Professional Documents
Culture Documents
1
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
Table of Contents
8.1. Introduction to Object Storage ........................................................................................... 4
8.2. S3: Data Consistency Models in Distributed Storage Systems ...................................... 4
8.3. AWS S3 Buckets ................................................................................................................... 4
8.4. S3 Objects .............................................................................................................................. 5
8.5. S3 Managing Access and Access Policies ......................................................................... 5
8.6. AWS S3 Access Policy types ............................................................................................... 6
8.7. S3: Understanding Bucket and Object ACLs: Closer Look ............................................ 7
8.8. Bucket Versioning (S3 Bucket Sub-resource) ................................................................... 9
8.9. S3: Copying or Uploading S3 Objects ............................................................................. 10
8.10. S3: Storage Tiers or Classes............................................................................................... 11
8.11. Glacier .................................................................................................................................. 12
8.12. Glacier: Archive Retrieval in Glacier ............................................................................... 14
8.13. S3 Bucket Lifecycle Policies .............................................................................................. 15
8.14. S3 Server Side Encryption (SSE)....................................................................................... 16
8.15. S3: Static Website Hosting in an S3 Bucket..................................................................... 17
8.16. S3: Pre-Signed URLs ........................................................................................................... 17
8.17. S3: Cross Region Replication (CRR) ................................................................................. 18
8.18. S3: Transfer Acceleration ................................................................................................... 19
8.19. S3: Performance Considerations ....................................................................................... 20
8.20. S3: Billing .............................................................................................................................. 20
8.21. S3: Notification ..................................................................................................................... 21
8.22. S3: Monitoring ...................................................................................................................... 21
2
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
Introduction
Amazon Simple Storage Service (Amazon S3) is storage for the Internet. You can use
Amazon S3 to store and retrieve any amount of data at any time, from anywhere on
the web. You can accomplish these tasks using the AWS Management Console
which is a simple and intuitive web interface. This guide introduces you to Amazon
S3 and how to use the AWS Management Console to complete the tasks.
Learning Objectives
3
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
4
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
Advantages of Amazon S3
Amazon S3 is intentionally built with a minimal feature set that focuses on
simplicity and robustness.
Some of the advantages of the Amazon S3 services are as follows:
• Create Buckets: Create and name a bucket that stores data. Buckets are
the fundamental container in Amazon S3 for data storage.
• Store data in Buckets: Store an infinite amount of data in a bucket.
Upload as many objects as you like into an Amazon S3 bucket. Each
object can contain up to 5 TB of data. Each object is stored and retrieved
using a unique developer-assigned key.
• Download data: Download your data or enable others to do so.
Download your dataany time you like or allow others to do the same.
• Permissions: Grant or deny access to others who want to upload or
download data into your Amazon S3 bucket. Grant upload and
download permissions to three types of users. Authentication
mechanisms can help to keep the data secure from unauthorized access.
• Standard interfaces: Use standard based REST and SOAP interfaces
designed to work with any Internet-development toolkit.
8.4. S3 Objects
A bucket is a container for objects stored in Amazon S3. Every object is
contained in a bucket. For example, if the object named photos/puppy.jpg is
stored in John Smith’s bucket, then it is addressable using the URL:
http://johnsmith.s3.amazonaws.com/photos/puppy.jpg
Buckets serve several purposes such as:
• Organize the Amazon S3 namespace at the highest level
• Identify the account responsible for storage and data transfer charges
• Play a role in access control
• Serve as the unit of aggregation for usage reporting
You can configure buckets so that they are created in a specific region.
5
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
• ACL: Each bucket and object has an ACL associated with it. An ACL is a
list of grants identifying grantee and permission granted. You can use
ACLs to grant basic read or write permissions to other AWS accounts.
ACLs use an Amazon S3 specific XML schema. The grant in the ACL
shows a bucket owner as having full control permission.
• Bucket Policy: For your bucket, you can add a bucket policy to grant
other AWS accounts or IAM user’s permissions for the bucket and the
objects in it. Any object permissions apply only to the objects that the
bucket owner creates. Bucket policies supplement and in many cases,
replace ACL based access policies.
The following is an example of bucket policy. You can express bucket
policy and user policy using a JSON file. The policy grants anonymous
read permission on all the objects in a bucket. The bucket policy has one
statement which allows the s3:GetObjectaction (read permission) on
objects in a bucket named examplebucket. By specifying the principle
with a wild card (*), the policy grants anonymous access.
User policies: You can use IAM to manage access to your Amazon S3
resources. You can create IAM users, groups, and roles in your account
and attach access policies to them by granting the access to AWS
resources, including Amazon S3.
6
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
To create an S3 bucket:
1. Sign in to the AWS Management Console and open the Amazon S3
console
2. Click Create bucket
3. In the Bucket name field, type a unique DNS-compliant name for the new
bucket
4. For Region, select US West (Oregon) as the region where the bucket must
reside
5. Click Create
Add an Object to a Bucket
Now you have created a bucket, you are ready to add an object to it. An object
can be any kind of file such as a text file, a photo, a video, and so on.
To upload an object to a bucket:
1. In the Bucket name list, select the name of the bucket to upload your
object
2. Click Upload
3. In the Upload dialog box, click Add files to select the file to upload
4. Select a file to upload, and then click Open
5. Click Upload
View an Object
To download an object from a bucket:
1. In the Bucket name list, select the name of the bucket that you have
created.
2. In the Name list, select the check box next to the object that you have
uploaded, and then click Download on the object overview panel.
7
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
Move an Object
To copy an object:
1. Select the name of the bucket created in the Bucket name list
2. Click Create Folder, type favorite-pics for the folder name, and then
click Save
3. Select the check box in the Name list, next to the object to be copied,
click More, and then select Copy.
4. Select the name of the folder favorite-pics in the Name list.
5. Click More and then select Paste.
6. Click Paste
Delete an Object and Bucket
If you no longer need to store the object that you have uploaded and made a
copy of it while going through this guide, you should delete the objects to
prevent further charges.
You can delete the objects individually or you can empty a bucket which deletes
all the objects in the bucket without deleting the bucket.
To delete an Object from a Bucket
1. Select the name of the bucket in the Bucket name list that you want to
delete an object from.
2. Select the check box in the name list, next to the object that you want to
delete, click More, and then select Delete.
3. Verify that the name of the object you selected for deletion in the Delete
objects dialog box is listed, and then click Delete.
How to Specify an ACL?
Amazon S3 APIs enables you to set an ACL when you create a bucket or an
object. Amazon S3 also provides API to set an ACL on an existing bucket or an
object.
These APIs provide the following methods to set an ACL:
• Set ACL using request headers: When you send a request to create a
resource (bucket or object), you set an ACL using the request headers.
Using these headers, you can either specify a canned ACL or specify
grants explicitly (identifying grantee and permissions explicitly).
• Set ACL using request body: When you send a request to set an ACL on
an existing resource, you can set the ACL either in the request header or
in the body.
8
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
9
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
expiration lifecycle policy will manage the deletes of the non-current object
versions in the version-enabled bucket which can be in one of three states:
unversioned (the default), versioning-enabled, or versioning-suspended.
Important
Once you version-enable a bucket, it can never return to an unversioned state.
However, You can suspend versioning on that bucket.
The versioning state applies to all (never some) of the objects in that bucket. The
first time you enable a bucket for versioning, objects in it are thereafter
versioned always and given a unique version ID.
Note:
• Objects stored in your bucket before you set the versioning state have a
version ID of null. When you enable versioning, existing objects in your
bucket do not change. What changes is how Amazon S3 handles the
objects in future requests.
• The bucket owner or any user with appropriate permissions can suspend
versioning to stop accruing object versions. When you suspend
versioning, existing objects in your bucket do not change. What changes
is how Amazon S3 handles objects in future requests.
10
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
when you copy an object, Amazon S3 resets the creation date of the copied
object. You don't need to set any of these values in your copy request.
When copying an object, you might decide to update some of the metadata
values. For example, if your source object is configured to use standard storage,
you might choose to use reduced redundancy storage for the object copy. You
might also decide to alter some of the user-defined metadata values present on
the source object.
Note:
If you choose to update any of the object's user-configurable metadata (system
or user-defined) during the copy, then you must explicitly specify all the user-
configurable metadata present on the source object in your request, even if you
are changing only one of the metadata values.
11
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
8.11. Glacier
Amazon Glacier is an extremely low-cost storage service that provides durable
storage with security features for data archiving and backup. With Amazon
Glacier, customers can store their data cost effectively for months, years, or even
12
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
Benefits
• Retrievals as Quick as 1-5 Minutes
Amazon Glacier provides three retrieval options to fit your use case.
Expedited retrievals typically return data in 1-5 minutes and are great
for Active Archive use cases. Standard retrievals typically complete
between 3-5 hours’ work, and work well for less time-sensitive needs
such as backup data, media editing or long-term analytics. Bulk retrievals
are the lowest-cost retrieval option, returning large amounts of data
within 5-12 hours.
• Unmatched Durability and Scalability
Amazon Glacier runs on the world’s largest Global Cloud infrastructure,
and was designed for 99.999999999% of durability. Data is automatically
distributed across a minimum of three physical Availability Zones that
are geographically separated within an AWS region, and Amazon Glacier
can also automatically replicate the data to any other AWS region.
• Most Comprehensive Security and Compliance Capabilities
Amazon Glacier offers sophisticated integration with AWS CloudTrail to
log, monitor, and retain storage API call activities for auditing and
support three different forms of encryption. Amazon Glacier also
supports security standards and compliance certifications including SEC
Rule 17a-4, PCI-DSS, HIPAA/HITECH, FedRAMP, EU Data Protection
Directive, and FISMA, and Amazon Glacier Vault Lock enables WORM
storage capabilities which helps to satisfy the compliance requirements
for every regulatory agency virtually around the globe.
13
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
• Low Cost
Amazon Glacier is designed to be the lowest cost AWS object storage
class which allows you to archive large amounts of data at a very low
cost. This makes it feasible to retain all the data you want for use cases
such as data lakes, analytics, IoT, machine learning, compliance, and
media asset archiving. You pay only for what you need with no
minimum commitments or up-front fees.
• Most Supported Platform with the Largest Ecosystem
In addition to integration with most AWS services, the Amazon object
storage ecosystem includes tens to thousands of consulting, systems
integrator, and independent software vendor partners with more joining
every month. AWS Marketplace offers 35 categories and more than 3,500
software listings from over 1,100 ISVs that are pre-configured to deploy
on the AWS Cloud. AWS Partner Network partners have adapted their
services and software to work with Amazon S3 and Amazon Glacier for
solutions such as Backup and Recovery, Archiving, and Disaster
Recovery. No other Cloud provider has more partners with solutions that
are pre-integrated to work with their service.
• Query In Place
Amazon Glacier is the only Cloud archive storage service that allows you
to query data in place and retrieve only the subset of data you need from
an archive. Amazon Glacier Select helps you to reduce the total cost of
ownership by extending your data lake into cost-effective archive storage.
14
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
hours. This is the default option for retrieval requests that do not specify
the retrieval option.
• Bulk: Bulk retrievals are Amazon Glacier’s lowest-cost retrieval option
which can be used to retrieve large amounts, even petabytes of data
inexpensively in a day. Bulk retrievals typically complete within 5–12
hours.
To make an Expedited, Standard, or Bulk retrieval, set the Tier parameter in
the Initiate Job (POST jobs) REST API request to the option you want, or the
equivalent in the AWS CLI or AWS SDKs. You don't need to designate whether
an expedited retrieval is On-Demand or Provisioned. If you have purchased
provisioned capacity, then all expedited retrievals are automatically served
through your provisioned capacity.
Ranged Archive Retrievals
When you retrieve an archive from Amazon Glacier, you can optionally specify
a range, or portion, of the archive to retrieve. The default is to retrieve the whole
archive.
Specifying a range of bytes can be helpful when you want to do the following:
• Manage your data downloads: Amazon Glacier allows retrieved data to
be downloaded for 24 hours after the retrieval request completes.
Therefore, you want to retrieve only portions of the archive so that you
can manage the schedule of downloads within the given download
window.
• Retrieve a targeted part of a large archive: For example, suppose you
have previously aggregated many files and uploaded them as a single
archive, and now you want to retrieve a few of the files. In this case, you
can specify a range of the archive that contains the files you are interested
in by using one retrieval request or you can initiate multiple retrieval
requests, each with a range for one or more files.
When initiating a retrieval job using range retrievals, you must provide a
range that is megabyte aligned. In other words, the byte range can start at
zero (the beginning of your archive), or at any 1 MB interval thereafter (1
MB, 2 MB, 3 MB, and so on).
15
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
A versioning-enabled bucket can have many versions of the same object, one
current version and zero or more non-current (previous) versions. Using a
lifecycle policy, you can define the actions specific to current and non-current
object versions.
Object Lifecycle Management
You can configure the lifecycle to manage your objects so that they are stored
cost effectively throughout their lifecycle. A lifecycle configuration is a set of rules
that define the actions that Amazon S3 applies to a group of objects.
There are two types of actions, namely:
• Transition actions:
Define when objects transition to another storage class. For example, you
might choose to transition objects to the Standard_IA storage class for 30
days after you created them, or archive objects to the Glacier storage class
for one year after creating them.
• Expiration actions:
Define when objects expire. Amazon S3 deletes expired objects on your
behalf.
16
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
for the use of an envelope key (that is, a key that protects your data's
encryption key) that provides added protection against unauthorized
access of your objects in S3. SSE-KMS also provides you with an audit
trail of when your key was used and by whom. Additionally, you have
the option to create and manage encryption keys by yourself, or use a
default key that is unique for the service you are using, and the region
you are working in.
• Use Server-Side Encryption with Customer-Provided Keys (SSE-C):
You manage the encryption keys and Amazon S3 manages the encryption
as it writes to disks and decryption when you access your objects. When
you list objects in your bucket, the list API will return a list of all objects
regardless of whether they are encrypted.
17
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
method (PUT for uploading objects), and an expiration date and time. The pre-
signed URLs are valid only for the specified duration.
You can generate a pre-signed URL programmatically using the AWS SDK for
Java or the AWS SDK for .NET. If you are using Microsoft Visual Studio, you
can also use AWS Explorer to generate a pre-signed object URL without writing
any code. Anyone who receives a valid pre-signed URL can then
programmatically upload an object.
18
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
Amazon S3 encrypts all data in transit across AWS regions using Secure Sockets
Layer (SSL).
You can replicate objects from a source bucket to only one destination bucket.
After Amazon S3 replicates an object, the object cannot be replicated again. For
example, you might change the destination bucket in an existing replication
configuration, but Amazon S3 does not replicate it again.
Use case Scenarios
19
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
20
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
21
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
22
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
Summary
• Amazon S3 is object storage built to store and retrieve any amount of data
from anywhere such as web sites and mobile apps, corporate
applications, and data from IoT sensors or devices.
• Amazon S3 is designed to deliver 99.999999999% durability, and stores
data for millions of applications used by market leaders in every
industry.
• Amazon S3 provides comprehensive security and compliance capabilities
that meet even the most stringent regulatory requirements.
• Amazon S3 gives customers flexibility in the way they manage data for
cost optimization, access control, and compliance.
• Amazon S3 provides query-in-place functionality, allowing you to run
powerful analytics directly on your data at rest.
• Amazon S3 is the most supported Cloud storage service available, with
integration from the largest community of third-party solutions, systems
integrator partners, and other AWS services.
23
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.
AWS Foundation and Architecture
References:
1. http://docs.aws.amazon.com/*
2. https://aws.amazon.com/whitepapers/*
3. https://aws.amazon.com/blogs/*
24
©COPYRIGHT 2017, ALL RIGHTS RESERVED. MANIPAL GLOBAL EDUCATION SERVICES PVT. LTD.