Simple Storage Service (S3)
Security
S3 supports TLS for data in transit but does not enforce it: plain HTTP requests are accepted unless a bucket policy denies requests where aws:SecureTransport is false. At rest, every new object has been encrypted by default with SSE-S3 since January 2023; stronger options (SSE-KMS, SSE-C, client-side) must be chosen explicitly.
Encryption at Rest
- Client side: Strictest form. The client encrypts before upload, decrypts after download, and manages its own keys; S3 only ever stores ciphertext.
- SSE-C:
- S3 performs the encryption, but the customer supplies the 256-bit key on every PUT/GET. S3 does not store the key (only a salted HMAC of it to validate later requests), so a lost key means unrecoverable data. Accepted only over HTTPS.
- SSE-S3
- S3 manages everything, keys included: each object gets its own AES-256 data key, wrapped by an S3-managed root key that is rotated regularly. An IAM principal with s3:GetObject reads plaintext transparently; no key permission is involved. This is the default since 2023.
- SSE-KMS
- S3 encrypts with a data key from AWS KMS (a customer-managed key or the aws/s3 key). A reader needs both S3 permission and kms:Decrypt on the key, so access can be revoked at the key and every decrypt is logged in CloudTrail. S3 Bucket Keys cut the number of KMS calls and their cost.
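As an added example that is not part of these notes, the Python below builds the request headers each encryption mode needs (including SSE-C's base64 key and key-MD5 headers), generates a bucket policy that denies non-TLS requests and any upload that is not SSE-KMS, and checks constructed sample requests against that policy with a minimal evaluator that implements only the two IAM condition operators the policy uses. The bucket name and sample request contexts are made up; in boto3 the same headers are set through the ServerSideEncryption, SSEKMSKeyId, SSECustomerAlgorithm and SSECustomerKey parameters of put_object.

```python
"""Added example (not from the original notes): headers for each S3
encryption-at-rest mode, a bucket policy that makes TLS and SSE-KMS
mandatory, and a minimal IAM-style check of sample requests against it."""
import base64
import fnmatch
import hashlib

BUCKET = "example-notes-bucket"  # hypothetical bucket, not a real resource


def sse_headers(mode, customer_key=None, kms_key_arn=None):
    """x-amz-* headers a PUT (and, for SSE-C, every GET) must carry.
    'client' returns none: the client encrypts first, S3 only sees ciphertext."""
    if mode == "client":
        return {}
    if mode == "SSE-S3":
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_arn:  # omitted -> the AWS-managed aws/s3 key is used
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_arn
        return headers
    if mode == "SSE-C":
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C requires a 256-bit (32-byte) key")
        # S3 never stores this key; it travels with every request, which is why
        # S3 only accepts SSE-C over HTTPS. The MD5 lets S3 reject a corrupted
        # key instead of decrypting with the wrong one.
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key":
                base64.b64encode(customer_key).decode(),
            "x-amz-server-side-encryption-customer-key-MD5":
                base64.b64encode(hashlib.md5(customer_key).digest()).decode(),
        }
    raise ValueError(f"unknown SSE mode: {mode!r}")


def hardened_bucket_policy(bucket):
    """Deny non-TLS requests and any PutObject that is not SSE-KMS.
    An explicit Deny overrides every Allow, so this binds all principals."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {   # S3 does not enforce encryption in transit by itself; this does.
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {   # StringNotEquals also matches when the header is absent, so an
            # upload that relies on the SSE-S3 default is rejected as well.
            "Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"{arn}/*",
            "Condition": {"StringNotEquals":
                          {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ]}


def _condition_matches(operator, key, expected, ctx):
    """Subset of IAM condition semantics needed by the policy above."""
    actual = ctx.get(key)
    if operator == "Bool":             # missing key -> no match
        return actual is not None and actual.lower() == expected.lower()
    if operator == "StringNotEquals":  # negated operator: missing key -> match
        return actual is None or actual != expected
    raise NotImplementedError(operator)


def is_denied(policy, action, ctx):
    """True if any Deny statement matches the action and request context."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if all(_condition_matches(op, k, v, ctx)
               for op, kv in st.get("Condition", {}).items() for k, v in kv.items()):
            return True
    return False


# Constructed request contexts, as the policy engine would see them.
SAMPLE_REQUESTS = {
    "kms-over-http": ("s3:PutObject", {"aws:SecureTransport": "false",
                                       "s3:x-amz-server-side-encryption": "aws:kms"}),
    "no-sse-header": ("s3:PutObject", {"aws:SecureTransport": "true"}),
    "sse-s3-header": ("s3:PutObject", {"aws:SecureTransport": "true",
                                       "s3:x-amz-server-side-encryption": "AES256"}),
    "kms-over-tls":  ("s3:PutObject", {"aws:SecureTransport": "true",
                                       "s3:x-amz-server-side-encryption": "aws:kms"}),
    "read-over-tls": ("s3:GetObject", {"aws:SecureTransport": "true"}),
}


def evaluate_samples():
    """Return {sample name: denied?} for the constructed requests."""
    policy = hardened_bucket_policy(BUCKET)
    return {n: is_denied(policy, act, ctx) for n, (act, ctx) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, denied in evaluate_samples().items():
        print(f"{name:14} {'DENIED' if denied else 'allowed'}")
```

Only the TLS-and-aws:kms upload and the TLS read pass; the upload over HTTP, the upload with no header (which would otherwise fall back to the SSE-S3 default) and the explicit AES256 upload are all denied. To pin uploads to one specific customer-managed key, add a further Deny on the s3:x-amz-server-side-encryption-aws-kms-key-id condition key rather than folding it into the same StringNotEquals block, since all keys inside one operator must match for the statement to apply.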
Storage
All S3 storage classes, One Zone-IA included, are designed for 99.999999999% (11 9s) durability; what differs between classes is availability (and, for One Zone-IA, resilience to the loss of its single AZ).
- Durability: 11 9s across all storage classes
- Availability: 99.99% Standard; 99.9% Standard-IA and Intelligent-Tiering; 99.5% One Zone-IA
- Request rate: 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD per second per prefix; spread keys across prefixes to scale beyond that
- Buckets per account: 100 by default for many years (a soft quota raisable via Service Quotas); AWS raised the default to 10,000 in late 2024
Storage Tiers
- Standard
- IA (Standard-IA)
- Same millisecond retrieval as Standard, but a per-GB retrieval fee, a 30-day minimum storage charge and a 128 KB minimum billable object size
- 99.9% availability
- One Zone IA
- 99.5% availability
- Stored in a single AZ: same 11 9s durability figure, but the data is lost if that AZ is destroyed, so use it for data you can recreate
- Intelligent Tiering
- Moves objects between access tiers automatically based on access patterns; small per-object monitoring fee instead of retrieval fees
- Glacier
- Flexible Retrieval: minutes to hours depending on the option chosen (Expedited 1-5 min, Standard 3-5 hrs, Bulk 5-12 hrs); Glacier Instant Retrieval gives millisecond access at a higher storage price; 90-day minimum storage charge
- Deep Glacier (Glacier Deep Archive)
- Retrieval within 12 hrs (Standard) or 48 hrs (Bulk)
- 180-day minimum storage charge; intended for long-term retention such as 7-10 year compliance archives
Upload
Transfer Acceleration
- Uploads go to the nearest CloudFront edge location and then travel over the AWS backbone to the bucket in its region; enabled per bucket and used via the bucket's s3-accelerate endpoint
Multipart Upload
- Recommended for objects over 100 MB; required for objects over 5 GB (the single-PUT limit). Objects may reach 5 TB in up to 10,000 parts. Add a lifecycle rule to abort incomplete multipart uploads, or orphaned parts keep accruing storage charges.
Cross Region Replication
- Each replication rule is one-way, from a source bucket to a destination bucket; bi-directional replication needs a rule in each direction. Versioning must be enabled on both buckets. Objects encrypted with SSE-KMS are replicated only if the rule opts in and the replication role can decrypt with the source key and encrypt with the destination key.
Migration to S3 (alternatives to direct upload)
Gateways
AWS Storage Gateway: a full alternative to, or a supplement for, on-premises storage.
- File Gateway
- Presents an NFS/SMB file share backed by S3; each file is stored as an object, so S3 features such as lifecycle rules, versioning and replication apply to it
- Volume Gateway
- Presents iSCSI block volumes to on-premises hosts; volumes are backed up as point-in-time Elastic Block Store snapshots
- Cached volumes: the primary copy lives in S3 and only recently accessed data is kept in a local cache
- Stored volumes: the full data set stays on-premises and is asynchronously backed up to S3 as EBS snapshots for DR
Replication of Objects
A replication rule applies only to objects written after it is enabled; pre-existing objects are not replicated retroactively. To copy them, use S3 Batch Replication (or an S3 Batch Operations copy job).
Overview:
- Per-GB retrieval charges apply to Standard-IA, One Zone-IA, the Glacier classes and Deep Archive; Standard and Intelligent-Tiering have none (Intelligent-Tiering charges a monitoring fee instead)
- Migrating to S3
- Tiers of S3