视频来源:B站《AWS 认证解决方案架构师 助理级 SAA-C03》
一边学习一边整理老师的课程内容及试验笔记,并与大家分享,侵权即删,谢谢支持!
附上汇总贴:AWS助理架构师认证培训 | 汇总_热爱编程的通信人的博客-CSDN博客
S3 Overview
Section introduction
- Amazon S3 is one of the main building blocks of AWS
- It's advertised as "infinitely scaling" storage
- Many websites use Amazon S3 as a backbone
- Many AWS services use Amazon S3 as an integration as well
- We'll have a step-by-step approach to S3
Amazon S3 Use cases
- Backup and storage
- Disaster Recovery
- Archive
- Hybrid Cloud storage
- Application hosting
- Media hosting
- Data lakes & big data analytics
- Software delivery
- Static website
Amazon S3 - Buckets
- Amazon S3 allows people to store objects (files) in "buckets" (directories)
- Buckets must have a globally unique name (across all regions all accounts)
- Buckets are defined at the region level
- S3 looks like a global service but buckets are created in a region
- Naming conventionNo uppercase, No underscore3-63 characters longNot an IPMust start with lowercase letter or number Must NOT start with the prefix xn--S3 Bucket Must NOT end with the suffix -s3alias
Amazon S3 - Objects
- Objects (files) have a Key
- The key is the FULL path:s3://my-bucket/my_file.txts3://my-bucket/my_folder1/another_folder/my_file.txt
- The key is composed of prefix + object names3://my-bucket/my_folder1/another_folder/my_file.txt
- There's no concept of "directories" within buckets (although the UI will trick you to think otherwise)
- Just keys with very long names that contain slashes ("/")
- Object values are the content of the body:Max. Object Size is 5TB (5000GB)lf uploading more than 5GB, must use "multi-part upload"
- Metadata (list of text key / value pair - system or user metadata)
- Tags (Unicode key / value pair - up to 10) - useful for security / lifecycle
- Version ID (if versioning is enabled)
S3 Security Bucket Policy
Amazon S3 - Security
- User-BasedIAM Policies - which API calls should be allowed for a specific user from IAM
- Resource-BasedBucket Policies - bucket wide rules from the S3 console - allows cross account Object Access Control List (ACL) - finer grain (can be disabled)Bucket Access Control List (ACL) - less common (can be disabled)
- Note: an IAM principal can access an S3 object ifThe user IAM permissions ALLOW it OR the resource policy ALLOWS it AND there's no explicit DENY
- Encryption: encrypt objects in Amazon S3 using encryption keys
S3 Bucket Policies
- JSON based policiesResources: buckets and objects Effect: Allow/DenyActions: Set of API to Allow or Deny Principal: The account or user to apply the policy to
- Use S3 bucket for policy to:Grant public access to the bucket Force objects to be encrypted at uploadGrant access to another account (Cross Account)
Example: Public Access - Use Bucket Policy
Example: User Access to S3 - IAM permissions
Example: EC2 instance access - Use IAM Roles
Advanced: Cross-Account Access - Use Bucket Policy
Bucket settings for Block Public Access
- These settings were created to prevent company data leaks
- If you know your bucket should never be public, leave these on
- Can be set at the account level
S3 Website Overview
Amazon S3 - Static Website Hosting
- S3 can host static websites and have them accessible on the Internet
- The website URL will be (depending on the region)http://bucket-name.s3-website-aws-region.amazonaws.comORhttp://bucket-name.s3-website.aws-region.amazonaws.com
- If you get a 403 Forbidden error, make sure the bucket policy allows public reads!
Versioning
Amazon S3 - Versioning
- You can version your files in Amazon S3
- It is enabled at the bucket level
- Same key overwrite will change the "version": 1, 2, 3...
- It is best practice to version your bucketsProtect against unintended deletes (ability to restore a version)Easy roll back to previous version
- Notes:Any file that is not versioned prior to enabling versioning wil have version "null"Suspending versioning does not delete the previous versions
S3 Replication
Amazon S3 - Replication (CRR & SRR)
- Must enable Versioning in source and destination buckets
- Cross-Region Replication (CRR)
- Same-Region Replication(SRR)
- Buckets can be in different AWS accounts
- Copying is asynchronous
- Must give proper IAM permissions to S3
- Use cases:CRR - compliance, lower latency access, replication across accountsSRR - log aggregation, live replication between production and test accounts
S3 Replication Notes
Amazon S3 - Replication (Notes)
- After you enable Replication, only new objects are replicated
- Optionally, you can replicate existing objects using S3 Batch Replication Replicates existing objects and objects that failed replication
- For DELETE operationsCan replicate delete markers from source to target (optional setting)Deletions with a version ID are not replicated (to avoid malicious deletes)
- There is no "chaining" of replicationlf bucket 1 has replication into bucket 2, which has replication into bucket 3Then objects created in bucket 1 are not replicated to bucket 3
S3 Storage Classes Overview
S3 Storage Classes
- Amazon S3 Standard - General Purpose
- Amazon S3 Standard - Infrequent Access (IA)
- Amazon S3 One Zone - Infrequent Access
- Amazon S3 Glacier Instant Retrieval
- Amazon S3 Glacier Flexible Retrieval
- Amazon S3 Glacier Deep Archive
- Amazon S3 Intelligent Tiering
- Can move between classes manually or using S3 Lifecycle configurations
S3 Durability and Availability
- Durability:High durability (99.999999999%, 119's) of objects across multiple AZIf you store 10,000,000 objects with Amazon S3, you can on average expect to incur a loss of a single object once every 10,000 yearsSame for all storage classes
- Availability:Measures how readily available a service isVaries depending on storage classExample: S3 standard has 99.99% availability = not available 53 minutes a year
S3 Standard - General Purpose
- 99.99% Availability
- Used for frequently accessed data
- Low latency and high throughput
- Sustain 2 concurrent facility failures
- Use Cases: Big Data analytics, mobile & gaming applications, content distribution...
S3 Storage Classes - Infrequent Access
- For data that is less frequently accessed, but requires rapid access when needed
- Lower cost than S3 Standard
- Amazon S3 Standard-Infrequent Access (S3 Standard-lA)99.9% AvailabilityUse cases: Disaster Recovery, backups
- Amazon S3 One Zone-Infrequent Access (S3 One Zone-lA)High durability (99.999999999%) in a single AZ; data lost when AZ is destroyed 99.5% AvailabilityUseCases: Storing secondary backup copies of on-premise data, or data you can recreate
Amazon S3 Glacier Storage Classes
- Low-cost object storage meant for archiving / backup
- Pricing: price for storage + object retrieval cost
- Amazon S3 Glacier Instant Retrieval Millisecond retrieval, great for data accessed once a quarter Minimum storage duration of 90 days
- Amazon S3 Glacier Flexible Retrieval (formerly Amazon S3 Glacier):Expedited (1 to 5 minutes), Standard (3 to 5 hours), Bulk( 5 to 12 hours) - free Minimum storage duration of 90 days
- Amazon S3 Glacier Deep Archive - for long term storage:Standard (12 hours), Bulk (48 hours)Minimum storage duration of 180 days
S3 Intelligent-Tiering
- Small monthly monitoring and auto-tiering free
- Moves objects automatically between Access Tiers based on usage
- There are no retrieval charges in S3 Intelligent-Tiering
- Frequent Access tier (automatic): default tier
- Infrequent Access tier (automatic): objects not accessed for 30 days
- Archive Instant Access tier (automatic): objects not accessed for 90 days
- Archive Access tier (optional): configurable from 90 days to 700+ days
- Deep Archive Access tier (optional): config. from 180 days to 700+ days