AWS S3

General Overview

Object storage service for scalable, durable data storage.
99.999999999% (11 9's) durability; 99.99% availability for most classes.
Unlimited storage; pay for usage (storage, requests, data transfer).
Global via multi-Region access; integrates with AWS services (EC2, Lambda, etc.).
Data Model:
- Bucket – top-level container (unique name, global namespace)
- Object – file + metadata
- Key – full path to object within a bucket
There is no concept of directory in General-purpose S3.
Objects size is limited at 5GB objects with more than 5GB, must use "multi-part" upload.
Objects can have key-value pairs of Metadata and can have key-value tags (useful for security/lifecycles)

Class	Use Case	Durability	Availability	Retrieval Time	Minimum Storage Duration	Retrieval Fee
S3 Standard	Frequent access	11 9s	99.99%	Instant	None	No
S3 Intelligent-Tiering	Unknown access patterns	11 9s	99.9–99.99%	Instant	None	No
S3 Standard-IA	Infrequent access	11 9s	99.9%	Instant	30 days	Yes *
S3 One Zone-IA	Non-critical infrequent data	11 9s	99.5%	Instant	30 days	Yes
S3 Glacier Instant Retrieval	Rarely accessed, quick retrieval	11 9s	99.9%	ms	90 days	Yes
S3 Glacier Flexible Retrieval	Archive w/ minutes–hours access	11 9s	99.99%	minutes–hours	90 days	Yes
S3 Glacier Deep Archive	Long-term cold storage	11 9s	99.99%	hours (12h typical)	180 days	Yes

* : Retrieval is priced per GB.

(R1) Transition current versions of objects between storage classes.
- Storage class transitions (Target storage class).
- Days after object creation.
(R2) Transition noncurrent versions of objects between storage classes.
- Storage class transitions.
- Days after objects become noncurrent.
- Number of newer versions to retain.

(R3) Expire current versions of objects.
- Days after object creation
(R4) Permanently delete noncurrent versions of objects.
- Days after objects become noncurrent
- Number of newer versions to retain - Optional
(R5) Delete expired object delete markers or incomplete multipart uploads.
- Delete expired object delete markers
- Delete incomplete multipart uploads

Delete an object with Show versions off -> Soft Delete -> Delete Marker created and is the current version shadowing all other versions.
Delete an object with Show versions on -> Permanent Delete for the chosen version -> if current is deleted the latest non current becomes current.
No promotion is supported. If an old version is wanted it should be copied over the latest version to create a new one with the content of the old one.
Lifecycle rule actions (R3) creates a delete marker and promotes it as current version.
The Expiration rule (R3) only applies to actual object versions, not delete markers.

Feature	Details
Prerequisites	Versioning enabled on both source and destination
Replication scope	All objects, prefix, or tags
What's replicated	New objects after enabling, metadata, ACLs, tags
Not replicated	Existing objects (need S3 Batch), lifecycle actions, objects in Glacier/Deep Archive
Delete behavior	Delete markers can be replicated (optional), version deletes not replicated
Replication Time Control (RTC)	99.99% within 15 minutes (SLA)
Batch Replication	Replicate existing objects, failed replications

Bucket default encryption: Applied to new objects without specified encryption
Enforce encryption: Use bucket policy to deny unencrypted uploads

Priority order: Explicit DENY → Explicit ALLOW → Implicit DENY

Method	Scope	Use Case
IAM Policies	User/role level	Control who can access S3
Bucket Policies	Bucket level	Cross-account, public access, IP restrictions
ACLs (legacy)	Bucket/object level	Simple permissions (avoid for new implementations)
Access Points	Subset of bucket	Simplify permissions for shared datasets
Presigned URLs	Object level	Temporary access without credentials

Four settings: Block public ACLs, Ignore public ACLs, Block public policies, Restrict public buckets
Applied at account or bucket level
Overrides bucket policies and ACLs