
[AWS Certified Solutions Architect] S3

SenJ 2022. 3. 13. 11:17

Summary

** CloudFront with S3 as an origin locked down to an OAI is the standard way to serve static files. When an exam question mentions global delivery of static files, think of the CloudFront + S3 combination.

** For uploads: files under 1 GB can be uploaded through CloudFront as an ingress and forwarded to S3; for files over 1 GB it is better to send them directly to S3 using Multipart Upload with Transfer Acceleration.

** For global / dynamic content, replicate to several regions with CRR (consistently synchronized copies) and put Global Accelerator in front of the regional application endpoints (ALB / NLB / EC2 / Elastic IP; S3 buckets themselves are not Global Accelerator endpoints).

** When follow-up processing is needed for data uploaded to S3, use S3 Event Notifications; Lambda / SNS / SQS are the available targets.

** For S3 security, restrict direct external access with a bucket policy. When external users need access, use pre-signed URLs. When serving through CloudFront, use CloudFront signed URLs / signed cookies, and protect CloudFront with WAF (web / IP rules) and Shield (DDoS).


S3 : Objects & Buckets

- Buckets : Need globally unique name, Defined at the region level

- Objects : identified by a key, which is the FULL path (= prefix + object name). Max object size is 5 TB. A single PUT is limited to 5 GB, so anything larger must use multipart upload (recommended for files over 100 MB).

Versioning : Enabled at the bucket level, Protect against unintended deletes, Easy rollback

- Any file that is not versioned prior to enabling versioning will have version 'null'


** Features that require versioning: MFA Delete, S3 Replication, and the lifecycle actions that act on noncurrent object versions

Encryption

- SSE-S3 : encryption using keys handled & managed by Amazon S3 / object is encrypted server side / AES-256 encryption / must set header "x-amz-server-side-encryption": "AES256"

- SSE-KMS : encryption using keys handled & managed by KMS (a separate AWS service; gives full control over the key rotation policy, and every key use is logged in CloudTrail) / object is encrypted server side / must set header "x-amz-server-side-encryption": "aws:kms"

- SSE-C : server-side encryption using keys fully managed by the customer outside of AWS / the key is sent in request headers on every request and S3 does not store it / HTTPS must be used

- Client Side Encryption : the client must encrypt/decrypt the data itself before sending to S3 / after retrieving from S3

Encryption in transit (SSL/TLS): HTTPS is recommended; a bucket policy can enforce it by denying requests whose "aws:SecureTransport" condition is "false"

** All three SSE variants are Server-Side Encryption; they differ in who holds and manages the encryption key.

CSE encrypts on the client side, so the client itself must perform encryption and decryption (S3 only ever sees ciphertext).

S3 Security

- User based : IAM policies

- Resource Based : Bucket Policies

Block Public Access : blocks public and cross-account access to buckets and objects granted through any public bucket policy or access point policy (an account- or bucket-level safety net on top of the policies themselves)

- Networking : VPC endpoints

- Logging and Audit : S3 Access logs -> other S3 bucket / API calls -> AWS CloudTrail

- User Security :

• MFA Delete (requires versioning on the bucket): MFA is needed to permanently delete an object version or to suspend versioning on the bucket; only the bucket owner (root account) can enable/disable MFA Delete, and only through the CLI/API

Pre-Signed URLs - generated with the SDK or CLI for downloads or uploads; valid for a default of 3600 seconds (change the timeout with the CLI --expires-in option / SDK ExpiresIn parameter); the URL inherits the permissions of the IAM principal that signed it, so anyone holding the URL acts as that principal until it expires
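The following is an added example, not code from the original notes or the Udemy course, that builds and verifies an S3 pre-signed GET URL with the Python standard library only, reproducing the SigV4 query-string signing that `aws s3 presign` and the SDK perform. It shows what the signature covers (method, object key, signed headers, X-Amz-Date and X-Amz-Expires) and therefore why a holder cannot extend or retarget the URL. The bucket, key, credentials and timestamp are constructed test values; `verify_presigned_get` is a stand-in for the check S3 itself performs and is not an AWS API.

```python
# Added example: SigV4 query-string presigning for S3 GET, standard library only.
# All credentials, bucket names and timestamps below are constructed test values.
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlsplit


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    # SigV4 key derivation: "AWS4"+secret -> date -> region -> service -> "aws4_request".
    k = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k = _hmac_sha256(k, region)
    k = _hmac_sha256(k, "s3")
    return _hmac_sha256(k, "aws4_request")


def amz_date_to_epoch(amz_date: str) -> int:
    """Convert an X-Amz-Date value such as 20220313T111700Z to Unix time."""
    return calendar.timegm(time.strptime(amz_date, "%Y%m%dT%H%M%SZ"))


def presign_get(bucket, key, access_key, secret_key, region, amz_date, expires=3600):
    """Return a pre-signed GET URL for s3://bucket/key, valid for `expires`
    seconds from `amz_date`. This is what the CLI/SDK compute for a GET presign."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    # Every query parameter below is covered by the signature, so none of them
    # (e.g. a longer X-Amz-Expires) can be changed without the secret key.
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items())
    )
    canonical_uri = quote("/" + key, safe="/")  # object key is URI-encoded per segment
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",    # canonical headers, each line newline-terminated
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # the body is not covered by a pre-signed URL
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        _signing_key(secret_key, date, region), string_to_sign.encode("utf-8"), hashlib.sha256
    ).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def verify_presigned_get(url, secrets, now_epoch):
    """Server-side view of validation: parse the URL, re-derive the signature
    with the signer's secret and reject anything tampered or expired.
    `secrets` maps access key id -> secret key (a stand-in for IAM)."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    try:
        access_key, date, region, service, term = q["X-Amz-Credential"].split("/")
        amz_date, expires = q["X-Amz-Date"], int(q["X-Amz-Expires"])
        issued = amz_date_to_epoch(amz_date)
    except (KeyError, ValueError):
        return False
    if service != "s3" or term != "aws4_request" or amz_date[:8] != date:
        return False
    if parts.hostname is None or access_key not in secrets:
        return False
    # Expiry is enforced from the signed X-Amz-Date/X-Amz-Expires pair, never
    # from anything the client could supply unsigned.
    if now_epoch > issued + expires:
        return False
    bucket = parts.hostname.split(".")[0]
    key = unquote(parts.path[1:])
    expected = presign_get(bucket, key, access_key, secrets[access_key], region, amz_date, expires)
    expected_sig = expected.rsplit("X-Amz-Signature=", 1)[1]
    return hmac.compare_digest(expected_sig.encode(), q.get("X-Amz-Signature", "").encode())


if __name__ == "__main__":
    url = presign_get("examplebucket", "reports/2022 q1.csv", "AKIAIOSFODNN7EXAMPLE",
                      "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-east-1",
                      "20220313T111700Z", 3600)
    print(url)
```

Two things the check makes visible: a pre-signed URL is only as good as the secret behind it (a leaked long-lived access key lets anyone mint URLs for whatever that principal may read), and the server does not consult any client-supplied clock, so the only way to "extend" a URL is to re-sign it.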

S3 Websites : host static websites accessible on the www; a 403 error (Forbidden) -> check the bucket policy (and the Block Public Access settings)
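An added example, not from the original notes, of the kind of bucket policy the notes describe: CloudFront reads the bucket through an OAI, while every other request is denied unless it arrives over TLS and, for uploads, carries the SSE-KMS header from the encryption section. The bucket name example-static-site and the OAI id EXAMPLEOAIID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontOAIRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-static-site/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-static-site",
        "arn:aws:s3:::example-static-site/*"
      ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    },
    {
      "Sid": "DenyUnencryptedUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-static-site/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    }
  ]
}
```

Apply it with `aws s3api put-bucket-policy --bucket example-static-site --policy file://policy.json`. Block Public Access can stay enabled: the OAI is a specific principal, not a public one, so the Allow is not blocked, and there is no `"Principal": "*"` Allow anywhere. The two Deny statements apply to every principal, including the account's own IAM users, which is what makes them a useful guard rather than a suggestion; `StringNotEquals` also matches when the header is absent, so an upload with no encryption header at all is denied.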

CORS : a web page loaded from one origin requesting content from an S3 bucket on a different origin; the bucket's CORS configuration must return the correct CORS headers (Access-Control-Allow-Origin) for the requesting origin

S3 Replication :

- CRR / SRR : must enable versioning on source and target, buckets can be in different accounts, S3 needs proper IAM permissions to replicate

- After activating, only new objects are replicated (existing objects need S3 Batch Replication)

- Can replicate delete markers from source to target (optional)

- Deletions with a version ID are not replicated (so a malicious permanent delete does not propagate)

- No chaining : if bucket 1 replicates into bucket 2 and bucket 2 into bucket 3, objects created in bucket 1 are not replicated to bucket 3

Storage Class

S3 Standard / Intelligent Tiering / S3 standard-IA / S3 One Zone-IA / S3 glacier / S3 Glacier Deep archive

S3 Standard, Intelligent Tiering : No retrieval fee, No minimum capacity charge per object

S3 One Zone-IA : lowest availability (99.5%); data lives in a single AZ and is lost if that AZ is destroyed

Glacier : Expedited 1~5 mins / Standard 3~5 hours / Bulk 5~12 hours <-> Deep Archive : Standard 12 hours / Bulk 48 hours

** Grouped as S3 Standard, Intelligent Tiering / S3 Standard-IA, S3 One Zone-IA / S3 Glacier, S3 Glacier Deep Archive, each pair shares similar characteristics, but the detailed differences need to be known

Lifecycle Configuration rules : transition objects between storage classes

- Transition Actions : define when objects are transitioned to another storage class

ex) Move objects to Standard-IA 60 days after creation

Move to Glacier for archiving after 6 months

- Expiration Actions : configure objects to expire after some time

ex) Access log files can be set to delete after 365 days

Can be used to delete old versions of files (if versioning is enabled)

Can be used to abort and delete incomplete multipart uploads

- S3 Analytics (storage class analysis) : helps determine when to transition objects from Standard to Standard-IA (*does NOT work for One Zone-IA or Glacier)

** Objects can be moved automatically to a different storage class (within the same bucket) based on their age; Intelligent Tiering additionally moves objects between its tiers based on access frequency.

Transitions only flow downward: Standard -> Standard-IA -> Intelligent Tiering -> One Zone-IA -> Glacier -> Deep Archive
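An added example, not from the original notes, of a lifecycle configuration in the JSON form accepted by `aws s3api put-bucket-lifecycle-configuration`, implementing the rules listed above: objects under reports/ move to Standard-IA after 60 days and to Glacier after 180, old versions and abandoned multipart uploads are cleaned up, and objects under logs/ expire after 365 days. The bucket name and prefixes are placeholders.

```json
{
  "Rules": [
    {
      "ID": "archive-reports",
      "Status": "Enabled",
      "Filter": { "Prefix": "reports/" },
      "Transitions": [
        { "Days": 60, "StorageClass": "STANDARD_IA" },
        { "Days": 180, "StorageClass": "GLACIER" }
      ],
      "NoncurrentVersionExpiration": { "NoncurrentDays": 30 },
      "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": 7 }
    },
    {
      "ID": "expire-access-logs",
      "Status": "Enabled",
      "Filter": { "Prefix": "logs/" },
      "Expiration": { "Days": 365 }
    }
  ]
}
```

Apply it with `aws s3api put-bucket-lifecycle-configuration --bucket example-static-site --lifecycle-configuration file://lifecycle.json`. Two constraints worth knowing: a transition into Standard-IA or One Zone-IA must be at least 30 days after creation, and an object must then stay there 30 days before the next transition, so the 60 / 180 pair above is valid while 20 / 40 would be rejected. The `AbortIncompleteMultipartUpload` action is the only thing that stops abandoned multipart parts from being billed indefinitely, since they are invisible to normal listings.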

S3 Select & Glacier Select : retrieve less data by using SQL to perform SERVER-SIDE filtering on rows & columns (less network transfer, less client-side CPU)

S3 Event Notifications : Can create as many S3 events as desired -> trigger SNS/SQS/LAMBDA

ex) Generate thumbnails of images uploaded to S3
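The thumbnail scenario above as an added example, not code from the original notes: a Lambda-style handler that parses the S3 event record and writes a derived object, run offline against a constructed event. The in-memory `store` dict stands in for the boto3 `put_object` call a real function would make, and the bucket and key names are made up. It handles two things a first implementation usually gets wrong: object keys in the event are URL-encoded (a space arrives as `+`), and writing output to a prefix that also triggers the notification re-invokes the function on its own output.

```python
# Added example: a Lambda-style handler for S3 event notifications, run
# offline against a constructed event. The in-memory `store` stands in for the
# boto3 put_object call a real function would make.
from urllib.parse import unquote_plus

THUMB_PREFIX = "thumbnails/"          # hypothetical output prefix
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png")


def parse_s3_records(event):
    """Yield (bucket, key, size, event_name) for each S3 record in the event.
    Keys arrive URL-encoded (a space becomes '+'), so decode with unquote_plus
    before using the key in any S3 API call or path comparison."""
    for record in event.get("Records", []):
        if record.get("eventSource") != "aws:s3":
            continue
        s3 = record["s3"]
        key = unquote_plus(s3["object"]["key"])
        yield s3["bucket"]["name"], key, s3["object"].get("size", 0), record["eventName"]


def thumbnail_key(key):
    """Derive the output key from the file name only, so a user-controlled
    source prefix (including '../' segments) cannot steer where we write."""
    return THUMB_PREFIX + key.rsplit("/", 1)[-1]


def handler(event, context=None, store=None):
    """Generate a 'thumbnail' for every image created outside THUMB_PREFIX.
    Output under a prefix that itself triggers the notification would
    re-invoke the function for its own output, so those keys are skipped."""
    store = {} if store is None else store
    written = []
    for bucket, key, size, event_name in parse_s3_records(event):
        if not event_name.startswith("ObjectCreated:"):
            continue  # deletes, restores etc. need no thumbnail
        if key.startswith(THUMB_PREFIX) or not key.lower().endswith(IMAGE_SUFFIXES):
            continue  # our own output, or not an image
        out_key = thumbnail_key(key)
        store[(bucket, out_key)] = f"thumbnail-of:{key}:{size}"  # stand-in for resized bytes
        written.append(out_key)
    return {"written": written}


# Constructed sample event in the shape S3 delivers to Lambda (abridged).
SAMPLE_EVENT = {
    "Records": [
        {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": "my-uploads"},
                "object": {"key": "uploads/my+photo.jpg", "size": 1234}}},
        {"eventSource": "aws:s3", "eventName": "ObjectRemoved:Delete",
         "s3": {"bucket": {"name": "my-uploads"},
                "object": {"key": "uploads/old.png"}}},
        {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": "my-uploads"},
                "object": {"key": "thumbnails/my+photo.jpg", "size": 56}}},
    ]
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

The in-code check against the output prefix is a second line of defence; the first is to configure the event notification itself with a prefix filter (uploads/) and suffix filter (.jpg) so the function is never invoked for its own output in the first place.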

Amazon Athena: Serverless query service to perform analytics against S3 objects

S3 Baseline Performance : your app can achieve at least 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix in a bucket (spreading reads across prefixes scales this linearly)

S3 Byte-Range Fetches : parallelize GETs by requesting specific byte ranges; also useful to retrieve only part of an object (e.g. a file header)

AWS CloudFront : Content Delivery Network (CDN)

- Improves read performance, content is cached at the edge

- DDoS protection, integration with Shield, AWS Web Application Firewall

- You can reduce the number of edge locations for cost reduction , Price Class All/Price Class 200/Price Class 100

** Content fetched from the origin is cached at edge locations, lowering latency for subsequent requests.

CloudFront Origins

- S3 Bucket : enhanced security with CloudFront OAI , CloudFront can be used as an ingress(to upload files to S3)

- Custom Origin (HTTP) : ALB, EC2, S3 website (must allow the public IPs of the edge locations in the origin's security group)

- Multiple Origin : To route to different kind of origins based on the content type (ex. S3 & EC2)

Request Based on path patterns like /images/* , /api/*, /*

- Origin Groups : to increase high availability and do failover; group two origins of the same type (ex. S3 & S3, one primary and one secondary origin)

CloudFront Geo Restriction : restrict who can access your distribution, The “country” is determined using a 3rd party Geo-IP database

CloudFront : Global Edge network / Great for static content that must be available everywhere

vs

S3 CRR : Must be setup for each region you want replication to happen / Great for dynamic content that needs to be available at low-latency in few regions

CloudFront Signed URL / Cookie : distribute paid shared content(private content) to premium users over the world

- Signed URL : access to individual files (one signed URL per file)

- Signed Cookies : access to multiple files (one signed cookie for many files)

AWS Global Accelerator : 2 Anycast IPs are created for your application,

- The Anycast IP send traffic directly to Edge Locations / The Edge locations send the traffic to your application

- Works with Elastic IP, EC2 instances, ALB, NLB, public or private

- Consistent Performance / Health Checks / Security

** Using Anycast IPs, an incoming request is routed to the nearest edge location and then over the AWS global network to the application, reducing latency.

AWS CloudFront : Improves performance for both cacheable content / Dynamic content / Content is served at the edge

vs

Global Accelerator : Improves performance for a wide range of applications over TCP or UDP / Good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, Good for HTTP use cases that require static IP addresses

Source : Udemy Ultimate AWS Certified Solutions Architect Associate 2022