S3 – Versioning

Versioning is a method of keeping multiple modifications/versions of an object in the same bucket. You can use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket.

With versioning, you can easily recover from unintended user actions, accidental deletes and application failures.

How Versioning works:

In Windows/Linux, if you try to store or copy a file under a name that already exists, you'll get a pop-up or an error saying the file already exists. With versioning, the behaviour is different:

  • If you overwrite an object, the result is a new version of that object in the bucket. Remember, versioning does not create a separate object/file when you overwrite; it preserves the old version underneath and places the new version on top. You can always restore the previous version.

In versioning-enabled buckets, a GET request retrieves the most recently written version by default. To retrieve an older version, you have to specify the version ID of the object.

  • If you delete an object, instead of removing it permanently, Amazon S3 inserts a delete marker, which becomes the current object version.
  • Each version takes up the full size of the object. If a 1GB file is uploaded to an S3 bucket, then the source file is cut down to 500MB and re-uploaded under the same name, the 500MB file becomes the current version of the object and the total storage used for the object is 1.5GB.
  • Versioning can only be suspended once it has been enabled; it can't be disabled.
  • Important: You can add security for your S3 bucket by enabling versioning together with multi-factor authentication.

With respect to versioning, a bucket can only be in one of 3 states:

  • unversioned (the default)
  • versioning-enabled
  • versioning-suspended
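As an added illustration (not code from the original notes), the following Go model reproduces the overwrite, delete-marker and restore behaviour described above: every Put stacks a new version, a plain Delete only adds a delete marker, a GET without a version ID sees the newest entry, and permanently deleting the marker restores the object. The Bucket type and its counter-based version IDs are constructed stand-ins, not an S3 client.

```go
package main

import "fmt"

// Version is one entry in a key's version stack (newest last); a delete marker has no data.
type Version struct {
	ID           string
	Data         []byte
	DeleteMarker bool
}

// Bucket is a constructed model of a versioning-enabled bucket, not an S3 client.
type Bucket struct {
	versions map[string][]Version
	nextID   int // stands in for the opaque version IDs S3 mints
}

func NewBucket() *Bucket { return &Bucket{versions: map[string][]Version{}} }
func (b *Bucket) push(key string, v Version) string {
	b.nextID++
	v.ID = fmt.Sprintf("v%d", b.nextID)
	b.versions[key] = append(b.versions[key], v)
	return v.ID
}

// Put overwrites by stacking a new version; the previous one stays underneath.
func (b *Bucket) Put(key string, data []byte) string { return b.push(key, Version{Data: data}) }
// Delete without a version ID removes no data: it inserts a delete marker on top.
func (b *Bucket) Delete(key string) string { return b.push(key, Version{DeleteMarker: true}) }
// DeleteVersion permanently removes one version; deleting the marker on top restores the object.
func (b *Bucket) DeleteVersion(key, id string) {
	vs := b.versions[key]
	for i := range vs {
		if vs[i].ID == id {
			b.versions[key] = append(vs[:i], vs[i+1:]...)
			return
		}
	}
}

// Get with id "" returns the current version (a delete marker on top reads as not found); an explicit id reaches any older stored version.
func (b *Bucket) Get(key, id string) ([]byte, bool) {
	vs := b.versions[key]
	for i := len(vs) - 1; i >= 0; i-- { // newest first
		if id == "" || vs[i].ID == id {
			return vs[i].Data, !vs[i].DeleteMarker
		}
	}
	return nil, false
}
```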

S3 – Encryption

Encryption on any system requires three components:

(1) data to encrypt
(2) a method to encrypt the data using a cryptographic algorithm (AES)
(3) encryption keys to be used in conjunction with the data and the algorithm.

S3 supports encryption of data in transit and at rest.

Data in transit is encrypted using SSL. For data at rest, you can encrypt using the options below.

Server Side Encryption

SSE-S3 (Server Side Encryption with Amazon S3-managed keys): Amazon handles key management and key protection using multiple layers of security.

In this model, data is encrypted before it is written to disk in Amazon S3. Each object is encrypted with a unique data key. As an additional safeguard, that data key is itself encrypted with a periodically rotated master key managed by Amazon S3, so only the encrypted data key is stored with the object.

SSE-KMS (Key Management Service): You can use AWS KMS to manage your encryption keys. It provides an audit trail so you can see who used your key to access which object and when, as well as view failed attempts to access data from users without permission to decrypt the data.

SSE-C (Customer-provided keys): You can use your own encryption key while uploading an object to Amazon S3. This encryption key is used by Amazon S3 to encrypt your data.

When you retrieve this object from Amazon S3, you must provide the same encryption key in your request. Amazon S3 verifies that the encryption key matches, decrypts the object, and returns the object to you.

Client Side Encryption:

You encrypt the files on your end using your preferred encryption method and then upload the encrypted files to S3.
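The SSE-S3 key hierarchy described above (a unique data key per object, itself encrypted under a rotating master key) is easy to see in code, and the same envelope layout is what a client-side encryption library produces before uploading. This Go example is added here and is not from the notes or from AWS: Envelope, Encrypt, Decrypt and Rotate are constructed names, and the master keys are stand-ins for what S3 or KMS would hold.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what is stored per object: the ciphertext plus its data key wrapped under the master key.
type Envelope struct{ Ciphertext, WrappedKey []byte }
// must panics on error; all keys here are 32 bytes, so AES/GCM setup cannot fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// seal returns nonce || AES-256-GCM ciphertext; open reverses it and errors on a wrong key.
func seal(key, pt []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, pt, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Encrypt mirrors the SSE-S3 description: a fresh data key per object, itself encrypted under the master key.
func Encrypt(master, object []byte) *Envelope {
	dataKey := make([]byte, 32) // the plaintext data key is never stored
	must(rand.Read(dataKey))
	return &Envelope{seal(dataKey, object), seal(master, dataKey)}
}
func Decrypt(master []byte, e *Envelope) ([]byte, error) {
	dataKey, err := open(master, e.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, e.Ciphertext)
}
// Rotate re-wraps only the data key under a new master key; the object ciphertext is untouched.
func Rotate(oldMaster, newMaster []byte, e *Envelope) {
	e.WrappedKey = seal(newMaster, must(open(oldMaster, e.WrappedKey)))
}
```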
Scenarios – When to use:

Understanding the given scenario is very important in the exam. You'll be given a scenario for encrypting files and have to choose the right answer based on the requirements and keywords mentioned.

Amazon handles the encryption/decryption and keys: 

SSE-S3 is the right option for this scenario. You needn't worry about encryption/decryption or keys; AWS handles everything.

You want to manage/take hold of keys: 

SSE-C is the right option for this scenario. AWS handles the encryption/decryption, whereas you’ll be managing the keys.

You manage your keys and also want to track who's using your key or attempting to decrypt files without your permission:

SSE-KMS is the right option for this scenario. It provides an audit trail so you can see who used your key to access which object and when, as well as view failed attempts to access data from users without permission to decrypt the data.

Note: You can’t apply different types of server-side encryption to the same object simultaneously.

AWS S3 – Simple Storage Service

Simple, durable, massively scalable object storage

S3 is one of the most amazing services in AWS and a heavily featured topic in the AWS certification exams.

You have to know the different storage types and classes available in S3, which one is ideal for a given scenario, how to move data in and out of S3, etc.

Below is a general overview of S3 along with exam tips.

  • S3 is an object storage service. You can store flat files and host a static website, but you can't install operating systems or run a dynamic site.
  • It's a highly available and durable service. The data stored is replicated across multiple availability zones by default, and it is cost effective as well.
  • There are three types of S3 storage classes available: S3 Standard, Infrequent Access and Glacier.
  • Remember, Reduced Redundancy Storage (RRS) is an Amazon S3 storage option.
  • S3 supports encryption of data in transit (SSL) and at rest. Read about encryption here: S3 Encryption

Storage:

Individual Amazon S3 objects can range in size from a minimum of 0 bytes to a maximum of 5 terabytes.

The largest object that can be uploaded in a single PUT is 5 gigabytes. For objects larger than 100 megabytes, customers should consider using the Multipart Upload capability.

In short, you can store an object of maximum size 5TB, which can be uploaded in chunks.

The maximum size of a single chunk is 5GB. You can use multipart upload for faster uploading of objects larger than 100MB.

Note: It's recommended to use multipart upload for objects larger than 100MB, and it's required for files larger than 5GB.

Amazon S3 buckets in all Regions provide read-after-write consistency for PUTs of new objects and eventual consistency for overwrite PUTs and DELETEs.

If an uploaded object does not immediately show up in the bucket, the bucket in that region is serving it with eventual consistency.