Skip to main content

S3 (Simple Storage Service)


Amazon S3 is an object storage service offering scalability, data availability, security, and performance.


  • An object consists of:
    • Key: name of the object
    • Value: object content as a sequence of bytes
    • Version ID: versioning identification
    • Metada: name-value pairs to store information regarding the object
    • Subresources: store object additional information (e.g. ACL, CORS, Torrent)
  • Objects can range in size from 0 B to 5 TB


  • Container for objects stored in Amazon S3
  • Bucket names must be unique across all AWS accounts in all the AWS Regions within a partition (i.e. Standard Regions, China Regions, GovCloud US)


  • Strong read-after-write consistency for PUT and DELETE requests of object
  • Updates to a single key are atomic
  • S3 does not support object locking for concurrent writers (if two PUT requests are simultaneously made to the same key, the request with the latest timestamp wins)

Storage Classesโ€‹

Frequently Accessedโ€‹

  • S3 Standard
    • Default storage class
    • Designed for frequently accessed data (more than once a month)
    • For performance-sensitive use cases (millisecond access)

Automatically Optimizedโ€‹

  • S3 Intelligent-Tiering
    • Automatically moves data to the most cost-effective access tier (Frequent Access, Infrequent Access and Archive Instant Access)
    • Useful for data that has unknown or changing access patterns
    • No retrieval fees

Infrequently Accessedโ€‹

  • Designed for long-lived, infrequently accessed data (once a month)
  • Millisecond access
  • S3 Standard-IA
    • Useful for primary or only copy of data that can't be re-created
  • S3 One Zone-IA
    • S3 stores data in only one Availability Zone
    • Less expensive than S3 Standard-IA
    • Useful if the data can be re-created and for object replicas when setting S3 Cross-Region Replication


  • Low-cost data archiving
  • S3 Glacier Instant Retrieval
    • Milliseconds retrieval
    • Less expensive than S3 Standard-IA, with the same latency and throughput performance as the S3 Standard-IA storage class
    • Higher data access costs than S3 Standard-IA
  • S3 Glacier Flexible Retrieva
    • Minutes retrieval for portions of data
    • Hours for bulk retrieval
  • S3 Glacier Deep Archive
    • 12 hours retrieval for portions of data
    • 48 Hours for bulk retrieval
    • Lowest cost storage option in AWS


  • Stores all versions of an object
  • Once enabled it cannot be disabled, only suspended

Lifecycle Managementโ€‹

  • Manage objects based on a set of rules
    • Transition actions: define when objects transition to another storage class
    • Expiration actions: define when objects expire.
  • Can be used in conjunction with versioning for both current and non-current versions

MFA Deleteโ€‹

  • Enforce delete operations to require MFA
  • Versioning must be enabled
  • Only the bucket owner (root account) can enable MFA delete

Cross-Region Replicationโ€‹

  • Versioning must be enabled on both source and destination buckets
  • Regions must be unique
  • File in an existing bucket are not replicated automatically, but all subsequent updated files are


Access Controlโ€‹

  • Bucket access can be controlled via:
    • Bucket Policies
    • Access Control Lists (ACL)
  • By default, all newly created buckets are private
  • S3 buckets can create access logs which logs all requests to the bucket
  • Access logs can be sent to another bucket
  • Presigned URLs allow users to temporarily download/upload objects to buckets without AWS security credentials or permissions


  • Transit
    • SSL/TLS
  • Rest
    • Server Side Encryption (SSE)
      • Amazon S3-Managed Keys (SSE-S3)
      • KMS keys Stored in AWS Key Management Service (SSE-KMS)
      • Customer-Provided Keys (SSE-C)
    • Client Side Encryption