Bota5ky

AWS Study Notes (12): S3 Storage and Data Management

Amazon S3 Overview - Buckets

  • Amazon S3 allows people to store objects (files) in "buckets" (directories)
  • Buckets must have a globally unique name
  • Buckets are defined at the region level
  • Naming convention
    • No uppercase letters
    • No underscores
    • 3-63 characters long
    • Must not be formatted like an IP address (e.g. 192.168.5.4)
    • Must start and end with a lowercase letter or number (dots and hyphens are allowed in between, but not two adjacent dots)
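As an added example (not part of the original notes), the naming rules above as a local check in Python. The function name validate_bucket_name is my own; the two extra rules it enforces (no adjacent periods, name must end with a letter or digit) come from the AWS documentation rather than the notes. No AWS call is made.

```python
import ipaddress
import re

# Local check of the S3 bucket naming rules (no AWS call is made).
# Two rules not in the notes but in the AWS documentation are included:
# no two adjacent periods, and the name must end with a letter or digit.
_ALLOWED_SHAPE = re.compile(r"^[a-z0-9][a-z0-9.-]*[a-z0-9]$")


def looks_like_ipv4(name: str) -> bool:
    """True for dotted-quad names such as 192.168.5.4, which S3 rejects."""
    try:
        ipaddress.IPv4Address(name)
        return True
    except ValueError:
        return False


def validate_bucket_name(name: str) -> list:
    """Return the list of violated rules; an empty list means the name is acceptable."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3-63 characters")
    if any(c.isupper() for c in name):
        problems.append("uppercase letters are not allowed")
    if "_" in name:
        problems.append("underscores are not allowed")
    if looks_like_ipv4(name):
        problems.append("must not be formatted as an IP address")
    if ".." in name:
        problems.append("adjacent periods are not allowed")
    # Lower-cased here so an uppercase name is reported once, by the check above.
    if not _ALLOWED_SHAPE.match(name.lower()):
        problems.append("only lowercase letters, digits, dots and hyphens are allowed, "
                        "and the name must start and end with a letter or digit")
    return problems


if __name__ == "__main__":
    # Constructed candidates covering each rule.
    for candidate in ["my-app-logs-2024", "MyBucket", "192.168.5.4", "ab", "my_bucket", "logs-"]:
        print(candidate, "->", validate_bucket_name(candidate) or "ok")
```

Run it before a CreateBucket call: a name that passes here can still fail because another account already owns it (names are global), so handle BucketAlreadyExists separately.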

Amazon S3 Overview – Objects

  • Object values are the content of the body:
    • Max object size is 5 TB
    • A single PUT is limited to 5 GB, so anything larger must use "multi-part upload" (recommended from about 100 MB)
  • Metadata (list of text key / value pairs, system or user metadata)
  • Tags (Unicode key / value pairs, up to 10 per object): useful for security / lifecycle rules
  • Version ID (if versioning is enabled)

S3 Encryption for Objects

SSE-S3: encrypts S3 objects using keys handled & managed by AWS

  • Object is encrypted server side
  • AES-256 encryption type
  • This is the default for all new objects since January 2023; to request it explicitly set the header "x-amz-server-side-encryption": "AES256"

SSE-KMS: leverage AWS Key Management Service to manage encryption keys

  • SSE-KMS: encryption using a KMS key (the AWS-managed aws/s3 key, or a customer-managed key you choose)
  • KMS advantages: user control over the key policy + an audit trail in CloudTrail
  • Object is encrypted server side; every upload and download also calls KMS, so the caller needs kms:GenerateDataKey / kms:Decrypt on the key and the calls count against the KMS request quota (S3 Bucket Keys reduce them)
  • Must set header: "x-amz-server-side-encryption": "aws:kms" (optionally "x-amz-server-side-encryption-aws-kms-key-id" to pick the key)

SSE-C: when you want to manage your own encryption keys

  • Server-side encryption using data keys fully managed by the customer outside of AWS
  • Amazon S3 does not store the encryption key you provide (it keeps only a salted HMAC of the key to validate later requests)
  • HTTPS must be used
  • The encryption key must be provided in HTTP headers on every request, upload and download alike; if the key is lost the object cannot be recovered
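The three server-side modes above, as an added example that is not from the original notes: small Python helpers that build the request headers for SSE-S3, SSE-KMS and SSE-C. The header names are the documented S3 ones; the function names, the sample key and the URL are mine, and nothing is sent anywhere (the dicts are what you would attach to a PUT/GET, or map onto the corresponding boto3 put_object parameters).

```python
import base64
import hashlib
from urllib.parse import urlparse

# Header builders for the three server-side encryption modes. Nothing is sent;
# the returned dicts are the extra request headers for an upload or download.


def sse_s3_headers() -> dict:
    """SSE-S3: AWS owns and rotates the key; one header selects AES-256."""
    return {"x-amz-server-side-encryption": "AES256"}


def sse_kms_headers(kms_key_id: str = "") -> dict:
    """SSE-KMS: S3 asks KMS for a data key on every upload and for a decrypt on
    every download, so the caller also needs kms:GenerateDataKey / kms:Decrypt.
    Without a key id the AWS-managed key aws/s3 is used; a customer-managed key
    id gives you a key policy of your own and per-key CloudTrail entries."""
    headers = {"x-amz-server-side-encryption": "aws:kms"}
    if kms_key_id:
        headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
    return headers


def sse_c_headers(key: bytes, url: str) -> dict:
    """SSE-C: the caller ships its own raw AES-256 key with every request.
    S3 uses it for that request, keeps only a salted HMAC of it to detect a
    wrong key later, and discards it; losing the key means losing the object."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    if urlparse(url).scheme != "https":
        # S3 refuses SSE-C over plain HTTP anyway, but by then the key has already
        # crossed the wire in clear; fail locally before that happens.
        raise ValueError("SSE-C headers must only be sent over HTTPS")
    key_md5 = hashlib.md5(key).digest()  # integrity check of the key, not a secret
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(key_md5).decode(),
    }


if __name__ == "__main__":
    # Constructed demo key (never use a predictable key like this in practice).
    demo_key = bytes(range(32))
    print(sse_s3_headers())
    print(sse_kms_headers("arn:aws:kms:eu-west-1:111122223333:key/example-key-id"))  # made-up ARN
    print(sse_c_headers(demo_key, "https://app-logs.s3.eu-west-1.amazonaws.com/2024/app.log"))
```

The same three SSE-C headers must accompany the GET as well as the PUT; a GET without them on an SSE-C object returns 400, and a GET with the wrong key fails the stored HMAC check rather than returning garbage.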

Client Side Encryption

  • Client library such as the Amazon S3 Encryption Client
  • Clients must encrypt data themselves before sending to S3
  • Clients must decrypt data themselves when retrieving from S3
  • Customer fully manages the keys and encryption cycle

S3 Security

User based

  • IAM policies (identity-based): which S3 API calls a specific IAM user or role may make, attached in IAM

Resource Based

  • Bucket Policies: bucket-wide JSON rules attached to the bucket; the way to grant cross-account access, and the place to enforce conditions such as TLS-only access (aws:SecureTransport)
  • Object Access Control List (ACL): finer grain, per object
  • Bucket Access Control List (ACL): less common
  • ACLs are the legacy mechanism: since April 2023 new buckets default to Object Ownership "bucket owner enforced", which disables ACLs entirely in favour of policies

Note: an IAM principal can access an S3 object if

  • the principal's IAM permissions allow it OR the bucket policy allows it (same account; for cross-account access BOTH the caller's IAM policy and the bucket policy must allow it)
  • AND there's no explicit DENY in either
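The evaluation rule above, as an added example that is not from the original notes: a deliberately simplified policy evaluator in Python run over two constructed identity policies and one constructed bucket policy (all ARNs, account ids and the bucket name are made up). It models only Effect, Action, Resource, Principal and the Bool/StringEquals condition operators; the real AWS engine also applies SCPs, permission boundaries, session policies and VPC endpoint policies, which are left out here.

```python
from fnmatch import fnmatchcase

# Constructed policies for the example. ARNs and account ids are made up.
ALICE = "arn:aws:iam::111122223333:user/alice"      # same account as the bucket
BOB = "arn:aws:iam::444455556666:user/bob"          # a different account
BUCKET_ACCOUNT = "111122223333"

ALICE_IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-logs/*"}]}
BOB_IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
APP_LOGS_BUCKET_POLICY = {"Statement": [
    # cross-account grant: bob may read the shared/ prefix only
    {"Effect": "Allow", "Principal": {"AWS": BOB}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::app-logs/shared/*"},
    # explicit deny of every request that does not use TLS
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    # IAM's '*' and '?' wildcards are approximated with fnmatch.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(spec, principal_arn):
    if spec == "*":
        return True
    return any(p in ("*", principal_arn) for p in _as_list(spec.get("AWS", [])))


def _condition_matches(cond, ctx):
    # Only the Bool and StringEquals operators are modelled.
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "Bool" and str(actual).lower() != str(expected).lower():
                return False
            if op == "StringEquals" and actual not in _as_list(expected):
                return False
    return True


def _evaluate(policy, action, resource, ctx, principal_arn=None):
    """Return (explicit_allow, explicit_deny) over the statements that apply."""
    allowed = denied = False
    for st in policy.get("Statement", []):
        if not _matches(st.get("Action", []), action):
            continue
        if not _matches(st.get("Resource", []), resource):
            continue
        if "Principal" in st and not _principal_matches(st["Principal"], principal_arn):
            continue
        if not _condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            denied = True
        else:
            allowed = True
    return allowed, denied


def account_of(arn):
    return arn.split(":")[4]


def is_allowed(principal_arn, identity_policy, bucket_policy, bucket_account,
               action, resource, secure_transport=True):
    ctx = {"aws:SecureTransport": secure_transport}
    id_allow, id_deny = _evaluate(identity_policy, action, resource, ctx)
    bp_allow, bp_deny = _evaluate(bucket_policy, action, resource, ctx, principal_arn)
    if id_deny or bp_deny:
        return False                      # an explicit Deny anywhere wins
    if account_of(principal_arn) == bucket_account:
        return id_allow or bp_allow       # same account: either policy may grant
    return id_allow and bp_allow          # cross-account: both sides must grant


if __name__ == "__main__":
    obj = "arn:aws:s3:::app-logs/private/x.log"
    print("alice/TLS :", is_allowed(ALICE, ALICE_IDENTITY_POLICY, APP_LOGS_BUCKET_POLICY, BUCKET_ACCOUNT, "s3:GetObject", obj))
    print("alice/HTTP:", is_allowed(ALICE, ALICE_IDENTITY_POLICY, APP_LOGS_BUCKET_POLICY, BUCKET_ACCOUNT, "s3:GetObject", obj, secure_transport=False))
    print("bob/shared:", is_allowed(BOB, BOB_IDENTITY_POLICY, APP_LOGS_BUCKET_POLICY, BUCKET_ACCOUNT, "s3:GetObject", "arn:aws:s3:::app-logs/shared/y.log"))
```

The bob cases are the ones worth staring at: his own account gives him s3:* on everything, yet he can read only what the bucket policy in the other account explicitly grants, and nothing at all can be read over plain HTTP once the SecureTransport deny is in place.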

CORS (Cross-Origin Resource Sharing)

A browser page served from one origin may only read responses from an S3 bucket at another origin if the bucket answers with matching CORS headers (ex: Access-Control-Allow-Origin). This is enabled by attaching a CORS configuration to the bucket that lists the allowed origins, methods and headers. CORS is a browser-side rule, not an access control: the bucket policy still decides who may read the object, and an AllowedOrigins of "*" simply lets any site's JavaScript read whatever is already public.
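The CORS matching described above, as an added example that is not from the original notes: two constructed bucket CORS rule sets in the shape S3 accepts (a wide-open one of the kind often copied from tutorials, and a narrow one), and a Python function that picks the first matching rule the way S3 does and returns the response headers. The origins, bucket and function name are mine; the rule fields are the documented S3 ones. The assumption that S3 echoes the request origin when the rule is not "*" is the documented behaviour, simplified here (Vary: Origin is omitted).

```python
from fnmatch import fnmatchcase

# Constructed CORS rule sets in the JSON shape S3 accepts for a bucket.
OPEN_RULES = [{"AllowedOrigins": ["*"],
               "AllowedMethods": ["GET", "PUT", "POST", "DELETE"],
               "AllowedHeaders": ["*"]}]
TIGHT_RULES = [{"AllowedOrigins": ["https://app.example.com"],
                "AllowedMethods": ["GET", "PUT"],
                "AllowedHeaders": ["Content-Type", "x-amz-server-side-encryption"],
                "ExposeHeaders": ["ETag"],
                "MaxAgeSeconds": 3000}]


def cors_headers(rules, origin, method, request_headers=()):
    """Pick the first rule matching (origin, method, requested headers) and return
    the CORS response headers. None means S3 sends no CORS headers, so the browser
    blocks the page from reading the response (the request itself may still succeed)."""
    for rule in rules:
        if not any(fnmatchcase(origin, o) for o in rule["AllowedOrigins"]):
            continue
        if method not in rule["AllowedMethods"]:
            continue
        allowed = [h.lower() for h in rule.get("AllowedHeaders", [])]
        if not all("*" in allowed or h.lower() in allowed for h in request_headers):
            continue
        resp = {
            # A literal "*" is only returned when the rule itself allows every origin.
            "Access-Control-Allow-Origin": "*" if "*" in rule["AllowedOrigins"] else origin,
            "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
        }
        if request_headers:
            resp["Access-Control-Allow-Headers"] = ", ".join(request_headers)
        if rule.get("ExposeHeaders"):
            resp["Access-Control-Expose-Headers"] = ", ".join(rule["ExposeHeaders"])
        if "MaxAgeSeconds" in rule:
            resp["Access-Control-Max-Age"] = str(rule["MaxAgeSeconds"])
        return resp
    return None


if __name__ == "__main__":
    # Constructed requests: the app's own page, and a page on some other site.
    for rules_name, rules in (("OPEN", OPEN_RULES), ("TIGHT", TIGHT_RULES)):
        for origin in ("https://app.example.com", "https://other.example.net"):
            print(rules_name, origin, "->", cors_headers(rules, origin, "GET"))
```

With OPEN_RULES any page on the web can script GET, PUT and DELETE against the bucket in the visitor's browser; whether those calls succeed is then decided entirely by the bucket policy, which is why a wide-open CORS rule on a bucket with public write is the combination to look for in a review.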
