
AWS Technologies Blog


AWS S3

Posted on August 28, 2024 | March 6, 2025 by wpadmin

AWS Simple Storage Service (S3)

Amazon S3 (Simple Storage Service) is a scalable object storage service provided by AWS (Amazon Web Services) that allows you to store and retrieve any amount of data at any time. It is commonly used for backup, archiving, and storing large amounts of unstructured data, such as media files, documents, and logs.

Scalability: S3 automatically scales to handle an increase in data, providing virtually unlimited storage.

Durability and Availability: Amazon S3 is designed for 99.999999999% durability and offers high availability.

Security: S3 supports encryption (both at rest and in transit), fine-grained access control, and integration with AWS Identity and Access Management (IAM).

Data Lifecycle Management: You can configure policies for automatic transitioning of data between storage classes or deletion of objects after a certain period.

Storage Classes: S3 offers different storage classes optimized for different use cases (e.g., Standard, Intelligent-Tiering, Glacier for archival).

Versioning: S3 supports versioning to keep multiple versions of an object, which helps in managing changes or recovery from accidental deletions.

Cross-Region Replication: Automatically replicates your data to different AWS regions for disaster recovery or improved data access performance.

Buckets

Object storage

  • Key – full path
  • Metadata – list of key values
  • Data
  • Tags
  • VersionID – optional

Bucket names

When you create a bucket, you specify, at the very minimum, two details: the bucket name and the AWS Region that you want the bucket to reside in.

Amazon S3 supports global buckets. Therefore, each bucket name must be unique across all AWS accounts in all AWS Regions within a partition. A partition is a grouping of Regions, of which AWS currently has three: Standard Regions, China Regions, and AWS GovCloud (US). When naming a bucket, choose a name that is relevant to you or your business. For example, you should avoid using AWS or Amazon in your bucket name.

The following are some examples of the rules that apply for naming buckets in Amazon S3. For a full list of rules, see the link in the resources section. 

  • Bucket names must be between 3 (min) and 63 (max) characters long.
  • Bucket names can consist only of lowercase letters, numbers, dots (.), and hyphens (-).
  • Bucket names must begin and end with a letter or number.
  • Bucket names must not be formatted as an IP address.
  • A bucket name cannot be used by another AWS account in the same partition until the bucket is deleted.

If your application automatically creates buckets, choose a bucket naming scheme that is unlikely to cause naming conflicts, and have the application choose a different bucket name if the one it wants is not available.
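The naming rules listed above and the retry-on-conflict advice, as an added Python example that is not from the original post or from AWS. It checks only the rules quoted on this page, and `is_available` is a hypothetical callable the caller supplies; no AWS call is made.

```python
import re
import secrets

ALLOWED = re.compile(r"[a-z0-9.-]+")          # lowercase letters, numbers, dots, hyphens
ALNUM = re.compile(r"[a-z0-9]")               # valid first and last character
IP_LIKE = re.compile(r"\d+\.\d+\.\d+\.\d+")   # four dotted number groups


def bucket_name_problems(name):
    """Return the naming rules from the list above that `name` breaks."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be between 3 and 63 characters")
    if not ALLOWED.fullmatch(name):
        problems.append("only lowercase letters, numbers, dots and hyphens")
    if not (ALNUM.fullmatch(name[:1]) and ALNUM.fullmatch(name[-1:])):
        problems.append("must begin and end with a letter or number")
    if IP_LIKE.fullmatch(name):
        problems.append("must not be formatted as an IP address")
    return problems


def pick_bucket_name(base, is_available, attempts=5):
    """Try base plus a random suffix until is_available(name) accepts one.

    is_available is a hypothetical callable supplied by the caller; in a real
    application it would wrap the bucket-creation call and report a name clash.
    """
    stem = base[:54].rstrip(".-")              # leave room for "-" + 8 hex chars
    for _ in range(attempts):
        candidate = f"{stem}-{secrets.token_hex(4)}"
        problems = bucket_name_problems(candidate)
        if problems:
            raise ValueError(f"{candidate!r}: {problems}")
        if is_available(candidate):
            return candidate
    raise RuntimeError(f"no free bucket name after {attempts} attempts")


if __name__ == "__main__":
    # Constructed sample names, one per rule.
    for sample in ["testbucket", "ab", "My_Bucket", "-logs", "192.168.5.4"]:
        print(sample, bucket_name_problems(sample) or "ok")
    taken = set()                              # constructed: nothing is taken yet
    print(pick_bucket_name("acme-app-logs", lambda n: n not in taken))
```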

Object key names

The object key (key name) uniquely identifies the object in an Amazon S3 bucket. When you create an object, you specify the key name. As described earlier, the Amazon S3 model is a flat structure, meaning there is no hierarchy of subbuckets or subfolders.

However, the Amazon S3 console does support the concept of folders. By using key name prefixes and delimiters, you can imply a logical hierarchy.  

For example, suppose your bucket called testbucket has two objects with the following object keys: 2022-03-01/AmazonS3.html and 2022-03-01/Cats.jpg. The console uses the key name prefix, 2022-03-01, and delimiter (/) to present a folder structure.

Amazon S3 supports buckets and objects, and there is no hierarchy. However, by using prefixes and delimiters in an object key name, the Amazon S3 console and the AWS SDKs are able to infer hierarchy and introduce the concept of folders.
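How a folder view falls out of a flat key list, as an added Python example that is not from the original post. It is a pure-Python model of prefix and delimiter grouping rather than an SDK call; the two keys from the text are used, and the third key is constructed to show that a prefix is a plain string match, so `2022-03-01` without the trailing `/` also covers `2022-03-01-archive/`.

```python
def list_level(keys, prefix="", delimiter="/"):
    """Split keys under `prefix` into inferred folders and direct objects.

    A key whose remainder (after the prefix) still contains the delimiter is
    rolled up into a folder name; otherwise it is listed as an object.
    """
    folders, objects = set(), []
    for key in sorted(keys):
        if not key.startswith(prefix):         # plain string comparison
            continue
        rest = key[len(prefix):]
        cut = rest.find(delimiter)
        if cut == -1:
            objects.append(key)
        else:
            folders.add(prefix + rest[:cut + len(delimiter)])
    return sorted(folders), objects


# Keys in "testbucket": the first two are from the text, the third is constructed.
KEYS = [
    "2022-03-01/AmazonS3.html",
    "2022-03-01/Cats.jpg",
    "2022-03-01-archive/notes.txt",
]

if __name__ == "__main__":
    print(list_level(KEYS))                    # top level: folders only
    print(list_level(KEYS, "2022-03-01/"))     # inside the folder: two objects
    print(list_level(KEYS, "2022-03-01"))      # no trailing "/": matches both folders
```

When a prefix is used to scope access or a listing to one folder, include the trailing delimiter.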

Restrictions

The maximum object size is 5 TB; objects larger than 5 GB must be uploaded using multipart upload.

| Item | Limit |
|---|---|
| Max size of a single object | 5 TB (via Multipart Upload) |
| Max size for single PUT | 5 GB |
| Max number of buckets | 100 per AWS account (can be increased) |
| Max number of objects per bucket | Unlimited |
| Max object key length | 1,024 bytes |
| Max parts in Multipart Upload | 10,000 parts |

Encryption

Amazon S3 supports encryption in transit (as data travels to and from Amazon S3) and at rest. To protect data, Amazon S3 automatically encrypts all objects on upload and applies server-side encryption with S3-managed keys as the base level of encryption for every bucket in Amazon S3 at no additional cost.

Encryption at Rest: Refers to encrypting your data when it is stored in S3.

  • SSE-S3: Simple encryption managed entirely by S3.
  • SSE-KMS: Allows for control over keys, with fine-grained access and auditing features.
  • SSE-C: Requires you to provide and manage your own encryption keys.
  • Client-Side Encryption: Encryption is handled on the client side before uploading the data to S3.

Encryption in Transit: Ensures data is encrypted while moving between the client and S3, typically done via SSL/TLS over HTTPS.

| Encryption Type | Encryption at Rest | Encryption in Transit | Key Management | Use Case |
|---|---|---|---|---|
| SSE-S3 (Server-Side Encryption with S3 Managed Keys) | Yes (AES-256 encryption) | Yes (via HTTPS) | Managed by S3 | Simple encryption with no key management needed. Default for S3 encryption. |
| SSE-KMS (Server-Side Encryption with AWS KMS Managed Keys) | Yes (AES-256 encryption) | Yes (via HTTPS) | Managed by AWS KMS | Fine-grained control over keys, key rotation, and access auditing. |
| SSE-C (Server-Side Encryption with Customer-Provided Keys) | Yes (AES-256 encryption) | Yes (via HTTPS) | Managed by customer | Full control over encryption keys, but you manage them manually. |
| Client-Side Encryption with KMS | Yes (client-side encryption) | Yes (via HTTPS) | Managed by AWS KMS | Encryption done on the client side, with AWS KMS key management. |
| Client-Side Encryption with Customer-Provided Keys | Yes (client-side encryption) | Yes (via HTTPS) | Managed by customer | Full control over encryption and key management on the client side. |
| SSL/TLS (for data in transit) | N/A | Yes (via HTTPS) | N/A | Encrypts data during transfer between S3 and client applications. |
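HTTPS and SSE-KMS are only guaranteed when the bucket policy refuses requests that skip them, so this added Python example (not from the original post) audits a policy document for those two Deny statements using the IAM condition keys `aws:SecureTransport` and `s3:x-amz-server-side-encryption`. It is a narrow check that ignores `Resource` and `NotAction`; both sample policies, the bucket name `example-bucket` and the account ID are constructed.

```python
def _as_list(value):
    return value if isinstance(value, list) else [value]


def _denies_everyone(stmt, action):
    """True if stmt is a Deny for all principals that covers `action`."""
    actions = _as_list(stmt.get("Action", []))
    return (stmt.get("Effect") == "Deny"
            and stmt.get("Principal") in ("*", {"AWS": "*"})
            and any(a in ("*", "s3:*", action) for a in actions))


def audit_bucket_policy(policy):
    """Check a bucket policy document (as a dict) for two encryption guards."""
    found = {"denies_plain_http": False, "requires_sse_kms": False}
    for stmt in _as_list(policy.get("Statement", [])):
        cond = stmt.get("Condition", {})
        secure = cond.get("Bool", {}).get("aws:SecureTransport")
        sse = cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
        if _denies_everyone(stmt, "s3:GetObject") and str(secure).lower() == "false":
            found["denies_plain_http"] = True
        if _denies_everyone(stmt, "s3:PutObject") and sse == "aws:kms":
            found["requires_sse_kms"] = True
    return found


# Constructed sample policies; "example-bucket" is a placeholder name.
ARN = "arn:aws:s3:::example-bucket"
HARDENED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [ARN, ARN + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": ARN + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
]}
WEAK = {"Version": "2012-10-17", "Statement": {   # single statement, no conditions
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "s3:GetObject", "Resource": ARN + "/*"}}

if __name__ == "__main__":
    print("hardened:", audit_bucket_policy(HARDENED))
    print("weak:    ", audit_bucket_policy(WEAK))
```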

Links

https://cloudblog.kitboga.net/index.php/2024/09/13/aws-outposts-family/

https://aws.amazon.com/s3/pricing

https://aws.amazon.com/s3/storage-classes

https://aws.amazon.com/s3/outposts

https://aws.amazon.com/s3/features/access-points
