S3 Section

Uploaded by

muscabfuad76
ALPHA UNIVERSITY COLLEGE

AWS Certified Cloud Practitioner


CLF-C02
Amazon S3 Section

Introduction
• Amazon S3 is one of the main building blocks of AWS
• It’s advertised as “infinitely scaling” storage

• Many websites use Amazon S3 as a backbone


• Many AWS services use Amazon S3 as an integration as well
• We’ll have a step-by-step approach to S3
Amazon S3 Use cases
• Backup and storage
• Disaster Recovery
• Archive
• Hybrid Cloud storage
• Application hosting
• Media hosting
• Data lakes & big data analytics
• Software delivery
• Static website

Examples:
• Nasdaq stores 7 years of data into S3 Glacier
• Sysco runs analytics on its data and gains business insights
Amazon S3 - Buckets
• Amazon S3 allows people to store objects (files) in “buckets” (directories)
• Buckets must have a globally unique name (across all regions and all accounts)
• Buckets are defined at the region level
• S3 looks like a global service but buckets are created in a region
• Naming convention
• No uppercase, No underscore
• 3-63 characters long
• Not an IP
• Must start with lowercase letter or number
Amazon S3 - Objects
• Objects (files) have a Key
• The key is the FULL path:
• s3://my-bucket/my_file.txt
• s3://my-bucket/my_folder1/another_folder/my_file.txt
• The key is composed of prefix + object name
• s3://my-bucket/my_folder1/another_folder/my_file.txt
• Object values are the content of the body:
• Max. Object Size is 5TB (5000GB)
• If uploading more than 5GB, must use “multi-part upload”
Amazon S3 – Security
• User-Based
• IAM Policies – which API calls should be allowed for a specific user from IAM
• Resource-Based
• Bucket Policies – bucket wide rules from the S3 console - allows cross account
• Object Access Control List (ACL) – finer grain (can be disabled)
• Bucket Access Control List (ACL) – less common (can be disabled)

Note: an IAM principal can access an S3 object if


• The user IAM permissions ALLOW it OR the resource policy ALLOWS it
• AND there’s no explicit DENY

• Encryption: encrypt objects in Amazon S3 using encryption keys


S3 Bucket Policies
• JSON based policies
• Resources: buckets and objects
• Effect: Allow / Deny
• Actions: Set of API to Allow or Deny
• Principal: The account or user to apply the policy to
• Use S3 bucket policy to:
• Grant public access to the bucket
• Force objects to be encrypted at upload
• Grant access to another account (Cross Account)
Example: Public Access - Use Bucket Policy
Example: User Access to S3 – IAM permissions
Example: EC2 instance access - Use IAM Roles
Advanced: Cross-Account Access – Use Bucket Policy
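The access rule from the note in the Security section, applied to the bucket policy elements listed above (Effect, Action, Resource, Principal). This is an added example, not part of the original slides: a simplified same-account evaluator that ignores Condition blocks and other policy types. The account ID, user names and bucket name are constructed placeholders.

```python
import re

def _match(pattern, value):
    # IAM-style wildcards: "*" is any run of characters, "?" is exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _applies(stmt, principal, action, resource, resource_based):
    if resource_based:  # only resource policies carry a Principal element
        p = stmt["Principal"]
        named = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if "*" not in named and principal not in named:
            return False
    return (any(_match(a, action) for a in _as_list(stmt["Action"]))
            and any(_match(r, resource) for r in _as_list(stmt["Resource"])))

def evaluate(principal, action, resource, iam_policy, bucket_policy):
    """Return the decision for one request under the rule in the note."""
    effects = set()
    for policy, resource_based in ((iam_policy, False), (bucket_policy, True)):
        for stmt in policy["Statement"]:
            if _applies(stmt, principal, action, resource, resource_based):
                effects.add(stmt["Effect"])
    if "Deny" in effects:  # an explicit Deny overrides every Allow
        return "Deny (explicit)"
    return "Allow" if "Allow" in effects else "Deny (implicit)"

# Constructed sample policies (account ID and names are placeholders).
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
BUCKET = "arn:aws:s3:::example-bucket"
ALICE_IAM = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}
NO_IAM = {"Statement": []}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": BUCKET + "/public/*"},
    {"Effect": "Deny", "Principal": {"AWS": ALICE}, "Action": "s3:*",
     "Resource": BUCKET + "/private/*"}]}

if __name__ == "__main__":
    for who, act, key in [(ALICE, "s3:GetObject", "/reports/a.csv"),
                          (ALICE, "s3:GetObject", "/private/keys.txt"),
                          (BOB, "s3:GetObject", "/public/index.html"),
                          (BOB, "s3:PutObject", "/public/index.html")]:
        iam = ALICE_IAM if who == ALICE else NO_IAM
        print(who.rsplit("/", 1)[1], act, key, "->",
              evaluate(who, act, BUCKET + key, iam, BUCKET_POLICY))
```

The second request shows the explicit Deny in the bucket policy overriding the Allow in the user's IAM policy; the third shows the bucket policy alone granting access to a user with no IAM permissions.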
Amazon S3 – Static Website Hosting
• S3 can host static websites and have them accessible on the Internet

• The website URL will be (depending on the region)
• http://bucket-name.s3-website-aws-region.amazonaws.com
OR
• http://bucket-name.s3-website.aws-region.amazonaws.com

• If you get a 404 Forbidden error, make sure the bucket policy allows public reads!
