AWS S3 - SAA Cheat Sheet

This page contains information I have collated on Amazon S3. If you know the basics of S3 and how it is used, this cheat sheet should cover the specific areas that could come up in the Solutions Architect Associate exam.

Naming Convention

• MUST BE:
  • Globally Unique
  • 3 -63 characters
  • All lowercase
  • No_underscore
  • Not an IP-address
  • Not start with xn- or end with -s3alias

Security

• An object can be accessed if allowed by IAM OR bucket policy / ACL
• Security can be controlled using:
  • IAM - always takes priority.
  • Bucket Policy - can be cross account.
  • Object ACL - fine grain control (can be disabled).
  • Bucket ACL - less common (can be disabled).

Encryption

• You can force Encryption using Bucket policies or use S3 'default encryption'
• The types of encryption are:
  • SSE-S3 - Key managed by aws.
  • SSE-KMS - Key controlled by user within aws.
  • SSE-C - Key fully controlled by user (not stored in aws).
  • Client-Side-Encryption - Self explanatory.

Replication

• Versioning must be enabled for replication.
• There are 2 types:
  1. CRR (Cross Region Replication)
  2. SRR (Same Region Replication)
• Only new objects will be replicated after replication is enabled.
• For old objects, use S3 BATCH REPLICATION.

Storage Classes

It is possible to move an object to any storage class below it in this table:

 ______________________________________________________
|        NAME        | RETRIVAL FEE | MINIMUM DURATION |
|____________________|______________|__________________|
|S3 Standard         | None         | None             |
|Infrequent Access   | per GB       | 30 days          |
|Intelligent Tiering | None         | None             |
|One Zone IA         | per GB       | 90 days          |
|Glacier Instant     | per GB       | 90 days          |
|Glacier Flexible    | per GB       | 90 days          |
|Deep Archive        | per GB       | 180 days         |

Lifecycle Rules

• Used to automate the moving of objects.
• Types:
  • Transition action: Move tier after a certain time.
  • Expiration action: Delete after time / old version / incomplete multi-part upload.

Versioning

• Enabling versioning on a bucket with existing items will give them the version number: null.

Multi Part Upload

• Required for files over 5GB.
• Recommended for files over 100MB.

S3 Event Notifications

• Integrate S3 events with: SNS, SQS, Lambda, Event Bridge

CORS (Cross Origin Resource Sharing)

• If accessing an S3 bucket from another origin, you need to allow Access-Control-Allow-Origin in the bucket policy for that or all origins.

Requester Pays Buckets

• The requester of the data pays for the networking cost of downloading the object instead of the bucket owner.
• As a result the requester cannot be anonymous.

Transfer Acceleration

• Transfer to S3 via edge location to utilise speed of private AWS network.

Byte Range Fetch

• Retrieve a specific no. of bytes.
• Multiple fetch can be done in parallel.

S3 Select

• Use SQL to filter S3.

S3 Batch

• Perform bulk operations with a single request.

Pre Signed URLs

• The user that receives the URL inherits the permissions of the user who generated it.

S3 Vault Lock

• Block object version from deleting.
• Must set a fixed period.
• Versioning must be enabled.
• Retention Modes:
  • Compliance - No Admins
  • Governance - Admins
  • Legal Hold - Protect indefinitely - Admins

Glacier Vault Lock

• The object can never be deleted.
• WORM - Write Once Read Many.

S3 Access Points

• Manage permissions through "access points" which can be assigned to multiple user groups.

S3 Object Lambda

• Modify data requested by S3 via a Access Point.
• Can use data from AWS managed databases.