- Set permissions for every single service - granular permissions
- Temporary access to an AWS account - identity federation
- Cross-account access between multiple AWS accounts - using roles
- PCI DSS compliance - Payment Card Industry (PCI) Data Security Standard (DSS) - for credit card payments
- Free to use
- Access: Console, CLI, API, SDK
- Not possible to restrict root user permissions
- Policies, Groups, Users, Roles
- Security features outside of IAM (not part of IAM):
  - EC2 Windows - username, password
  - EC2 Linux - key pair
  - EC2/RDS - Security Groups to control traffic
- Best practices:
  - Set up an administrator group (optional)
  - Provide separate access for every user using IAM
  - Grant only the least privilege the user needs
  - Use Access Advisor to inspect user access
  - A user can be assigned a policy to access a resource
  - A user can be added to a group containing a collection of policies, along with other users
- Operations involved (S3):
  - Create bucket
  - Write object
  - Read object
  - Delete object
  - List keys
- Max size of a single object - 5TB
- HTTP: REST / AWS SDK / SOAP (deprecated)
- HTTPS: REST / AWS SDK / SOAP
- Every bucket has only one key
- Identified by - bucket, key, version ID
- Object locking - not available
- Two PUT requests to the same key - the last request wins
- Reduced Redundancy Storage (RRS) is priced lower than standard S3 storage
- RRS - less replication occurs
- REST access - metadata is returned in HTTP headers; only 4KB can be requested in headers without a body
- requestPayment subresource - pay per download (the third party downloading the shared content pays)
- Access through:
  - Account access keys - 20-character access key ID & 40-character secret access key
  - IAM user keys
  - Temporary security credentials
- Access methods:
  - Virtual-hosted-style URL - http://bucket.s3-aws-region.amazonaws.com
  - Path-style URL - http://s3-aws-region.amazonaws.com/bucket
- Bucket name - globally unique, regardless of AWS region
- Max. 100 buckets per account
- Bucket ownership is not transferable
- You cannot create a bucket within another bucket
- DNS-convention bucket naming - optional in US East (N. Virginia)
- Bucket name can start with a lowercase letter or a number
- Maximum upload size - 5GB (single part) / 5TB (multipart)
- Deleting/emptying a bucket:
  - S3 Console - can delete/empty a bucket with fewer than 100,000 objects (check whether versioning is enabled - a single object can have 101,000 revisions)
  - CLI - the bucket shouldn't have versioning enabled
  - Lifecycle config - rule for expiring objects
  - AWS SDK - first delete all objects, then the bucket
- Transfer Acceleration - fast, easy & secure transfers
  - Long-distance transfers between the client and the S3 bucket
  - Uses CloudFront's distributed edge locations
- Versioning:
  - Disabled by default
  - Once enabled, it can't be disabled; it can only be suspended
  - Enabled at bucket level
  - Cross-Region Replication: replicates files from the source to the destination bucket upon upload to the source (requires versioning to be enabled)
  - When enabled, a unique (uneditable) version ID is generated automatically
  - PUT
    - Bucket has: a.jpg, b.jpg, c.jpg
    - Add a.jpg to the bucket
    - Bucket now has: a.jpg (version 11111), a.jpg (version 12121), b.jpg, c.jpg
  - GET
    - When a.jpg is requested, the newly stored object is retrieved (version 12121)
    - To retrieve a different version, specify the version ID along with the filename
  - DELETE
    - S3 inserts a delete marker when the object is deleted, but the object remains in the bucket
    - To remove it permanently, specify the version ID along with the filename
- Lifecycle rules can be applied to objects in S3 buckets:
  - Infrequent Access storage class - can be moved after 30 days (minimum)
  - Glacier storage class - can be moved after 1 day (minimum) [but when combined with (1), minimum 31 days]
  - Permanent deletion - can be deleted after 1 day (minimum)
- Creating an object with the key Development/Projects1.xls creates a folder named Development and an object named Projects1.xls
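As an added example (not from these notes and not AWS code), a small Python model of the PUT/GET/DELETE versioning behaviour above, the unversioned last-PUT-wins rule, and the folder-like key prefix; the version IDs, keys and bodies are constructed.

```python
"""Toy model of the S3 versioning behaviour described in these notes.
Added example, not AWS code; version IDs are constructed from a counter."""
import itertools
from dataclasses import dataclass, field

DELETE_MARKER = object()  # sentinel body that stands in for an S3 delete marker


@dataclass
class VersionedBucket:
    versioning: bool = False
    # key -> [(version_id, body), ...] in upload order; the last entry is current
    objects: dict = field(default_factory=dict)
    # constructed IDs 11111, 12121, ... to mirror the notes; S3 generates opaque ones
    ids: itertools.count = field(default_factory=lambda: itertools.count(11111, 1010))

    def put(self, key, body):
        versions = self.objects.setdefault(key, [])
        if not self.versioning:
            versions.clear()  # unversioned: the last PUT to a key wins
            version_id = "null"
        else:
            version_id = str(next(self.ids))  # unique and not editable
        versions.append((version_id, body))
        return version_id

    def get(self, key, version_id=None):
        versions = self.objects.get(key, [])
        if version_id is None:  # plain GET: newest version unless it is a delete marker
            current = versions[-1][1] if versions else DELETE_MARKER
            return None if current is DELETE_MARKER else current
        for vid, body in versions:  # GET with version ID: that exact version
            if vid == version_id:
                return None if body is DELETE_MARKER else body
        return None

    def delete(self, key, version_id=None):
        versions = self.objects.setdefault(key, [])
        if self.versioning and version_id is None:
            # soft delete: a delete marker is inserted, older versions stay in the bucket
            versions.append((str(next(self.ids)), DELETE_MARKER))
        else:
            # permanent delete of one named version ("null" for unversioned buckets);
            # deleting a delete marker by ID makes the previous version current again
            versions[:] = [v for v in versions if v[0] != (version_id or "null")]

    def list_keys(self, prefix=""):
        """Keys with a current version; a prefix like 'Development/' acts as a folder."""
        return sorted(k for k, v in self.objects.items()
                      if k.startswith(prefix) and v and v[-1][1] is not DELETE_MARKER)
```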