
S3's top-level container is called a bucket, and bucket names must be unique across the world.

However, an S3 bucket belongs to a fixed region.

Names: no uppercase, no underscore, not an IP address. Not an IP because the name eventually becomes a URL.
- Start with a lowercase letter or number
- Can't end with "s3alias", or start with "xn"

Any file in a bucket is called an object. A bucket can have folders.


Objects can be versioned and can have tags. To upload more than 5GB, split that file.

Let's make this bucket publicly accessible.


Remember this: some time back, setting a bucket policy to allow public access was enough. But then people made
mistakes and their PII data was leaked. So AWS added an extra step for making a bucket public.
Steps to make a bucket publicly accessible:
1. Create a policy at bucket level:
Go to bucket > Permissions > Bucket Policy

Here what we do is add a bucket policy, and to create it we use the "Policy Generator".

2. Enable public access


bucket > Permissions > Un-block public access

This extra security (Block Public Access) was added by AWS and needs to be unchecked:
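The policy the generator writes for step 1 is what actually opens the bucket, so it is worth being able to spot the public form. Added example, not from the notes: a constructed public-read policy beside a scoped one (bucket name, account ID and role name are placeholders), and a check that flags any Allow statement whose Principal is everyone. Even with such a policy in place, the Block Public Access setting from step 2 still has to be turned off before anything is exposed.

```python
import json

# Constructed sample: the kind of policy the Policy Generator produces when a
# bucket is opened to everyone (Principal "*", Effect Allow, no Condition).
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-menu-bucket/*",
    }],
})

# Constructed sample: the same read access scoped to one IAM role in the owning
# account (account ID and role name are placeholders).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/menu-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-menu-bucket/*",
    }],
})


def _principal_is_everyone(principal):
    """True for the wildcard principal forms '*' and {'AWS': '*'}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy_json):
    """Return Sids of Allow statements whose Principal is everyone (Conditions are not evaluated)."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    return [st.get("Sid", f"statement-{i}") for i, st in enumerate(statements)
            if st.get("Effect") == "Allow" and _principal_is_everyone(st.get("Principal"))]
```

A statement with a Condition is still reported, because a condition may or may not narrow the grant and someone has to read it.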


Funny Website with S3
Assume we own a restaurant. We design a cool HTML page with some pics of the menu.

🙂
Upload that HTML page to S3 along with the pictures. Then in the S3 bucket settings enable static website hosting, and voila, you
get an HTTP link for your website.

CORS
Assume we have a website, OIPA in WebLogic on EC2. We upload some static images to S3 and we enable the S3
bucket to act as a static website. In order for the EC2 OIPA site to use images from S3, we need to enable CORS in S3.

Cross-origin resource sharing (CORS) allows web applications that are loaded in one domain to interact with
resources in a different domain. There is a setting in S3; just enable it.

Also, take another example. We have 2 S3 buckets, b1 and b2. Both are static websites. b1 has an HTML
page which uses images from b2. It won't work. Enable CORS on b2.
Enable CORS on whichever bucket you are fetching from.
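To see why the rule goes on b2 (the bucket being fetched from), here is an added example, not from the notes: constructed CORS rules for b2 that allow only b1's website origin, and a small evaluator that returns the headers b2 would send back for a given Origin and method. The website endpoint hostname is assumed, and the evaluation (first matching rule wins, one `*` wildcard per origin entry) is an approximation of S3's behaviour, not S3's own code.

```python
from fnmatch import fnmatchcase

# Constructed sample: CORS rules for bucket b2 that allow only b1's website
# origin to GET its images. The website endpoint hostname is assumed.
B2_CORS_RULES = [
    {
        "AllowedOrigins": ["http://b1.s3-website-us-east-1.amazonaws.com"],
        "AllowedMethods": ["GET"],
        "AllowedHeaders": ["*"],
        "MaxAgeSeconds": 3000,
    },
]


def cors_response_headers(rules, origin, method):
    """Return the CORS headers the bucket would add for a request from `origin`
    using `method`, or None when no rule matches (the browser then blocks the
    response). Evaluation is assumed to be first-matching-rule, with one '*'
    wildcard allowed in an AllowedOrigins entry."""
    for rule in rules:
        if method not in rule["AllowedMethods"]:
            continue
        for pattern in rule["AllowedOrigins"]:
            if fnmatchcase(origin, pattern):
                return {
                    # Echo the specific origin; only a bare '*' rule answers with '*'.
                    "Access-Control-Allow-Origin": "*" if pattern == "*" else origin,
                    "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
                    "Access-Control-Max-Age": str(rule.get("MaxAgeSeconds", 0)),
                }
    return None
```

Keeping AllowedOrigins to the one site that needs the images, rather than `*`, is the setting that limits which pages can embed them.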

Versioning S3 objects
Versioning allows rolling back to an old version. If versioning is not enabled, version = null: delete it and it's gone.
To delete the current version and roll back to the old version, click "Show versions" and delete the current version.

Once versioning is enabled:


● When you delete a file while "Versions: Hide" is selected, a delete marker is created.
● When you delete a file while "Versions: Show" is selected, the file is permanently deleted.

Replication of S3 buckets: the equivalent of redundancy in Azure.


First enable versioning on the bucket. Then choose either:
1. Same Region Replication: SRR
2. Cross Region Replication: CRR

Once replication is enabled, only new objects are replicated. For older objects use "Batch Replication".

- Replication chains are not allowed. Say bucket-1 replicates to bucket-2, and bucket-2 replicates to bucket-3.
Fine, but objects from bucket-1 will not be copied to bucket-3.

- Both source and target must have versioning enabled. A copied object shows the same version ID on both sides.

- By default delete markers are not replicated. We can optionally enable replicating them.
One important thing: the source bucket needs permission to write to the target bucket. For this we use an AWS IAM role.
Since you are the owner of both accounts, just check the box to create a new IAM role and it auto-adds the permissions.
Storage Class
1. General Purpose, also called Standard: frequently used data
2. Infrequent Access: called 'IA'
a. Standard IA
b. One-zone IA
3. Glacier: for archive/backup
a. Instant Retrieval: min storage 90 days
b. Flexible Retrieval: min storage 90 days
c. Deep Archive: min storage 180 days
4. Intelligent Tiering: AWS automatically decides to move data that is not accessed to one of the above 3 options. No retrieval charges.

S3 > Management > Lifecycle Rules


Say our S3 data is in the General Purpose class. Add a rule to move data not accessed in 7 days to Glacier Deep Archive.

Deep Archive retrieval will take 12 or 48 hours.

That is flexible retrieval, not instant.


How to know what the best lifecycle policy is?
Use the S3 Storage Class Analysis report, which is refreshed daily. It gives suggestions.

==========================================================================================
Requester Pays
Put the data on S3, but enable Requester Pays so the requester pays for data transfer. The requester can't be anonymous; they must have an AWS account.

Bucket Change Event Notifications


Say someone deleted a file or added a file and you want to do something like send an SMS or email, or write to an Azure
Service Bus queue. Sorry, SQS in AWS.
Go to S3 > Properties. Create a new event notification, give it a name, choose the type of events, then choose the
destination: SNS topic or SQS queue.

S3 Select
SQL will never leave me. S3 provides a SELECT statement (SQL query) which we can run to get some info about each
file stored. Say we write: select all_file_name from s3-mybucket where creation_date < 1-jan-2020;

Take a small Byte


S3 also allows you to fetch a small byte range of every file to get some metadata about all the files in it. This is called Byte Range Fetch.

Q. How to upload very big data to S3?


A: Most regions have a local place called an S3 Transfer Acceleration endpoint. As it is local, upload there and from
there it will reach S3. But it is even better if you can first use multipart upload by splitting the large file.

Q. We have unencrypted files on S3. How can we encrypt them in one go?
A: Go to S3, choose Batch Operations.
Encrypting S3 Objects
1. Server-side encryption: we upload a plain text file and S3 encrypts it.
a. S3 managed keys: S3 itself does it
b. Using AWS Key Management Service = KMS
c. Customer-provided key

2. Client-side encryption: we upload already encrypted objects.

Say we set a bucket policy that objects should use 1a, S3 managed keys. Then if versioning is enabled and we change an
object's encryption to KMS, it will create a new version of that object.

Note: by default in AWS KMS one encryption key exists that is free to use. Otherwise a new key costs money.

We can't do 1c, SSE-C, from the console: a customer-provided key can't be used from the console, only from the CLI.

==========================================================================================
Delete Protection from Mafia = MFA Delete
Say we want to protect against deleting object versions or disabling versioning. We can ask users to enter an MFA code from
their phone. But: ONLY THE BUCKET OWNER CAN & HAS TO ENABLE MFA DELETE
- Also, versioning has to be enabled for MFA delete to work.
S3 Access Logs
We can send access logs from one bucket to a new bucket, but both must be in the same region.

==========================================================================================
Wanna give access to someone outside AWS to some files in a bucket?
- Pre-signed URL
What we do is create a pre-signed URL for the file we want to share. From the console it has 12 hours validity, and from the CLI 7 days.
Anyone with the URL can then download that file. And we can also allow people to upload their own files using a pre-signed URL.
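A pre-signed URL is just a normal object URL plus SigV4 query parameters, and the expiry is embedded in it as X-Amz-Expires. Added example, not from the notes or the AWS SDK: a from-scratch SigV4 presigner for a GET that refuses anything beyond the 7-day ceiling mentioned above. The virtual-hosted endpoint format `bucket.s3.region.amazonaws.com`, the bucket name and the access key pair are assumptions/placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

MAX_EXPIRES = 7 * 24 * 3600  # 7 days: the longest validity a SigV4 presigned URL allows
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed fixed time


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(bucket, key, region, access_key, secret_key, expires, now=None):
    """Build a SigV4 query-string presigned GET URL for s3://bucket/key.

    Anyone holding the URL can download the object until `expires` seconds
    after `now`, so the validity is capped at MAX_EXPIRES.
    """
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError(f"expires must be between 1 and {MAX_EXPIRES} seconds")
    now = now or datetime.now(timezone.utc)
    amz_date, date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{date}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"  # virtual-hosted style, assumed
    path = "/" + quote(key, safe="/")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, every value URL-encoded (slashes included).
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    canonical_request = "\n".join(
        ["GET", path, query, f"host:{host}", "", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: HMAC chain over date, region, service, terminator.
    signing_key = ("AWS4" + secret_key).encode()
    for part in (date, region, "s3", "aws4_request"):
        signing_key = _hmac(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={signature}"
```

Because the signature covers X-Amz-Expires and X-Amz-Date, a recipient cannot edit the URL to extend its lifetime; the only way to get a longer-lived link is for someone holding the secret key to sign a new one.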

S3 Access Points
Say we have a bucket bucket-1. It has 2 folders: HR and Sales. HR employees need a URL for the HR path, the sales team for
Sales, and the IT team for both.
We create an Access Point so they can click a URL and just access these paths.

S3 Object Lambda
Also, say we have pics in a bucket, and we have a Lambda function that does "strip-it". If someone wants to view a pic
from the bucket, we want to first strip it with the Lambda function. Then we can create an access point for the bucket through Lambda.

That is, access to the S3 object is through Lambda only.


=========================================================================================
S3 Object Lock
How to absolutely make sure no one can delete my file or write to it for 2 or 3 years?
No one, no one. To use S3 Object Lock you must first enable S3 Versioning for the bucket.

Use S3 Object Lock. It uses WORM - write once read many.


1. Define a retention period
2. Or apply a "Legal hold" → legal hold means a court case is going on. Don't touch it, as we don't know for how long.

3. Define "Retention modes"


a. Governance mode: only the governor can edit the file, that is, someone with special permissions
b. Compliance mode: not even the governor. No one. No one can touch it.
