S3

What is S3?

Amazon S3 (Simple Storage Service) is an object storage service that allows you to store and retrieve any amount of data from anywhere on the internet.

Think of it like Google Drive, but more powerful and programmable.

Core Concepts:

Concept | Simple Meaning
Bucket  | A container for storing files (like a folder)
Object  | A file + its metadata (e.g., image, video, PDF)
Key     | Unique name of the file in the bucket
Region  | Data center location where your bucket is hosted

Types of Uploads (Uploading Methods)

1. Single PUT upload (Simple Upload)

  • Uploads files up to 5GB in one request.

  • Best for small files.

2. Multipart Upload ✅ (Recommended for big files)

  • Splits large files (up to 5TB) into parts.

  • Upload parts in parallel → faster and more reliable.

  • If upload fails midway, you can resume where it left off.

3. S3 Transfer Acceleration

  • Uses AWS edge locations to speed up uploads from faraway places.

  • Good for global applications or poor network conditions.

4. Presigned URLs

  • Temporary, signed link that lets someone upload/download a specific object without having AWS credentials of their own.

  • Example: Let users upload photos without giving them full access.
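To make the multipart mechanics concrete, here is an added Go example that is not from the original notes, the AWS SDK or any AWS tool. It simulates the client side offline: it splits a constructed payload into parts, works out which parts still need sending after an interrupted upload, reassembles them, and computes the ETag that S3 reports for a completed multipart upload (the MD5 of the concatenated binary MD5s of the parts, followed by "-" and the part count), which is how a client can verify a large upload without downloading it again. The 16-byte part size and the payload are assumptions chosen so the demo runs on tiny data; real S3 parts must be at least 5 MiB except the last one. No network calls are made.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"encoding/hex"
	"fmt"
)

// partSize is the size of each upload part. S3 requires parts of at least
// 5 MiB (except the last); a tiny size is used here so the demo runs on the
// constructed sample payload below.
const partSize = 16

// splitParts breaks a payload into fixed-size parts, the way a client does
// before sending each part with a separate UploadPart request.
func splitParts(data []byte, size int) [][]byte {
	var parts [][]byte
	for start := 0; start < len(data); start += size {
		end := start + size
		if end > len(data) {
			end = len(data)
		}
		parts = append(parts, data[start:end])
	}
	return parts
}

// singlePutETag is the ETag S3 returns for a single PUT of a plaintext or
// SSE-S3 object: the hex MD5 of the whole payload.
func singlePutETag(data []byte) string {
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:])
}

// multipartETag reproduces the ETag S3 assigns to a completed multipart
// upload: MD5 of the concatenated binary MD5s of each part, then "-" and the
// part count. A client that kept its part digests can check the value S3
// returns from CompleteMultipartUpload without re-downloading the object.
func multipartETag(parts [][]byte) string {
	var digests []byte
	for _, p := range parts {
		sum := md5.Sum(p)
		digests = append(digests, sum[:]...)
	}
	final := md5.Sum(digests)
	return fmt.Sprintf("%s-%d", hex.EncodeToString(final[:]), len(parts))
}

// resume models "resume where it left off": given the 1-based part numbers
// S3 has already acknowledged, it returns the part numbers still to send.
func resume(parts [][]byte, uploaded map[int]bool) []int {
	var pending []int
	for i := range parts {
		if !uploaded[i+1] {
			pending = append(pending, i+1)
		}
	}
	return pending
}

// reassemble joins the parts in order, which is what CompleteMultipartUpload
// does on the server side.
func reassemble(parts [][]byte) []byte {
	return bytes.Join(parts, nil)
}

func main() {
	// constructed sample payload, 59 bytes, so it splits into 4 parts
	data := []byte("constructed sample payload for a simulated multipart upload")
	parts := splitParts(data, partSize)
	fmt.Println("parts:", len(parts))
	fmt.Println("single PUT ETag:", singlePutETag(data))
	fmt.Println("multipart ETag :", multipartETag(parts))
	fmt.Println("pending after parts 1,2 acked:", resume(parts, map[int]bool{1: true, 2: true}))
	fmt.Println("reassembled ok:", bytes.Equal(reassemble(parts), data))
}
```

The ETag-as-MD5 relationship holds for plaintext and SSE-S3 objects only; objects stored with SSE-KMS or SSE-C do not carry an MD5-based ETag, so for those use the per-part checksums the upload API returns instead.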

Storage Types:

Class Name              | Use Case                      | Price | Retrieval Speed
S3 Standard             | Frequently accessed files     | 💰    | Milliseconds
S3 Intelligent-Tiering  | Auto-moves files to save cost | 💰⬇   | Milliseconds
S3 Standard-IA          | Infrequent access             | 💸    | Milliseconds
S3 One Zone-IA          | Infrequent, 1 AZ only         | 💸⬇   | Milliseconds
S3 Glacier              | Archival (cold storage)       | 🔒    | Minutes to hours
S3 Glacier Deep Archive | Long-term backups             | 🔒💸  | Up to 12 hours

Security in S3

IAM Policies:

  • Control who can access buckets/objects.

  • Example: Only allow access from specific IAM roles.

Bucket Policies:

  • Set rules at the bucket level (like a firewall for a bucket).

Encryption:

  • SSE-S3: AWS-managed encryption.

  • SSE-KMS: You manage keys with AWS Key Management Service.

  • SSE-C: You manage your own encryption keys.

Access Logging:

  • Track all access to your S3 bucket (for security & auditing).
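A practical check that goes with the policy controls above, added here as an example that is not from the original notes or from any AWS tool: it parses a bucket policy document and flags Allow statements whose Principal is everyone ("*" or {"AWS": "*"}) and that carry no Condition, which is the bucket-policy shape that makes data public. The sample policy, the account id, the role and the bucket name are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// statement holds the fields of a bucket policy statement that matter for a
// public-access check. Principal may be a string or an object (and its "AWS"
// entry a string or a list) in real policies, so it is kept as raw JSON.
type statement struct {
	Sid       string          `json:"Sid"`
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Condition json.RawMessage `json:"Condition"`
}

type policy struct {
	Statement []statement `json:"Statement"`
}

// principalIsEveryone reports whether the Principal element grants to anyone:
// the bare string "*", or {"AWS": "*"} with "*" given as a string or in a list.
func principalIsEveryone(raw json.RawMessage) bool {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return s == "*"
	}
	var obj map[string]json.RawMessage
	if json.Unmarshal(raw, &obj) != nil {
		return false
	}
	aws, ok := obj["AWS"]
	if !ok {
		return false
	}
	if json.Unmarshal(aws, &s) == nil {
		return s == "*"
	}
	var list []string
	if json.Unmarshal(aws, &list) == nil {
		for _, p := range list {
			if p == "*" {
				return true
			}
		}
	}
	return false
}

// publicStatements returns the Sids of Allow statements whose principal is
// everyone and that carry no Condition at all. These are the statements a
// reviewer should read first in any bucket policy.
func publicStatements(doc []byte) ([]string, error) {
	var p policy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var flagged []string
	for _, st := range p.Statement {
		if st.Effect == "Allow" && principalIsEveryone(st.Principal) && len(st.Condition) == 0 {
			flagged = append(flagged, st.Sid)
		}
	}
	return flagged, nil
}

// samplePolicy is a constructed bucket policy: one statement scoped to a
// specific IAM role (the pattern the notes recommend) and one that opens the
// bucket to anyone (the pattern to catch). Account id, role and bucket are
// placeholders, not real resources.
const samplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAppRole",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}`

func main() {
	flagged, err := publicStatements([]byte(samplePolicy))
	if err != nil {
		panic(err)
	}
	fmt.Println("statements granting access to everyone:", flagged)
}
```

Treat the result as triage rather than a verdict: a Condition does not by itself make a statement private (one that only requires TLS still grants to everyone), real policies may give Statement as a single object rather than a list, which this parser does not accept, and S3 Block Public Access at the account or bucket level is the control that should stop such statements regardless of what the policy says.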

Capacity & Limits

Property                | Limit
Max file size           | 5TB (must use multipart for >5GB)
Max buckets per account | 100 by default (can request more)
Unlimited objects       | No limit on number of files
Max object size (PUT)   | 5GB for single PUT; use multipart for bigger

What is AWS KMS?

AWS KMS is a managed encryption key service. It helps you create, store, and control cryptographic keys to encrypt your data securely.

Think of it as a locksmith service in the cloud: you create “keys” to lock (encrypt) and unlock (decrypt) your data safely.

Core Concepts

Term                      | Meaning
Customer Master Key (CMK) | The main encryption key you create or AWS manages to encrypt/decrypt your data.
Data Key                  | Temporary keys generated by KMS to encrypt your actual data (like file contents).
Key Alias                 | Friendly name you assign to your CMK (e.g., alias/myAppKey)
Key Policy                | JSON document that defines who can use or manage your keys
Grant                     | Temporary permission to use a CMK without modifying its policy
Key Rotation              | Automatically replace CMKs after a period for better security

How KMS Works (Simplified)

  1. You create a CMK in KMS (either AWS-managed or customer-managed).

  2. Your app or AWS service requests a data key from KMS.

  3. KMS generates a data key:

    • Returns the plaintext data key to your app.

    • Returns the encrypted (wrapped) data key to store safely.

  4. Your app uses the plaintext data key to encrypt data locally.

  5. When you want to decrypt, your app sends the encrypted data key to KMS, which decrypts it and returns the plaintext key.
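The five steps above, run end to end in an added Go example that is not from the original notes or from the AWS SDK. KMS is simulated by a struct that holds the CMK and exposes only a GenerateDataKey-like and a Decrypt-like operation, so the CMK never leaves "KMS"; AES-256-GCM from the Go standard library plays the part of both the key wrapping and the local data encryption. All keys and the sample record are generated or constructed inside the program. The envelope it produces is also exactly what client-side encryption stores in S3: ciphertext plus wrapped data key, never the plaintext key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes draws n bytes from the system CSPRNG; a failing CSPRNG is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts plaintext with AES-256-GCM under key, returning nonce || ciphertext || tag.
// It serves both the simulated KMS (wrapping data keys under the CMK) and the app.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal and fails if the sealed bytes were modified.
func unseal(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// fakeKMS stands in for KMS (step 1): it holds the CMK and never releases it.
type fakeKMS struct{ cmk []byte }

func newFakeKMS() *fakeKMS { return &fakeKMS{cmk: randomBytes(32)} }

// generateDataKey models step 3: a fresh 256-bit data key, plaintext plus wrapped.
func (k *fakeKMS) generateDataKey() (plaintext, wrapped []byte, err error) {
	plaintext = randomBytes(32)
	wrapped, err = seal(k.cmk, plaintext)
	return plaintext, wrapped, err
}

// decrypt models the KMS Decrypt call in step 5: unwrap a stored data key.
func (k *fakeKMS) decrypt(wrapped []byte) ([]byte, error) { return unseal(k.cmk, wrapped) }

// envelope is what the app persists: ciphertext and wrapped data key, never the plaintext key.
type envelope struct{ wrappedKey, ciphertext []byte }

// encryptEnvelope is steps 2 to 4: request a data key, encrypt locally, keep only the wrapped key.
func encryptEnvelope(kms *fakeKMS, data []byte) (*envelope, error) {
	dk, wrapped, err := kms.generateDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dk, data)
	if err != nil {
		return nil, err
	}
	return &envelope{wrappedKey: wrapped, ciphertext: ct}, nil
}

// decryptEnvelope is step 5: KMS unwraps the data key, then the app decrypts
// locally. A different CMK, or a tampered wrapped key, fails at the unwrap.
func decryptEnvelope(kms *fakeKMS, env *envelope) ([]byte, error) {
	dk, err := kms.decrypt(env.wrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return unseal(dk, env.ciphertext)
}

func main() {
	kms := newFakeKMS()
	env, err := encryptEnvelope(kms, []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	out, err := decryptEnvelope(kms, env)
	fmt.Printf("decrypted %q, err=%v\n", out, err)
}
```

Two properties worth noticing: the data key is used once per object, so a leaked ciphertext plus wrapped key is useless without a Decrypt call that KMS logs and that the key policy controls, and revoking access to the CMK revokes access to every envelope at once without re-encrypting any data.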

Types of CMKs

Type                 | Description                                         | Who Manages?       | Use Case
AWS Managed CMK      | Automatically created and managed by AWS            | AWS                | Easy encryption with minimal effort
Customer Managed CMK | Created and managed by you                          | You (full control) | When you need fine control & auditing
AWS Owned CMK        | Used internally by AWS services, not visible to you | AWS                | Used by AWS behind the scenes

KMS vs AWS Encryption Services

Service        | What it encrypts           | Uses KMS?      | User Control Level
S3 Encryption  | Objects                    | Yes (optional) | Low to Medium
EBS Encryption | Disk volumes               | Yes (optional) | Medium
RDS Encryption | Databases                  | Yes (optional) | Medium
KMS            | Keys (for encrypting data) | n/a            | High (you manage keys)

Encryption is like sending secret messages

Imagine you want to send a secret message to your friend so no one else can read it.

1. Symmetric Encryption (Secret Code with One Key)

  • You and your friend share the same secret key, like a special password.

  • You use that key to lock (encrypt) the message before sending it.

  • Your friend uses the same key to unlock (decrypt) the message and read it.

  • It’s like having one magic key that opens and locks your secret box.

Example: You and your friend both have the same key to a treasure chest. You lock the chest with the key, send it, and your friend unlocks it with the same key.

2. Asymmetric Encryption (Secret Code with Two Keys)

  • You have two keys: a public key and a private key.

  • The public key is like a locked mailbox anyone can put letters into.

  • The private key is your own secret key to open the mailbox and read letters.

  • Your friend uses your public key to lock (encrypt) the message.

  • Only you can unlock (decrypt) the message with your private key.

  • No one else can open the mailbox because they don’t have the private key.

Example: You have a special mailbox with a slot (public key) anyone can drop letters in, but only you have the key to open it and read the letters.

Why both?

  • Symmetric is fast but you have to share the same secret key safely.

  • Asymmetric is slower, but you never have to share your private key, which makes it the safer way to send keys!
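The mailbox story as code, added here as an example that is not from the original notes: RSA-OAEP from the Go standard library is the mailbox, the public key is the slot handed to the friend, and the private key never leaves the owner. In line with the "Why both?" point, the letter dropped into the slot is a fresh 32-byte symmetric key rather than the message itself (a 2048-bit RSA-OAEP ciphertext can only carry about 190 bytes, and symmetric encryption is far faster); the message would then be encrypted with that shared key. The key size and the generated keys are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// mailbox is the recipient's key pair: the public key is the slot anyone
// can drop a letter into, the private key opens the box.
type mailbox struct{ priv *rsa.PrivateKey }

func newMailbox() (*mailbox, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &mailbox{priv: priv}, nil
}

// slot is the only part of the mailbox that is handed out: the public key.
func (m *mailbox) slot() *rsa.PublicKey { return &m.priv.PublicKey }

// newSharedKey is the "letter" a sender actually posts in practice: a fresh
// 32-byte symmetric key, which afterwards encrypts the real message.
func newSharedKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// dropLetter is what the friend does with only the public key: encrypt the
// shared key with RSA-OAEP so that only the private key can recover it.
func dropLetter(slot *rsa.PublicKey, sharedKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, slot, sharedKey, nil)
}

// openLetter is the owner's side: recover the shared key with the private
// key. Any other private key fails here with a decryption error.
func (m *mailbox) openLetter(sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, m.priv, sealed, nil)
}

func main() {
	you, err := newMailbox()
	if err != nil {
		panic(err)
	}
	sharedKey, err := newSharedKey()
	if err != nil {
		panic(err)
	}
	// the friend only ever touches you.slot(), never you.priv
	sealed, err := dropLetter(you.slot(), sharedKey)
	if err != nil {
		panic(err)
	}
	recovered, err := you.openLetter(sealed)
	fmt.Printf("recovered key matches: %v, err: %v\n", string(recovered) == string(sharedKey), err)
}
```

OAEP is used rather than the older PKCS#1 v1.5 padding because its padding is randomized and it is not vulnerable to the padding-oracle decryption attacks that v1.5 is; the `sha256.New()` argument fixes the hash both sides must agree on.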

SSE vs CSE (Side-by-Side Table)

Feature                | Server-Side Encryption (SSE-KMS) | Client-Side Encryption (CSE)
Who encrypts the data? | AWS encrypts after upload        | You encrypt before upload
Who stores the key?    | KMS in AWS                       | You (or a KMS key used from your client)
Ease of use            | ✅ Easy                          | ❗ More complex
Can AWS see data?      | AWS sees it before encrypting    | No, AWS sees only encrypted data
Common use case        | S3 buckets, EBS, RDS             | Finance, healthcare, strict privacy
AWS KMS used?          | Yes                              | Optional (can use KMS or local key)

  • KMS = your key vault in the cloud (store + control encryption keys).

  • SSE-KMS = AWS encrypts after receiving your data using KMS.

  • CSE = You encrypt the data before sending it; AWS just stores it.

S3 Lifecycle:

Class                | Use When...                | Cost           | Access Speed
Standard             | You use it often           | 💰💰💰         | Fast (ms)
Standard-IA          | Rarely accessed files      | 💰💰           | Fast (ms)
One Zone-IA          | Rare access, 1 AZ only     | 💰             | Fast (ms)
Glacier              | Archive, infrequent access | 💸             | Minutes-hours
Glacier Deep Archive | Long-term backup only      | 🪙 Super cheap | Hours

S3 Replication means:

Automatically copying files from one bucket to another (even in a different region or account).

✅ It's used for:

  • Backup

  • Disaster recovery

  • Cross-region compliance

  • Data duplication
