S3 & Glacier
S3¶
General Info¶
Object storage
Features¶
| Feature | Description |
|---|---|
| Regionality |
|
| Data Consistency |
|
| MFA Delete |
|
| Versioning |
|
| S3 Transfer Acceleration | Speeds up transfers to S3 |
| Limits |
|
Naming¶
| Use Case | Naming | Example |
|---|---|---|
| Direct bucket access | bucket name after FQDN (path-style) | https://s3.us-east-2.amazonaws.com/testBucket/images |
| Website hosting | bucket name part of FQDN (virtual-hosted-style) | https://testBucket.s3.us-east-2.amazonaws.com/images |
Storage Classes¶
| Class | Description | Availability | Durability |
|---|---|---|---|
| S3 Standard | Frequently accessed data | 99.99 |
11 9s |
| S3 Intelligent-Tiering |
|
99.99 |
11 9s |
| S3 Standard-IA |
|
99.9 |
11 9s |
| S3 One Zone-IA |
|
99.5 |
11 9s |
| Glacier |
|
99.99 |
11 9s |
| Glacier Deep Archive | 12-48 hours latency | 99.99 |
11 9s |

Access Control¶
The account (not user) that creates objects/buckets owns them, even if the bucket is hosted by a different account
Contexts¶
| Context | Description |
|---|---|
| User needs to have permission | Using identity policies (or user is the root of an account) |
| For bucket operations: bucket needs to have permission |
|
| For object operations: User has to have permission (or be root) |
|
Grant Access¶
| Option | Description |
|---|---|
| IAM Policies |
|
| S3 ACLs |
|
| S3 Bucket policies |
|
| Query String Auth |
|
| Conditions |
|
<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Owner>
<ID>*** Owner-Canonical-User-ID ***</ID>
<DisplayName>owner-display-name</DisplayName>
</Owner>
<AccessControlList>
<Grant>
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="Canonical User">
<ID>*** Owner-Canonical-User-ID ***</ID>
<DisplayName>display-name</DisplayName>
</Grantee>
<Permission>FULL_CONTROL</Permission>
</Grant>
</AccessControlList>
</AccessControlPolicy>
// Allows full read permissions to anonymous users
{
"Version":"2012-10-17",
"Statement": [
{
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::my-bucket/*"]
}
]
}
Policy Precedence¶

- Decisions ALWAYS default to
DENY- If no method specifies an
ALLOW—>DENYby default
- If no method specifies an
- An EXPLICIT
DENYALWAYS override anALLOW - Only if no method specify a
DENY&& 1+ methods specify anALLOW—>ALLOW - S3 bucket policies has precedence over IAM policy
- Example
- IAM policy grants access to an object
- S3 bucket policy denies access to that object
- No S3 ACL
- —> access denied (S3 bucket policy win)
- Example
- 1 bucket policy deny all ops to all users (EXPLICIT DENY)
- 1 bucket policy allowing one specific user to upload
- -> EXPLICIT DENY ALWAYS OVERRIDE AN ALLOW
Encryption¶
Server Side¶
SSE-S3 |
AWS S3-managed Keys |
|
SSE-KMS |
AWS KMS-managed Keys |
|
SSE-C |
Customer-provided Keys |
|
DSSE-KMS |
Dual-layer encryption with keys stored in KMS |
|
Client Side¶
CSE-KMS |
AWS KMS-managed Customer Master Key |
CSE-C |
Client-side Master Key |

Monitoring¶
- CloudTrail by default records bucket-level actions
- Can enable CloudTrail logging of object-level actions by setting that property on a bucket in S3 (can choose read/write)
- Server access logging: separate audit log, configured per-bucket, that stores events in a bucket
- A Guide to S3 Logging
Specific Setups¶
- Force TLS
- Add bucket policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowRequests", "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::your-s3-bucket/*" }, { "Sid": "ForceSSLRequests", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::your-s3-bucket/*", "Condition": { "Bool": { "aws:SecureTransport": "false" } } } ] } - Pre-signed URLs
-
- Give temporarily access to a specific object (since by default buckets are private)
- Anyone who has access to a pre-signed URL will have access to the object
- The illustrated guide to S3 pre-signed URLs
- Must provide
- Security credentials (must have the right permissions to access the S3 object)
- Bucket name
- Object key
- Expiration (default
3600s, can be up to7d)
$ aws s3 presign s3://<bucket>/file.txt --expires-in 300 - Block Public Access
-
Applied to specific buckets, or all buckets in an account
BlockPublicAclsCan't create new public bucket or object ACLs IgnorePublicAclsExisting (and new) public ACLs are ignored BlockPublicPolicyCan't create public bucket policies RestrictPublicBucketsBlocks all anonymous and cross-account access to a bucket - Cross region replication
-
- Replicates objects from one region to another in an asynchronous fashion
- Features
- You can replicate objects from a source bucket to only one destination
- After S3 replicates an object, the object cannot be replicated again
- Enabling cross-region replication does not copy existing objects by default → need to manually copy existing objects
- Uses SSL by default (no need for policy)
- Conditions
- Versioning must be enabled in both source and destination
- The replication role gives all the necessary permissions to replicate and access the objects on the source bucket
- If the destination bucket is owned by a different AWS account, the account owner of the destination must grant the required permission to store the replicated objects
- It is also possible to change object ownership during replication to the destination bucket
- If the owner of the source bucket does not have permissions on the stored objects, the
readandread_acppermissions should be granted (via ACL) - Bucket owner must have permissions to access objects (ACLs) to perform the replication
- What replicated
- New objects created after the replication is activated
- Old objects will not be replicated unless they are changed after the replication was activated
- Unencrypted objects
- Objects encrypted using
SSE-S3andSSE-KMS(noSSE-C) - Object metadata, ACL updates, existing tags, and lock retention information
- Only object in the source bucket for which the bucket owner has permission to read objects and read ACLs
- If you perform a
deleteoperation to mark the object as deleted, this marker will be replicated
- New objects created after the replication is activated
- Not replicated
- Objects created before the CRR was enabled
- Objects created with SSE-C, or customer-provided encryption keys
- Objects deleted through a
deleteoperation with a version ID specified (particular object version) → prevents malicious deletion of data

Glacier¶
Use cases¶
- Files stored as
Archives, Archives stored inVaults - Data Retrieval requires job initiation then getting the output from the job
Characteristics¶
- Data Storage
-
- Automatically encrypts data (
AES-256) - Regular data integrity checks
- Only your account can access data
- Can use IAM to specify which users within the account have rights to operate on a given
Vault
- Automatically encrypts data (
- Archive
-
- Stores data <40TB
- Each assigned a unique ID
- Automatically encrypted
- Immutable (after creation can't be modified)
- Vault
-
- Container for
Archives(can storeinfinitenumber) - Max 1000
Vaultsper region
- Container for
- Vault Lock Policies
-
- A vault access policy that can be locked to prevent changes to it
- configure and enforce compliance controls for individual Glacier Vaults (~ IAM policy)
- Use cases
- configure
WORM(write once read many) archives - create data retention policies
- configure
- 2 steps to configure
- initiate the lock by attaching a vault lock policy to the vault (sets the lock to an "in-progress" state)
- you then have 24h to validate the lock policy
- once validated, lock policies are immutable
- A vault access policy that can be locked to prevent changes to it