
Amazon Simple Storage Service (Amazon S3)

What Is This Service?

Amazon S3 is AWS’s fully managed object storage service designed for durability, scalability, security, and global accessibility.

Stores:

Objects = Data + Metadata + Key

Not:

Filesystem
Block storage
Database

Mental model:
S3 = infinitely scalable object storage + security control plane + data lake foundation.

Durability:

11 9’s (99.999999999%)

Availability depends on storage class.


Why It Matters for Security

S3 is the most frequently exposed AWS service.

Security goals:

  • Prevent public exposure
  • Enforce encryption
  • Control data access
  • Protect backups
  • Enable governance
  • Support compliance

Security outcomes:

  • Centralized storage security
  • Fine-grained access control
  • Immutable retention
  • Secure sharing
  • Large-scale auditability

Typical use cases:

  • Data lakes
  • Backup
  • Static websites
  • Analytics
  • Application assets
  • Log storage

Architecture Example

flowchart LR
    Users
    CloudFront
    Bucket[S3 Bucket]
    AccessPoint[S3 Access Point]
    KMS[KMS]
    IAM[IAM]
    Org[Organizations]
    Versioning[Versioning]
    ObjectLock[Object Lock]
    Replication[Replication]
    Users --> CloudFront
    CloudFront --> AccessPoint
    AccessPoint --> Bucket
    IAM --> Bucket
    KMS --> Bucket
    Versioning --> Bucket
    ObjectLock --> Bucket
    Bucket --> Replication
    Replication --> Org

Core architecture:

Identity
 ↓
Bucket
 ↓
Object
 ↓
Policy
 ↓
Protection

Workflow(s)

Secure Object Access

sequenceDiagram
    participant User
    participant IAM
    participant S3
    User->>IAM: Request authorization
    IAM-->>User: Allow
    User->>S3: GetObject
    S3-->>User: Return object

Cross-Account Access

sequenceDiagram
    participant AccountA
    participant Bucket
    participant AccountB
    AccountA->>Bucket: Bucket Policy
    AccountB->>Bucket: Access request
    Bucket-->>AccountB: Object access

Object Lock Protection

sequenceDiagram
    participant User
    participant S3
    participant ObjectLock
    User->>S3: Delete object
    S3->>ObjectLock: Validate retention
    ObjectLock-->>S3: Deny
    S3-->>User: Delete rejected

Replication Workflow

sequenceDiagram
    participant Source
    participant S3
    participant Destination
    Source->>S3: PutObject
    S3->>Destination: Replicate
    Destination-->>S3: Complete

Core Concepts

Buckets

Containers for objects.

Properties:

  • Globally unique name
  • Region-scoped storage
  • Unlimited objects

Exam trap:

Bucket names are global.

Buckets are regional.


Objects

Consist of:

Data
Metadata
Key
Version ID

Maximum object size:

5 TB

Single PUT:

5 GB

Multipart upload above that.


Prefixes

Logical organization.

Example:

logs/2026/app.log

Not actual folders.

Exam trap:

S3 has no directories.


Versioning (MOST TESTED)

Protects against:

  • Accidental overwrite
  • Deletion

Delete action:

Delete Marker

Not immediate deletion.

Required for:

  • Replication
  • Object Lock

Storage Classes

Standard

Multi-AZ.

General purpose.


Standard-IA

Lower cost.

Retrieval fees.


One Zone-IA

Single AZ.

Lower durability.


Intelligent-Tiering

Automatic movement.


Glacier Instant Retrieval

Fast archive access.


Glacier Flexible Retrieval

Archive.


Glacier Deep Archive

Lowest cost.

Hours retrieval.

Exam shortcut:

Archive ≠ Backup.


Important Integrations

AWS KMS (VERY HIGH VALUE)

Supports:

SSE-KMS

Controls:

  • Encryption
  • Audit
  • Access

IAM

Controls:

  • Identity permissions

Bucket Policies

Controls:

  • Resource access

Cross-account patterns.


Access Points (HIGH VALUE)

Application-specific access.

Provides:

  • Policy segmentation

Pattern:

App
 ↓
Access Point
 ↓
Bucket

Multi-Region Access Points

Global access layer.

Supports:

  • Automatic routing

Not replication.

Massive exam trap.


AWS Organizations

Supports:

  • SCP
  • Central governance

CloudFront

Recommended for:

  • Global secure delivery

AWS Backup

Supports:

  • S3 recovery

Backup ≠ replication.


Macie

Discovers:

  • Sensitive data

Security Features

Block Public Access (MOST TESTED)

Controls:

Public ACLs
Public Policies

Recommended:

Enable account-wide

Overrides any public ACL or public bucket policy.

Massive exam topic.


Object Ownership

Modern default:

Bucket owner enforced

Effect:

ACLs disabled

Exam trap:

ACLs increasingly deprecated.


Encryption At Rest

Supported:

SSE-S3

AWS-managed.


SSE-KMS

Customer control.


DSSE-KMS

Dual-layer KMS encryption.

Advanced exam topic.


SSE-C

Customer-supplied keys.

Rare.


Encryption In Transit

Supports:

HTTPS

Enforce using bucket policy.


Object Lock (VERY HIGH VALUE)

Provides:

WORM

Requires:

Versioning

Modes:

Governance

Privileged users can bypass retention.


Compliance

Immutable.

Retention cannot be removed by any user.

Supports retention.
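A toy model of the Versioning and Object Lock behaviour described above: a plain DELETE only adds a delete marker, Object Lock refuses to enable without versioning, Governance retention can be bypassed by a privileged caller while Compliance cannot. This is an added illustration, not S3 code or part of the original notes; the VersionedBucket class, key names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import uuid

@dataclass
class Version:
    version_id: str
    data: Optional[bytes]               # None means this version is a delete marker
    retain_until: Optional[date] = None
    mode: Optional[str] = None          # "GOVERNANCE" or "COMPLIANCE"

class VersionedBucket:
    """Toy model (constructed, not S3 itself) of versioning plus Object Lock."""
    def __init__(self, versioning=True, object_lock=False):
        if object_lock and not versioning:
            raise ValueError("Object Lock requires versioning")
        self.object_lock = object_lock
        self.objects = {}                 # key -> list of Version, oldest last

    def put(self, key, data, mode=None, retain_until=None):
        """retain_until is an ISO date string, e.g. '2099-01-01'."""
        if mode and not self.object_lock:
            raise ValueError("bucket has no Object Lock configuration")
        until = date.fromisoformat(retain_until) if retain_until else None
        v = Version(uuid.uuid4().hex[:8], data, until, mode)
        self.objects.setdefault(key, []).append(v)
        return v.version_id

    def get(self, key):
        """Plain GET returns the current version; a delete marker on top reads as 404."""
        versions = self.objects.get(key)
        if not versions or versions[-1].data is None:
            return None
        return versions[-1].data

    def delete(self, key, version_id=None, bypass_governance=False, today=None):
        """No version_id: add a delete marker, destroy nothing. With version_id:
        permanently remove it unless retention is active. GOVERNANCE can be bypassed
        by a caller holding s3:BypassGovernanceRetention; COMPLIANCE cannot."""
        today = date.fromisoformat(today) if today else date.today()
        versions = self.objects.setdefault(key, [])
        if version_id is None:
            versions.append(Version(uuid.uuid4().hex[:8], None))
            return "delete-marker"
        v = next(x for x in versions if x.version_id == version_id)
        if v.retain_until and today < v.retain_until:
            if v.mode == "COMPLIANCE" or not bypass_governance:
                raise PermissionError(f"{v.mode} retention active until {v.retain_until}")
        versions.remove(v)
        return "permanent"
```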


MFA Delete (HIGH VALUE)

Protects:

  • Version deletion
  • Version suspension

Root required.

CLI/API only.

Massive exam trap.


Access Analyzer

Finds:

  • Public buckets
  • Cross-account access

Advanced Security and Operational Concepts

S3 Authorization Evaluation (MOST TESTED)

Evaluation:

SCP + IAM + Bucket Policy + ACL + Explicit Deny

Any deny:

DENY

Bucket Policy vs IAM Policy

IAM:

Who

Bucket:

Who + External Access

Cross-account:

Prefer:

Bucket Policy
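A worked simulation of the evaluation order above, covering the HTTPS-only bucket policy from Encryption In Transit and the cross-account rule here. This is an added example, not from the original notes and not AWS's evaluator: it models only Bool and String conditions, treats SCPs as deny-list style, omits ACLs, and uses constructed account ids, bucket names and policies.

```python
import fnmatch

BUCKET, OWNER = "arn:aws:s3:::example-bucket", "111111111111"  # constructed sample values
BUCKET_POLICY = [  # constructed: HTTPS-only for everyone, read access for account 2222...
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "CrossAccountRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
]
# Condition operators modelled here. For an absent context key, Bool and
# StringEquals fail while StringNotEquals passes, as in IAM.
OPS = {"Bool": lambda have, want: str(have).lower() == str(want).lower(),
       "StringEquals": lambda have, want: have == want,
       "StringNotEquals": lambda have, want: have != want}
_as_list = lambda v: v if isinstance(v, list) else [v]

def _matches(stmt, req):
    """True when principal, action, resource and every condition apply to req."""
    principal = stmt.get("Principal", "*")   # IAM and SCP statements carry no Principal
    if principal != "*":
        allowed = set(_as_list(principal.get("AWS", [])))
        if not allowed & {"*", req["principal"], f"arn:aws:iam::{req['account']}:root"}:
            return False
    if not any(fnmatch.fnmatch(req["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatch(req["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    for op, pairs in stmt.get("Condition", {}).items():
        for key, want in pairs.items():
            if not OPS[op](req["context"].get(key), want):
                return False
    return True

def authorize(req, scp, iam, bucket_policy=BUCKET_POLICY, owner=OWNER):
    """Any explicit Deny (SCP, caller's IAM, bucket policy) wins. Otherwise a
    same-account caller needs an Allow in IAM or the bucket policy, a cross-account
    caller needs one in both. SCPs are treated as deny-list style; ACLs are omitted."""
    for source, stmts in (("SCP", scp), ("IAM", iam), ("BucketPolicy", bucket_policy)):
        for s in stmts:
            if s["Effect"] == "Deny" and _matches(s, req):
                return "DENY", f"explicit deny ({source}/{s.get('Sid', '?')})"
    iam_ok = any(s["Effect"] == "Allow" and _matches(s, req) for s in iam)
    bp_ok = any(s["Effect"] == "Allow" and _matches(s, req) for s in bucket_policy)
    if (iam_ok or bp_ok) if req["account"] == owner else (iam_ok and bp_ok):
        return "ALLOW", "IAM" if iam_ok else "BucketPolicy"
    return "DENY", "no matching allow"
```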

ACLs Are Legacy

Modern:

Object Ownership
↓
ACL Disabled

Exam shortcut:

Do not choose ACL first.


S3 Is Strongly Consistent

Supports:

PUT
GET
LIST

Immediately.

Old eventual consistency questions are obsolete.


Replication Nuances (VERY HIGH VALUE)

Types:

SRR

Same Region Replication


CRR

Cross Region Replication

Requirements:

Versioning

Replication:

  • New objects only
  • Asynchronous

Delete markers:

Not replicated by default.

Exam trap.


Multi-Region Access Point ≠ Replication

MRAP:

Routing

CRR:

Data Copy

Presigned URLs

Temporary object access.

Signed by:

IAM principal

Exam trap:

Permissions are inherited from the signing principal.


Event Notifications

Targets:

  • Lambda
  • SNS
  • SQS

Not:

FIFO SQS

Exam nuance.


Storage Lens

Organization-wide storage analytics.


Requester Pays

Requester pays:

  • Retrieval
  • Transfer

Owner pays:

  • Storage

Comparisons

Service       Storage Type     Shared   POSIX   Primary Use
S3            Object           Yes      No      Data Lake
EFS           File             Yes      Yes     Shared Apps
EBS           Block            No       No      Instances
FSx Lustre    Parallel Files   Yes      Yes     HPC
Glacier       Archive Class    No       No      Long Retention

Common Exam Traps

  1. Buckets are regional.

  2. Names are global.

  3. Versioning required for replication.

  4. Object Lock requires versioning.

  5. Block Public Access overrides public configs.

  6. Bucket Owner Enforced disables ACLs.

  7. MRAP ≠ replication.

  8. S3 is strongly consistent.

  9. MFA Delete requires root.

  10. SSE-KMS enables auditability.

  11. Explicit deny always wins.

  12. Archive ≠ backup.

  13. Presigned URLs inherit creator permissions.


5-Second Recall

  • S3 = object storage
  • Versioning enables protection
  • Block Public Access first
  • KMS for control
  • Object Lock = WORM
  • MRAP routes
  • Replication copies

Quick Revision Notes

  • Object storage foundation
  • Strong consistency
  • Versioning unlocks advanced features
  • Object Lock protects immutability
  • Access Points simplify access
  • KMS provides encryption governance
  • Bucket Owner Enforced disables ACLs
  • CRR requires versioning
  • Block Public Access everywhere
  • Most tested storage service