AWS S3 Storage Training Guide

This document provides an overview of an Amazon Web Services training course. The 6-day course covers topics such as system operations, computing, networking, storage, archiving, and monitoring on AWS. Each day includes presentations and hands-on labs to reinforce the concepts. Module 4 focuses specifically on storage using Amazon S3, covering concepts like buckets, objects, encryption methods, access controls, and hosting static websites.

Training Course

Amazon Web Services

8/9/2023 09e-BM/DT/FSOFT - ©FPT SOFTWARE – Fresher Academy - Internal Use 1


Course Schedule

Day    Presentation                                   Lab

Day 1  System Operations on AWS
Day 2  Computing on AWS                               X
Day 3  Networking on AWS                              X
Day 4  Storage and Archiving in the Cloud             X
Day 5  Monitoring in the Cloud                        X
Day 6  Managing Resource Consumption in the Cloud     X

Module 4:

Storage S3 in AWS

Module 4: Storage S3 in AWS

• Goal: Understanding S3 storage and data
• Lab: Create and configure S3 storage

Module 4: Storage and Archiving in AWS

Section introduction

Module 4: Storage and Archiving in AWS

Section introduction

• Amazon S3 is one of the main building blocks of AWS


• It’s advertised as “infinitely scaling” storage
• It’s widely popular and deserves its own section

• Many websites use Amazon S3 as a backbone


• Many AWS services integrate with Amazon S3 as well

• We’ll have a step-by-step approach to S3

Module 4: Storage and Archiving in AWS

Amazon S3 Overview - Bucket

• Amazon S3 stores objects (files) in "buckets" (the closest thing to top-level directories)
• Bucket names must be globally unique across all AWS accounts and regions
• A bucket is created in one region, and its data stays in that region
• Naming convention
• Lowercase letters, numbers, hyphens and dots only (no uppercase, no underscores)
• 3-63 characters long
• Must start and end with a lowercase letter or number
• Must not be formatted as an IP address (e.g. 192.168.1.1)

Module 4: Storage and Archiving in AWS

Amazon S3 Overview - Object

• Objects (files) have a key
• The key is the FULL path after the bucket name:
• s3://my-bucket/my_file.txt
• s3://my-bucket/my_folder/another_folder/my_file.txt
• The key is composed of prefix + object name
• s3://my-bucket/my_folder/another_folder/my_file.txt has prefix "my_folder/another_folder/" and object name "my_file.txt"
• There is no concept of "directories" within buckets
• Just keys with very long names that contain slashes ("/"); the console only displays them as folders for convenience
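The bucket naming rules and the key/prefix split above, as an added Python example (this is not code from the slides or from AWS): a checker for the naming rules as listed, and a splitter that makes the point that a key is just a string containing slashes. The requirement that a name also ends with a letter or digit and that it may contain dots and hyphens comes from the AWS bucket naming rules, not from the slide; the sample URIs are the slide's own.

```python
import ipaddress
import re

# Pattern for the naming rules as the slide lists them, plus the AWS rule that a
# name ends with a letter or digit: 3-63 chars of a-z, 0-9, '.' and '-'.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def bucket_name_errors(name: str) -> list:
    """Return the naming rules `name` violates; an empty list means it is valid."""
    errors = []
    if not 3 <= len(name) <= 63:
        errors.append("length must be 3-63 characters")
    if name != name.lower():
        errors.append("uppercase letters are not allowed")
    if "_" in name:
        errors.append("underscores are not allowed")
    if ".." in name:
        errors.append("adjacent dots are not allowed")
    if not _BUCKET_RE.fullmatch(name.lower()):
        errors.append("must start and end with a letter or digit and use only a-z, 0-9, '.', '-'")
    try:
        ipaddress.ip_address(name)  # raises ValueError for anything that is not an IP
        errors.append("must not be formatted as an IP address")
    except ValueError:
        pass
    return errors


def split_key(uri: str) -> dict:
    """Split an s3:// URI into bucket, key, prefix and object name.

    S3 has no directories: the key is the whole path after the bucket name and
    the 'prefix' is simply everything up to and including the last slash.
    """
    if not uri.startswith("s3://"):
        raise ValueError("expected an s3:// URI")
    bucket, _, key = uri[len("s3://"):].partition("/")
    prefix, slash, name = key.rpartition("/")
    return {"bucket": bucket, "key": key, "prefix": prefix + slash, "name": name}
```

The IP-address rule is checked with the standard library rather than a regex because the other checks already accept "192.168.1.1" as a well-formed name; only the IP check rejects it.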
Module 4: Storage and Archiving in AWS

Amazon S3 Overview – Object (continued)

• Object values are the content of the body
• Max object size is 5 TB (5,000 GB)
• A single PUT is limited to 5 GB; larger uploads must use multipart upload
• Metadata (list of text key/value pairs, system or user metadata)
• Tags (Unicode key/value pairs, up to 10 per object), useful for security and lifecycle rules
• Version ID (if versioning is enabled)

Module 4: Storage and Archiving in AWS

Amazon S3 Overview – Versioning

• You can version your files in Amazon S3
• It is enabled at the bucket level
• Overwriting the same key creates a new version (version IDs are opaque random strings, not 1, 2, 3)
• It is best practice to version your buckets
• Protects against unintended deletes: a delete only adds a "delete marker", and the previous versions can still be restored
• Easy roll back to a previous version
• Notes:
• Any file that is not versioned prior to enabling versioning will have version "null"
• Suspending versioning does not delete previous versions
• Every retained version is billed as storage, so pair versioning with a lifecycle rule that expires old versions

Module 4: Storage and Archiving in AWS

S3 Encryption

Module 4: Storage and Archiving in AWS

S3 Encryption for Object

• There are 4 methods of encrypting objects in S3
• SSE-S3: encrypts S3 objects using keys handled & managed by AWS
• SSE-KMS: leverages AWS Key Management Service to manage encryption keys
• SSE-C: when you want to manage your own encryption keys
• Client Side Encryption
• It is important to understand which ones are suited to which situation, for the exam and in practice

Module 4: Storage and Archiving in AWS

SSE-S3
• SSE-S3: encryption using keys handled & managed by Amazon S3
• Object is encrypted server side
• AES-256 encryption type
• Request header: "x-amz-server-side-encryption": "AES256"
• Since January 2023 S3 applies SSE-S3 to every new object by default, so the header only makes the choice explicit; it protects data at rest on AWS disks, not against anyone who already holds S3 read permission

Module 4: Storage and Archiving in AWS

SSE-KMS
• SSE-KMS: encryption using keys handled & managed by KMS
• KMS advantages: user control (the caller also needs KMS permission on the key) + audit trail (every key use is logged in CloudTrail)
• Object is encrypted server side
• Request header: "x-amz-server-side-encryption": "aws:kms", optionally with "x-amz-server-side-encryption-aws-kms-key-id" to choose the key; otherwise the AWS managed aws/s3 key is used
• Caveat: each upload and download calls KMS, so the KMS request quota can throttle a high-traffic bucket (S3 Bucket Keys reduce the number of calls)

Module 4: Storage and Archiving in AWS

SSE-C
• SSE-C: server-side encryption using data keys fully managed by the customer outside of AWS
• Amazon S3 does not store the encryption key you provide (it keeps only a salted HMAC of the key to validate later requests)
• HTTPS must be used
• The encryption key must be provided in HTTP headers for every HTTP request made, and the same key is needed to read the object back; lose the key and the object is unrecoverable
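The three server-side modes above differ, from the client's point of view, only in the request headers it sends. The following added Python example (not code from the slides or from the AWS SDK; it builds the headers offline and never calls S3) produces those headers, including the base64 key and key MD5 that SSE-C requires. The 32-byte demo key is constructed so that the output is reproducible.

```python
import base64
import hashlib
import os


def sse_headers(mode: str, kms_key_id: str = None, customer_key: bytes = None) -> dict:
    """Return the request headers that select each server-side encryption mode.

    mode is "SSE-S3", "SSE-KMS" or "SSE-C", as named on the slides.
    For SSE-C the raw 256-bit key is sent base64-encoded together with a
    base64 MD5 of the key, which S3 uses to detect a key corrupted in transit.
    """
    if mode == "SSE-S3":
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:  # leave out to use the account's AWS managed aws/s3 key
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) key")
        key_b64 = base64.b64encode(customer_key).decode()
        md5_b64 = base64.b64encode(hashlib.md5(customer_key).digest()).decode()
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key": key_b64,
            "x-amz-server-side-encryption-customer-key-MD5": md5_b64,
        }
    raise ValueError(f"unknown mode {mode!r}")


def sse_c_allowed(scheme: str) -> bool:
    """SSE-C puts the key itself in the headers, so S3 refuses it over plain HTTP."""
    return scheme.lower() == "https"


def new_customer_key() -> bytes:
    """Generate a fresh SSE-C key; store it yourself, S3 never keeps it."""
    return os.urandom(32)


# Constructed demo key (bytes 0..31), used only to make the output reproducible.
DEMO_KEY = bytes(range(32))
```

Because the SSE-C key crosses the wire on every request, the same headers must accompany GET, HEAD and COPY calls as well as PUT, and any proxy or log that captures request headers captures the key.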

Module 4: Storage and Archiving in AWS

Client Side Encryption


• Client library such as the Amazon S3 Encryption Client
• Clients must encrypt data themselves before sending it to S3
• Clients must decrypt data themselves when retrieving it from S3
• Customer fully manages the keys and the encryption cycle; S3 only ever sees ciphertext, so neither AWS nor a compromised S3 permission reveals plaintext

Module 4: Storage and Archiving in AWS

Encryption in transit (SSL/TLS)

• Amazon S3 exposes
• HTTP endpoint: not encrypted
• HTTPS endpoint: encryption in flight
• You are free to use either endpoint, but HTTPS is recommended
• Most clients use the HTTPS endpoint by default
• HTTPS is mandatory for SSE-C
• Encryption in flight is also called SSL/TLS encryption
• To enforce it, add a bucket policy statement that denies all actions when the condition key "aws:SecureTransport" is "false"

Module 4: Storage and Archiving in AWS

S3 Security
• User based
• IAM policies: which API calls are allowed for a specific IAM user or role, managed from the IAM console
• Resource based
• Bucket policies: bucket-wide rules from the S3 console, also allow cross-account access
• Object Access Control List (ACL): fine-grained, per object
• Bucket Access Control List (ACL): less common
• Note: since April 2023 new buckets have ACLs disabled by default (Object Ownership "bucket owner enforced"); prefer policies and only enable ACLs for a documented reason
• Note: an IAM principal in the same account can access an S3 object if
• the user's IAM permissions allow it OR the resource policy allows it
• AND there is no explicit DENY in either
• For a principal in another account both sides must agree: the bucket policy must grant the external principal AND that principal's own IAM policy must allow the action

Module 4: Storage and Archiving in AWS

S3 Bucket Policies

• JSON based policies
• Resources: bucket and objects (ARNs such as arn:aws:s3:::my-bucket and arn:aws:s3:::my-bucket/*)
• Action: set of API calls to allow or deny (for example s3:GetObject, s3:PutObject)
• Effect: Allow / Deny
• Principal: the account or user the policy applies to ("*" means everyone, including anonymous users)
• Condition (optional): restricts a statement, for example to uploads that carry the "x-amz-server-side-encryption" header
• Use an S3 bucket policy to
• Grant public access to the bucket
• Force objects to be encrypted at upload
• Grant access to another account (cross account)
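To make the evaluation rule from the S3 Security slide concrete, and to show two of the bucket-policy uses just listed (public read, forcing encryption at upload) together with the HTTPS-only statement from the encryption-in-transit slide, here is an added Python model of how an identity policy and a bucket policy combine. It is neither AWS's evaluator nor code from the slides: it handles only same-account requests, the Null, Bool, StringEquals and StringNotEquals condition operators, and string-or-list values; the bucket name, role ARN, account ID and policies are constructed for the example.

```python
import fnmatch

BUCKET_ARN = "arn:aws:s3:::my-bucket"  # constructed

# Constructed bucket policy: public read of objects, deny uploads that do not
# request server-side encryption, and deny any request over plain HTTP.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Constructed identity (IAM) policy attached to an uploader role in the same account.
UPLOADER_ROLE = "arn:aws:iam::123456789012:role/uploader"
UPLOADER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
                   "Resource": BUCKET_ARN + "/*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the subset of condition operators used by the policies above."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Null":  # "true" means: the key must be absent from the request
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _effects(policy, principal, action, resource, context):
    """Yield the Effect of every statement that applies to this request."""
    for stmt in policy["Statement"]:
        if "Principal" in stmt:  # resource policies name a principal, IAM policies do not
            who = stmt["Principal"]
            if who != "*" and principal not in _as_list(who.get("AWS", [])):
                continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition"), context):
            continue
        yield stmt["Effect"]


def is_allowed(principal, action, resource, context,
               identity_policy=None, bucket_policy=BUCKET_POLICY):
    """Same-account rule from the slides: an explicit Deny anywhere wins; otherwise
    the request needs an Allow from either the identity policy or the bucket policy."""
    effects = list(_effects(bucket_policy, principal, action, resource, context))
    if identity_policy is not None and principal != "anonymous":
        effects += _effects(identity_policy, principal, action, resource, context)
    if "Deny" in effects:
        return False
    return "Allow" in effects
```

The context dictionary stands in for the request attributes IAM exposes as condition keys: "aws:SecureTransport" is set by the endpoint used, and "s3:x-amz-server-side-encryption" is present only when the upload carried that header. Note that the Deny on unencrypted uploads blocks the uploader role even though its own IAM policy allows PutObject, which is exactly the "AND there is no explicit DENY" clause.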

Module 4: Storage and Archiving in AWS

Bucket settings for Block Public Access


• Block public access to buckets and objects granted through
• New access control lists (ACLs)
• Any access control lists (ACLs)
• New public bucket or access point policies
• Block public and cross-account access to buckets and objects through any public bucket or access point policies
• These settings were created to prevent company data leaks
• If you know your bucket should never be public, leave these on (they are enabled by default for new buckets)
• Can be set at the

Module 4: Storage and Archiving in AWS

S3 Security - Other

• Networking:
• Supports VPC endpoints (for instances in a VPC without internet access); the bucket policy condition key "aws:sourceVpce" can restrict a bucket to requests arriving through that endpoint
• Logging and audit:
• S3 server access logs can be stored in another S3 bucket (a separate one, so the logs do not log themselves)
• API calls can be logged in AWS CloudTrail (object-level data events must be enabled separately)
• User security:
• MFA Delete: MFA (multi-factor authentication) can be required in versioned buckets to permanently delete an object version or to change the versioning state
• Pre-signed URLs: URLs that are valid only for a limited time (ex: premium video service for logged-in users); the URL is signed with the creator's credentials, so whoever holds it has the creator's access to that object until it expires
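Pre-signed URLs are worth seeing in detail, because the expiry is part of what is signed. The following added Python example (not code from the slides or from the AWS SDK) builds a SigV4 query-string presigned GET URL with only the standard library and computes when a given URL stops working, which is the first thing to check when one leaks. The access key and secret are the placeholder credentials from the AWS documentation, the bucket, key and clock are constructed, and the URL shape assumes a virtual-hosted regional endpoint.

```python
import datetime
import hashlib
import hmac
import urllib.parse

# Constructed inputs: the placeholder credentials from the AWS documentation and a
# fixed clock so that the signature is reproducible.
DEMO_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
DEMO_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEMO_NOW = datetime.datetime(2023, 8, 9, 9, 0, 0, tzinfo=datetime.timezone.utc)
MAX_EXPIRES = 7 * 24 * 3600  # S3 rejects X-Amz-Expires above seven days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _q(value: str, safe: str = "-_.~") -> str:
    return urllib.parse.quote(value, safe=safe)


def presign_get(bucket, key, region, access_key, secret_key, expires, now=None):
    """Build a SigV4 query-string presigned GET URL for a virtual-hosted endpoint.

    X-Amz-Expires is part of the signed query string, so extending the lifetime
    after the fact invalidates the signature.
    """
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(f"{_q(k)}={_q(v)}" for k, v in sorted(params.items()))
    canonical_uri = _q("/" + key, safe="/-_.~")
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_query,
        f"host:{host}\n",      # canonical headers block, newline-terminated
        "host",                # signed headers
        "UNSIGNED-PAYLOAD",    # presigned URLs do not commit to a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signing_key = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), date),
                                    region), "s3"), "aws4_request")
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def expires_at(url: str) -> datetime.datetime:
    """When a presigned URL stops working: X-Amz-Date plus X-Amz-Expires, in UTC."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    issued = datetime.datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=datetime.timezone.utc)
    return issued + datetime.timedelta(seconds=int(query["X-Amz-Expires"][0]))


def sample_url(expires: int = 3600) -> str:
    """Presigned link for a constructed premium-video object, valid for `expires` seconds."""
    return presign_get("my-bucket", "videos/premium/episode1.mp4", "us-east-1",
                       DEMO_ACCESS_KEY, DEMO_SECRET_KEY, expires, now=DEMO_NOW)
```

Two practical consequences follow from the construction: the URL embeds the access key ID in X-Amz-Credential, so a leaked URL tells you which credential to rotate, and revoking it early means revoking that credential (or the role session), since S3 has no per-URL revocation.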

Module 4: Storage and Archiving in AWS

S3 Websites

• S3 can host static websites and make them accessible on the web
• The website URL will be one of:
• <bucket-name>.s3-website-<AWS-region>.amazonaws.com
• <bucket-name>.s3-website.<AWS-region>.amazonaws.com
• If you get a 403 (Forbidden) error, make sure Block Public Access is turned off for the bucket and the bucket policy allows public reads (s3:GetObject on the bucket's objects for Principal "*")
• The website endpoint serves HTTP only; put CloudFront in front of it when you need HTTPS

Module 4: Storage and Archiving in AWS

CORS - Explained

• An origin is scheme (protocol), host (domain) and port
• Eg: https://www.example.com (implied port is 443 for HTTPS, 80 for HTTP)
• CORS means Cross-Origin Resource Sharing
• Web browser based mechanism to allow requests to other origins while visiting the main origin
• Same origin: http://example.com/app1 & http://example.com/app2
• Different origins: http://www.example.com & http://other.example.com
• The request won't be fulfilled unless the other origin allows for the request, using CORS headers (ex: Access-Control-Allow-Origin)

Module 4: Storage and Archiving in AWS

CORS - Diagram

Module 4: Storage and Archiving in AWS

S3 CORS
• If a client does a cross-origin request on your S3 bucket, you need to enable the correct CORS headers on the bucket
• It is a popular exam question
• You can allow a specific origin or * (all origins)
• Caveat: CORS only relaxes the browser's same-origin restriction; it grants no S3 permission by itself, and "*" lets scripts on any website read whatever the bucket already exposes, so list the real origins instead
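As an added Python example for the two CORS slides above (not code from the slides or from S3): an origin comparison that fills in the implied port, and a small model of how an S3 CORS rule set decides which Access-Control-Allow-Origin to return. The rule set is constructed in the JSON shape the S3 console accepts; first-matching-rule selection and echoing the matched origin follow S3's documented behaviour, but the function is a simplification that ignores AllowedHeaders and ExposeHeaders.

```python
import fnmatch
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Reduce a URL to its origin (scheme, host, port), filling in the implied port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(scheme))


def same_origin(a: str, b: str) -> bool:
    return origin_of(a) == origin_of(b)


# Constructed CORS configuration in the JSON shape the S3 console accepts:
# only the company site may read objects from scripts, and only with GET/HEAD.
CORS_RULES = [
    {"AllowedOrigins": ["https://www.example.com"],
     "AllowedMethods": ["GET", "HEAD"],
     "AllowedHeaders": ["*"],
     "ExposeHeaders": [],
     "MaxAgeSeconds": 3000},
]


def cors_response_headers(rules: list, origin: str, method: str) -> dict:
    """Model of S3's rule matching: the first rule whose AllowedOrigins and
    AllowedMethods match the request decides the CORS headers; with no match S3
    adds none, and the browser then refuses to hand the response to the script."""
    for rule in rules:
        if method.upper() not in rule["AllowedMethods"]:
            continue
        for allowed in rule["AllowedOrigins"]:
            if allowed == "*":
                echoed = "*"
            elif "*" in allowed:  # S3 permits one wildcard, e.g. https://*.example.com
                if not fnmatch.fnmatchcase(origin, allowed):
                    continue
                echoed = origin
            elif same_origin(origin, allowed):
                echoed = origin
            else:
                continue
            return {"Access-Control-Allow-Origin": echoed,
                    "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
                    "Access-Control-Max-Age": str(rule.get("MaxAgeSeconds", 0))}
    return {}
```

The last assertion in the test shows the caveat from the slide: with "*" in AllowedOrigins, a page on an unrelated site gets a usable Access-Control-Allow-Origin and its scripts can read any object the bucket policy already makes readable.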

Module 4: Storage and Archiving in AWS

Thank you!!!
