1 00:00:07,110 --> 00:00:11,180 - The S3 service has a very broad feature set. 2 00:00:11,180 --> 00:00:14,160 And part of that is because it's been around for so long, 3 00:00:14,160 --> 00:00:15,890 since 2006, 4 00:00:15,890 --> 00:00:20,630 but also because it has a really broad acceptance 5 00:00:20,630 --> 00:00:23,470 as far as customers realizing 6 00:00:23,470 --> 00:00:25,920 that there are so many different ways to use it 7 00:00:25,920 --> 00:00:27,790 that they keep asking for new features 8 00:00:27,790 --> 00:00:28,890 to go along with that. 9 00:00:29,850 --> 00:00:33,200 So let's start with some security features. 10 00:00:33,200 --> 00:00:35,560 S3 is one of the services 11 00:00:35,560 --> 00:00:39,150 that supports resource based access control. 12 00:00:39,150 --> 00:00:41,820 So you can provide a bucket policy 13 00:00:41,820 --> 00:00:44,250 that looks a lot like an IAM policy 14 00:00:44,250 --> 00:00:46,873 to grant or restrict access to your bucket. 15 00:00:48,410 --> 00:00:52,200 There is a feature called S3 Block Public Access 16 00:00:52,200 --> 00:00:55,670 which acts as a sort of an override switch 17 00:00:56,620 --> 00:00:58,480 on top of public access 18 00:00:58,480 --> 00:01:02,700 so that you can disable the capabilities 19 00:01:02,700 --> 00:01:05,513 for making buckets or objects public. 20 00:01:07,210 --> 00:01:10,290 In addition to bucket policies, 21 00:01:10,290 --> 00:01:13,990 S3 also supports bucket and object ACLs 22 00:01:13,990 --> 00:01:16,120 or access control lists. 23 00:01:16,120 --> 00:01:19,590 These are primitive permission mechanisms 24 00:01:19,590 --> 00:01:22,540 that have been around since the service was released 25 00:01:22,540 --> 00:01:27,410 and are still in use by a couple of different features 26 00:01:27,410 --> 00:01:31,670 and integration points across the rest of AWS, 27 00:01:31,670 --> 00:01:36,370 including if you create a pre-signed URL 28 00:01:36,370 --> 00:01:39,270 for an object in an S3 bucket, 29 00:01:39,270 --> 00:01:42,493 it uses an ACL to provide that permission. 30 00:01:44,360 --> 00:01:48,020 You can also enable object level encryption. 31 00:01:48,020 --> 00:01:51,000 And you can make it a default at the bucket level 32 00:01:51,000 --> 00:01:53,530 but you can still override on a per object basis. 33 00:01:53,530 --> 00:01:56,360 And this is going to be at rest encryption 34 00:01:56,360 --> 00:01:58,393 with a number of different key options. 35 00:02:00,160 --> 00:02:03,110 Let's take a look at some of the object management features. 36 00:02:03,110 --> 00:02:05,220 We can create lifecycle rules 37 00:02:05,220 --> 00:02:08,240 which give you the ability to move data 38 00:02:08,240 --> 00:02:11,630 through the different storage classes as they age 39 00:02:11,630 --> 00:02:13,163 or even delete them. 40 00:02:14,700 --> 00:02:16,100 You have versioning, 41 00:02:16,100 --> 00:02:18,300 which we're actually gonna talk about in just a moment, 42 00:02:18,300 --> 00:02:19,460 which turns your bucket 43 00:02:19,460 --> 00:02:22,180 into sort of a version control system. 44 00:02:22,180 --> 00:02:24,260 And you have the ability 45 00:02:24,260 --> 00:02:27,510 to replicate the contents of your bucket 46 00:02:27,510 --> 00:02:30,860 or prefixes within the bucket 47 00:02:30,860 --> 00:02:34,500 to other buckets in the same region, 48 00:02:34,500 --> 00:02:39,030 across region, same account, cross account, 49 00:02:39,030 --> 00:02:44,030 and even doing multi-way replication across several buckets. 50 00:02:47,160 --> 00:02:49,110 So let's take a look at lifecycle rules 51 00:02:49,110 --> 00:02:50,603 in a little bit more detail. 52 00:02:51,480 --> 00:02:52,930 As far as the options go, 53 00:02:52,930 --> 00:02:57,930 you can choose to transition current versions of a resource 54 00:02:59,510 --> 00:03:02,350 into other storage classes, 55 00:03:02,350 --> 00:03:07,350 recognizing that you can only move left to right 56 00:03:07,360 --> 00:03:12,070 through standard S3 IA, Z-IA, 57 00:03:12,070 --> 00:03:13,570 and then through the glacier classes. 58 00:03:13,570 --> 00:03:15,443 You cannot move backwards. 59 00:03:16,820 --> 00:03:20,110 You can transition previous versions of an object 60 00:03:20,110 --> 00:03:21,103 in the same way. 61 00:03:22,470 --> 00:03:26,980 You can choose to expire current or previous versions. 62 00:03:26,980 --> 00:03:30,030 And when we say expire, we mean delete. 63 00:03:30,030 --> 00:03:33,460 But if you have versioning enabled, 64 00:03:33,460 --> 00:03:35,340 it simply adds a delete marker 65 00:03:35,340 --> 00:03:37,040 and we'll talk about that shortly. 66 00:03:37,990 --> 00:03:41,970 You can also choose to delete incomplete multipart uploads. 67 00:03:41,970 --> 00:03:45,840 This is something that is a cost saver, 68 00:03:45,840 --> 00:03:50,840 that if a client had attempted to upload a large object 69 00:03:51,480 --> 00:03:54,440 and failed somewhere in the middle, 70 00:03:54,440 --> 00:03:58,233 you still pay for the partial data that was uploaded. 71 00:04:00,450 --> 00:04:03,130 So now let's take a look at versioning. 72 00:04:03,130 --> 00:04:04,640 When you create a bucket, 73 00:04:04,640 --> 00:04:09,640 the default behavior is for it to be unversioned. 74 00:04:10,520 --> 00:04:13,730 And that means it doesn't create any versions of new objects 75 00:04:13,730 --> 00:04:16,287 and it's simply unconfigured. 76 00:04:17,150 --> 00:04:22,150 But if you enable versioning, from that point forward, 77 00:04:23,550 --> 00:04:25,600 you can suspend the versioning, 78 00:04:25,600 --> 00:04:28,030 which stops new versions from being created, 79 00:04:28,030 --> 00:04:31,253 but you cannot return it to the unversioned state. 80 00:04:32,490 --> 00:04:37,100 Now a version enabled bucket is going to attach a version ID 81 00:04:37,100 --> 00:04:39,750 to every version of an object. 82 00:04:39,750 --> 00:04:43,700 If you delete an object, it simply attaches a delete marker. 83 00:04:43,700 --> 00:04:46,163 It doesn't actually delete the data. 84 00:04:47,190 --> 00:04:50,710 And if you ever have a requirement 85 00:04:50,710 --> 00:04:52,660 to avoid accidental deletion, 86 00:04:52,660 --> 00:04:56,000 providing a sort of recycle bin, 87 00:04:56,000 --> 00:04:58,183 this is one way to go about it. 88 00:04:59,380 --> 00:05:03,280 There are only a couple of ways in all of AWS 89 00:05:03,280 --> 00:05:07,610 where you can guarantee data will not be deleted 90 00:05:07,610 --> 00:05:09,580 under any circumstances. 91 00:05:09,580 --> 00:05:12,460 The glacier vault lock is one of them. 92 00:05:12,460 --> 00:05:16,610 So there are S3 buckets and there are glacier vaults. 93 00:05:16,610 --> 00:05:19,640 When you transition data into glacier, 94 00:05:19,640 --> 00:05:22,250 it's going to be placed into a vault. 95 00:05:22,250 --> 00:05:26,550 And while the glacier vaults provide a policy 96 00:05:26,550 --> 00:05:28,720 similar to bucket policies, 97 00:05:28,720 --> 00:05:31,930 they have a second policy called a vault log. 98 00:05:31,930 --> 00:05:34,850 And this is also a permission policy. 99 00:05:34,850 --> 00:05:38,620 You use it for very specific purposes, 100 00:05:38,620 --> 00:05:42,440 such as denying deletes on your data. 101 00:05:42,440 --> 00:05:44,940 You can use it to enforce lifecycle rules 102 00:05:45,780 --> 00:05:49,280 but what really makes this unique 103 00:05:49,280 --> 00:05:53,060 as a resource based policy, is when you create it, 104 00:05:53,060 --> 00:05:55,960 you have 24 hours to verify. 105 00:05:55,960 --> 00:05:59,160 And once you do that verification, 106 00:05:59,160 --> 00:06:03,180 that policy is locked forever. 107 00:06:03,180 --> 00:06:06,650 There is no way for you to change or delete the policy. 108 00:06:06,650 --> 00:06:10,680 And there's no support request that you can put into AWS 109 00:06:10,680 --> 00:06:12,153 to ask them to do the same. 110 00:06:15,480 --> 00:06:18,543 Now, another feature of S3 is that as an object store, 111 00:06:19,400 --> 00:06:22,140 every single object has its own URL 112 00:06:22,140 --> 00:06:24,340 that you can use to access it. 113 00:06:24,340 --> 00:06:27,190 However, the data is private by default 114 00:06:27,190 --> 00:06:29,090 and it does require authentication 115 00:06:29,090 --> 00:06:31,570 and permissions to reach them. 116 00:06:31,570 --> 00:06:36,570 But when you enable public access to an object, 117 00:06:36,990 --> 00:06:40,023 you use that URL to access the object. 118 00:06:41,600 --> 00:06:45,370 An entire bucket can be turned into a static website. 119 00:06:45,370 --> 00:06:47,880 And if you do that, you have access 120 00:06:47,880 --> 00:06:50,950 to be able to create redirect engines 121 00:06:50,950 --> 00:06:53,130 around different prefixes and URLs. 122 00:06:55,340 --> 00:06:57,950 And finally, and I mentioned these a little bit earlier, 123 00:06:57,950 --> 00:07:00,390 you can create pre-signed URLs 124 00:07:00,390 --> 00:07:04,330 against an individual object in a bucket 125 00:07:04,330 --> 00:07:07,150 to allow a client to access it 126 00:07:07,150 --> 00:07:09,760 without providing explicit authentication 127 00:07:09,760 --> 00:07:11,043 and permissions to do so. 128 00:07:14,010 --> 00:07:17,060 Now, when you enable S3 static website hosting, 129 00:07:17,060 --> 00:07:18,190 there are a couple of things 130 00:07:18,190 --> 00:07:20,160 that you can do from that point. 131 00:07:20,160 --> 00:07:23,770 First off, the bucket name has to match 132 00:07:23,770 --> 00:07:26,200 the DNS you're gonna use to reach the bucket 133 00:07:26,200 --> 00:07:28,593 if you want to use custom DNS. 134 00:07:29,500 --> 00:07:32,420 Next, you can configure an index document. 135 00:07:32,420 --> 00:07:35,630 So like index.html, or something like that. 136 00:07:35,630 --> 00:07:39,310 You can configure error pages for different error codes. 137 00:07:39,310 --> 00:07:41,060 You can even configure redirects 138 00:07:41,060 --> 00:07:43,780 and turn your bucket into a redirect engine. 139 00:07:43,780 --> 00:07:46,180 And you can enable access logs, 140 00:07:46,180 --> 00:07:49,423 which are then delivered to a different S3 bucket. 141 00:07:50,730 --> 00:07:53,950 However, there is a trade off. 142 00:07:53,950 --> 00:07:56,120 If you enable static website hosting, 143 00:07:56,120 --> 00:08:01,120 you cannot use HTTPS to access those objects. 144 00:08:01,230 --> 00:08:04,113 You can only use unencrypted transports.