
Amazon Simple Storage Service - (AWS S3)


Posted by: Hà Hữu Hưng

From Viblo Asia

What is Amazon S3?

Amazon Simple Storage Service (Amazon S3) is a highly scalable object storage solution offering top-tier data availability, security, and performance. It caters to diverse customer needs across various industries, facilitating storage and protection of any data volume for multiple applications including data lakes, websites, mobile apps, backup, archive, enterprise systems, IoT, and big data analytics. With robust management features, users can efficiently manage, organize, and control data access to align with their business, organizational, and compliance needs.

Amazon S3 provides easy-to-use management features so that you can organize your data and configure finely-tuned access controls to meet your specific business, organizational, and compliance requirements. Amazon S3 is designed for 99.999999999 percent (11 9s) of durability.

Amazon S3 features

Amazon S3 storage classes

Amazon S3 offers a variety of storage classes tailored for different needs:

  1. S3 Standard: Ideal for frequently accessed data.
  2. S3 Standard-Infrequent Access (S3 Standard-IA): Suited for less frequently accessed data.
  3. S3 Intelligent-Tiering: Automatically moves data between access tiers based on usage patterns.
  4. Amazon S3 Glacier: Provides lower-cost archival storage with different retrieval options.
  5. Amazon S3 Glacier Deep Archive: Offers the lowest-cost storage with longer retrieval times.
  6. Amazon S3 on Outposts: For on-premises hybrid data storage and meeting data residency requirements.

S3 also offers lifecycle management features, automatically transitioning data between storage classes as per set policies. Storage Class Analysis helps monitor access patterns, facilitating the identification of data suitable for migration to lower-cost tiers. Lifecycle policies can also manage data expiration and optimize storage for changing access patterns, ensuring cost efficiency and data accessibility.

Amazon S3 management and monitoring

1. Storage management

Amazon S3 offers diverse methods for categorizing and managing data, including bucket names, prefixes, object tags, and S3 Inventory. S3 Batch Operations further simplifies data management, enabling various actions such as copying objects, modifying tags, adjusting access controls, and restoring archived data from S3 Glacier. Moreover, it facilitates the execution of AWS Lambda functions for custom business logic. Upon completion, users receive notifications and comprehensive reports detailing the changes made.

2. Version control

Amazon S3 offers features for data version control, preventing accidental deletions, and data replication across AWS Regions. S3 versioning allows easy preservation, retrieval, and restoration of every object version. Multi-factor authentication (MFA) Delete enhances security by requiring two forms of authentication to delete objects from MFA Delete-enabled buckets, reducing the risk of unintended deletions.

3. Replication

Amazon S3 Replication allows for the replication of objects, including metadata and tags, to one or more destination buckets in the same or different AWS Regions. This feature serves various purposes such as reducing latency, ensuring compliance, enhancing security, and enabling disaster recovery.

There are three types of replication:

  • Cross-Region Replication (CRR): Replicates objects from a source bucket to one or more destination buckets in different AWS Regions.
  • Same-Region Replication (SRR): Replicates objects between buckets within the same AWS Region.
  • Replication Time Control (RTC): Provides an SLA and visibility into replication times to meet compliance requirements.

4. Retention and compliance

Amazon S3 Object Lock enables the enforcement of write-once-read-many (WORM) policies by preventing object version deletion during a specified retention period. This feature ensures data protection and compliance by blocking deletions, even if objects are moved between storage classes via S3 Lifecycle policies.

Two modes of configuration are available:

  • Governance mode: Allows AWS accounts with specific IAM permissions to remove S3 Object Lock from objects.
  • Compliance mode: Provides stronger immutability by prohibiting any user or root account from removing the protection, ensuring strict compliance with regulations.

S3 Object Lock facilitates the migration of workloads from existing WORM systems to Amazon S3, offering object-level and bucket-level configuration options to enforce retention policies effectively. Monitoring object WORM status can be achieved through S3 Inventory reports.

5. Storage monitoring

Amazon S3 offers extensive monitoring and control features to manage resource usage effectively:

  • Bucket Tagging: Apply tags to S3 buckets for cost allocation across different business dimensions. Utilize AWS Cost Allocation Reports to view usage and costs aggregated by bucket tags.
  • Amazon CloudWatch: Monitor operational health of AWS resources and set up billing alerts for user-defined thresholds in estimated charges.
  • AWS CloudTrail: Track and report on bucket-level and object-level activities for auditing and compliance purposes.
  • S3 Event Notifications: Trigger workflows, alerts, and AWS Lambda invocations based on specific changes to S3 resources. Use cases include automatic media transcoding upon upload, data file processing, and object synchronization with other data stores.

Amazon S3 access management and security

Amazon S3 offers flexible security features to block unauthorized users from accessing your data.

Access management

Amazon S3 ensures data protection by default, allowing users access only to the resources they create. Resource owners manage access through various features:

  • AWS Identity and Access Management (IAM): Create users and manage access permissions.
  • Access Control Lists (ACLs): Grant access to individual objects for authorized users.
  • Bucket Policies: Configure permissions for all objects within a single S3 bucket.
  • S3 Access Points: Simplify data access management by creating access points with specific names and permissions for each application or set of applications.
  • Query String Authentication: Grant time-limited access to others via temporary URLs.

Additionally, Amazon S3 supports audit logs for visibility into requests made against S3 resources, ensuring comprehensive monitoring and control over data access.

On-premises connectivity

Amazon S3 offers various methods for secure connectivity:

  • VPC Endpoints: Connect to S3 resources from Amazon VPC and on-premises environments. Supports server-side encryption with key management options and client-side encryption for data uploads.
  • AWS PrivateLink for S3: Provides private connectivity between S3 and on-premises environments. Provision interface VPC endpoints in your VPC to connect on-premises applications directly with S3 over AWS Direct Connect or AWS VPN.
  • Automatic Routing: Requests to interface VPC endpoints for S3 are automatically routed to S3 over the AWS network.
  • Access Controls: Set security groups and configure VPC endpoint policies for interface VPC endpoints to enforce additional access controls.

Encryption

Amazon S3 allows setting default encryption for a bucket to ensure all new objects are encrypted upon storage. Encryption options include server-side encryption with Amazon S3 managed keys (SSE-S3) or AWS Key Management Service (AWS KMS) keys stored in AWS KMS (SSE-KMS).

When using SSE-KMS, enabling S3 Bucket Keys can decrease request traffic to AWS KMS, reducing encryption costs.

With server-side encryption, Amazon S3 encrypts objects upon storage and decrypts them upon download, ensuring data security throughout its lifecycle.

S3 Block Public Access

AWS introduced the S3 Block Public Access feature to help you avoid inadvertent data exposure. With Block Public Access, you can manage public access of your Amazon S3 resources at both the AWS account level and the bucket level, which helps ensure that your data is not publicly available. Any new bucket created has block all public access enabled by default.

Access Analyzer

Access Analyzer for Amazon S3 notifies you about buckets configured to grant access to anyone on the internet or other AWS accounts, including those outside your organization. Findings detail the sources and extent of public or shared access for each identified bucket.
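The kind of check that Block Public Access and Access Analyzer perform for you, as an added example that is not from the original post: a small linter over a bucket policy document that reports Allow statements whose Principal is "*" and that carry no condition narrowing the caller (VPC endpoint, source IP, account or organization). The sample policy and its bucket name and VPC endpoint ID are constructed placeholders; the list of scoping condition keys is an assumption kept deliberately short.

```python
import json

# Condition keys that scope a "*" principal to a network path, account or org.
# Assumed short list for this example; extend it for your own policy conventions.
SCOPING_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
                "aws:principalaccount", "aws:principalorgid", "aws:principalarn"}


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def has_scoping_condition(statement):
    """True if any Condition key narrows who the caller can be."""
    return any(key.lower() in SCOPING_KEYS
               for block in statement.get("Condition", {}).values()
               for key in block)


def find_public_statements(policy):
    """Return Sids (or positional names) of Allow statements open to anyone.
    `policy` is a bucket policy as a dict or a JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", f"Statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow"
            and is_wildcard_principal(s.get("Principal"))
            and not has_scoping_condition(s)]


# Constructed sample bucket policy: one public Allow, one VPC-endpoint-scoped
# Allow, and a Deny that is not a finding because it grants nothing.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

if __name__ == "__main__":
    print(find_public_statements(SAMPLE_POLICY))  # ['PublicRead']
```

Running this over policies pulled from an account is a quick way to triage Access Analyzer findings, but it reads only the bucket policy; ACLs and account-level Block Public Access settings still have to be checked separately.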

Amazon S3 use cases

Amazon S3 use cases are similar to those of many file storage systems. With virtually unlimited storage and low costs, Amazon S3 is a strong storage solution for data-intensive and long-term data storage requirements.

Backup and restore

Amazon S3, along with AWS services like Amazon S3 Glacier, Amazon EFS, and Amazon EBS, enables the creation of scalable, durable, and secure backup and restore solutions. These solutions can complement or replace existing on-premises capabilities.

AWS and its partners provide assistance to meet Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), and compliance requirements. With AWS, data can be backed up from the AWS Cloud or via AWS Storage Gateway for on-premises data, ensuring comprehensive backup solutions.

Disaster recovery

Protecting critical data, applications, and IT systems, whether in the AWS Cloud or on-premises, can be achieved without the expense of a second physical site. Leveraging AWS resources and services, such as Amazon S3 storage, S3 Cross-Region Replication, and various compute, networking, and database services, enables the creation of disaster recovery architectures. These architectures ensure resilience and facilitate recovery from outages caused by natural disasters, system failures, and human errors.

Archive

Utilize S3 Glacier and S3 Glacier Deep Archive for cost-effective data archiving. Implement S3 Lifecycle policies or direct uploads for archival. Apply S3 Object Lock for retention and compliance. Enjoy expedited retrievals with S3 Glacier and timely restores from both services.

Hybrid cloud storage

Set up private connectivity between Amazon S3 and on-premises environments using AWS PrivateLink. Provision private endpoints in a VPC for direct access to S3 using private IPs.

AWS Storage Gateway seamlessly connects on-premises applications to AWS Storage, caching data locally for low-latency access.

Automate data transfers between on-premises storage, including S3 on Outposts, and Amazon S3 using AWS DataSync, achieving speeds up to 10 times faster than open-source tools.

Transfer files directly into and out of Amazon S3 with the fully managed AWS Transfer Family, enabling secure file exchanges with third parties using SFTP, FTPS, and FTP.

Collaborate with AWS Partner Network (APN) gateway providers to establish hybrid cloud storage environments.

Pricing

With Amazon S3, you pay for only what you use. No minimum fee applies. Amazon S3 has six cost components to consider when storing and managing your data:

  • Storage pricing
  • Request and data retrieval pricing
  • Data transfer and transfer acceleration pricing
  • Data management and analytics pricing
  • Price to process your data with S3 Object Lambda

Amazon S3 pricing also varies based on the AWS Region where your data resides.

END
