Amazon S3 (stands for Simple Storage Services) is a simple web service interface that allows you to store object based data & retrieve it from anywhere and at any time. It is highly scalable, secure, durable (99.99999999999%), reliable, fast and inexpensive data storage.

Know the fundamentals:

• AWS S3 is object based storage which allows you to upload files, think of a drop-box (it actually uses AWS S3 service to store files), Facebook, Microsoft One Drive, Google Drive.

• Individual Amazon S3 objects can now range in size from 1 byte all the way to 5 terabytes (TB). The size can vary in future so stay tuned at https://aws.amazon.com/blogs/aws/
• Amazon recommends S3 customers to use Multipart upload for object files which are greater than 100MB of size.

• You can upload unlimited data using your individual AWS account and at the backend AWS monitors for the provisioning and scalability as and when required around all the regions in the world.

Files are stored in buckets which are nothing but a folder, you can put your files in the bucket or create as many buckets you want.

• Buckets names in S3 are universal and must be unique. You cannot create the same name if it is already used earlier. For example if I created a bucket called awsmum it creates a namespace as https://s3.ap-south-1.amazonaws.com/awsmum
• S3.ap-South-1 is the region
• awsmum is the bucket, you must use small character alphabet for the bucket name.
• The files would be uploaded & accessed using http secure service
• It is not used to install Operating systems or application databases.

S3 Data Consistency:

AWS S3 provides read-after-write consistency for PUTS of new object (e.g. a file 10MB file) in your bucket (which is a folder). When you upload word document you will be able to view the content immediately however if you try to modify and update the same word file then there will slightly delay in accessing the updated modified due to changes which are replicated across the storage facilities across AWS region. During this updating process the end users will be able to view the file which was originally uploaded or the updated modified file but what user will not see is the corrupted or partial data. For the detailed theory how it works you can refer to http://docs.aws.amazon.com/AmazonS3/latest/dev/Introduction.html .

AWS S3 Storage Classes – Standard / Infrequent Access / Reduced Redundancy / Glacier

S3 Standard:

• S3 Standard provides availability and durability which helps store data across multiple facilities and can sustain the loss of 2 facilities parallel.

S3 Infrequent Access (IA):

• S3 Standard also provides similar availability and durability like standard which helps store data across multiple facilities and can sustain the loss of 1 facilities only. It is much cheaper than S3 as the data is not frequently accessed and is only charged at the retrieval

Key features of Standard and Infrequent Access:

• Frequent accessing of data with highly available (99.99%) and redundant (99. 999999999%)
• Very low latency and high performance
• Backed with AWS S3 SLA for availability
• Supports encryption of data in transit and at rest
• Life cycle management for automatic migration of objects.

S3 Reduced Redundancy:

• Cheaper than standard and IA
• It provides availability (99.99%) & durability (99.99%)
• It is also backed with SLA and can sustain loss of data in a single facility

S3 Glacier:

• Very cheaper than Standard, IA & RR – 1 cent per GB per month
• Used for non-frequent data access & main purpose is for data archival
• Provides durability(99.999999999%) only
• Supports encryption of data in transit and at rest
• Vault lock feature enforces compliance via lockable policy

Below Table Summarize The above Storage Class Features.

AWS S3 Charges

S3 pricing is based on location of the AWS region and are charged for below:

• Storage – Data stored in AWS storage
• Request – Number of request made to S3 bucket
• Storage Management – you can tag and classify the object based on the tagging.
• Data Transfer – Data uploaded in S3 is free but data transfer in different region is charged.
• Transfer Acceleration – It enables fast, secure transfer of your files over long distance between end-user and S3 bucket with the help of cloud front service which is globally distributed.

What we learned so far:

• AWS IAM is global and not limited to any specific region
• Root account is the account through which we signed up for AWS account and by default it has full access to all the services and resources. It is also required to configure MFA for security purpose.

Now that we have understood IAM being a centralized control of your AWS account. Configuring MFA (multi-factor authentication) is one of the mandatory steps for the root account else we notice it shows as a pending task out of the 5 security step. We have successfully configured in previous article

IAM consist of Users, Group, Roles & policy documents and further we will understand more how to configure those & use it. After setting up the multi-factor authentication (MFA) on AWS root account we will further create User and Group so that we can delegate AWS service & resources access to dedicated authorized users.

Let us use “SAM” as a new user and below you will find two access type option.

1. Programmatic Access – User needs access key ID and secret access key to access the AWS service using API, CLI, SDK and other development tools.

2. AWS Management Access Console – User needs password to login using web AWS management console

While creating user you could also create more than one users and assign option to change password at first sign in. If you notice there are two access type

Instead of assigning the AWS services directly to the users let’s create custom group and add users to it which is a best practice. You might want to create groups based on the organization requirement and delegation purpose like HR, System Admin, Finance etc. As a group the policies are applied to users

We will create a group called “SystemAdmin” and assign policy “AdministratorAccess” to manage AWS services. Policy document is set of permissions which are assigned to group & any users who are member of the group inherits the permission. Policy document “AdministratorAccess” as mentioned below provides full access to AWS services and resources.

You can drill down to see the code (Jason format) which details attributes and its value. If you are developer you will love to read this and look for other policy documents too.

• Attributes – versions, statement, effect, action & resource
• Values – date, Allow, *(wildcard)

User is added to the Group – “SystemAdmin”

Review the summary

After clicking on create you will see the below details. Since we have selected both the access type; user is assigned not only with Access Key ID, Secret Access Key but also with password to access AWS services and resources using programmatic as well as via management console

Let’s understand roles, it is just a set of permission that grants access to actions and resources in AWS. It allows one service to interact with another AWS service and in further article we will understand more about roles.

Let us create a role called “AmazonEC2”

Select AmazonEC2 service under role type under AWS service roles and click on select

Select the policy AmazonEC2FullAccess & click on next step.

Review the role summary

Now the role is created and available as mentioned below. Working with role is again a vast topic we will see in further articles.

Now that we have created role lets finish the last part of the security status i.e. configure and apply IAM password policy.

Click on manage password policy

Below is the default option and let’s modify as your requirement, in my case I had updated password length with 8 and enabled password expiration to 30days.

Below is the security status which shows that we completed the 5 out of 5 steps complete.

Let’s summarize:

• New users have no permission by when created and hence Administrator must assign permission to access AWS services and resources.
• Access Key ID and Secret Key are different from Password and used for different purpose for example access type called Programmatic and Management Console. You cannot use password to do programmatic Access type & key ID/Secret Key to do Management console access.
• Configure MFA at least on your AWS root account for security purpose.
• You can create your own password policies under AWS IAM as per your requirement.

This is not the end of AWS IAM, there is lot to learn and deep dive on this topic but we have gone through the overview and a quick hands-on. We will explore more in the coming articles so stay tuned.