Amazon S3 Advanced Features
Amazon S3 has several advanced features, which are described one by one below.
Prefixes and Delimiters:
Amazon S3 accepts prefix and delimiter parameters when listing object key names. Although the key space of a bucket is flat, these two parameters let you emulate a folder hierarchy: typically a slash (/ or \) is used as the delimiter, and key names are then read as file and folder paths.
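As an added illustration (not code from the original article), the following Python function emulates how a listing with a prefix and delimiter groups a flat set of keys into Contents and CommonPrefixes, the way the S3 ListObjects API does. The key names are constructed sample data, and the function works purely in memory so it runs without AWS access.

```python
"""Emulate how Amazon S3 ListObjects groups keys by Prefix and Delimiter.

S3 stores keys in a flat namespace; "folders" only appear because the listing
API collapses every key that still contains the delimiter after the prefix
into a single CommonPrefixes entry.
"""

# Constructed sample key names (not from a real bucket).
SAMPLE_KEYS = [
    "photos/2019/jan/a.jpg",
    "photos/2019/jan/b.jpg",
    "photos/2019/feb/c.jpg",
    "photos/2020/d.jpg",
    "photos/readme.txt",
    "docs/plan.pdf",
]


def list_objects(keys, prefix="", delimiter="/"):
    """Return (contents, common_prefixes) as a ListObjects call would.

    contents        : keys under `prefix` with no further delimiter ("files")
    common_prefixes : one entry per distinct "subfolder", ending in delimiter
    With an empty/None delimiter every matching key is returned in contents.
    """
    contents = []
    common_prefixes = []
    seen = set()
    for key in sorted(keys):            # S3 returns keys in UTF-8 binary order
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter and delimiter in rest:
            # Roll everything up to the next delimiter into one common prefix.
            folder = prefix + rest.split(delimiter, 1)[0] + delimiter
            if folder not in seen:
                seen.add(folder)
                common_prefixes.append(folder)
        else:
            contents.append(key)
    return contents, common_prefixes


if __name__ == "__main__":
    files, folders = list_objects(SAMPLE_KEYS, prefix="photos/")
    print("Contents:", files)                 # ['photos/readme.txt']
    print("CommonPrefixes:", folders)         # ['photos/2019/', 'photos/2020/']
```

Note that only the delimiter creates the hierarchy: calling the function with `delimiter=None` returns every key under the prefix, which is also how a caller sees a bucket when it lists without a delimiter.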
Storage Classes:
Amazon S3 provides the following storage classes for different use cases.
- Amazon S3 Standard: General-purpose object storage with high durability, high availability, low first-byte latency and high throughput.
- Amazon S3 Standard – Infrequent Access (Standard-IA): Designed for long-lived, less frequently accessed data. It has a lower per GB-month storage cost than Standard.
- Amazon S3 Reduced Redundancy Storage (RRS): Offers slightly lower durability than Standard and Standard-IA at a reduced cost.
- Amazon Glacier: Used for data that does not require real-time access, such as archives and long-term backups. It offers secure, durable, extremely low-cost cloud storage. To access Amazon Glacier objects you issue a restore command through the Amazon S3 API; three to five hours later a copy of the object is placed in Amazon S3 RRS, while the original data remains in Amazon Glacier until it is explicitly deleted.
Object Lifecycle Management:
Using Amazon S3 lifecycle configuration rules, storage cost can be reduced by automatically transitioning data from one storage class to another, or by deleting data after a period of time.
An example set of lifecycle rules:
- Store backup data initially in Amazon S3 Standard
- After 60 days, transition the data to Amazon S3 Standard-IA
- After 120 days, transition the data to Amazon Glacier
- After 3 years, delete the data.
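The rule set above, written out as an added example (not the article's own code): the dictionary has the shape that boto3's `put_bucket_lifecycle_configuration(Bucket=..., LifecycleConfiguration=...)` accepts, and a small offline validator catches the mistakes that S3 would otherwise reject at upload time. The prefix `backup/` and the rule ID are assumptions.

```python
"""Build and sanity-check an Amazon S3 lifecycle configuration offline."""


def backup_lifecycle_rule(prefix="backup/"):
    """The tiering rule from the article: Standard -> Standard-IA at 60 days,
    -> Glacier at 120 days, delete after 3 years (3 * 365 days).
    `prefix` and the rule ID are assumed values for the example."""
    return {
        "ID": "backup-tiering",
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": [
            {"Days": 60, "StorageClass": "STANDARD_IA"},
            {"Days": 120, "StorageClass": "GLACIER"},
        ],
        "Expiration": {"Days": 3 * 365},
    }


def validate_rule(rule):
    """Return a list of problems found in one rule (empty list means OK)."""
    problems = []
    transitions = rule.get("Transitions", [])
    days = [t["Days"] for t in transitions]
    # Transitions must move forward in time and never coincide.
    if days != sorted(days) or len(set(days)) != len(days):
        problems.append("transition days must be strictly increasing")
    for t in transitions:
        # S3 refuses to move an object into STANDARD_IA before it has spent
        # 30 days in its current class.
        if t["StorageClass"] == "STANDARD_IA" and t["Days"] < 30:
            problems.append("STANDARD_IA transition must be >= 30 days")
    expiration = rule.get("Expiration", {}).get("Days")
    if expiration is not None and days and expiration <= days[-1]:
        problems.append("expiration must come after the last transition")
    if rule.get("Status") not in ("Enabled", "Disabled"):
        problems.append("Status must be Enabled or Disabled")
    return problems


def lifecycle_configuration(rules):
    """Wrap validated rules in the top-level structure S3 expects."""
    for rule in rules:
        problems = validate_rule(rule)
        if problems:
            raise ValueError(f"rule {rule.get('ID')}: {'; '.join(problems)}")
    return {"Rules": list(rules)}


if __name__ == "__main__":
    import json
    print(json.dumps(lifecycle_configuration([backup_lifecycle_rule()]), indent=2))
    # With boto3 (not run here) this would be applied as:
    # boto3.client("s3").put_bucket_lifecycle_configuration(
    #     Bucket="my-bucket", LifecycleConfiguration=lifecycle_configuration([...]))
```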
Encryption:
Data in flight: Amazon S3 provides SSL/TLS API endpoints, so data sent to and from Amazon S3 over HTTPS is protected while in transit.
Data at rest: several variants of Server-Side Encryption (SSE) are available. SSE encrypts each object as it is written to disk in the data center and decrypts it when you access it. The encryption is performed by Amazon S3 together with the AWS Key Management Service, using 256-bit AES.
- SSE-S3 (AWS-managed keys): Key management and key protection are handled entirely by AWS. Every object is encrypted with a unique key, and the object key itself is encrypted with a separate master key that AWS issues and rotates monthly. Encrypted data, object keys and master keys are stored separately on secure hosts.
- SSE-KMS (AWS KMS keys): A key management and protection solution fully integrated with Amazon S3. Separate permissions govern the use of the master keys, and AWS KMS also provides auditing, so you can see who used your keys to access which objects and when.
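Both protections above are only guarantees if clients actually use them, so the usual practitioner step is a bucket policy that refuses plain-HTTP requests and uploads that do not request server-side encryption. The block below is an added example, not from the article: it builds such a policy and includes a deliberately simplified evaluator (covering only the Bool, StringNotEquals and Null operators, and ignoring Resource matching) so the effect can be checked offline. The bucket name and the choice to require SSE-KMS rather than SSE-S3 are assumptions.

```python
"""Bucket policy enforcing TLS in flight and SSE-KMS at rest, with a tiny
offline evaluator for the three condition operators it uses."""
import fnmatch


def encryption_and_tls_policy(bucket):
    """Deny any request over plain HTTP and any PutObject without SSE-KMS."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, arn + "/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyWrongEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn + "/*",
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {
                # A request that omits the header never matches StringNotEquals,
                # so a separate Null check is needed to catch it.
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn + "/*",
                "Condition": {"Null": {
                    "s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _condition_holds(condition, ctx):
    """Simplified IAM condition logic for the operators used above.
    `ctx` maps condition keys to the values present in the request."""
    for operator, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if operator == "Bool":
                if have is None or str(have).lower() != want:
                    return False
            elif operator == "StringNotEquals":
                if have is None or have == want:   # missing key => no match
                    return False
            elif operator == "Null":
                if (have is None) != (want == "true"):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def is_denied(policy, action, ctx):
    """True if any Deny statement matches `action` and its conditions hold.
    (Resource matching is assumed to succeed in this simplified model.)"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    policy = encryption_and_tls_policy("my-bucket")
    print(is_denied(policy, "s3:GetObject", {"aws:SecureTransport": "false"}))  # True
    print(is_denied(policy, "s3:PutObject", {"aws:SecureTransport": "true",
          "s3:x-amz-server-side-encryption": "aws:kms"}))                        # False
```

To accept SSE-S3 as well, the StringNotEquals statement can list both values (`["aws:kms", "AES256"]`), since that operator denies only when the header matches none of them; the evaluator above models the single-value form only.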
Client Side Encryption:
Data is encrypted on the client side of your application before it is sent to Amazon S3, using one of the following two options:
- Use an AWS KMS-managed customer master key.
- Use a client-side master key.
Versioning:
Amazon S3 can keep multiple versions of an object in a bucket, which helps protect data against accidental or malicious deletion. Each version is referenced by a version ID, so after an accident the object can be restored to its earlier state by referencing that version ID. Once versioning is enabled it cannot be removed from a bucket; it can only be suspended.
MFA Delete:
MFA Delete provides another layer of data protection on top of versioning. It requires additional authentication in order to permanently delete an object version or change the versioning state of a bucket. In addition to your normal security credentials, MFA Delete requires an authentication code generated by a hardware or virtual multi-factor authentication device.
Cross Region Replication:
With cross-region replication, objects in your source bucket are replicated to a destination bucket as soon as any change to their data, metadata or ACL is made. To enable it, versioning must be turned on for both the source and the destination bucket.
Server Access Logging:
To track requests made to your Amazon S3 bucket you must enable Amazon S3 server access logs. Logging is off by default; when you enable it you must choose where the logs are stored (the target bucket).
Once logging is enabled, logs are delivered on a best-effort basis with a slight delay, and they include the following information.
- Requester account and IP address
- Bucket name
- Request Time
- Action (GET, PUT, LIST)
- Response status and error code.
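The fields listed above appear in a fixed, space-separated order in each server access log line, with the timestamp in square brackets and the request URI, referrer and user agent in double quotes. The following parser is an added example (not from the article) that splits such lines into named fields and flags entries a reviewer would want to look at: anonymous requesters and access-denied responses. The two log lines are constructed sample data with obviously fake identifiers; the parser does not handle escaped quotes inside quoted fields.

```python
"""Parse Amazon S3 server access log lines and flag requests worth reviewing."""

# Field names in the order S3 writes them. Newer log versions append further
# fields after these; parse_line keeps any such trailing tokens in "extra".
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time",
    "referer", "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "auth_type", "host_header", "tls_version",
]

# Constructed sample lines (fake IDs, documentation IP range, example account).
SAMPLE_LOG_LINES = [
    'OWNER-EXAMPLE mybucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 - '
    'REQ1-EXAMPLE REST.GET.OBJECT secret/report.pdf '
    '"GET /mybucket/secret/report.pdf HTTP/1.1" 403 AccessDenied 243 - 12 - '
    '"-" "curl/7.64.0" - HOSTID-EXAMPLE - - - mybucket.s3.amazonaws.com -',
    'OWNER-EXAMPLE mybucket [06/Feb/2019:00:01:02 +0000] 192.0.2.10 '
    'arn:aws:iam::123456789012:user/alice REQ2-EXAMPLE REST.PUT.OBJECT '
    'reports/q1.csv "PUT /mybucket/reports/q1.csv HTTP/1.1" 200 - - 5120 40 25 '
    '"-" "aws-sdk-python/1.0" - HOSTID-EXAMPLE SigV4 '
    'ECDHE-RSA-AES128-GCM-SHA256 AuthHeader mybucket.s3.amazonaws.com TLSv1.2',
]


def tokenize(line):
    """Split a log line on whitespace, keeping [...] and "..." groups intact."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        ch = line[i]
        if ch.isspace():
            i += 1
        elif ch == "[":
            end = line.index("]", i)
            tokens.append(line[i + 1:end])
            i = end + 1
        elif ch == '"':
            end = line.index('"', i + 1)
            tokens.append(line[i + 1:end])
            i = end + 1
        else:
            end = i
            while end < n and not line[end].isspace():
                end += 1
            tokens.append(line[i:end])
            i = end
    return tokens


def parse_line(line):
    """Return a dict of named fields; '-' (S3's empty marker) becomes None."""
    tokens = tokenize(line)
    record = {name: (None if value == "-" else value)
              for name, value in zip(FIELDS, tokens)}
    record["extra"] = tokens[len(FIELDS):]
    return record


def flag_suspicious(records):
    """Return (request_id, reason) pairs for entries worth a second look."""
    flags = []
    for r in records:
        if r["requester"] is None:            # unauthenticated access attempt
            flags.append((r["request_id"], "anonymous requester"))
        if r["http_status"] == "403":
            flags.append((r["request_id"], f"access denied: {r['error_code']}"))
    return flags


if __name__ == "__main__":
    records = [parse_line(line) for line in SAMPLE_LOG_LINES]
    for request_id, reason in flag_suspicious(records):
        print(request_id, reason)
```

In practice the parsed records would be fed to whatever log pipeline the team uses; a burst of anonymous 403s against the same bucket is the signature of someone probing for a public bucket, and a 200 from an anonymous requester means the bucket or object really is public.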
Event Notifications:
When enabled, a notification is sent in response to actions taken on objects uploaded to or stored in Amazon S3. Notifications are set up at the bucket level and can be configured through the Amazon S3 console, the REST API or the AWS SDKs. A notification is published when new objects are created (PUT, POST and COPY) or removed (DELETE).