-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathS3
184 lines (132 loc) · 4.45 KB
/
S3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
#################################
# By Ksanchez #
# Security+ | MGP | Ps. Auditor #
# @ksanchez_cld (Twitter) #
#################################
Amazon S3 - Simple Storage Service.
- Also known as object storage.
- Amazon S3 is a highly durable and distributed data store. Using a web services interface, you can store and retrieve large amounts of data as objects in buckets.
- In Amazon S3 data is stored as objects.
- Objects can be any file type.
- Objects are assigned an object key.
- The object key linked to each object is unique.
- Metadata can also be stored with each object.
- Syncronously stored on multiple devices.
- The name of S3 bucket must be globally unique.
- A bucket is created in private by default.
- The content owner can always access the content of the bucket created.
- The bucket has the following componets:
- Versioning.
- Loggin.
- Tags.
BUCKET
- Container for objects stored in S3.
- Total volume of data and number of objects are unlimited.
- Bucket name must:
- Be unique.
- Be at least 3 and no more than 63 characters long.
- Be lowercase.
- Must not contain uppercase characters or underscores.
OBJECT
- Entities (data/metadata) stored in a bucket.
- 0 bytes to a max of 5 TB.
- Largest object upload is 5 GB.
- Multi-part upload for 100 MB to 5 TB.
LIFECYCLE POLICIES
- Obect deletion after expiry time.
- Object archiving to Glacier after expiry time.
- Can be restored from Glacier back to S3.
S3 VERSIONING
- Versioning allows you to keep multiple versions of the same object in the same bucket.
- Preserves copies of objects inside a bucket.
- Preserve, retrieve, or restore every version of every object.
- Individual objects can be restored to previous versions.
- Deleted objects can be recovered.
- Is enabled at the bucket level.
- Is disabled by default.
- Can be disabled, but not deleted.
- Overriding an object result in a new object being created, with a new version number attached.
- Versioning operation are managed by AWS.
- Create lifeclycle policied to control dataflow.
- Archival and expiration dates.
- Integrated with AWS Glacier.
SECURITY
- S3 is secure by default. The bucket is private when created.
- IAM roles, users and groups.
- Bucket policies applied at the bucket level.
- Access Control List (ACL) applied at the bucket and object level.
- Permissions can be set in several ways:
- On each object.
- On each bucket.
- IAM policy or bucket policy.
S3 SECURITY FEATURES
- Access Logging.
- Event Notifications.
- CloudTrail Audit.
- CORS Configuration.
- Versioning.
- CloudWatch S3 Metrics.
DURABILITY
- 99.999999999 - 11 9's durability.
AVAILABILITY
- 99.99 - 4 9's Availability.
S3 STORAGE CLASS
- Standard.
- 99.999999999% durability (Multi-AZ).
- 99.99% Availability.
- Support SSL encryption in transit and at rest.
- Lifecycle management.
- Standard-IA - Infrequent Access (IA).
- Same feature as S3 standard.
- Lower per GB storage price than standard
- Per GB retrieval fee.
- Standard - One Zone IA.
- 99.999999999% durability (Single AZ).
- 99.5% availability.
- Lower per GB storage price than standard IA.
- Per GB retrieval fee.
- Reduced redundancy storage (RRS).
- 99.99% durability and 99.99% availability.
- Being deprecated by AWS.
- Manage and securely control access to S3 objects.
- Classify your data type rather than location.
- Tag objects with key-value pairs.
- Create policies based on data type.
[S3 DATA PROTECTION]
- Client-side Encryption.
- Server-side Encryption.
- Encryption is performed at the object level.
- Data is encypted during the writting to disk.
- Data is decrypted during the reading process.
- SSE encrypts the object data but not the associated metadata.
- Unencrypted metadata could be a compliance issue.
- Use customer provided keys.
- AWS provided Encryption keys (VAULT).
- Protecting data in transit.
- Use ssl endpoints over HTTPS.
- Secure upload and download of data.
- Client side encryption before upload.
- Protecting data in rest.
- AWS does the encryption and decryption process.
- Key management is encrypted by AWS S3 master Key.
- Key management is stored separately from your data.
- AWS 256-bit Encryption.
- Integrated with AWS KMS.
[SERVICES THAT CAN BE INTEGRATED WITH S3]
- EBS.
- Dynamo DB.
- Cloudfront.
- Route 53.
- Glacier.
- CloudWatch.
- EMR.
- Lambda.
- Kinesis.
- RDS.
- Amazon S3 - can be used with:
- PCI-DSS.
- HIPPA.
- ITAR.
- SOC3.
- ISO27001.
::ADDITIONALS::