1. What is Amazon S3?
Amazon S3 (Simple Storage Service) is an object storage service provided by AWS to store and retrieve any amount of data, from anywhere, at any time.
Key Characteristics
- Object-based storage (not block or file system)
- Highly durable (99.999999999% – 11 9’s)
- Scalable and cost-effective
- Used for backups, logs, images, videos, ML datasets, static websites
2. Basic Terminology in S3
Bucket
- A bucket is a top-level container in S3
- All objects are stored inside a bucket
- Bucket name must be globally unique
Example:
Object
- An object is the actual file stored in S3
- Object = File + Metadata + Object Key
Object Key
- The full path of the object inside the bucket
Example:
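As an added example (not part of the original notes), the following Python splits an `s3://` URI into its bucket and object key and checks the bucket name against the naming rules that S3 enforces; the sample URI is constructed and reuses the bucket name from the creation steps below.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Subset of the documented naming rules for general-purpose buckets.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_RESERVED_PREFIXES = ("xn--", "sthree-", "amzn-s3-demo-")
_RESERVED_SUFFIXES = ("-s3alias", "--ol-s3", ".mrap", "--x-s3")


def validate_bucket_name(name):
    """Return the naming rules the name breaks; an empty list means it is acceptable."""
    problems = []
    if not _BUCKET_RE.match(name):
        problems.append("must be 3-63 lowercase letters, digits, '.' or '-', "
                        "beginning and ending with a letter or digit")
    if ".." in name:
        problems.append("must not contain two adjacent periods")
    try:
        ipaddress.ip_address(name)
        problems.append("must not be formatted as an IP address")
    except ValueError:
        pass
    if name.startswith(_RESERVED_PREFIXES):
        problems.append("must not start with a reserved prefix")
    if name.endswith(_RESERVED_SUFFIXES):
        problems.append("must not end with a reserved suffix")
    return problems


def parse_s3_uri(uri):
    """Split s3://bucket/path/to/file into (bucket, key).

    S3 has no real directories: the key is the whole string after the bucket,
    '/' characters included, which is why the console shows it as a path.
    """
    parts = urlparse(uri)
    if parts.scheme != "s3" or not parts.netloc:
        raise ValueError(f"not an s3:// URI: {uri!r}")
    problems = validate_bucket_name(parts.netloc)
    if problems:
        raise ValueError(f"bad bucket name {parts.netloc!r}: {'; '.join(problems)}")
    return parts.netloc, parts.path.lstrip("/")


if __name__ == "__main__":
    # Constructed sample URI; the bucket name is the one used in the creation steps below.
    print(parse_s3_uri("s3://my-demo-s3-bucket-123/logs/2024/app.log"))
```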
3. Creating an S3 Bucket (Step-by-Step)
Step 1: Open S3 Console
- Go to AWS Console → S3 → Create bucket
Step 2: Configure Bucket Details
- Bucket name: my-demo-s3-bucket-123
- Region: ap-south-1 (Mumbai)
Step 3: Object Ownership
- ACLs disabled (recommended)
- Bucket owner enforced
Step 4: Block Public Access
- Keep all public access blocked (best practice)
Step 5: Create Bucket
4. Uploading Objects to S3
Ways to Upload
- AWS Console
- AWS CLI
- SDK (Python / Java / Go)
Example using AWS CLI
5. S3 Storage Classes
S3 provides different storage classes based on access frequency.
| Storage Class | Use Case |
|---|---|
| S3 Standard | Frequently accessed data |
| S3 Intelligent-Tiering | Unknown access patterns |
| S3 Standard-IA | Infrequent access |
| S3 One Zone-IA | Non-critical data |
| S3 Glacier | Archival |
| S3 Glacier Deep Archive | Long-term archive |
6. S3 Versioning
What is S3 Versioning?
S3 Versioning keeps multiple versions of the same object in a bucket instead of overwriting it.
If an object is:
- Updated → A new version is created
- Deleted → A delete marker is added (object is not permanently removed)
Why is Versioning Important?
- Protects against accidental deletion
- Helps in rollback and recovery
- Mandatory for CRR, SRR, Object Lock, MRAP
✅ Steps to Enable S3 Versioning
- Open AWS Console → S3
- Click on your bucket name
- Go to Properties tab
- Scroll to Bucket Versioning
- Click Edit → Enable → Save changes
📌 Important: Once enabled, versioning cannot be disabled (only suspended).
Example Scenario
You can restore v1 or v2 anytime.
7. S3 Object Lock
What is S3 Object Lock?
S3 Object Lock prevents objects from being deleted or overwritten for a defined period of time.
Used mainly for:
- Compliance requirements
- Financial data
- Audit and security logs
Prerequisites
- Bucket must have versioning enabled
- Object Lock must be enabled during bucket creation
- Cannot be disabled once enabled
✅ Steps to Create a Bucket with Object Lock
- Go to AWS Console → S3 → Create bucket
- Enter bucket name and region
- Expand Advanced settings
- Enable Object Lock
- Acknowledge warning
- Create bucket
Object Lock Modes
1️⃣ Governance Mode
- Users with special IAM permission can delete objects
- Used for internal controls
2️⃣ Compliance Mode
- No one, including the root user, can delete objects until the retention period expires
- Used for regulatory compliance
✅ Steps to Apply Object Lock on an Object
- Upload an object to the bucket
- Select the object → Actions → Edit retention
- Choose:
  - Governance or Compliance
  - Retain until date OR Legal Hold
- Save changes
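The following in-memory model (added here; it is not AWS code and uses no boto3 client) reproduces the behaviour described in the versioning and Object Lock sections above: a PUT adds a version, a plain DELETE only adds a delete marker that can itself be deleted to restore the object, and a version under retention can only be permanently deleted in Governance mode by a caller that bypasses governance. The keys, bodies and the 30-day retention are constructed sample values.

```python
from datetime import datetime, timedelta, timezone
import itertools


class VersionedBucket:
    """Constructed in-memory model of a versioned S3 bucket with Object Lock (not boto3)."""
    def __init__(self):
        self.versions = {}          # key -> list of version dicts, newest (current) last
        self._ids = itertools.count(1)

    def put(self, key, body, mode=None, retain_until=None):
        # Every PUT on a versioned bucket adds a version; the old one is never overwritten.
        v = {"id": f"v{next(self._ids)}", "body": body, "mode": mode, "until": retain_until}
        self.versions.setdefault(key, []).append(v)
        return v["id"]

    def get(self, key):
        stack = self.versions.get(key, [])
        return None if not stack or stack[-1]["body"] is None else stack[-1]["body"]

    def delete(self, key, version_id=None, now=None, bypass_governance=False):
        stack = self.versions[key]
        if version_id is None:      # plain DELETE only adds a delete marker (body None)
            stack.append({"id": f"v{next(self._ids)}", "body": None, "mode": None, "until": None})
            return "delete-marker"
        v = next(x for x in stack if x["id"] == version_id)
        if v["until"] and (now or datetime.now(timezone.utc)) < v["until"]:
            # GOVERNANCE yields to a caller that holds s3:BypassGovernanceRetention and asks
            # for the bypass; COMPLIANCE yields to nobody, root included, until the date.
            if v["mode"] == "COMPLIANCE" or not bypass_governance:
                raise PermissionError(f"{v['mode']} retention until {v['until']:%Y-%m-%d}")
        stack.remove(v)             # versioned DELETE really removes that version
        return "permanently-deleted"


def rollback_demo():
    # Versioning scenario: update, delete, then restore the last good version.
    b = VersionedBucket()
    b.put("report.csv", b"first draft")
    b.put("report.csv", b"final")
    b.delete("report.csv")                      # object now appears gone (GET -> 404)
    marker = b.versions["report.csv"][-1]["id"]
    b.delete("report.csv", version_id=marker)   # deleting the marker brings v2 back
    return b.get("report.csv")


def lock_demo(mode, bypass_governance=False):
    # Object Lock scenario: try to permanently delete a version retained for 30 days.
    b = VersionedBucket()
    until = datetime.now(timezone.utc) + timedelta(days=30)
    vid = b.put("audit.log", b"...", mode=mode, retain_until=until)
    try:
        return b.delete("audit.log", version_id=vid, bypass_governance=bypass_governance)
    except PermissionError as e:
        return f"denied: {e}"
```

Note that the plain DELETE succeeds even on a locked object: Object Lock protects the stored versions, not the "current" pointer, which is why listing versions is the first step of any recovery.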
8. Cross-Region Replication (CRR)
What is Cross-Region Replication?
CRR automatically copies objects from a source bucket to a destination bucket in another AWS region.
Why is CRR Used?
- Disaster recovery
- Compliance
- Global availability
Prerequisites
- Versioning enabled on both buckets
- Buckets must be in different regions
- IAM role for replication
Architecture
✅ Steps to Configure Cross-Region Replication
- Enable versioning on source and destination buckets
- Open Source bucket → Management tab
- Click Create replication rule
- Rule name: crr-rule-1
- Choose Apply to all objects (or prefix based)
- Select Destination bucket (different region)
- Create or select IAM replication role
- Save the rule
📌 Only new objects are replicated automatically.
9. Same-Region Replication (SRR)
Definition
Replicates objects within the same AWS region.
Use Case
- Log aggregation
- Different storage classes
- Data separation
10. S3 Multi-Region Access Points (MRAP)
What is MRAP?
S3 Multi-Region Access Point (MRAP) provides a single global endpoint to access multiple S3 buckets across regions.
AWS automatically routes traffic to the nearest healthy bucket.
Why is MRAP Needed?
- Active–Active architecture
- Lowest latency access
- Automatic regional failover
How MRAP Works
Prerequisites
- At least two buckets in different regions
- Versioning enabled
- Replication (CRR or SRR)
✅ Steps to Create MRAP
- Go to AWS Console → S3 → Multi-Region Access Points
- Click Create MRAP
- Provide MRAP name
- Add buckets from different regions
- Choose replication configuration
- Create MRAP
How Applications Use MRAP
Applications do not need region-specific logic.
11. S3 Security Best Practices
Bucket Policies
- JSON-based access control
IAM Policies
- Fine-grained permissions
Encryption
- SSE-S3
- SSE-KMS
- Client-side encryption
Example Bucket Policy
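An added example (not from the original notes) of a least-privilege bucket policy that grants one role read access, denies every request that does not use TLS, and denies uploads that are not SSE-KMS encrypted, together with a small check that flags the unconditional `Principal: "*"` Allow statements which make a bucket public. The bucket, account id and role ARNs are hypothetical placeholders.

```python
# Hypothetical identifiers: replace with your real bucket, account id and role.
BUCKET_ARN = "arn:aws:s3:::my-demo-s3-bucket-123"
APP_ROLE_ARN = "arn:aws:iam::111122223333:role/app-reader"


def hardened_bucket_policy(bucket_arn=BUCKET_ARN, app_role_arn=APP_ROLE_ARN):
    """One named reader role, TLS required for everything, SSE-KMS required on every PUT."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowAppRead", "Effect": "Allow",
             "Principal": {"AWS": app_role_arn},
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": [bucket_arn, f"{bucket_arn}/*"]},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [bucket_arn, f"{bucket_arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{bucket_arn}/*",
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        ],
    }


def _is_wildcard(principal):
    # True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list).
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy):
    """Sids of Allow statements open to anyone and unconditional: the pattern
    that turns a bucket public and that Block Public Access exists to stop."""
    return [s.get("Sid", "<no sid>") for s in policy["Statement"]
            if s.get("Effect") == "Allow" and _is_wildcard(s.get("Principal"))
            and not s.get("Condition")]


# Constructed example of the classic mistake this check is meant to catch.
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*"}]}

if __name__ == "__main__":
    print("public statements:", public_statements(PUBLIC_READ_POLICY))
```

The DenyUnencryptedPut statement also rejects uploads that simply omit the encryption header, even when the bucket's default encryption is SSE-KMS, so clients must send it explicitly.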
12. S3 Lifecycle Policies
Definition
Automatically move objects between storage classes or delete them.
Example
- After 30 days → Standard-IA
- After 90 days → Glacier
- After 365 days → Delete
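An added example (not from the original notes) that turns the 30/90/365-day schedule above into the JSON document `aws s3api put-bucket-lifecycle-configuration` accepts, after checking the ordering mistakes S3 rejects, including the 30-day minimum stays before a move to Standard-IA and from Standard-IA onward; the optional non-current-version rule assumes the bucket is versioned, as the versioning section requires.

```python
# Storage class names as used by the S3 lifecycle API.
STANDARD_IA, GLACIER = "STANDARD_IA", "GLACIER"

# The schedule from the text: 30 days -> Standard-IA, 90 days -> Glacier, 365 days -> delete.
SCHEDULE = {"transitions": [(30, STANDARD_IA), (90, GLACIER)], "expire_days": 365}


def validate_schedule(transitions, expire_days):
    """Catch the mistakes S3 rejects at PutBucketLifecycleConfiguration time."""
    problems, prev_days, prev_class = [], 0, "STANDARD"
    for days, cls in transitions:
        if days <= prev_days:
            problems.append(f"transition to {cls} at day {days} is not after day {prev_days}")
        if cls in ("STANDARD_IA", "ONEZONE_IA") and days < 30:
            problems.append(f"objects must stay in STANDARD at least 30 days before {cls}")
        if prev_class in ("STANDARD_IA", "ONEZONE_IA") and days - prev_days < 30:
            problems.append(f"objects must stay in {prev_class} at least 30 days before {cls}")
        prev_days, prev_class = days, cls
    if expire_days is not None and expire_days <= prev_days:
        problems.append("expiration must come after the last transition")
    return problems


def lifecycle_configuration(transitions, expire_days, prefix="", noncurrent_days=None):
    """Build the JSON document for `aws s3api put-bucket-lifecycle-configuration`."""
    problems = validate_schedule(transitions, expire_days)
    if problems:
        raise ValueError("; ".join(problems))
    rule = {
        "ID": "tiering-and-expiry",
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": [{"Days": d, "StorageClass": c} for d, c in transitions],
        "Expiration": {"Days": expire_days},
    }
    if noncurrent_days is not None:   # on a versioned bucket, old versions need their own rule
        rule["NoncurrentVersionExpiration"] = {"NoncurrentDays": noncurrent_days}
    return {"Rules": [rule]}


if __name__ == "__main__":
    import json
    print(json.dumps(lifecycle_configuration(**SCHEDULE, noncurrent_days=30), indent=2))
```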
13. Real-World Use Cases
- Application logs storage
- Data lake for ML
- Backup & restore
- Static website hosting
- Cross-region DR