Lab 1 - Amazon Simple Storage (S3)

This document provides instructions for a lab that introduces Amazon Simple Storage Service (Amazon S3) by having students complete tasks using the AWS Management Console. The tasks include creating an S3 bucket, uploading objects, making objects public, and creating a bucket policy. The lab aims to teach students how to perform basic S3 operations and manage access permissions.

Uploaded by

Hector Andrade
Copyright
© All Rights Reserved

Lab 1 - Amazon Simple Storage (S3) | Qwiklabs

© 2021 Amazon Web Services, Inc. and its affiliates. All rights reserved. This work may
not be reproduced or redistributed, in whole or in part, without prior written permission
from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited.
All trademarks are the property of their owners.
Corrections, feedback, or other questions? Contact us at AWS Training and Certification.
Overview
This lab introduces you to Amazon Simple Storage Service (Amazon S3) by using the
AWS Management Console.
Amazon Simple Storage Service (Amazon S3) is storage for the internet. You can use
Amazon S3 to store and retrieve any amount of data at any time, from anywhere on the
web.
Topics Covered
After completing this lab, you can:
• Create a bucket in Amazon S3
• Add an object to your bucket
• Manage access permissions on an object
• Create a bucket policy
• Use bucket versioning
• Host a static website

Start Lab
1. At the top of your screen, launch your lab by choosing Start Lab
This starts the process of provisioning your lab resources. An estimated amount of time to
provision your lab resources is displayed. You must wait for your resources to be
provisioned before continuing.
If you are prompted for a token, use the one distributed to you (or credits you have
purchased).
2. Open your lab by choosing Open Console
This opens an AWS Management Console sign-in page.
3. On the sign-in page, configure:
• IAM user name:
• Password: Paste the value of Password from the left side of the lab page
• Choose Sign In
Do not change the Region unless instructed.
Common Login Errors
Error: You must first log out

If you see the message, You must first log out before logging into a different AWS
account:
• Choose click here
• Close your browser tab to return to your initial lab window
• Choose Open Console again

Task 1: Create a Bucket


In this task, you will create an Amazon S3 bucket. Every object in Amazon S3 is stored in a
bucket. When you create your bucket, please ensure that you create your bucket in your lab
region. Your LabRegion is located to the left of these instructions. You might see
additional buckets which you do not have access to.
4. In the AWS Management Console, on the Services menu, choose S3.
5. Choose Create bucket, then configure:
• Bucket name:
• Replace INITIALS with your initials.
• Replace NUMBER with a random number.
• Leave Region at its default value.
Selecting a particular Region allows you to optimize latency, minimize costs, or address
regulatory requirements. Objects that are stored in a Region never leave that Region, unless
you explicitly transfer them to another Region.
The Copy settings from an existing bucket option can be used to create buckets that use
the same settings as another bucket. For this lab, you will not use this option.
6. Under Bucket settings for Block Public Access, examine the Block public access
(bucket settings) section. No changes are needed; leave the settings as-is.
The default setting, 'Block all public access', prevents all public access to data stored in the
bucket.
7. Choose Create bucket
If you receive an error that states that Bucket with the same name already exists, then
change the bucket name, and try these steps again until it works.
You have now successfully created a bucket.
For this lab, you will enable versioning.
8. Choose your bucket.
9. Choose the Properties tab.
10. In the Bucket Versioning section, choose Edit
11. Enable bucket versioning.
Task 2: Upload an Object to the Bucket
Now that you have created a bucket, you are ready to store objects. An object can be any
kind of file: a text file, a photo, a video, a .zip file, etc. When you add an object to Amazon
S3, you have the option of including custom metadata with the object, and setting
permissions to control access to the object.
In this task, you will upload objects to your Amazon S3 bucket.
12. Right-click this link, and download the picture to your computer: hi.gif
13. Within your bucket, choose the Objects tab.
14. Choose Upload
15. Choose Add files
16. Browse to and select the hi.gif file that you downloaded.
17. Choose Upload
After your file is finished uploading, it will be displayed in the bucket.
Task 3: Make Your Object Public
In this task, you will configure permissions on your object so that it is publicly accessible.
First, you will attempt to access the object to confirm that it is private by default.
18. Choose the hi.gif file.
19. Copy the Amazon S3 Object URL.
The link should look similar to this: https://mybucket-af-123.s3-us-west-1.amazonaws.com/hi.gif
20. Open a new web browser tab, paste the link into the address field, and press enter.
You should receive an Access Denied error. This is because objects in Amazon S3 are
private by default.
You will now configure the object to be publicly accessible.
21. Keep this browser tab open, but return to the web browser tab with the S3
Management Console. This is the same screen where you copied the hi.gif access
Link.
You will now change the Bucket Permissions to unblock the default public access settings.
22. Choose the name of your bucket at the top of the window. (You might have to scroll
up the window to find it.)
23. Choose the Permissions tab.
24. Choose Edit under the Block public access (bucket settings) section.
25. Configure the following settings:
• Uncheck Block all public access
26. Choose Save changes
27. On the Edit block public access (bucket settings) pop-up screen, type and choose
Confirm
You should receive a notification saying Successfully edited bucket settings for Block
Public Access. You should now be able to configure the bucket to allow uploads of public
objects and public access to objects.
28. Choose the Objects tab. You should see hi.gif in the list.
You will now change the Object Permissions to allow public read access.
29. Choose the hi.gif name.
30. Scroll down to the Access control list section, then click Edit
31. Next to Everyone, select Read.
32. Select I understand the effects of these changes on this object.
33. Click Save changes
34. Return to the browser tab that displayed Access Denied, and refresh the browser
page.

Your picture should now be displayed because it is publicly accessible.


35. Close the web browser tab that displays your picture, and return to the web browser
tab with the S3 Management Console.
In this example, you granted read access only to a specific object. If you want to grant
access to an entire bucket, you would use a bucket policy.
Task 4: Create a Bucket Policy
A bucket policy is a set of permissions that are associated with an Amazon S3 bucket. It can
be used to control access to a whole bucket, or to specific directories within a bucket.
You will now upload a new file, and verify that it is not publicly accessible.
36. Right-click this link, and download the picture to your computer: Eiffel.jpg
37. In the S3 Management Console, choose the name of your bucket at the top of the
window.
38. Choose Upload, then use the same upload process to upload the Eiffel.jpg file.
39. Click the Eiffel.jpg file.
40. Copy the Amazon S3 Object URL.
41. Open a new web browser tab, paste the link into the address field, and then press
ENTER.
Once again, Access Denied will be displayed. You will now configure a bucket policy to
grant access to all objects in the bucket, without having to specify permissions on each
object individually.
42. Keep this browser tab open, but return to the web browser tab with the S3
Management Console.
43. Choose the name of your bucket at the top of the window.
You should see a list of the objects in your bucket. If you do not, navigate back to your
bucket so that you see the list of objects you have uploaded.
You will now change the bucket permissions to unblock the default public access settings.
44. Choose the Permissions tab.
45. Under Block public access, choose Edit, then configure the following settings:
• Clear Block public access to buckets and objects granted through new public
bucket or access point policies by choosing
• Clear Block public and cross-account access to buckets and objects through any
public bucket or access point policies by choosing
46. Choose Save changes
47. On the Edit block public access (bucket settings) pop-up screen, type and Choose
Confirm
You should receive a notification that says Public access settings updated successfully.
Your bucket now should let you configure public access to all objects in it.
48. Scroll down to the Bucket policy section, then choose Edit
A blank Bucket policy editor is displayed. Bucket policies can be created manually, or
they can be created with the assistance of the AWS Policy generator.
Before creating the policy, you will need to copy the ARN (Amazon Resource Name) of
your bucket.
ARNs uniquely identify AWS resources across all of AWS. Each section of the ARN is
separated by a ":" and represents a specific piece of the path to the specified resource. The
sections can vary slightly depending on the service being referenced, but generally follow
this format:
arn:partition:service:region:account-id:resource
Amazon S3 does not require region or account-id parameters in ARNs, so those sections
are left blank. However, the ":" to separate the sections is still used, so it looks similar to
arn:aws:s3:::mybucket-jwt-312341234123412342143
Refer to the Additional Resources section at the end of the lab for links to more
information.
49. Copy the ARN of your bucket to the clipboard. It is displayed at the top of the
policy editor.
50. Choose the Policy generator button.
A new web browser tab will open with the AWS Policy Generator.
AWS policies use the JSON format, and are used to configure granular permissions for
AWS services. While you can write the policy in JSON manually, the AWS Policy
Generator allows you to create it using a friendly web interface.
51. In the AWS Policy Generator window, configure the following:
• Select Type of Policy: S3 Bucket Policy
• Effect: Allow
• Principal: *
Using the * with Principal means that anyone will be able to perform the actions in the
policy. Refer to the Additional Resources section at the end of the lab for links to more
information about AWS JSON policy elements.
• AWS Service: Amazon S3
• Actions: GetObject
The GetObject action grants permission for objects to be retrieved from Amazon S3.
Refer to the Additional Resources section at the end of the lab for links to more information
about the actions available for use in Amazon S3 policies.
• Amazon Resource Name (ARN): Paste the ARN that you previously copied.
• At the end of the ARN, append /*
The ARN should look similar to: arn:aws:s3:::mybucket-jwt-2341234213412/*
An Amazon Resource Name (ARN) is a standard way to refer to resources within AWS. In
this case, the ARN is referring to your S3 bucket. Adding /* to the end of the bucket name
allows the policy to apply to all objects within the bucket.
52. Choose Add Statement. The details of the statement you configured are added to a
table below the button. You can add multiple statements to a policy.
53. Choose Generate Policy.
A new window is displayed showing the generated policy in JSON format. It should look
similar to:
{
  "Id": "Policy1557511288767",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1557511286634",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mybucket-jwt-2341234213412/*",
      "Principal": "*"
    }
  ]
}
Confirm that /* appears after your bucket name as shown in the Resource line in the sample
above.
54. Copy the policy you created to your clipboard.
55. Close the web browser tab and return to the tab with the Bucket policy editor.
56. Paste the bucket policy you created into the Bucket policy editor.
57. Choose Save changes
You have just applied a bucket policy to your bucket. With this policy, all objects in your
bucket are now publicly accessible.
Notice the warning message at the top of the screen that shows Public.
58. Return to the browser tab that displayed Access Denied and refresh the page.
Use caution when you grant anonymous access to your Amazon S3 bucket. When you grant
anonymous access, anyone in the world can access your bucket. We highly recommend that
you never grant any kind of anonymous write access to your Amazon S3 bucket.
59. Return to the browser tab that displayed Access Denied, and refresh the page.

You should now see a picture of the Eiffel Tower. This is because the bucket policy applies
to the bucket as a whole, without having to grant individual permissions to each object
individually.
60. Keep this browser tab open, but return to the web browser tab with the S3
Management Console.
Task 5: Explore Versioning
Versioning is a means of keeping multiple variants of an object in the same bucket. You
can use versioning to preserve, retrieve, and restore every version of every object that is
stored in your Amazon S3 bucket. With versioning, you can easily recover from both
unintended user actions and application failures.
In this task, you will upload a different version of the Eiffel Tower picture.
61. Right-click this link and save the picture to your computer using the same name:
Eiffel.jpg
Though this file has the same name as the previous file, it is a different picture. Save it to a
different location or override the existing Eiffel.jpg so that you can notice the version
change once you upload.
62. In the S3 Management Console, choose the Objects tab.
63. Choose Upload and use the same upload process to upload the new Eiffel.jpg
picture.
This is the same upload process you used in Task 2 (Upload an Object to the Bucket).
64. Go to the browser tab that has the picture of the Eiffel tower.
65. Take note of the contents of the picture, then refresh the page.

You should now see a different picture. Amazon S3 always returns the latest version of an
object, if a version is not otherwise specified.
You can also obtain a list of available versions in the S3 Management Console.
66. Close the web browser tab that is displaying the Eiffel Tower.
67. In the S3 Management Console, choose the name of the Eiffel.jpg object.
68. Choose the Versions tab.
69. Select the bottom version (which is not the latest version):
70. Choose Actions > Open.
You should now see the first version of the picture by using the S3 Management Console.
However, if you try to access the older Eiffel Tower picture by using the Amazon S3 URL
link, you will receive an Access denied message. This is expected in the lab because you
only have permission to access the latest version of the object. In order to access the
previous version of the object, you need to update your bucket policy to have the
"s3:GetObjectVersion" permission. Here is an example bucket policy that allows you to
access the older version using the link:
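The check below is an added example, not part of the original lab or AWS's own tooling. It audits a bucket policy document offline for the anonymous grants set up in Task 4 and for the s3:GetObjectVersion grant described above, which exposes every older version of an object as well as the latest one; the sample policy, bucket name, Sids and finding labels are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Actions that change objects or permissions (a subset chosen for this example).
WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
                 "s3:PutObjectAcl", "s3:PutBucketAcl", "s3:PutBucketPolicy"]

def as_list(value):  # policy elements may be a single value or a list
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    """True for "Principal": "*" and {"AWS": "*"}; both mean anyone at all."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in as_list(principal)

def grants(patterns, action):
    """True if any Action pattern (wildcards allowed, case-insensitive) covers action."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_s3_arn(resource):
    """Check the arn:partition:s3:::resource shape (region and account-id left blank)."""
    parts = resource.split(":", 5)
    return len(parts) == 6 and parts[0] == "arn" and parts[2] == "s3" and parts[5] != ""

def audit_bucket_policy(policy_json):
    """Return sorted (sid, finding) pairs for one bucket policy document."""
    findings = set()
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if not all(is_s3_arn(r) for r in as_list(stmt.get("Resource", []))):
            findings.add((sid, "resource-not-arn"))
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        # A Condition may narrow the grant, so mark those findings for manual review.
        suffix = "-conditional" if "Condition" in stmt else ""
        actions = as_list(stmt.get("Action", []))
        if any(grants(actions, w) for w in WRITE_ACTIONS):
            findings.add((sid, "anonymous-write" + suffix))
        if grants(actions, "s3:GetObjectVersion"):
            findings.add((sid, "anonymous-read-all-versions" + suffix))
        if grants(actions, "s3:GetObject"):
            findings.add((sid, "anonymous-read-current" + suffix))
    return sorted(findings)

# Constructed sample: bucket name and Sids are placeholders, not values from the lab.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:GetObjectVersion"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:*", "Resource": "example-bucket/*"}]})
if __name__ == "__main__":
    print(*audit_bucket_policy(SAMPLE), sep="\n")
```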
Task 6: Host a Static Website
In this task, you will learn how to host a static website on Amazon S3. On a static website,
individual webpages include static content. They might also contain client-side scripts.
To host a static website, you configure an Amazon S3 bucket for website hosting, and then
upload your website content to the bucket. This bucket must have public read access. It is
intentional that everyone in the world will have read access to this bucket.
71. Right-click this link, and save the file to your computer by using the same name:
index.html
72. In the S3 Management Console, choose your bucket that starts with the name
mybucket.
73. Choose Upload and use the same upload process to upload the index.html file that
you just downloaded.
This is the same upload process you used in Task 2 (Upload an Object to the Bucket).
74. Choose Exit
75. Choose the Properties tab.
76. Scroll down to the Static website hosting section, then choose Edit
77. For Static website hosting, choose Enable.
78. For Index document, type
79. For Error document, type
80. Click Save changes
81. Scroll down to the Static website hosting section.
This should look similar to http://mybucket-sp-123.s3-website-us-west-2.amazonaws.com
82. You should see the static webpage that you just created, which should be similar to
the image below.

Lab Complete
Congratulations! You now have successfully learned how to:
• Create a bucket in Amazon S3
• Add an object to your bucket
• Manage access permissions on an object
• Create a bucket policy
• Use bucket versioning
• Host a static website
End Lab
Follow these steps to close the console, end your lab, and evaluate the experience.
83. Return to the AWS Management Console.
84. On the navigation bar, choose awsstudent@<AccountNumber>, and then choose
Sign Out.
85. Choose End Lab
86. Choose OK
87. (Optional):
• Select the applicable number of stars
• Type a comment
• Choose Submit
o 1 star = Very dissatisfied
o 2 stars = Dissatisfied
o 3 stars = Neutral
o 4 stars = Satisfied
o 5 stars = Very satisfied
You may close the window if you don't want to provide feedback.
Additional Resources
• Amazon S3
• Editing Object Permissions
For more information about AWS Training and Certification, see
http://aws.amazon.com/training/.
Your feedback is welcome and appreciated.
If you would like to share any feedback, suggestions, or corrections, please provide the
details in our AWS Training and Certification Contact Form.