Amazon Simple Storage Service Developer Guide
Page Count: 623
- Amazon Simple Storage Service
- Table of Contents
- What Is Amazon S3?
- Introduction to Amazon S3
- Making Requests
- About Access Keys
- Request Endpoints
- Making Requests to Amazon S3 over IPv6
- Making Requests Using the AWS SDKs
- Making Requests Using AWS Account or IAM User Credentials
- Making Requests Using AWS Account or IAM User Credentials - AWS SDK for Java
- Making Requests Using AWS Account or IAM User Credentials - AWS SDK for .NET
- Making Requests Using AWS Account or IAM User Credentials - AWS SDK for PHP
- Making Requests Using AWS Account or IAM User Credentials - AWS SDK for Ruby
- Making Requests Using IAM User Temporary Credentials
- Making Requests Using Federated User Temporary Credentials
- Making Requests Using Federated User Temporary Credentials - AWS SDK for Java
- Making Requests Using Federated User Temporary Credentials - AWS SDK for .NET
- Making Requests Using Federated User Temporary Credentials - AWS SDK for PHP
- Making Requests Using Federated User Temporary Credentials - AWS SDK for Ruby
- Making Requests Using the REST API
- Working with Amazon S3 Buckets
- Creating a Bucket
- Accessing a Bucket
- Bucket Configuration Options
- Bucket Restrictions and Limitations
- Examples of Creating a Bucket
- Deleting or Emptying a Bucket
- Managing Bucket Website Configuration
- Amazon S3 Transfer Acceleration
- Why Use Amazon S3 Transfer Acceleration?
- Getting Started with Amazon S3 Transfer Acceleration
- Requirements for Using Amazon S3 Transfer Acceleration
- Amazon S3 Transfer Acceleration Examples
- Requester Pays Buckets
- Buckets and Access Control
- Billing and Reporting of Buckets
- Working with Amazon S3 Objects
- Object Key and Metadata
- Storage Classes
- Object Subresources
- Object Versioning
- Object Lifecycle Management
- What Is Lifecycle Configuration?
- How Do I Configure a Lifecycle?
- Transitioning Objects: General Considerations
- Expiring Objects: General Considerations
- Lifecycle and Other Bucket Configurations
- Lifecycle Configuration Elements
- ID Element
- Status Element
- Prefix Element
- Elements to Describe Lifecycle Actions
- Examples of Lifecycle Configuration
- Example 1: Specify a Lifecycle Rule for a Subset of Objects in a Bucket
- Example 2: Specify a Lifecycle Rule that Applies to All Objects in the Bucket
- Example 3: Disable a Lifecycle Rule
- Example 4: Tiering Down Storage Class Over Object Lifetime
- Example 5: Specify Multiple Rules
- Example 6: Specify Multiple Rules with Overlapping Prefixes
- Example 7: Specify a Lifecycle Rule for a Versioning-Enabled Bucket
- Example 8: Removing Expired Object Delete Markers
- GLACIER Storage Class: Additional Lifecycle Configuration Considerations
- Specifying a Lifecycle Configuration
- Cross-Origin Resource Sharing (CORS)
- Operations on Objects
- Getting Objects
- Uploading Objects
- Uploading Objects in a Single Operation
- Uploading Objects Using Multipart Upload API
- Multipart Upload Overview
- Using the AWS Java SDK for Multipart Upload (High-Level API)
- Using the AWS Java SDK for Multipart Upload (Low-Level API)
- Using the AWS .NET SDK for Multipart Upload (High-Level API)
- Using the AWS .NET SDK for Multipart Upload (Low-Level API)
- Using the AWS PHP SDK for Multipart Upload (High-Level API)
- Using the AWS PHP SDK for Multipart Upload (Low-Level API)
- Using the AWS SDK for Ruby for Multipart Upload
- Using the REST API for Multipart Upload
- Uploading Objects Using Pre-Signed URLs
- Copying Objects
- Listing Object Keys
- Deleting Objects
- Restoring Archived Objects
- Managing Access Permissions to Your Amazon S3 Resources
- Introduction to Managing Access Permissions to Your Amazon S3 Resources
- Overview of Managing Access
- How Amazon S3 Authorizes a Request
- Related Topics
- How Amazon S3 Authorizes a Request for a Bucket Operation
- Example 1: Bucket Operation Requested by Bucket Owner
- Example 2: Bucket Operation Requested by an AWS Account That Is Not the Bucket Owner
- Example 3: Bucket Operation Requested by an IAM User Whose Parent AWS Account Is Also the Bucket Owner
- Example 4: Bucket Operation Requested by an IAM User Whose Parent AWS Account Is Not the Bucket Owner
- How Amazon S3 Authorizes a Request for an Object Operation
- Guidelines for Using the Available Access Policy Options
- Example Walkthroughs: Managing Access to Your Amazon S3 Resources
- Before You Try the Example Walkthroughs
- Setting Up the Tools for the Example Walkthroughs
- Example 1: Bucket Owner Granting Its Users Bucket Permissions
- Example 2: Bucket Owner Granting Cross-Account Bucket Permissions
- Example 3: Bucket Owner Granting Its Users Permissions to Objects It Does Not Own
- Example 4: Bucket Owner Granting Cross-account Permission to Objects It Does Not Own
- Using Bucket Policies and User Policies
- Access Policy Language Overview
- Common Elements in an Access Policy
- Specifying Resources in a Policy
- Specifying a Principal in a Policy
- Specifying Permissions in a Policy
- Specifying Conditions in a Policy
- Available Condition Keys
- Amazon S3 Condition Keys for Object Operations
- Example 1: Granting s3:PutObject permission with a condition requiring the bucket owner to get full control
- Example 2: Granting s3:PutObject permission requiring objects stored using server-side encryption
- Example 3: Granting s3:PutObject permission to copy objects with a restriction on the copy source
- Example 4: Granting access to a specific version of an object
- Example 5: Restrict object uploads to objects with a specific storage class
- Amazon S3 Condition Keys for Bucket Operations
- Bucket Policy Examples
- Granting Permissions to Multiple Accounts with Added Conditions
- Granting Read-Only Permission to an Anonymous User
- Restricting Access to Specific IP Addresses
- Restricting Access to a Specific HTTP Referrer
- Granting Permission to an Amazon CloudFront Origin Identity
- Adding a Bucket Policy to Require MFA Authentication
- Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control
- Example Bucket Policies for VPC Endpoints for Amazon S3
- User Policy Examples
- Example: Allow an IAM user access to one of your buckets
- Example: Allow each IAM user access to a folder in a bucket
- Example: Allow a group to have a shared folder in Amazon S3
- Example: Allow all your users to read objects in a portion of the corporate bucket
- Example: Allow a partner to drop files into a specific portion of the corporate bucket
- An Example Walkthrough: Using user policies to control access to your bucket
- Background: Basics of Buckets and Folders
- Walkthrough Example
- Step 0: Preparing for the Walkthrough
- Step 1: Create a Bucket
- Step 2: Create IAM Users and a Group
- Step 3: Verify that IAM Users Have No Permissions
- Step 4: Grant Group-Level Permissions
- Step 5: Grant IAM User Alice Specific Permissions
- Step 6: Grant IAM User Bob Specific Permissions
- Step 7: Secure the Private Folder
- Cleanup
- Related Resources
- Managing Access with ACLs
- Protecting Data in Amazon S3
- Protecting Data Using Encryption
- Protecting Data Using Server-Side Encryption
- Protecting Data Using Server-Side Encryption with AWS KMS–Managed Keys (SSE-KMS)
- Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)
- API Support for Server-Side Encryption
- Specifying Server-Side Encryption Using the AWS SDK for Java
- Specifying Server-Side Encryption Using the AWS SDK for .NET
- Specifying Server-Side Encryption Using the AWS SDK for PHP
- Specifying Server-Side Encryption Using the AWS SDK for Ruby
- Specifying Server-Side Encryption Using the REST API
- Specifying Server-Side Encryption Using the AWS Management Console
- Protecting Data Using Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C)
- Using SSE-C
- Presigned URL and SSE-C
- Specifying Server-Side Encryption with Customer-Provided Encryption Keys Using the AWS Java SDK
- Specifying Server-Side Encryption with Customer-Provided Encryption Keys Using the .NET SDK
- Specifying Server-Side Encryption with Customer-Provided Encryption Keys Using the REST API
- Protecting Data Using Client-Side Encryption
- Option 1: Using an AWS KMS–Managed Customer Master Key (CMK)
- Option 2: Using a Client-Side Master Key
- Example: Client-Side Encryption (Option 1: Using an AWS KMS–Managed Customer Master Key (AWS SDK for Java))
- Examples: Client-Side Encryption (Option 2: Using a Client-Side Master Key (AWS SDK for Java))
- Using Reduced Redundancy Storage
- Using Versioning
- How to Configure Versioning on a Bucket
- MFA Delete
- Related Topics
- Examples of Enabling Bucket Versioning
- Managing Objects in a Versioning-Enabled Bucket
- Managing Objects in a Versioning-Suspended Bucket
- Hosting a Static Website on Amazon S3
- Website Endpoints
- Configure a Bucket for Website Hosting
- Example Walkthroughs - Hosting Websites On Amazon S3
- Example: Setting Up a Static Website
- Example: Setting Up a Static Website Using a Custom Domain
- Configuring Amazon S3 Event Notifications
- Overview
- How to Enable Event Notifications
- Event Notification Types and Destinations
- Configuring Notifications with Object Key Name Filtering
- Granting Permissions to Publish Event Notification Messages to a Destination
- Example Walkthrough 1: Configure a Bucket for Notifications (Message Destination: SNS Topic and SQS Queue)
- Example Walkthrough 2: Configure a Bucket for Notifications (Message Destination: AWS Lambda)
- Event Message Structure
- Cross-Region Replication
- Use-case Scenarios
- Requirements
- Related Topics
- What Is and Is Not Replicated
- How to Set Up Cross-Region Replication
- Create an IAM Role
- Add Replication Configuration
- Walkthrough 1: Configure Cross-Region Replication Where Source and Destination Buckets Are Owned by the Same AWS Account
- Walkthrough 2: Configure Cross-Region Replication Where Source and Destination Buckets Are Owned by Different AWS Accounts
- How to Set Up Cross-Region Replication Using the Console
- How to Set Up Cross-Region Replication Using the AWS SDK for Java
- How to Set Up Cross-Region Replication Using the AWS SDK for .NET
- How to Find Replication Status of an Object
- Troubleshooting Cross-Region Replication in Amazon S3
- Cross-Region Replication and Other Bucket Configurations
- Request Routing
- Performance Optimization
- Monitoring Amazon S3 with Amazon CloudWatch
- Logging Amazon S3 API Calls By Using AWS CloudTrail
- Using BitTorrent with Amazon S3
- Using Amazon DevPay with Amazon S3
- Handling REST and SOAP Errors
- Troubleshooting Amazon S3
- Server Access Logging
- Using the AWS SDKs, CLI, and Explorers
- Appendices
- Appendix A: Using the SOAP API
- Appendix B: Authenticating Requests (AWS Signature Version 2)
- Authenticating Requests Using the REST API
- Signing and Authenticating REST Requests
- Using Temporary Security Credentials
- The Authentication Header
- Request Canonicalization for Signing
- Constructing the CanonicalizedResource Element
- Constructing the CanonicalizedAmzHeaders Element
- Positional versus Named HTTP Header StringToSign Elements
- Time Stamp Requirement
- Authentication Examples
- REST Request Signing Problems
- Query String Request Authentication Alternative
- Browser-Based Uploads Using POST (AWS Signature Version 2)
- Amazon S3 Resources
- Document History
- AWS Glossary