
AWS S3

Simple Storage Service - Object storage built to retrieve any amount of data

Amazon Simple Storage Service (S3) is an object storage service offering industry-leading scalability, data availability, security, and performance.

Key Facts

Most storage classes offer 99.999999999% (11 9's) durability by storing each object redundantly across multiple Availability Zones within a region. S3 One Zone-IA is the exception: it keeps data in a single AZ, so it does not survive the loss of that AZ.

Key Concepts

Buckets

Containers for objects. Bucket names must be globally unique across all AWS accounts (within a partition), and the name forms part of a public DNS hostname, so treat bucket names as public: never embed secrets in them, and remember that a name released when a bucket is deleted can later be claimed by another account, which makes dangling references to deleted buckets a takeover risk.

Objects

Files stored in S3, consisting of:

  • Key: The unique identifier (file path)
  • Value: The data (up to 5 TB per object)
  • Metadata: Additional information about the object
  • Version ID: If versioning is enabled

Regions

Buckets are created in specific AWS regions. Choose a region close to your users for lower latency.

Storage Classes

Class                          Use case                       Availability
S3 Standard                    Frequently accessed data       99.99%
S3 Intelligent-Tiering         Unknown access patterns        99.9%
S3 Standard-IA                 Infrequent access              99.9%
S3 One Zone-IA                 Infrequent access, single AZ   99.5%

Class                          Use case                       Retrieval time
S3 Glacier Instant Retrieval   Archive with instant access    Milliseconds
S3 Glacier Flexible Retrieval  Archive storage                Minutes to hours
S3 Glacier Deep Archive        Long-term archive              12 to 48 hours

Storage Class Lifecycle

Bucket Policies

Control access at the bucket level. The example below makes every object readable by anyone on the internet (Principal "*" with no Condition); use it only for content that is meant to be public:

bucket-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Security Warning

Be extremely careful with public bucket policies. S3 Block Public Access rejects a policy like the one above unless its BlockPublicPolicy setting has been turned off for the bucket, so turning it off is a deliberate act that should be reviewed. Use Access Analyzer for S3 (backed by IAM Access Analyzer) to review who a bucket is shared with before enabling public access, and again after any policy change.

Versioning

Keep multiple versions of objects:

Enable Versioning
aws s3api put-bucket-versioning \
  --bucket my-bucket \
  --versioning-configuration Status=Enabled

Once enabled, versioning cannot be disabled, only suspended. Every version is stored and billed as a separate object. A delete without a version ID only adds a delete marker, which hides the object but removes nothing; pass the version ID to delete data permanently. Enable MFA Delete when permanent deletes and changes to the versioning state should require a second factor.

Benefits:

  • Recover from accidental deletions
  • Keep history of object changes
  • Works with lifecycle policies (use the noncurrent-version transition and expiration actions to age out old versions, otherwise they accumulate cost indefinitely)

Lifecycle Rules

Automate object transitions and deletions. In the API, GLACIER means S3 Glacier Flexible Retrieval; GLACIER_IR and DEEP_ARCHIVE name the other archive classes:

lifecycle-rule.json
{
  "Rules": [
    {
      "ID": "ArchiveOldLogs",
      "Status": "Enabled",
      "Filter": {
        "Prefix": "logs/"
      },
      "Transitions": [
        {
          "Days": 30,
          "StorageClass": "STANDARD_IA"
        },
        {
          "Days": 90,
          "StorageClass": "GLACIER"
        }
      ],
      "Expiration": {
        "Days": 365
      }
    }
  ]
}
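A check worth running before put-bucket-lifecycle-configuration, as an added example that is not part of this page or of AWS tooling: a small linter for day-based rules. It loads the rule above and a constructed broken one, applies the constraints S3 itself enforces (at least 30 days before a transition to STANDARD_IA or ONEZONE_IA, strictly increasing transition days, expiration after the last transition), and warns about two cost traps: on a versioned bucket the Expiration action only writes a delete marker, and abandoned multipart uploads are never cleaned up without an AbortIncompleteMultipartUpload action. Rule IDs and prefixes are placeholders.

```python
"""Lint an S3 lifecycle configuration before it is applied.

Added example for this page, not AWS tooling. Checks the constraints S3
enforces on day-based rules plus two cost warnings. Date-based transitions
are skipped.
"""

IA_CLASSES = {"STANDARD_IA", "ONEZONE_IA"}

# The page's own rule, as loaded from lifecycle-rule.json.
PAGE_RULE = {
    "ID": "ArchiveOldLogs",
    "Status": "Enabled",
    "Filter": {"Prefix": "logs/"},
    "Transitions": [
        {"Days": 30, "StorageClass": "STANDARD_IA"},
        {"Days": 90, "StorageClass": "GLACIER"},
    ],
    "Expiration": {"Days": 365},
}

# Constructed broken rule: IA far too early, expiration before the last transition.
BAD_RULE = {
    "ID": "TooAggressive",
    "Status": "Enabled",
    "Filter": {"Prefix": "tmp/"},
    "Transitions": [
        {"Days": 7, "StorageClass": "STANDARD_IA"},
        {"Days": 90, "StorageClass": "GLACIER"},
    ],
    "Expiration": {"Days": 60},
}


def lint_rule(rule, versioning_enabled=False):
    """Return a list of 'ERROR ...' / 'WARN ...' strings; empty means clean."""
    rid = rule.get("ID", "<no ID>")
    findings = []
    last_days = None
    for t in rule.get("Transitions", []):
        days, cls = t.get("Days"), t.get("StorageClass")
        if days is None:  # date-based transition, out of scope here
            continue
        if cls in IA_CLASSES and days < 30:
            findings.append(f"ERROR {rid}: transition to {cls} after {days} days; "
                            "S3 requires objects to age at least 30 days first")
        if last_days is not None and days <= last_days:
            findings.append(f"ERROR {rid}: transition to {cls} at day {days} is not "
                            f"after the previous transition at day {last_days}")
        last_days = days if last_days is None else max(last_days, days)
    exp_days = rule.get("Expiration", {}).get("Days")
    if exp_days is not None and last_days is not None and exp_days <= last_days:
        findings.append(f"ERROR {rid}: Expiration at day {exp_days} must be after "
                        f"the last transition at day {last_days}")
    if versioning_enabled and "NoncurrentVersionExpiration" not in rule:
        findings.append(f"WARN {rid}: bucket is versioned but the rule has no "
                        "NoncurrentVersionExpiration; Expiration only adds a delete "
                        "marker and every old version keeps costing storage")
    if "AbortIncompleteMultipartUpload" not in rule:
        findings.append(f"WARN {rid}: no AbortIncompleteMultipartUpload; parts of "
                        "abandoned uploads are billed until deleted")
    return findings


def lint_configuration(config, versioning_enabled=False):
    """Lint every rule of a {"Rules": [...]} document and return all findings."""
    return [f for rule in config["Rules"] for f in lint_rule(rule, versioning_enabled)]


if __name__ == "__main__":
    for finding in lint_configuration({"Rules": [PAGE_RULE, BAD_RULE]},
                                      versioning_enabled=True):
        print(finding)
```

Run it with versioning_enabled set to the bucket's real state; the page's rule comes back clean apart from the two cost warnings, while the constructed rule fails two hard constraints that the PutBucketLifecycleConfiguration call would also reject.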

Encryption

SSE-S3: AWS manages the encryption keys automatically. Simplest option, and since January 2023 S3 applies it to every new object by default unless the bucket is configured for another method. Setting it explicitly still records the intent in the bucket configuration:

Enable Default Encryption (SSE-S3)
aws s3api put-bucket-encryption \
  --bucket my-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"
      }
    }]
  }'

SSE-KMS: Use an AWS KMS key to protect the per-object data keys. Every encrypt and decrypt call is logged in CloudTrail, and the key policy becomes a second access-control point: a principal that can read the bucket but lacks kms:Decrypt on the key cannot read object contents. Add "BucketKeyEnabled": true to the rule to use an S3 Bucket Key, which cuts KMS request volume and cost.

Enable Default Encryption (SSE-KMS)
aws s3api put-bucket-encryption \
  --bucket my-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/abc123"
      }
    }]
  }'

SSE-C: The customer provides their own encryption key with each request. AWS does not store the key, only a randomly salted HMAC of it used to validate later requests.

With SSE-C, you must provide the key with every request (PUT and GET alike), and S3 accepts such requests only over HTTPS because the key travels in a header. Losing the key means losing access to your data.
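The two checks a reviewer wants for the Bucket Policies section and this Encryption section, as an added example that is not the page's or AWS's code: a public-statement detector run over the page's public-read policy, and a small evaluator that shows which explicit Deny fires for a given request against a hardened policy that forces TLS and SSE-KMS with one named key. The evaluator implements only the condition operators used here (Bool, StringEquals, StringNotEquals, Null); the bucket name, account ID, key ARN and request contexts are placeholders constructed for the demo.

```python
"""Offline checks for an S3 bucket policy before it is attached.

Added example for this page, not AWS code. Two questions a reviewer asks:
  is_public(policy)       which Allow statements let anyone in, unconditioned?
  is_denied(policy, ...)  which explicit Deny fires for a given request?
The evaluator covers only Bool, StringEquals, StringNotEquals and Null, and
is no substitute for IAM policy simulation or Access Analyzer.
"""
from fnmatch import fnmatchcase

# The page's public-read policy: anonymous GetObject on every key.
PUBLIC_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*",
    }],
}

# Hardened guards for a private bucket: TLS only, and every upload must use
# SSE-KMS with one named key. Deny always beats Allow, so these hold even if
# some IAM policy elsewhere is too broad. Each condition key gets its own
# statement: several keys under one StringNotEquals are ANDed, so a single
# combined statement would let "aws:kms" with the wrong key ID through.
KMS_KEY = "arn:aws:kms:us-east-1:123456789012:key/abc123"  # placeholder ARN
OBJECTS = "arn:aws:s3:::my-bucket/*"
HARDENED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": ["arn:aws:s3:::my-bucket", OBJECTS],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": OBJECTS,
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyNonKmsUpload", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": OBJECTS,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": OBJECTS,
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _anyone(principal):
    """Principal "*" or {"AWS": "*"}: every AWS account plus anonymous users."""
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))


def is_public(policy):
    """Sids of Allow statements open to anyone with no Condition at all.
    A conditioned Allow to "*" still needs review: aws:SecureTransport alone
    restricts how the bucket is reached, not who reaches it."""
    return [s.get("Sid", "?") for s in policy["Statement"]
            if s["Effect"] == "Allow" and _anyone(s.get("Principal"))
            and not s.get("Condition")]


def _condition_matches(condition, ctx):
    """ctx maps condition keys to request values; a key not in ctx is absent."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = [str(w) for w in _as_list(wanted)]
            actual = ctx.get(key)
            if operator == "Null":
                if (actual is None) != (wanted[0] == "true"):
                    return False
            elif operator in ("Bool", "StringEquals"):
                if actual is None or actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: an absent key counts as "not equal", which is
                # what makes Deny-unless-from-my-VPC-endpoint style guards work.
                if actual is not None and actual in wanted:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _matches(patterns, value):
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def is_denied(policy, action, resource, ctx):
    """Sid of the first explicit Deny that applies to the request, else None."""
    for s in policy["Statement"]:
        if (s["Effect"] == "Deny" and _matches(s["Action"], action)
                and _matches(s["Resource"], resource)
                and _condition_matches(s.get("Condition", {}), ctx)):
            return s["Sid"]
    return None


if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/report.pdf"
    print("public:", is_public(PUBLIC_READ), is_public(HARDENED))
    print(is_denied(HARDENED, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))
    print(is_denied(HARDENED, "s3:PutObject", obj,
                    {"aws:SecureTransport": "true",
                     "s3:x-amz-server-side-encryption": "AES256"}))
```

The split into four Deny statements is the point to take away: a PutObject that says aws:kms but names another key is caught only because the key-ID check lives in its own statement. With default bucket encryption in place the missing-header case is already covered by S3, so the Null statement mainly documents intent.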

Cross-Region Replication

Replicate objects to another region for disaster recovery or compliance. The IAM role named in the configuration is assumed by S3 and needs read permissions on the source bucket and replicate permissions on the destination:

replication-config.json
{
  "Role": "arn:aws:iam::123456789012:role/replication-role",
  "Rules": [
    {
      "Status": "Enabled",
      "Priority": 1,
      "Filter": {},
      "DeleteMarkerReplication": {
        "Status": "Disabled"
      },
      "Destination": {
        "Bucket": "arn:aws:s3:::destination-bucket",
        "StorageClass": "STANDARD"
      }
    }
  ]
}

Versioning must be enabled on both source and destination buckets. A rule that uses a Filter must also carry a DeleteMarkerReplication element, and delete markers are not replicated unless it is set to Enabled. Replication applies to objects written after the rule exists; use S3 Batch Replication for objects that already exist. Objects encrypted with SSE-KMS are skipped unless the rule opts in through SourceSelectionCriteria and names a destination key in EncryptionConfiguration.

Static Website Hosting

Host static websites directly from S3:

Enable Website Hosting
aws s3 website s3://my-bucket/ \
  --index-document index.html \
  --error-document error.html

Website endpoint format: http://bucket-name.s3-website-region.amazonaws.com or http://bucket-name.s3-website.region.amazonaws.com, depending on the region. The endpoint serves plain HTTP only and requires the objects to be publicly readable, so Block Public Access must be turned off for the bucket.

HTTPS Support

Use CloudFront in front of S3 for HTTPS and custom domain support. Point the distribution at the bucket's REST endpoint with Origin Access Control so that only CloudFront can read the objects; the bucket then stays private with Block Public Access on, and the HTTP website endpoint is not needed at all.

Presigned URLs

Generate temporary URLs for private objects. A presigned URL carries the signer's identity and permissions: whoever holds it can perform that one operation until it expires, so share it as you would a credential. The CLI accepts up to 604800 seconds (7 days), and a URL signed with temporary credentials stops working when those credentials expire, whatever expiry it carries:

Generate Presigned URL
# Valid for 1 hour (3600 seconds)
aws s3 presign s3://my-bucket/my-object.txt --expires-in 3600

Best Practices

Security

  1. Keep S3 Block Public Access on at the account and bucket level (put-public-access-block); turn it off only for buckets that are meant to be public
  2. Enable versioning for important data, with MFA Delete where permanent deletes need a second factor
  3. Use bucket policies and IAM policies together, granting least privilege and using explicit Deny statements for invariants such as TLS-only access
  4. Enable server-side encryption, preferring SSE-KMS with a customer managed key where an audit trail or a separate key access control is needed
  5. Enable server access logging or CloudTrail data events so object-level reads and writes are recorded

Performance

  1. Use multipart upload for large files (>100MB)
  2. Use S3 Transfer Acceleration for global uploads
  3. Use CloudFront for content delivery
  4. Use appropriate storage classes

Cost Optimization

  1. Use lifecycle policies to transition old data
  2. Monitor with S3 Storage Lens
  3. Delete incomplete multipart uploads with a lifecycle AbortIncompleteMultipartUpload action
  4. Use S3 Intelligent-Tiering for unknown patterns
