Simple Storage Service


  • Object-based storage
  • Buckets are region specific, but the S3 namespace is universal
  • Objects are stored as key/value pairs along with a version ID and metadata
    • Key - the object name
    • Value - the actual data
    • Version - the object's version ID
    • Metadata - permissions, etc.
  • Maximum object size is 5 TB
  • PUT request - maximum size is 5 GB

Storage Classes

Permissions

  • Can be controlled via
    • Access Control Lists (object level)
    • Bucket Policies (Bucket level)

Encryption

  • Objects can be encrypted with S3-managed keys (SSE-S3), KMS-managed keys (SSE-KMS), or customer-managed keys (CMKs)
  • A request can carry the x-amz-server-side-encryption header to select the server-side encryption method for the object: SSE-S3, SSE-KMS, or a CMK

Server-Side Encryption (SSE):

  • Amazon S3 uses AES-256 to encrypt data at rest on the server side for both SSE-S3 and SSE-KMS.

Client-Side Encryption:

  • The client encrypts data locally before uploading it to S3; a CMK protects the data key rather than the data itself.
  • Key steps in client-side encryption:
    1. Data key generation: the client (your application) generates a random, unique data key to encrypt the object data.
    2. Data encryption: the client uses the data key to encrypt the object data.
    3. Key encryption: the client uses a customer-managed key (CMK) stored in AWS Key Management Service (KMS) to encrypt the data key.
    4. Object upload: the client uploads the encrypted object data to S3, along with the encrypted data key as object metadata.
    5. Decryption: when the client retrieves the object, it uses the CMK to decrypt the data key, and then uses the decrypted data key to decrypt the object data.