Amazon S3 is one of the most important building blocks of AWS, and it powers some of the biggest websites in the world.
It is advertised as “infinitely scaling” storage, so we don’t need to provision its size in advance.
Many websites use Amazon S3 as a backbone, so we’ll also see how we can deploy static websites on Amazon S3.
Amazon S3 Buckets
S3 is a service that allows us to store objects (files) in buckets, which act like top-level directories, and each bucket must have a globally unique name.
Buckets are defined at the region level: even though S3 has a global namespace, buckets are regional resources.
There is a naming convention: no uppercase letters, no underscores, 3 to 63 characters long, not formatted like an IP address, and the name must start with a lowercase letter or a number.
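The rules above are easy to check with a short helper. This is a minimal sketch; `is_valid_bucket_name` is a hypothetical function for illustration, not an AWS API.

```python
import re

# Sketch of the S3 bucket naming rules described above: 3-63 characters,
# lowercase letters, numbers, dots and hyphens only (no uppercase, no
# underscores), must start and end with a letter or number, and must not
# look like an IP address.
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def is_valid_bucket_name(name: str) -> bool:
    return bool(NAME_RE.match(name)) and not IP_RE.match(name)

print(is_valid_bucket_name("my-app-logs-2024"))  # True
print(is_valid_bucket_name("My_Bucket"))         # False: uppercase and underscore
print(is_valid_bucket_name("192.168.1.1"))       # False: looks like an IP
```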
In these buckets we create objects, which are files, and every object must have a key.
What is a key?
It is the full path to that file within the bucket.
An object consists of a key, a value (the file content), metadata, and a version ID.
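Because the key is the full path, S3 has no real directories: the “/” separators are simply part of the key. A hypothetical split of a key into its prefix and object name (the key below is a made-up example):

```python
# The key is the full path of the object inside the bucket; the "/"
# characters are just part of the key string, not real folders.
key = "my_folder1/another_folder/my_file.txt"
prefix, _, object_name = key.rpartition("/")
print(prefix)       # my_folder1/another_folder
print(object_name)  # my_file.txt
```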
Your files in Amazon S3 can be versioned, but versioning has to be enabled first at the bucket level. Once it is, uploading a file with an existing key creates a new version of that file instead of overwriting it.
It is a best practice to version your buckets in Amazon S3: keeping all the file versions protects you against unintended deletes of a previous version.
And also, you can easily roll back to any previous version you want.
Any file that existed before versioning was enabled will have the version ID “null”.
If you suspend versioning on your bucket, the previous versions are not deleted; it only means that future uploads will not have a version ID assigned to them.
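The behaviour described above can be illustrated with a toy in-memory model (this is not the AWS API, just a sketch of the semantics): an object uploaded before versioning is enabled gets version ID “null”, and uploading to an existing key afterwards adds a new version instead of overwriting.

```python
import itertools

# Toy model of S3 bucket versioning (illustration only, not boto3).
class Bucket:
    def __init__(self):
        self.versioning = False
        self.objects = {}             # key -> list of (version_id, value)
        self._ids = itertools.count(1)

    def put(self, key, value):
        # Before versioning is enabled, objects get the version ID "null".
        vid = f"v{next(self._ids)}" if self.versioning else "null"
        self.objects.setdefault(key, []).append((vid, value))
        return vid

b = Bucket()
b.put("index.html", "old")       # uploaded before versioning -> "null"
b.versioning = True
b.put("index.html", "new")       # same key -> a new version is added
print(b.objects["index.html"])   # [('null', 'old'), ('v1', 'new')]
```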
Amazon S3 Encryption for your objects
The idea is that you upload objects onto Amazon S3, and these objects sit on AWS servers, so you may want to make sure they are not readable
if, for example, someone gets into those servers, or because you need to adhere to security standards set by your company.
As such, Amazon gives you four methods to encrypt objects in Amazon S3.
The first one is SSE-S3.
It encrypts S3 objects using keys handled and managed by AWS.
The second one is SSE-KMS, which leverages AWS Key Management Service (KMS) to manage your encryption keys.
The third one is SSE-C, where you manage your own encryption keys and provide them with each request; and finally client-side encryption, where you encrypt and decrypt the data yourself, outside of AWS.
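One way to see the difference is to look at the extra parameters each server-side option adds to an S3 PutObject call. They are shown here as plain dicts so nothing is actually uploaded; the KMS key ARN and the customer key are placeholder values:

```python
# Extra PutObject parameters for each server-side encryption option.
sse_s3  = {"ServerSideEncryption": "AES256"}          # SSE-S3: AWS-managed keys
sse_kms = {"ServerSideEncryption": "aws:kms",         # SSE-KMS: key lives in KMS
           "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}
sse_c   = {"SSECustomerAlgorithm": "AES256",          # SSE-C: you send your own key
           "SSECustomerKey": "<your 256-bit key, base64-encoded>"}

# Client-side encryption has no PutObject parameter at all: you encrypt
# the bytes yourself before uploading and decrypt them after downloading.
print(sse_s3, sse_kms["ServerSideEncryption"], sse_c["SSECustomerAlgorithm"])
```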
Amazon S3 security
It can get complex, but the first layer is user-based security.
Our IAM users have IAM policies, and these policies authorize which API calls are allowed for that user.
Then we have resource-based security.
Bucket policies are bucket-wide rules that we can set from the S3 console; they define what principals can and cannot do on our S3 bucket, and they enable cross-account access to our buckets.
Then we have object ACLs, which are finer-grained rules set at the object level, and finally bucket ACLs.
An IAM principal (a user or a role) can access an S3 object if the IAM permissions allow it, meaning an IAM policy attached to that principal grants access to your S3 bucket, or if the resource policy (usually your S3 bucket policy) allows it.
On top of that, there must be no explicit deny: if your user is allowed through IAM but your bucket policy explicitly denies that user, then access is refused.
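The evaluation rule above fits in one line of logic. A minimal sketch (`can_access` is a hypothetical helper, not an AWS API): access is granted when the IAM policy or the bucket policy allows the call, and nothing explicitly denies it.

```python
# Sketch of the S3 authorization logic described above:
# (IAM allows OR bucket policy allows) AND no explicit deny.
def can_access(iam_allows: bool, bucket_policy_allows: bool,
               explicit_deny: bool) -> bool:
    return (iam_allows or bucket_policy_allows) and not explicit_deny

print(can_access(iam_allows=True,  bucket_policy_allows=False, explicit_deny=False))  # True
print(can_access(iam_allows=False, bucket_policy_allows=True,  explicit_deny=False))  # True
print(can_access(iam_allows=True,  bucket_policy_allows=True,  explicit_deny=True))   # False
```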
There is also multi-factor authentication (MFA): if you enable MFA Delete on a bucket, you need to be authenticated with MFA to delete a specific version of an object in that bucket.
Pre-signed URLs are what you get when you open a file this way: a very long URL, signed with some credentials from AWS, that is valid only for a limited time.
A typical use case is letting a user download a premium video from the service, but only if they are logged in and have purchased that video.
Whenever you see the access of certain files to certain users for a limited amount of time, think of pre-signed URLs.
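To make the idea concrete, here is a simplified, stdlib-only sketch of what such a URL contains. Real S3 pre-signed URLs use AWS Signature Version 4; this toy HMAC only illustrates that the URL embeds a date, an expiry, and a signature (the bucket, key, and secret are placeholders):

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Toy pre-signing (NOT real SigV4): shows the shape of a pre-signed URL.
def toy_presign(bucket, key, secret, expires_in=3600):
    params = {
        "X-Amz-Date": time.strftime("%Y%m%dT%H%M%SZ", time.gmtime()),
        "X-Amz-Expires": str(expires_in),     # validity window in seconds
    }
    to_sign = f"GET /{bucket}/{key}?{urlencode(params)}"
    params["X-Amz-Signature"] = hmac.new(
        secret.encode(), to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{bucket}.s3.amazonaws.com/{key}?{urlencode(params)}"

url = toy_presign("premium-videos", "movie.mp4", secret="demo-secret")
print(url)
```

In practice you would not sign URLs by hand: the SDKs do it for you (for example boto3's `generate_presigned_url`).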
Amazon S3 can host websites
S3 can host static websites and have them accessible on the World Wide Web, and the website URLs will be very simple.
If you enable website hosting but don’t set a bucket policy that allows public reads of your bucket, you will get a 403 Forbidden error.
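The bucket policy that fixes this 403 allows anonymous `s3:GetObject` on everything in the bucket. Here it is built as a plain dict (`my-website-bucket` is a placeholder name); with boto3 you would apply it via `put_bucket_policy`:

```python
import json

# Bucket policy allowing public reads, as needed for static website hosting.
public_read_policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",                              # anyone, unauthenticated
        "Action": "s3:GetObject",                      # read-only
        "Resource": "arn:aws:s3:::my-website-bucket/*" # every object in the bucket
    }],
}
print(json.dumps(public_read_policy, indent=2))
```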
An origin is the combination of scheme (protocol), host (domain), and port. The web browser can make requests from a page to URLs on the same origin freely. But if you visit, for example, www.example.com and the page asks your web browser to make a request to www.anotherexample.com, that is called a cross-origin request.
Your web browser will block it unless the response carries the correct CORS headers.
So now that we know what is the same origin and what is a different origin, we know that the request will not be fulfilled unless the other origin allows it using CORS headers, such as Access-Control-Allow-Origin.
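For S3, this means attaching a CORS configuration to the bucket that serves the cross-origin assets. A sketch of such a configuration (the allowed origin and bucket name are placeholders):

```python
# CORS configuration for the bucket serving cross-origin assets:
# allow GET requests coming from the first website's origin.
cors_config = {
    "CORSRules": [{
        "AllowedOrigins": ["https://www.example.com"],  # the calling site
        "AllowedMethods": ["GET"],
        "AllowedHeaders": ["*"],
        "MaxAgeSeconds": 3000,   # how long browsers may cache the preflight
    }]
}

# With boto3 this would be applied with:
#   s3.put_bucket_cors(Bucket="assets-bucket", CORSConfiguration=cors_config)
print(cors_config["CORSRules"][0]["AllowedOrigins"])
```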
Conclusion of Amazon S3
Cloud storage is a critical component of cloud computing because it holds the information used by applications. Big data analytics, data warehouses, Internet of Things (IoT), databases, and backup and archive applications all rely on some form of data storage architecture.
Cloud storage is typically more reliable, scalable, and secure than traditional on-premises storage systems, and AWS offers a complete range of cloud storage services to support both application and archival compliance requirements.