AWS Certified Architect Associate S3 Study Sheet


Amazon S3 is durable, scalable cloud object storage based on key-value pairs. The number of objects you can store is unlimited; the largest object size is 5 TB; the largest single PUT is 5 GB.

A bucket is a logical container for objects stored on S3: a simple flat folder with no system hierarchy (however, there is a logical hierarchy, like [ Folder/File ]). Objects in AWS S3 buckets are automatically replicated on multiple devices in multiple facilities within a region. 100 buckets per account by default. Buckets have unique names. Can be 63 characters. Prefixes and delimiters may be used in key names. Data is managed as objects using an API; buckets can host STATIC web content only. S3 buckets support SSL encryption of data in transit and data at rest.

AWS objects are private by default and only accessible to the owner.

AWS S3 Storage Classes

Standard S3 Storage [ default Storage Class ] is 99.9999999% Durability and 99.99% Available [ don't confuse the two ]. Low latency and high throughput. Supports SSL in transit and at rest. Supports LifeCycle Management for migration of objects.

Standard IA Storage ( Infrequently Accessed ) is optimized for long-lived and infrequently accessed data. 99.9999999% Durability and 99.90% Availability. Min object size 128KB and greater than 30 days. Ideal for long-term storage, backups and as a data store for DR. Supports SSL in transit and at rest. Supports LifeCycle Management for migration of objects.

Reduced Redundancy Storage ( RRS ) is optimized for non-critical, reproducible data that is stored at lower levels of redundancy. Reduced storage cost. 99.99% Durability and 99.99% Availability. Designed to sustain the loss of a single facility.

Use Cases: ( thumbnails, transcoded media or other processed data that can be reproduced easily )

Amazon Glacier is optimized for data archiving. Extremely low cost. Retrieval can take up to several hours [ 3-5 hour retrieval ]. The Vault Lock feature enforces compliance via a lockable key.

Glacier use cases include: [ Media Asset Archiving, Healthcare Information Archiving, Scientific Data Storage, Digital Preservation, Magnetic Tape Replacement ]. You can restore up to 5% of your data for free each month [ you can set up a data retrieval policy to avoid going over the free tier ].

Glacier as a Standalone Service: Data is stored in encrypted archives that can be as large as 40TB. Vaults are containers for archives, and vaults can be locked for compliance.

All classes support AWS Life Cycle Management Policies: transition to a different class, and expiration of objects.

S3 supports Multi-Factor ( MFA ) Delete to protect from accidental deletes. MFA Delete can only be enabled by the root account.


  • S3 provides for read after write consistency for PUTS of new objects
  • S3 provides for eventual consistency for overwrite PUTS and DELETES

AWS S3 Security

Bucket Policies – written in JSON; you can grant permissions to users [ allow / deny ] to perform specific actions on all or part of the objects in a bucket. Broad rules across all requests. Can restrict by HTTP referrer or IP.

Bucket ACL – Grant specific permissions R, W and Full_control to specific users.

IAM Policy – grant IAM users fine-grained control to their S3 buckets while maintaining full control of everything else.
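A bucket policy that allows every principal is the usual way objects stop being private. The following added example (not part of the original study sheet) audits a policy for Allow statements open to anyone and checks whether an IP or referrer condition actually narrows them; the policy, bucket name, CIDR range and site are constructed, and only exact-case `IpAddress` / `aws:SourceIp` / `aws:Referer` keys are recognised.

```python
import ipaddress
import json

# Constructed sample policy: bucket name, CIDR range and site are placeholders.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "OfficeRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
  {"Sid": "SiteImages", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/img/*",
   "Condition": {"StringLike": {"aws:Referer": "https://www.example.com/*"}}},
  {"Sid": "OpenWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": ["s3:PutObject", "s3:GetObject"],
   "Resource": "arn:aws:s3:::example-bucket/*"}
]}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_anyone(principal):
    """True for "*" or {"AWS": "*"}, the two spellings of 'any principal'."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def audit_bucket_policy(policy):
    """Return (Sid, finding) for each Allow statement open to any principal."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_anyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        cidrs = as_list(cond.get("IpAddress", {}).get("aws:SourceIp", []))
        if cidrs:
            # An IP condition only helps if it does not cover every address.
            if any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
                findings.append((sid, "public: aws:SourceIp covers every address"))
        elif any("aws:Referer" in keys for keys in cond.values()):
            findings.append((sid, "weak: Referer header is set by the client"))
        else:
            findings.append((sid, "public: no IP or Referer condition"))
    return findings
```

Run over the sample, the IP-restricted statement passes, the referrer-only statement is flagged as weak, and the unconditioned write grant is flagged as public.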


SSE-S3 Keys – Check-box-style encryption solution where AWS is responsible for key mgmt and key protection. All objects are encrypted with a unique key. The actual object is then encrypted further by a separate master key; a new master key is issued monthly, with AWS rotating keys.

SSE-KMS – Amazon handles key mgmt and protection for S3, but you manage the keys. Separate permissions for the master key; provides auditing so you can see who accessed the object with the key, and allows you to view any failed attempts.

SSE-C – Used when the customer wants to maintain keys but does not want to maintain an encryption library. AWS will encrypt and decrypt objects, while the customer maintains full control of keys.

Client Side Encryption

This is used when you want to encrypt data BEFORE sending it to AWS S3. The client has the most control and maintains end-to-end control of the encryption process. You have two options:

Use an AWS KMS managed customer master key

Use a client side master key

Pre-Signed URLs: Use pre-signed URLs for time-limited download access.
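What makes the access time-limited is that the lifetime is one of the signed query parameters. The following added example (not from the original study sheet) builds a Signature Version 4 pre-signed GET URL with the standard library and then checks it the way a verifier would; the bucket, object key, key pair and the `check_presigned` model of the service-side check are constructed assumptions.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def sign(host, path, params, secret_key):
    """SigV4 signature over a GET request with only the host header signed."""
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", path, query, f"host:{host}", "", "host",
                           "UNSIGNED-PAYLOAD"])
    scope = params["X-Amz-Credential"].split("/", 1)[1]
    to_sign = "\n".join(["AWS4-HMAC-SHA256", params["X-Amz-Date"], scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in scope.split("/"):  # date, region, service, "aws4_request"
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return query, hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def presign_get(bucket, key, access_key, secret_key, region, expires, now):
    """Return a pre-signed GET URL valid for `expires` seconds from `now` (UTC)."""
    host, path = f"{bucket}.s3.amazonaws.com", "/" + quote(key, safe="/")
    stamp = now.strftime("%Y%m%dT%H%M%SZ")
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key}/{stamp[:8]}/{region}/s3/aws4_request",
              "X-Amz-Date": stamp, "X-Amz-Expires": str(expires),
              "X-Amz-SignedHeaders": "host"}
    query, sig = sign(host, path, params, secret_key)
    return f"https://{host}{path}?{query}&X-Amz-Signature={sig}"

def check_presigned(url, secret_key, now):
    """Model of the verifier (an assumption): signature first, then the window."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    claimed = params.pop("X-Amz-Signature", "")
    _, expected = sign(parts.netloc, parts.path, params, secret_key)
    if not hmac.compare_digest(claimed, expected):
        return "bad signature"
    issued = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    expiry = issued + dt.timedelta(seconds=int(params["X-Amz-Expires"]))
    return "expired" if now > expiry else "ok"

def demo():  # constructed inputs: placeholder key pair, bucket and object key
    t0 = dt.datetime(2024, 1, 1, 12, 0, 0)
    url = presign_get("example-bucket", "reports/q1.pdf", "AKIAEXAMPLEKEYID",
                      "constructed-secret", "us-east-1", 900, t0)
    tampered = url.replace("X-Amz-Expires=900", "X-Amz-Expires=90000")
    return [check_presigned(u, "constructed-secret", t0 + dt.timedelta(seconds=s))
            for u, s in ((url, 0), (tampered, 0), (url, 901))]
```

Because `X-Amz-Expires` is part of the signed query string, lengthening it after the fact invalidates the signature, so the holder of a URL cannot extend its lifetime.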

Bucket Versioning

Allows you to preserve, retrieve and restore every version of every object stored in the bucket. Once versioning is turned on, it cannot be turned off, only disabled.

Cross Region Replication

Allows you to asynchronously replicate all new objects in the source bucket in one AWS Region to a target bucket in another region. Any metadata and ACLs associated with the object are part of the replication. If CRR is enabled while objects are already in the bucket, it won't affect those; only NEW objects are replicated. Versioning must be enabled for both source and destination buckets for CRR to work, and you must have an IAM policy that gives S3 permission to replicate objects on your behalf.

Event Notifications and Logging

Event notifications are set at the bucket level and can trigger a message in Amazon SNS or SQS or an action in AWS Lambda in response to an upload or delete of an object (by PUT, POST, COPY, DELETE or multipart upload completion). You can configure event notifications through the S3 console, through the REST API or by using the Amazon SDK.

Logging is off by default. When you enable logging for the source bucket; you must choose a target bucket.

