AWS S3: Buckets, Storage Classes, and Permissions
S3 is AWS's object storage service and appears in almost every architecture. Here's what the exam tests.
S3 fundamentals
S3 stores objects (files) in buckets. It is designed for very high durability and availability, and scales to effectively unlimited storage with no capacity to provision.
# Key concepts:
# Bucket — globally unique container for objects
# Object — a file + metadata, identified by a key (path-like name)
# Key — unique identifier for an object within a bucket
#   e.g., "images/profile/alice.jpg"
#
# Bucket names must be globally unique across all AWS accounts
# Buckets exist in a specific region
# Object size: 0 bytes to 5 TB
# Single PUT upload limit: 5 GB (use multipart above 100 MB)
#
# Default: buckets are private
# Public access requires explicit configuration
# (Block Public Access settings must be disabled first)
S3 storage classes
Storage classes let you trade cost vs retrieval speed/availability.
# S3 Standard
# - 99.99% availability, 11 nines durability
# - Frequent access, low latency
# - Use: active data, websites, content distribution
#
# S3 Intelligent-Tiering
# - Automatically moves between access tiers
# - Use: unknown or unpredictable access patterns
#
# S3 Standard-IA (Infrequent Access)
# - Lower storage cost, retrieval fee applies
# - 99.9% availability
# - Use: disaster recovery, backups accessed monthly
#
# S3 One Zone-IA
# - Stored in single AZ (less resilient)
# - 20% cheaper than Standard-IA
# - Use: recreatable data, secondary backups
#
# S3 Glacier Instant Retrieval
# - Archives needing millisecond retrieval
#
# S3 Glacier Flexible Retrieval
# - Minutes to hours retrieval time
#
# S3 Glacier Deep Archive
# - Cheapest storage, 12-hour retrieval
# - Use: long-term compliance archives
S3 security and access control
S3 has multiple layers of access control. Bucket policies are the most commonly tested.
# Layers of access control:
# 1. Block Public Access (account and bucket level) — overrides everything else
# 2. Bucket policy (JSON, attached to bucket)
# 3. ACLs (legacy; disabled by default on new buckets via Object Ownership)
# 4. IAM policies (attached to users/roles)
# Example bucket policy: allow public read for static website
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-bucket/*"
  }]
}
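The policy above is exactly as wide as a static website needs: anyone may read objects, nothing more. A common mistake is to widen it while debugging (adding "s3:*", or dropping the "/*" so the bucket itself is the resource). The following added example (not code from the original notes) builds that policy as a Python dict and audits any bucket policy for world-open Allow statements that go beyond object reads. The allowed-action set and the finding wording are this example's own choices; Condition blocks are not evaluated, so a flagged statement may still be narrowed by one.

```python
import json

# Actions a world-open ("Principal": "*") Allow statement may grant without a
# finding. Constructed for this example: a static site only needs object reads.
PUBLIC_READ_ACTIONS = {"s3:GetObject"}
S3_ARN_PREFIX = "arn:aws:s3:::"


def public_read_policy(bucket):
    """The static-website policy from the notes, for the given bucket name.

    It has no effect while Block Public Access is still enabled on the
    bucket or the account; that must be switched off deliberately first.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadForStaticWebsite",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"{S3_ARN_PREFIX}{bucket}/*",
        }],
    }


def _as_list(value):
    """IAM lets Action, Resource and Principal.AWS be a string or a list."""
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    """True for both spellings of 'anyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def audit_bucket_policy(policy):
    """Return findings for Allow statements that are open to the world.

    Two checks: (1) actions beyond object reads, (2) a Resource that is not
    scoped to objects inside one named bucket (bucket-level ARNs permit
    listing and configuration actions if the action list allows them).
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        extra = sorted(actions - PUBLIC_READ_ACTIONS)
        if extra:
            findings.append(f"statement {i}: public principal allowed {extra}")
        for arn in _as_list(stmt.get("Resource", [])):
            if not arn.startswith(S3_ARN_PREFIX) or arn == f"{S3_ARN_PREFIX}*":
                findings.append(f"statement {i}: resource {arn!r} is not a single S3 bucket")
                continue
            bucket, _, key_pattern = arn[len(S3_ARN_PREFIX):].partition("/")
            if "*" in bucket:
                findings.append(f"statement {i}: resource {arn!r} uses a wildcard bucket name")
            elif not key_pattern:
                findings.append(f"statement {i}: resource {arn!r} is bucket-level, not object-level")
    return findings


if __name__ == "__main__":
    policy = public_read_policy("my-bucket")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_bucket_policy(policy) or "none")
```

The audit is the kind of check to run in CI before `put-bucket-policy`, alongside confirming that Block Public Access is only relaxed on the one bucket that really serves a website.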
# Pre-signed URLs: grant temporary access without changing permissions
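What makes a pre-signed URL work is that the expiry and the signer's identity are baked into the query string and covered by a SigV4 signature, so the bucket policy never changes. The added example below (written for this page, not from the original notes or from AWS) computes a GET pre-signed URL for one object with only the standard library, and reads back when a given URL expires. In production use `boto3`'s `generate_presigned_url`; the point here is to see what that call produces. The bucket, key, credentials and region in the test are constructed placeholders, and the 7-day ceiling is the documented SigV4 query-signature limit.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlparse

MAX_PRESIGN_SECONDS = 7 * 24 * 3600  # SigV4 query-string signatures cannot outlive 7 days


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_access_key, date, region):
    """Derive the SigV4 signing key: the secret never appears in the URL."""
    key = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date)
    key = _hmac_sha256(key, region)
    key = _hmac_sha256(key, "s3")
    return _hmac_sha256(key, "aws4_request")


def presign_get_object(bucket, key, access_key_id, secret_access_key, region,
                       expires_in=900, now=None):
    """Return a virtual-hosted-style pre-signed GET URL valid for expires_in seconds."""
    if not 1 <= expires_in <= MAX_PRESIGN_SECONDS:
        raise ValueError("expires_in must be between 1 second and 7 days")
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    canonical_uri = "/" + quote(key, safe="/")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: sorted by name, every name and value URI-encoded.
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items())
    )
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",    # canonical headers, each line ends with \n
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # pre-signed URLs do not commit to a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_access_key, date, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def presigned_url_expiry(url):
    """When the URL stops working, read from its own X-Amz-Date and X-Amz-Expires.

    Handy when reviewing links found in logs or tickets: a long X-Amz-Expires
    is a sign the issuing code should be tightened.
    """
    qs = parse_qs(urlparse(url).query)
    issued = datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return issued + timedelta(seconds=int(qs["X-Amz-Expires"][0]))
```

Keep `expires_in` as short as the workflow allows; the URL is a bearer credential, and it stays valid until the timestamp regardless of who holds it (only rotating the access key that signed it revokes it early).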
# Useful for letting users upload/download without AWS credentials

Versioning and lifecycle rules
Versioning keeps all versions of an object. Lifecycle rules automate storage class transitions and deletion.
# Versioning:
# - Keeps all versions of every object
# - Protects against accidental deletion
# - Delete adds a "delete marker" — old versions still accessible
# - Enable on bucket (can't be disabled once enabled, only suspended)
#
# Lifecycle rules (JSON or console):
# Transition: move to cheaper storage class after N days
# Expiration: delete objects after N days
#
# Example lifecycle:
# Day 0:   Object created in S3 Standard
# Day 30:  Transition to Standard-IA
# Day 90:  Transition to Glacier Flexible Retrieval
# Day 365: Delete (expiration)
#
# Combine with versioning:
# - Expire old versions after 90 days
# - Delete incomplete multipart uploads after 7 days
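The example lifecycle above, written out in the exact structure the S3 API accepts, plus a small validator for the ordering rules S3 enforces on a rule (transitions only move to a colder class and later in time, Standard-IA and One Zone-IA cannot be reached before day 30, and expiration must come after the last transition). This is an added example, not code from the original notes; the rule ID and the storage-class order constant are this example's own, the latter following the transition waterfall AWS documents.

```python
# Storage classes in the order S3's lifecycle waterfall allows transitions;
# a rule may only move an object rightwards in this list.
TRANSITION_ORDER = [
    "STANDARD", "STANDARD_IA", "INTELLIGENT_TIERING", "ONEZONE_IA",
    "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE",
]
IA_CLASSES = {"STANDARD_IA", "ONEZONE_IA"}
MIN_DAYS_BEFORE_IA = 30  # S3 rejects transitions into an IA class before day 30


def build_lifecycle_config(rule_id="standard-ia-glacier-expire", prefix=""):
    """The schedule from the notes, shaped for
    s3.put_bucket_lifecycle_configuration(Bucket=..., LifecycleConfiguration=...).
    """
    return {"Rules": [{
        "ID": rule_id,
        "Filter": {"Prefix": prefix},  # "" applies the rule to every object
        "Status": "Enabled",
        "Transitions": [
            {"Days": 30, "StorageClass": "STANDARD_IA"},
            {"Days": 90, "StorageClass": "GLACIER"},  # Glacier Flexible Retrieval
        ],
        "Expiration": {"Days": 365},
        # On a versioned bucket old versions otherwise accumulate (and bill) forever.
        "NoncurrentVersionExpiration": {"NoncurrentDays": 90},
        # Abandoned multipart parts are billed but never appear in listings.
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }]}


def validate_rule(rule):
    """Return a list of problems S3 would reject the rule for (empty when OK)."""
    errors = []
    last_days, last_rank = -1, 0  # every object starts in STANDARD on day 0
    for transition in rule.get("Transitions", []):
        days, cls = transition["Days"], transition["StorageClass"]
        if cls not in TRANSITION_ORDER:
            errors.append(f"{cls}: not a lifecycle transition target")
            continue
        rank = TRANSITION_ORDER.index(cls)
        if rank <= last_rank:
            errors.append(f"{cls}: transitions must move to a colder class")
        if days <= last_days:
            errors.append(f"{cls}: Days must increase with each transition")
        if cls in IA_CLASSES and days < MIN_DAYS_BEFORE_IA:
            errors.append(f"{cls}: objects must age {MIN_DAYS_BEFORE_IA} days before an IA class")
        last_days, last_rank = days, rank
    expiration = rule.get("Expiration", {}).get("Days")
    if expiration is not None and expiration <= last_days:
        errors.append("Expiration Days must be later than the last transition")
    return errors


def validate_config(config):
    """Map each rule ID to its problems, so a CI check can fail on any non-empty list."""
    return {rule["ID"]: validate_rule(rule) for rule in config["Rules"]}


if __name__ == "__main__":
    config = build_lifecycle_config()
    print(validate_config(config))  # {'standard-ia-glacier-expire': []}
```

Validating locally matters because a rejected `PutBucketLifecycleConfiguration` leaves the old (or no) policy in place silently, and objects in versioned buckets keep costing money until someone notices.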
Exam tip
The most common S3 exam scenario: "Cheapest storage for data accessed once a year for compliance" — S3 Glacier Deep Archive. For infrequent but fast retrieval — Standard-IA. For unpredictable access — Intelligent-Tiering.