AWS-S3
Names: no uppercase, no underscores, and not formatted like an IP address. Not an IP address because the name eventually becomes part of a URL.
- Must start with a lowercase letter or a number.
- Can’t end with “s3alias”, and can’t start with “xn”.
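The naming rules above, turned into a small validator. This is an added example written for these notes, not AWS code; the exact reserved prefix “xn--” and suffix “-s3alias” and the 3–63 character length are the forms the S3 documentation uses (the notes abbreviate them), and the sample names in the comments are constructed.

```python
import ipaddress
import re
from typing import List

# Allowed shape: starts and ends with a lowercase letter or digit, and uses
# only a-z, 0-9, '.', '-' in between. Uppercase and '_' are rejected separately
# so the caller gets a specific message for the notes' two headline rules.
_SHAPE = re.compile(r"^[a-z0-9][a-z0-9.-]*[a-z0-9]$")


def looks_like_ip(name: str) -> bool:
    """True if the name parses as a dotted IPv4 address, e.g. 192.168.5.4."""
    try:
        ipaddress.IPv4Address(name)
        return True
    except ValueError:
        return False


def bucket_name_problems(name: str) -> List[str]:
    """Return every rule the name breaks; an empty list means it is acceptable."""
    problems: List[str] = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be between 3 and 63 characters")
    if name != name.lower():
        problems.append("uppercase letters are not allowed")
    if "_" in name:
        problems.append("underscores are not allowed")
    # Check the overall shape on the lowercased, underscore-free form so the
    # two messages above are not duplicated by the regex.
    if not _SHAPE.match(name.lower().replace("_", "-")):
        problems.append("must start and end with a lowercase letter or digit, "
                        "and contain only a-z, 0-9, '.', '-'")
    if looks_like_ip(name):
        problems.append("must not be formatted as an IP address")
    if name.startswith("xn--"):
        problems.append("must not start with 'xn--'")
    if name.endswith("-s3alias"):
        problems.append("must not end with '-s3alias'")
    return problems


def is_valid_bucket_name(name: str) -> bool:
    return not bucket_name_problems(name)


if __name__ == "__main__":
    # Constructed sample names: one acceptable, the rest each breaking a rule.
    for candidate in ["my-static-site", "My_Bucket", "192.168.5.4",
                      "xn--example", "logs-s3alias", "-leading-dash"]:
        print(candidate, "->", bucket_name_problems(candidate) or "ok")
```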
Here what we do is add a bucket policy, and to create it we use the “Policy Generator”.
🙂
Upload that HTML page to S3 along with the pictures. Then in the S3 bucket settings enable static website hosting, and voila, you
get an HTTP link for your website.
CORS
Assume we have a website (OIPA) running in WebLogic on EC2. We upload some static images to S3 and enable the S3
bucket to act as a static website. In order for OIPA on EC2 to use images from S3, we need to enable CORS on the S3 bucket.
Cross-origin resource sharing (CORS) allows web applications that are loaded in one domain to interact with
resources in a different domain. There is a setting in S3; just enable it.
Also, take another example. We have 2 S3 buckets, b1 and b2. Both are static websites. b1 has an HTML
page which uses images from b2. It won’t work. Enable CORS on b2.
Whichever bucket you are fetching from, enable CORS on that one.
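The two-bucket case above, worked as an added example (not part of the original notes): compute the browser origin of the page and of the image, decide whether the fetch is cross-origin, and if so produce the CORS rule for the bucket that serves the image. The rule lists only the requesting page’s origin rather than “*”, which is the setting a reviewer would look for. The S3 website endpoint hostnames are constructed sample values, and the rule uses the key names the S3 console’s JSON CORS editor expects.

```python
from typing import Dict, List, Optional, Sequence
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Browser-style origin: scheme + host + port, with default ports dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or (scheme, port) in (("http", 80), ("https", 443)):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def is_cross_origin(page_url: str, resource_url: str) -> bool:
    """True when the page and the resource it loads have different origins."""
    return origin_of(page_url) != origin_of(resource_url)


def cors_rule_for(page_url: str, resource_url: str,
                  methods: Sequence[str] = ("GET",)) -> Optional[Dict]:
    """CORS rule to place on the bucket that serves resource_url.

    Returns None for a same-origin fetch, where no CORS rule is needed at all.
    AllowedOrigins is pinned to the page's origin instead of the wildcard "*".
    """
    if not is_cross_origin(page_url, resource_url):
        return None
    return {
        "AllowedOrigins": [origin_of(page_url)],
        "AllowedMethods": list(methods),
        "AllowedHeaders": [],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 3000,
    }


def cors_config_for(page_url: str, resource_urls: List[str]) -> List[Dict]:
    """Full CORS configuration (a list of rules) for one serving bucket."""
    rules = [cors_rule_for(page_url, r) for r in resource_urls]
    return [r for r in rules if r is not None]


if __name__ == "__main__":
    # Constructed sample: b1's page loads an image from b2 (both website endpoints).
    b1_page = "http://b1.s3-website-us-east-1.amazonaws.com/index.html"
    b2_image = "http://b2.s3-website-us-east-1.amazonaws.com/images/logo.png"
    print("cross-origin:", is_cross_origin(b1_page, b2_image))
    print("rule for b2:", cors_rule_for(b1_page, b2_image))
```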
Versioning S3 objects
Versioning allows us to roll back to an old version. If versioning is not enabled, the version is null, and once you delete the object it’s gone.
To delete the current version and roll back to the old version, click show versions, then select the current version and delete it.
Once replication is enabled, only new objects are replicated. For older objects use “batch replication”.
- Replication chains are not allowed. Say bucket-1 replicates to bucket-2, and bucket-2 replicates to bucket-3.
Fine, but objects from bucket-1 will not be copied to bucket-3.
- Both source and target must have versioning enabled. A copied object shows the same version ID on both sides.
- By default delete markers are not replicated. We can optionally enable replicating them.
One important thing: the source bucket needs permission to write to the target bucket. For this we use an AWS IAM role.
Since you are the owner of both accounts, just check the box to create a new IAM role and it automatically adds the permissions.
Storage Class
1. General Purpose, also called Standard: frequently used data
2. Infrequent Access, called ‘IA’
a. Standard IA
b. One-Zone IA
3. Glacier: for archive/backup
a. Instant Retrieval: minimum storage duration 90 days
b. Flexible Retrieval: minimum storage duration 90 days
c. Deep Retrieval: minimum storage duration 180 days
4. Intelligent Tiering: AWS automatically decides to move data that is not being accessed to one of the above 3 options; no retrieval charges.
==========================================================================================
Requester Pays
Put it on S3, but enable requester pays for data transfer. The requester can’t be anonymous; they must have an AWS account.
S3 Select
SQL will never leave me… S3 provides a select statement (SQL query) which we can run to get some info about each
file stored. Say we write: select all_file_name from s3-mybucket where creation_date < 1-jan-2020;
Q. We have unencrypted files on S3. How can we encrypt them in one go?
A: Go to S3 and choose Batch Operations.
Encrypting S3 Objects
1. Server-side encryption: we upload a plain text file and S3 encrypts it.
a. S3 managed keys: S3 itself does it
b. Using the AWS Key Management Service (KMS)
c. Customer-provided key
Say we set a bucket policy that it should use 1a, S3 managed keys. Then, if versioning is enabled and we change an
object’s encryption to KMS, it will create a new version of that object.
Note: by default in AWS KMS one encryption key exists that is free to use; a new key costs money.
We can’t do 1c (SSE-C) from the console, that is, a customer-provided key can’t be used from the console; it can be done from the CLI.
==========================================================================================
Delete Protection from Mafia = MFA Delete
Say we want to protect against deleting object versions or disabling versioning. We can ask users to enter an MFA code from their
phone. But: ONLY THE BUCKET OWNER CAN, AND HAS TO, ENABLE MFA DELETE
- Also, versioning has to be enabled for MFA delete to work.
S3 Access Logs
We can send access logs from one bucket to a new bucket, but both must be in the same region.
==========================================================================================
Want to give someone outside AWS access to some files in a bucket?
- Pre-signed URL
What we do is create a pre-signed URL for the file we want to share. From the console its validity is up to 12 hours, and from the CLI up to 7 days.
Anyone with the URL can then download that file. We can also allow people to upload their own files using a pre-signed URL.
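To show what a pre-signed URL actually is, here is an added example (not from the notes, and not the AWS SDK) that builds a GET pre-signed URL with the Signature Version 4 query-parameter scheme using only the standard library, and a matching checker that does what S3 does on receipt: rejects the URL outside its validity window and recomputes the signature so any change to the object key, expiry or credentials fails. It enforces the 7-day ceiling mentioned above. The access key, secret, bucket and object key are constructed placeholders; the bucket hostname form `bucket.s3.region.amazonaws.com` is an assumption of this example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, unquote, urlsplit

MAX_EXPIRES = 7 * 24 * 3600  # the 7-day ceiling on pre-signed URL validity
_ALGO = "AWS4-HMAC-SHA256"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    # SigV4 key derivation: secret -> date -> region -> service -> "aws4_request"
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _signature(secret, access_key, bucket, key, region, method, amz_date, expires):
    """Return (host, canonical query, hex signature) for a query-signed request."""
    date = amz_date[:8]
    host = f"{bucket}.s3.{region}.amazonaws.com"  # assumed hostname form
    params = {
        "X-Amz-Algorithm": _ALGO,
        "X-Amz-Credential": f"{access_key}/{date}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    # Canonical request: method, URI, query, headers block, signed headers, payload hash.
    canonical_request = "\n".join([method, "/" + quote(key, safe="/-_.~"), canonical_query,
                                   f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join([_ALGO, amz_date, f"{date}/{region}/s3/aws4_request",
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    sig = hmac.new(_signing_key(secret, date, region), string_to_sign.encode(),
                   hashlib.sha256).hexdigest()
    return host, canonical_query, sig


def presign_get(secret, access_key, bucket, key, region, expires, now: datetime) -> str:
    """Build a GET pre-signed URL valid for `expires` seconds from `now` (UTC)."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expiry must be between 1 second and 7 days")
    amz_date = now.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    host, query, sig = _signature(secret, access_key, bucket, key, region, "GET", amz_date, expires)
    return f"https://{host}/{quote(key, safe='/-_.~')}?{query}&X-Amz-Signature={sig}"


def verify_presigned_get(url: str, secret: str, now: datetime) -> bool:
    """Server-side view: accept only an unexpired URL whose signature recomputes."""
    parts = urlsplit(url)
    q = dict(parse_qsl(parts.query, keep_blank_values=True))
    try:
        bucket, rest = parts.hostname.split(".s3.", 1)
        region = rest.split(".")[0]
        access_key = q["X-Amz-Credential"].split("/")[0]
        issued = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires = int(q["X-Amz-Expires"])
    except (KeyError, ValueError, AttributeError):
        return False
    if not (issued <= now <= issued + timedelta(seconds=expires)):
        return False  # outside the validity window
    _, _, expected = _signature(secret, access_key, bucket, unquote(parts.path[1:]),
                                region, "GET", q["X-Amz-Date"], expires)
    return hmac.compare_digest(expected, q.get("X-Amz-Signature", ""))


if __name__ == "__main__":
    # Constructed placeholder credentials and object; not real AWS values.
    now = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)
    url = presign_get("EXAMPLE-SECRET", "AKIAEXAMPLEKEYID000", "my-bucket",
                      "reports/q1.pdf", "us-east-1", 3600, now)
    print(url)
    print("valid 30 min later:", verify_presigned_get(url, "EXAMPLE-SECRET", now + timedelta(minutes=30)))
    print("valid 2 h later:", verify_presigned_get(url, "EXAMPLE-SECRET", now + timedelta(hours=2)))
```

The point for the defender is visible in the checker: nothing in the URL identifies who is using it, so whoever holds it can fetch the object until `X-Amz-Expires` runs out, and the only things that invalidate it early are expiry, changing the object key, or rotating the signing secret. Keep expiries short and treat the URL itself as the credential.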
S3 Access Points
Say we have a bucket, bucket-1. It has 2 folders: HR and Sales. HR employees need a URL for the HR path, the Sales team for
Sales, and the IT team for both.
We create an Access Point so they can click a URL and access just these paths.
S3 Object Lambda
Also, say we have pictures in a bucket, and we have a Lambda function that does Strip-it. If someone wants to view a picture
from the bucket, we want to first run it through the Lambda function. Then we can create an access point for the bucket through Lambda.