Skip to main content

Amazon S3

Key exam themes: Encryption types, presigned URLs, CORS, event notifications, storage classes.

Storage Classes​

ClassUse CaseMin DurationRetrieval
StandardFrequently accessedNoneInstant
Standard-IAInfrequently accessed, still fast30 daysInstant
One Zone-IAInfrequent, can lose one AZ30 daysInstant
Glacier InstantArchive, rare access90 daysInstant
Glacier FlexibleArchive, hours acceptable90 daysMinutes–hours
Glacier Deep ArchiveLong-term (7-10yr), very rare180 daysUp to 12 hours
Intelligent-TieringUnknown/changing access patternsNoneInstant (frequent tier)

Versioning​

  • Enable on bucket β€” objects get a VersionId
  • DELETE adds a delete marker β€” old versions still exist
  • MFA Delete β€” requires MFA to permanently delete a version
  • Once enabled, versioning can be suspended but not disabled

Encryption​

TypeKey ManagementWho manages?
SSE-S3AWS-managed key (AES-256)AWS
SSE-KMSKMS key (CMK or AWS-managed)AWS KMS + you
SSE-CCustomer-provided keyYou supply key in request header
Client-Side EncryptionKey never leaves clientYou
Exam tip
  • SSE-KMS β†’ audit trail in CloudTrail + KMS usage cost + throttling (KMS has limits)
  • SSE-C β†’ you send the key with every request (HTTPS required)
  • SSE-S3 β†’ default, no extra cost

Force Encryption via Bucket Policy​

{
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::my-bucket/*",
  "Condition": {
    "StringNotEquals": {
      "s3:x-amz-server-side-encryption": "aws:kms"
    }
  }
}

Presigned URLs​

S3Presigner presigner = S3Presigner.create();

// Generate presigned GET URL (valid for 1 hour)
PresignedGetObjectRequest presigned = presigner.presignGetObject(b -> b
    .signatureDuration(Duration.ofHours(1))
    .getObjectRequest(r -> r
        .bucket("my-bucket")
        .key("reports/2024-Q4.pdf")));

URL url = presigned.url();
  • URL inherits the permissions of the signer (IAM role/user)
  • Can also presign PutObject for direct client uploads
  • Default expiry: 1 hour (max: 7 days)

Event Notifications​

DestinationUse Case
SNSFan-out notifications
SQSQueue for async processing
LambdaDirect serverless processing
EventBridgeComplex routing, filtering

Enabling EventBridge​

// Bucket notification configuration
{ "EventBridgeConfiguration": {} }

EventBridge gives you more filtering options than native S3 notifications.

CORS​

When your browser (domain A) calls S3 (domain B) β€” S3 needs a CORS rule:

<CORSRule>
  <AllowedOrigin>https://myapp.example.com</AllowedOrigin>
  <AllowedMethod>GET</AllowedMethod>
  <AllowedMethod>PUT</AllowedMethod>
  <AllowedHeader>*</AllowedHeader>
  <MaxAgeSeconds>3000</MaxAgeSeconds>
</CORSRule>
caution

CORS is not a security control β€” it only tells browsers whether to allow cross-origin responses. It doesn't prevent direct API calls.

Multipart Upload​

  • Recommended for objects > 100MB
  • Required for objects > 5GB
  • Parts can be uploaded in parallel
  • Must call CompleteMultipartUpload or AbortMultipartUpload
  • Use S3 Lifecycle rule to abort incomplete multipart uploads (avoid costs)

S3 Access Points​

  • Simplify bucket policies for large teams
  • Each access point has its own DNS name and policy
  • Can restrict access to a specific VPC

πŸ§ͺ Practice Questions​

Q1. A developer needs to allow a client browser to directly upload a file to S3. The app server should not be in the upload path. What is the BEST approach?

A) Use an API Gateway proxy to stream to S3
B) Generate a presigned PUT URL and return it to the client
C) Make the bucket public
D) Use S3 Transfer Acceleration

βœ… Answer & Explanation

B β€” A presigned PUT URL lets the client upload directly to S3 without going through your server, with a time-limited permission that inherits the signer's IAM credentials.

Q2. A team wants all objects in an S3 bucket to be encrypted using a customer-managed KMS key, and wants API calls to be auditable. Which encryption option should they use?

A) SSE-S3
B) SSE-KMS
C) SSE-C
D) Client-Side Encryption

βœ… Answer & Explanation

B β€” SSE-KMS uses a CMK (Customer Managed Key) in AWS KMS, and every encrypt/decrypt call is logged in CloudTrail, giving a full audit trail. SSE-S3 is auditable but uses AWS-managed keys.

Q3. An S3 bucket has versioning enabled. A user deletes a file. What actually happens?

A) The file is permanently deleted
B) The file and all versions are deleted
C) A delete marker is added; the previous versions still exist
D) The file is moved to Glacier

βœ… Answer & Explanation

C β€” With versioning enabled, a DELETE without specifying a VersionId adds a delete marker. The object appears deleted to normal GET requests but all previous versions are preserved.

πŸ”— Resources​