairs
- You can store any info about the object (like type, size, etc.)
- This data can be retrieved when downloading the object
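User-defined metadata travels as request headers prefixed with `x-amz-meta-`; a small helper to build them (the metadata values are examples):

```python
def user_metadata_headers(meta: dict) -> dict:
    # User-defined metadata keys are sent as x-amz-meta-* headers
    # and are stored lowercase.
    return {f"x-amz-meta-{k.lower()}": v for k, v in meta.items()}

print(user_metadata_headers({"Origin": "mobile-app"}))
```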
Tags
- Useful for analytics
- Key-value pairs as well
- You can't search by object metadata or tags; to do so, you need to send this info to a database table and query it
S3 Default Encryption vs Bucket Policies
- SSE-S3 is the default
- You can force encryption using a bucket policy that refuses any API call without the encryption header
- Bucket policies are evaluated before default encryption