Amazon S3

Stands for Simple Storage Systems. It stores large objects that may have access permissions.

used in cloud backup
used in streaming video like Netflix
used internally by Amazon to store virtual machines.
Provides 99.99999999% durability
Provides 99.99% availability.

Key concepts:

Buckets=> This is the container of storage. Just like Volumes in a physical filesystems, buckets are volumes in cloud. They have globally unique names. Max 100 buckets configurable per account.
Objects=> Named items stored within a bucket like pictures, videos etc. 1 byte to 5 TB in any format. We can create unlimited objects in a bucket theoretically.
Note: Names within a bucket must be unique. Just like in Windows, 2 files in a same folder can't have the exact same name. This causes indexing problem and is there in buckets too.
Objects in a bucket can only be accessed via: REST/SOAP API calls, via URL, via AWS console. Python offers libraries like boto3 which make API calls to objects and can perform functions on them. This can be configured as a lambda function too.

Access control in S3

by default all Amazon S3 resources configurations are private.
only the resource owner can access the resource.
The resource owner can optionally grant access permissions for others by writing an access policy. An example policy is as follows. This grants listing of bucket objects and Read/Write on them on a bucket called "example-bucket"

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-bucket"
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*Object",
            "Resource": "arn:aws:s3:::example-bucket/*"
        }
    ]
}

by default, when another AWS account uploads an object to your S3 bucket, that account owns the object to your S3 bucket, has access to it, owns it, and can grant other users access to it via ACLs.

Permissions in S3

ACL=> Uses XML to grant access to specific S3 buckets or Objects
user Policies => Use the AWS IAM policy syntax to control access of a specific IAM user in your account. JSON dedfault.
Bucket policies=> Use the AWS IAM policy syntax to control access of a specific S3 bucket in your account. JSON dedfault.

Note: ACLs are not recommended these days because they have finite controls and don't include all S3 permissions.

ARN: Amazon Resource Name. All users, resources etc have an ARN.

PreviousDeep dive into IAM - Part 1 NextRisk Management & Data Controls

Last updated 2 months ago

Was this helpful?

Amazon S3

Stands for Simple Storage Systems. It stores large objects that may have access permissions.

used in cloud backup

used in streaming video like Netflix

used internally by Amazon to store virtual machines.

Provides 99.99999999% durability

Provides 99.99% availability.

Key concepts:

Buckets=> This is the container of storage. Just like Volumes in a physical filesystems, buckets are volumes in cloud. They have globally unique names. Max 100 buckets configurable per account.

Objects=> Named items stored within a bucket like pictures, videos etc. 1 byte to 5 TB in any format. We can create unlimited objects in a bucket theoretically.

Note: Names within a bucket must be unique. Just like in Windows, 2 files in a same folder can't have the exact same name. This causes indexing problem and is there in buckets too.

Objects in a bucket can only be accessed via: REST/SOAP API calls, via URL, via AWS console. Python offers libraries like boto3 which make API calls to objects and can perform functions on them. This can be configured as a lambda function too.

Access control in S3

by default all Amazon S3 resources configurations are private.

only the resource owner can access the resource.

The resource owner can optionally grant access permissions for others by writing an access policy. An example policy is as follows. This grants listing of bucket objects and Read/Write on them on a bucket called "example-bucket"

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-bucket"
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*Object",
            "Resource": "arn:aws:s3:::example-bucket/*"
        }
    ]
}

by default, when another AWS account uploads an object to your S3 bucket, that account owns the object to your S3 bucket, has access to it, owns it, and can grant other users access to it via ACLs.

Permissions in S3

ACL=> Uses XML to grant access to specific S3 buckets or Objects

user Policies => Use the AWS IAM policy syntax to control access of a specific IAM user in your account. JSON dedfault.

Bucket policies=> Use the AWS IAM policy syntax to control access of a specific S3 bucket in your account. JSON dedfault.

Note: ACLs are not recommended these days because they have finite controls and don't include all S3 permissions.

ARN: Amazon Resource Name. All users, resources etc have an ARN.