# S3

## **What is S3**

Amazon S3 (Simple Storage Service) is an object storage service that allows you to store and retrieve any amount of data from anywhere on the internet.

Think of it like Google Drive, but more powerful and programmable.

### **Core Concepts:**

| Concept    | Simple Meaning                                   |
| ---------- | ------------------------------------------------ |
| **Bucket** | A container for storing files (like a folder)    |
| **Object** | A file + its metadata (e.g., image, video, PDF)  |
| **Key**    | Unique name of the file in the bucket            |
| **Region** | Data center location where your bucket is hosted |

### Types of Uploads (Uploading Methods)

1\. Single PUT upload (Simple Upload)

* Uploads files up to 5GB in one request.
* Best for small files.

2\. Multipart Upload ✅ (Recommended for big files)

* Splits large files (up to 5TB) into parts.
* Upload parts in parallel → faster and more reliable.
* If the upload fails midway, only the missing parts need to be re-uploaded, so you resume where it left off.

3\. S3 Transfer Acceleration

* Uses AWS edge locations to speed up uploads from faraway places.
* Good for global applications or poor network conditions.

4\. Presigned URLs

* Temporary, signed link that lets someone upload/download a specific file without needing AWS credentials of their own.
* Example: Let users upload photos without giving them full access.
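To make the upload options concrete, here is an added example (not code from the original page) that plans a multipart upload the way a client SDK does: it picks a part size within S3's documented limits, tracks which parts completed so a failed upload resumes rather than restarts, and recomputes the composite ETag S3 reports for multipart objects so the stored object can be checked against what was sent. The sample object and part sizes are constructed, and the calls to S3 itself are replaced by local hashing, so it runs offline.

```python
"""Planning a multipart upload and checking its ETag (added example).

The size rules used here are the documented S3 ones: a single PUT carries
at most 5 GiB, every multipart part except the last is at least 5 MiB,
and one upload has at most 10,000 parts.
"""
import hashlib
from dataclasses import dataclass, field

MIB = 1024 * 1024
GIB = 1024 * MIB
SINGLE_PUT_MAX = 5 * GIB   # largest body a single PUT may carry
MIN_PART_SIZE = 5 * MIB    # every part except the last must be at least this big
MAX_PARTS = 10_000         # parts allowed in one multipart upload


def needs_multipart(object_size: int) -> bool:
    """A single PUT is fine up to 5 GiB; anything larger must be multipart."""
    return object_size > SINGLE_PUT_MAX


def choose_part_size(object_size: int, preferred: int = 8 * MIB) -> int:
    """Pick a part size that respects the minimum and keeps the part count <= 10,000."""
    part_size = max(preferred, MIN_PART_SIZE)
    while -(-object_size // part_size) > MAX_PARTS:   # ceiling division
        part_size *= 2
    return part_size


def plan_parts(object_size: int, part_size: int) -> list[tuple[int, int, int]]:
    """Return (part_number, offset, length) for each part; part numbers start at 1."""
    parts = []
    offset, number = 0, 1
    while offset < object_size:
        length = min(part_size, object_size - offset)
        parts.append((number, offset, length))
        offset += length
        number += 1
    return parts


def simple_put_etag(data: bytes) -> str:
    """For a single (non-multipart) PUT, S3's ETag is the hex MD5 of the body."""
    return hashlib.md5(data).hexdigest()


def multipart_etag(part_digests: list[bytes]) -> str:
    """Composite ETag S3 reports for a multipart upload: MD5 over the
    concatenated binary MD5s of the parts, then '-' and the part count.
    Recomputing it locally lets you confirm S3 stored exactly what you sent."""
    combined = hashlib.md5(b"".join(part_digests)).hexdigest()
    return f"{combined}-{len(part_digests)}"


@dataclass
class ResumableUpload:
    """Tracks completed parts so a failed upload resumes instead of restarting."""
    data: bytes
    part_size: int
    completed: dict[int, bytes] = field(default_factory=dict)   # part number -> binary MD5

    def pending(self) -> list[int]:
        plan = plan_parts(len(self.data), self.part_size)
        return [number for number, _, _ in plan if number not in self.completed]

    def upload_part(self, number: int) -> None:
        # stand-in for the UploadPart call: hash the slice that would be sent
        _, offset, length = plan_parts(len(self.data), self.part_size)[number - 1]
        self.completed[number] = hashlib.md5(self.data[offset:offset + length]).digest()

    def complete(self) -> str:
        # stand-in for CompleteMultipartUpload: every part must be present
        if self.pending():
            raise RuntimeError(f"parts still missing: {self.pending()}")
        return multipart_etag([self.completed[n] for n in sorted(self.completed)])


if __name__ == "__main__":
    # constructed sample: a 12 MiB object uploaded in 5 MiB parts
    sample = bytes(range(256)) * (12 * MIB // 256)
    upload = ResumableUpload(sample, 5 * MIB)
    upload.upload_part(1)
    upload.upload_part(2)
    print("network dropped; parts still pending:", upload.pending())
    upload.upload_part(3)
    print("composite ETag:", upload.complete())
```

Parts that are never completed still cost storage until the upload is aborted, so pairing this with a lifecycle rule that aborts incomplete multipart uploads after a few days is the usual practice.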

### **Storage Types:**

| Class Name                  | Use Case                      | Price | Retrieval Speed  |
| --------------------------- | ----------------------------- | ----- | ---------------- |
| **S3 Standard**             | Frequently accessed files     | 💰    | Milliseconds     |
| **S3 Intelligent-Tiering**  | Auto-moves files to save cost | 💰⬇   | Milliseconds     |
| **S3 Standard-IA**          | Infrequent access             | 💸    | Milliseconds     |
| **S3 One Zone-IA**          | Infrequent, 1 AZ only         | 💸⬇   | Milliseconds     |
| **S3 Glacier**              | Archival (cold storage)       | 🔒    | Minutes to hours |
| **S3 Glacier Deep Archive** | Long-term backups             | 🔒💸  | Up to 12 hours   |

### **Security in S3**

IAM Policies:

* Control who can access buckets/objects.
* Example: Only allow access from specific IAM roles.

Bucket Policies:

* Set rules at the bucket level (like a firewall for a bucket).

Encryption:

* **SSE-S3**: AWS-managed encryption.
* **SSE-KMS**: You manage keys with AWS Key Management Service.
* **SSE-C**: You supply your own encryption keys (customer-provided).

Access Logging:

* Track all access to your S3 bucket (for security & auditing).
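The following is an added example, not from the page, of what a bucket-policy "firewall" typically contains: it builds a policy that denies plain-HTTP requests and uploads that are not SSE-KMS encrypted, and includes a small local checker for those guardrails. The bucket name example-app-uploads is a placeholder; the condition keys aws:SecureTransport and s3:x-amz-server-side-encryption are real IAM condition keys, while the audit functions are only a lint of the JSON document, not AWS's policy evaluator.

```python
"""Bucket-policy guardrails for an S3 bucket (added example).

The policy is a Python dict so it can be inspected and then serialised
with json.dumps; the checker reads the same structure back.
"""
import json


def guardrail_policy(bucket: str) -> dict:
    """Bucket policy that refuses plaintext HTTP and unencrypted uploads."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # 1. any request not sent over TLS is refused
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # 2. uploads that ask for anything other than SSE-KMS are refused
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
                },
            },
            {   # 3. uploads that omit the encryption header entirely are refused
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _as_list(value) -> list:
    """IAM allows a single value or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def denies_insecure_transport(policy: dict) -> bool:
    """True if some Deny statement covers all S3 actions when TLS is off."""
    for stmt in _as_list(policy.get("Statement", [])):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if (stmt.get("Effect") == "Deny"
                and str(cond.get("aws:SecureTransport")).lower() == "false"
                and any(a in ("s3:*", "*") for a in _as_list(stmt.get("Action", [])))):
            return True
    return False


def denies_unencrypted_uploads(policy: dict) -> bool:
    """True if PutObject is denied unless the request names SSE-KMS or SSE-S3."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or "s3:PutObject" not in _as_list(stmt.get("Action", [])):
            continue
        wanted = stmt.get("Condition", {}).get("StringNotEquals", {})
        if wanted.get("s3:x-amz-server-side-encryption") in ("aws:kms", "AES256"):
            return True
    return False


def has_public_allow(policy: dict) -> bool:
    """True if an Allow statement grants access to everyone (Principal '*')."""
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and principal in ("*", {"AWS": "*"}):
            return True
    return False


def audit(policy: dict) -> dict[str, bool]:
    """Summarise which guardrails a policy document does or does not carry."""
    return {
        "tls_enforced": denies_insecure_transport(policy),
        "sse_enforced": denies_unencrypted_uploads(policy),
        "public_allow": has_public_allow(policy),
    }


if __name__ == "__main__":
    policy = guardrail_policy("example-app-uploads")   # placeholder bucket name
    print(json.dumps(policy, indent=2))
    print(audit(policy))
```

The serialised document is what you hand to `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json`. Deny statements win over any Allow, including ones granted through IAM to your own roles, so keep the bucket's Block Public Access settings on as a second layer and test a change against a non-production bucket first. If the bucket's default encryption is already set to SSE-KMS, the third statement can be dropped, since objects uploaded without the header are encrypted anyway.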

### **Capacity & Limits**

| Property                   | Limit                                        |
| -------------------------- | -------------------------------------------- |
| **Max file size**          | 5TB (must use multipart for >5GB)            |
| **Max bucket per account** | 100 by default (can request more)            |
| **Unlimited objects**      | No limit on number of files                  |
| **Max object size (PUT)**  | 5GB for single PUT; use multipart for bigger |

### **What is AWS KMS?**

AWS KMS is a managed encryption key service. It helps you create, store, and control cryptographic keys to encrypt your data securely.

Think of it as a locksmith service in the cloud: You create “keys” to lock (encrypt) and unlock (decrypt) your data safely.

**Core Concepts**

| Term                          | Meaning                                                                           |
| ----------------------------- | --------------------------------------------------------------------------------- |
| **Customer Master Key (CMK)** | The main encryption key you create or AWS manages to encrypt/decrypt your data.   |
| **Data Key**                  | Temporary keys generated by KMS to encrypt your actual data (like file contents). |
| **Key Alias**                 | Friendly name you assign to your CMK (e.g., alias/myAppKey)                       |
| **Key Policy**                | JSON document that defines who can use or manage your keys                        |
| **Grant**                     | Temporary permission to use a CMK without modifying its policy                    |
| **Key Rotation**              | Automatically replace CMKs after a period for better security                     |

**How KMS Works (Simplified)**

1. You create a CMK in KMS (either AWS-managed or customer-managed).
2. Your app or AWS service requests a data key from KMS.
3. KMS generates a data key:
   * Returns the plaintext data key to your app.
   * Returns the encrypted (wrapped) data key to store safely.
4. Your app uses the plaintext data key to encrypt data locally.
5. When you want to decrypt, your app sends the encrypted data key to KMS, which decrypts it and returns the plaintext key.
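To show steps 1 to 5 running end to end, here is an added example (not from the page or from AWS) of envelope encryption with a stand-in KMS that lives in the same process. It uses only the standard library, so the data cipher is a toy keystream built from SHA-256 with an HMAC tag, there only so the envelope structure is visible; the real service encrypts with AES-GCM and keeps master keys inside hardware security modules. The alias alias/myAppKey and the sample record are constructed.

```python
"""Envelope encryption acted out locally (added example).

ToyKMS plays the KMS service; _seal/_open play the data cipher. The point
being shown is that the application only ever stores the *wrapped* data
key next to the ciphertext, and needs the master key holder to unwrap it.
"""
import hashlib
import hmac
import os


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    A stand-in for AES-GCM so the example needs no third-party library;
    it is an illustration, not a cipher to use on real data."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raise on wrong key or tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(enc_key, nonce, ciphertext)


class ToyKMS:
    """In-process stand-in for the KMS service. The master keys (CMKs) live
    only inside this object and are never handed out, which is the property
    the real service provides with HSM-backed key storage."""

    def __init__(self) -> None:
        self._master_keys: dict[str, bytes] = {}

    def create_key(self, alias: str) -> str:
        # step 1: create a CMK; the alias stands in for the key id
        self._master_keys[alias] = os.urandom(32)
        return alias

    def generate_data_key(self, key_id: str) -> tuple[bytes, bytes]:
        # steps 2-3: mint a fresh data key and return it both in plaintext
        # and wrapped (encrypted) under the master key
        data_key = os.urandom(32)
        wrapped = _seal(self._master_keys[key_id], data_key)
        return data_key, wrapped

    def decrypt_data_key(self, key_id: str, wrapped: bytes) -> bytes:
        # step 5: unwrap a stored data key; only the right CMK can do it
        return _open(self._master_keys[key_id], wrapped)


def encrypt_object(kms: ToyKMS, key_id: str, body: bytes) -> tuple[bytes, bytes]:
    """Client side (step 4): encrypt locally with the plaintext data key, then
    keep only the ciphertext and the wrapped key, e.g. as object metadata."""
    data_key, wrapped = kms.generate_data_key(key_id)
    ciphertext = _seal(data_key, body)
    del data_key          # the plaintext data key is never written anywhere
    return ciphertext, wrapped


def decrypt_object(kms: ToyKMS, key_id: str, ciphertext: bytes, wrapped: bytes) -> bytes:
    """Client side (step 5): unwrap the data key via KMS, then decrypt locally."""
    data_key = kms.decrypt_data_key(key_id, wrapped)
    return _open(data_key, ciphertext)


if __name__ == "__main__":
    kms = ToyKMS()
    key_id = kms.create_key("alias/myAppKey")
    blob, wrapped_key = encrypt_object(kms, key_id, b"constructed sample record")
    print("ciphertext bytes:", len(blob), "wrapped data key bytes:", len(wrapped_key))
    print("decrypted:", decrypt_object(kms, key_id, blob, wrapped_key))
```

Two properties worth noticing: a flipped byte in the stored ciphertext is rejected before any plaintext is produced, and a wrapped data key cannot be unwrapped under a different master key. In the real service both of those checks happen inside KMS, and every decrypt_data_key call shows up in CloudTrail, which is what makes access to encrypted objects auditable.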

### **Types of CMKs**

| Type                     | Description                                         | Who Manages?       | Use Case                              |
| ------------------------ | --------------------------------------------------- | ------------------ | ------------------------------------- |
| **AWS Managed CMK**      | Automatically created and managed by AWS            | AWS                | Easy encryption with minimal effort   |
| **Customer Managed CMK** | Created and managed by you                          | You (full control) | When you need fine control & auditing |
| **AWS Owned CMK**        | Used internally by AWS services, not visible to you | AWS                | Used by AWS behind the scenes         |

### **KMS vs AWS Encryption**

| Service            | What it encrypts           | Uses KMS?      | User Control Level     |
| ------------------ | -------------------------- | -------------- | ---------------------- |
| **S3 Encryption**  | Objects                    | Yes (optional) | Low to Medium          |
| **EBS Encryption** | Disk volumes               | Yes (optional) | Medium                 |
| **RDS Encryption** | Databases                  | Yes (optional) | Medium                 |
| **KMS**            | Keys (for encrypting data) | —              | High (you manage keys) |

### **Encryption is like sending secret messages**

Imagine you want to send a secret message to your friend so no one else can read it.

1\. Symmetric Encryption (Secret Code with One Key)

* You and your friend share the same secret key — like a special password.
* You use that key to lock (encrypt) the message before sending it.
* Your friend uses the same key to unlock (decrypt) the message and read it.
* It’s like having one magic key that opens and locks your secret box.

Example:\
You and your friend both have the same key to a treasure chest. You lock the chest with the key, send it, and your friend unlocks it with the same key.

2\. Asymmetric Encryption (Secret Code with Two Keys)

* You have two keys: a public key and a private key.
* The public key is like a locked mailbox anyone can put letters into.
* The private key is your own secret key to open the mailbox and read letters.
* Your friend uses your public key to lock (encrypt) the message.
* Only you can unlock (decrypt) the message with your private key.
* No one else can open the mailbox because they don’t have the private key.

Example:\
You have a special mailbox with a slot (public key) anyone can drop letters in, but only you have the key to open it and read the letters.

Why both?

* Symmetric is fast but you have to share the same secret key safely.
* Asymmetric is slower but you don’t have to share your private key — more secure for sending keys!

### **SSE vs CSE (Side-by-Side Table)**

| Feature                | Server-Side Encryption (SSE-KMS) | Client-Side Encryption (CSE)        |
| ---------------------- | -------------------------------- | ----------------------------------- |
| Who encrypts the data? | AWS encrypts after upload        | You encrypt before upload           |
| Who stores the key?    | KMS in AWS                       | You or KMS locally                  |
| Ease of use            | ✅ Easy                           | ❗More complex                       |
| Can AWS see data?      | AWS sees it before encrypting    | No — AWS sees only encrypted data   |
| Common use case        | S3 buckets, EBS, RDS             | Finance, healthcare, strict privacy |
| AWS KMS used?          | Yes                              | Optional (can use KMS or local key) |

* KMS = your key vault in the cloud (store + control encryption keys).
* SSE-KMS = AWS encrypts after receiving your data using KMS.
* CSE = You encrypt the data before sending it — AWS just stores it.

### **S3 Lifecycle:**

| Class                    | Use When...                | Cost           | Access Speed  |
| ------------------------ | -------------------------- | -------------- | ------------- |
| **Standard**             | You use it often           | 💰💰💰         | Fast (ms)     |
| **Standard-IA**          | Rarely accessed files      | 💰💰           | Fast (ms)     |
| **One Zone-IA**          | Rare access, 1 AZ only     | 💰             | Fast (ms)     |
| **Glacier**              | Archive, infrequent access | 💸             | Minutes-hours |
| **Glacier Deep Archive** | Long-term backup only      | 🪙 Super cheap | Hours         |
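Since the table only lists the classes, here is an added example (not from the page) of the lifecycle configuration that moves objects through them, in the shape boto3's put_bucket_lifecycle_configuration takes for LifecycleConfiguration, plus a local checker for rules S3 enforces: an object must be stored 30 days before it can move to an IA class, each transition within a rule must go to a colder class, and expiration must come after the last transition. The prefix logs/ and the day counts are constructed sample values.

```python
"""A lifecycle configuration and a local sanity check for it (added example)."""
import json

COLD_ORDER = ["STANDARD_IA", "ONEZONE_IA", "GLACIER", "DEEP_ARCHIVE"]   # warm -> cold
MIN_DAYS_BEFORE_IA = 30   # S3 will not move an object to an IA class earlier than this


def log_bucket_lifecycle(prefix: str = "logs/") -> dict:
    """Lifecycle configuration that tiers access logs down and then deletes them."""
    return {
        "Rules": [
            {
                "ID": "tier-down-access-logs",
                "Filter": {"Prefix": prefix},
                "Status": "Enabled",
                "Transitions": [
                    {"Days": 30, "StorageClass": "STANDARD_IA"},
                    {"Days": 90, "StorageClass": "GLACIER"},
                    {"Days": 365, "StorageClass": "DEEP_ARCHIVE"},
                ],
                "Expiration": {"Days": 2555},   # constructed: roughly 7 years of retention
                # abandoned multipart uploads are billed but never appear in
                # listings; clean them up after a week
                "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
            }
        ]
    }


def rule_problems(rule: dict) -> list[str]:
    """Return the things S3 would reject (or silently never do) in one rule."""
    problems = []
    transitions = sorted(rule.get("Transitions", []), key=lambda t: t["Days"])
    last_rank = -1
    for t in transitions:
        cls, days = t["StorageClass"], t["Days"]
        if cls not in COLD_ORDER:
            problems.append(f"storage class {cls} is not one this checker knows")
            continue
        rank = COLD_ORDER.index(cls)
        if cls.endswith("_IA") and days < MIN_DAYS_BEFORE_IA:
            problems.append(f"{cls} at day {days} is earlier than the 30-day minimum")
        if rank <= last_rank:
            problems.append(f"{cls} at day {days} is not colder than the previous transition")
        last_rank = max(last_rank, rank)
    expiration = rule.get("Expiration", {}).get("Days")
    if expiration is not None and transitions and expiration <= transitions[-1]["Days"]:
        problems.append(f"expiration at day {expiration} is not after the last transition")
    return problems


def validate(config: dict) -> dict[str, list[str]]:
    """Map each rule ID to its list of problems; all lists empty means it is sound."""
    return {rule["ID"]: rule_problems(rule) for rule in config["Rules"]}


if __name__ == "__main__":
    config = log_bucket_lifecycle()
    print(json.dumps(config, indent=2))
    print(validate(config))
```

The JSON form is what `aws s3api put-bucket-lifecycle-configuration --bucket <name> --lifecycle-configuration file://lifecycle.json` expects. Run the checker before applying a change: S3 rejects an out-of-order rule outright, but an IA transition set below 30 days is accepted and simply never fires, which is the kind of silent misconfiguration that leaves data in a more expensive tier than intended.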

### **S3 Replication means:**

Automatically copying files from one bucket to another (even in a different region or account).

✅ It's used for:

* Backup
* Disaster recovery
* Cross-region compliance
* Data duplication
