AWS simple storage service


Slide 2

WHAT IS S3?

Object storage
Almost unlimited amount of data, accessible from anywhere
99.999999999% durability (that's eleven nines!)
Cheapest way to store data on AWS
Can even host static websites
Supported BitTorrent distribution of objects, too (AWS has since retired this feature)
Integrates with many AWS services

Slide 3

COMMON USE CASES

Backup and recovery
Data archiving
Data lakes
Hybrid cloud storage
Cloud-native application data


Slide 4

BUCKET – CONTAINER RESOURCE

Logical resource, similar to a directory (the key namespace is actually flat; "/" in keys only imitates folders)
Region-specific, but the bucket name must be globally unique
Has its own set of access policies and ACLs
Has multiple bucket-wide options:
Versioning
Lifecycle management
Logging
Notifications
Cross-region replication
And many more

Slide 5

OBJECT – KEY-VALUE RESOURCE

An object is a key-value pair: the key is the file name, the value is the content
Can be versioned
Metadata is a set of key-value pairs that store information about an object
Has subresources, such as ACL (and, before AWS retired BitTorrent support, torrent)
Each object has a storage class associated with it

Slide 6

STORAGE CLASSES

Standard (STANDARD & RRS) – default storage class
STANDARD – millisecond access times, full durability/availability
RRS – reduced redundancy storage – is meaningless now, don't use it
Infrequent access (STANDARD_IA & ONEZONE_IA) – for infrequently accessed files
STANDARD_IA: millisecond access times, cheaper storage, expensive requests
ONEZONE_IA: like STANDARD_IA but kept in a single Availability Zone, so it is less available/resilient and somewhat cheaper
Suitable for files over 128 KB that you plan to store for at least 30 days (smaller or shorter-lived objects are billed as if they met these minimums)
Glacier – for archiving data
Not available in real time! You need to restore objects first
Very cheap storage, very expensive requests

Slide 7

STORAGE CLASSES – IN NUMBERS


Slide 8

VERSIONING

Off by default
Useful to prevent unintended deletions or overwrites
Once versioning is enabled, you cannot disable it (you can still suspend it)
Each object version is stored separately (takes more space)
A GET request returns the latest version by default – you can specify a version id to get a specific version
A DELETE request does not delete all versions, it just puts a delete marker as the current version. You can still permanently delete specific versions of an object by version id, and deleting the delete marker itself makes the previous version current again
Consequence: a "deleted" object (a secret committed by mistake, say) is still readable by anyone allowed s3:GetObjectVersion until the version itself is removed
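The rules above are easy to get wrong in practice, so here is an in-memory model of them. This is an added illustration written for this page, not S3 or any AWS library: version ids are generated locally (real ones are opaque strings), and the object contents are constructed sample data.

```python
"""In-memory model of S3 versioning semantics (added illustration; not S3 or AWS code).

Rules modelled: every PUT stores a new version, GET without a version id
returns the current version, a plain DELETE only adds a delete marker, and a
DELETE that names a version id removes that version for good.
"""
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass
class Version:
    version_id: str
    body: Optional[bytes]        # None for a delete marker
    is_delete_marker: bool = False


class VersionedBucket:
    """Bucket with versioning enabled; it can only be suspended, never disabled."""

    def __init__(self) -> None:
        self._versions = {}      # key -> list of Version, oldest first
        self._ids = count(1)     # local stand-in for S3's opaque version ids
        self.suspended = False

    def _new_id(self) -> str:
        return f"v{next(self._ids):03d}"

    def _drop_null(self, versions: list) -> None:
        # While suspended, S3 keeps a single "null" version per key and overwrites it.
        versions[:] = [v for v in versions if v.version_id != "null"]

    def put(self, key: str, body: bytes) -> str:
        versions = self._versions.setdefault(key, [])
        if self.suspended:
            self._drop_null(versions)
            versions.append(Version("null", body))
            return "null"
        vid = self._new_id()
        versions.append(Version(vid, body))
        return vid

    def get(self, key: str, version_id: Optional[str] = None) -> bytes:
        """Current version unless a version id is given; a current delete
        marker makes the key look deleted (404 NoSuchKey)."""
        versions = self._versions.get(key, [])
        if version_id is None:
            if not versions or versions[-1].is_delete_marker:
                raise KeyError(f"NoSuchKey: {key}")
            return versions[-1].body
        for v in versions:
            if v.version_id == version_id:
                if v.is_delete_marker:
                    raise KeyError(f"MethodNotAllowed: {version_id} is a delete marker")
                return v.body
        raise KeyError(f"NoSuchVersion: {key}@{version_id}")

    def delete(self, key: str, version_id: Optional[str] = None) -> Optional[str]:
        """No version id: insert a delete marker and return its id; older
        versions stay readable by id. With a version id: permanent removal.
        Deleting the marker itself makes the previous version current again."""
        versions = self._versions.setdefault(key, [])
        if version_id is None:
            if self.suspended:
                self._drop_null(versions)
            vid = "null" if self.suspended else self._new_id()
            versions.append(Version(vid, None, is_delete_marker=True))
            return vid
        remaining = [v for v in versions if v.version_id != version_id]
        if len(remaining) == len(versions):
            raise KeyError(f"NoSuchVersion: {key}@{version_id}")
        versions[:] = remaining
        return None

    def list_versions(self, key: str) -> list:
        """ListObjectVersions for one key: (version id, is delete marker), oldest first."""
        return [(v.version_id, v.is_delete_marker) for v in self._versions.get(key, [])]


def demo() -> dict:
    """Walk the slide's rules on a constructed object; returns what was observed."""
    b = VersionedBucket()
    v1 = b.put("config.yml", b"password: hunter2")       # constructed sample content
    v2 = b.put("config.yml", b"password: <redacted>")
    marker = b.delete("config.yml")                        # plain DELETE: marker only
    seen = {}
    try:
        b.get("config.yml")
        seen["looks_deleted"] = False
    except KeyError:
        seen["looks_deleted"] = True
    # The "deleted" secret is still there for anyone allowed s3:GetObjectVersion.
    seen["old_version_body"] = b.get("config.yml", v1)
    b.delete("config.yml", marker)                         # remove the marker: v2 is current again
    seen["restored_body"] = b.get("config.yml")
    b.delete("config.yml", v1)                             # the only way to really get rid of v1
    seen["remaining"] = b.list_versions("config.yml")
    return seen


if __name__ == "__main__":
    print(demo())
```

The model also covers the suspended state: a suspended bucket keeps exactly one "null" version per key and overwrites it, which is why suspending does not give you back the space older versions already occupy.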

Slide 9

ACL – ACCESS CONTROL LISTS

A resource-based access policy
Applies both to buckets and objects, each has an ACL attached as a subresource
Works on account / group level
Can be used to grant read/write permissions to other accounts
Limitations:
Cannot be used to grant permissions to IAM users
No conditional permissions
No deny rules
Because of these limitations AWS now recommends bucket policies instead, and new buckets default to ACLs disabled (Object Ownership set to "bucket owner enforced")

Slide 10

ACL - GRANTEE

A Grantee is an entity that receives permissions
A Grantee could be:
An AWS account (identified by a Canonical User Id)
A predefined group (represented by a URL):
Authenticated Users (http://acs.amazonaws.com/groups/global/AuthenticatedUsers) – any AWS account at all, so effectively public
All Users (http://acs.amazonaws.com/groups/global/AllUsers) – anyone, including unauthenticated requests
Log Delivery (http://acs.amazonaws.com/groups/s3/LogDelivery) – the group S3 writes access logs as
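The two global groups are what turns a bucket or object public through its ACL, so the check a practitioner wants is "which grants name them, and with what permission". The following is an added example written for this page, not AWS code: it parses the AccessControlPolicy XML that a GET ?acl request returns and reports grants to AllUsers or AuthenticatedUsers. The permission names (READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL) are S3's; the sample document and the canonical id in it are constructed.

```python
"""Spot public grants in an S3 ACL (added example, not AWS code)."""
import xml.etree.ElementTree as ET
from typing import NamedTuple

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# The predefined groups from the slide, with how to describe them in a finding
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone, no credentials needed",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account (effectively public)",
}
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"  # normal on a log target bucket
# Permissions that let the grantee change data or the ACL itself
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


class Finding(NamedTuple):
    grantee: str
    permission: str
    severity: str
    detail: str


def parse_grants(acl_xml: str) -> list:
    """Return (grantee xsi:type, grantee id/URI/email, permission) per Grant."""
    # ET is adequate for XML the S3 API returns; use defusedxml for untrusted input.
    root = ET.fromstring(acl_xml)
    grants = []
    for grant in root.findall("s3:AccessControlList/s3:Grant", NS):
        grantee = grant.find("s3:Grantee", NS)
        permission = grant.findtext("s3:Permission", default="", namespaces=NS)
        gtype = grantee.get(XSI_TYPE, "CanonicalUser")
        field = {"Group": "s3:URI", "AmazonCustomerByEmail": "s3:EmailAddress"}.get(gtype, "s3:ID")
        grants.append((gtype, grantee.findtext(field, default="", namespaces=NS), permission))
    return grants


def public_grants(acl_xml: str) -> list:
    """Findings for every grant to AllUsers or AuthenticatedUsers. Write-like
    permissions allow defacement or taking over the ACL, so they rank higher."""
    findings = []
    for gtype, ident, permission in parse_grants(acl_xml):
        if gtype == "Group" and ident in PUBLIC_GROUPS:
            severity = "critical" if permission in WRITE_LIKE else "high"
            findings.append(Finding(ident.rsplit("/", 1)[-1], permission, severity, PUBLIC_GROUPS[ident]))
    return findings


# Constructed sample: owner keeps FULL_CONTROL, the bucket is world-listable,
# any AWS account may write to it, and the log-delivery group has its usual WRITE.
SAMPLE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>1111111111111111111111111111111111111111111111111111111111111111</ID></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>1111111111111111111111111111111111111111111111111111111111111111</ID>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
      </Grantee>
      <Permission>WRITE</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/s3/LogDelivery</URI>
      </Grantee>
      <Permission>WRITE</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
"""

if __name__ == "__main__":
    for f in public_grants(SAMPLE_ACL):
        print(f"[{f.severity}] {f.permission} granted to {f.grantee}: {f.detail}")
```

Note what the check does not flag: the LogDelivery grant is the one S3 itself needs on a log target bucket, and READ on a bucket ACL means "list the bucket", not "read every object" (object ACLs are separate subresources and need the same check each).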

Slide 11

ACL - PERMISSION

Permissions describe which actions a Grantee is allowed to perform on a resource
You can grant the following permissions:

Slide 12

ACL – CANNED ACL


Slide 13

POLICIES – POLICY LANGUAGE

JSON-based documents
User policies (IAM) and Bucket policies (S3)
Policies consist of the following sections:
Resources: buckets and objects in S3, identified by ARN
Actions: for each resource you can define a set of operations that will be allowed or denied
Effect: Allow or Deny
Principal: account, user, service, or other entity affected by the policy (bucket policies only; an IAM user policy applies to the identity it is attached to)
Condition (optional): lets you specify conditions for when your policy is in effect

Slide 14

POLICIES – AN EXAMPLE

{
  "Version": "2012-10-17",
  "Id": "ExamplePolicy01",
  "Statement": [{
    "Sid": "ExampleStatement01",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::Account-ID:user/Dave"
    },
    "Action": [
      "s3:GetObject",
      "s3:GetBucketLocation",
      "s3:ListBucket"
    ],
    "Resource": [
      "arn:aws:s3:::examplebucket/*",
      "arn:aws:s3:::examplebucket"
    ]
  }]
}

Slide 15

POLICIES – SPECIFYING RESOURCES

Resources are specified by ARN
ARN format: arn:partition:service:region:namespace:relative-id
Partition: commonly just "aws", "aws-cn" in China
Service: "s3" in our case
Region: not needed for S3
Namespace (account id): not needed for S3
Relative-id: either bucket-name or bucket-name/object-key
You can use wildcards (* and ?), but they cannot span the colon-separated segments of the ARN (inside the object key, * does match "/": arn:aws:s3:::examplebucket/* covers every key in the bucket, however deeply "nested")
You can also use policy variables, such as ${aws:username} (requires version 2012-10-17)

Slide 16

POLICIES – SPECIFYING PRINCIPALS

Can be an account, user, service, or other entity
To grant permissions to an account:
"Principal":{"AWS":"arn:aws:iam::accountid:root"}
"Principal":{"CanonicalUser":"canonical_user_id"}
To grant permissions to a user:
"Principal":{"AWS":"arn:aws:iam::accountid:user/username"}
To grant permissions to everyone:
"Principal":"*"
"Principal":{"AWS":"*"}
Both forms mean anonymous access: in a bucket policy, "AWS":"*" is not limited to authenticated AWS principals. Unless the bucket is meant to be public, pair a wildcard principal with a Condition that pins down the source (or do not use one at all)

Slide 17

POLICIES – SPECIFYING PERMISSION

Permissions are keywords that map to S3 operations (GET, PUT, DELETE, etc).
Format: s3: followed by Action, Resource and Property joined together, as the examples below show
Common Actions are: Get, Put/Create, Delete, Abort, Restore, List
Common Resources are: Object, Bucket, MultipartUpload
Common Properties: Acl, Version, Tagging, Parts
Wildcards are allowed (s3:* grants every S3 operation; avoid it in bucket policies with a broad principal)
Examples:
s3:ListBucket
s3:List*
s3:GetBucketAcl
s3:DeleteObjectVersion

Slide 18

POLICIES – SPECIFYING CONDITIONS

Access policies allow you to specify conditions when a policy takes effect
Use Boolean operators and special expressions to match your condition against values in the request
Typical S3 examples: aws:SecureTransport (deny plaintext HTTP), aws:SourceIp / aws:SourceVpce (restrict where requests come from), s3:x-amz-acl (refuse uploads that would make an object public)
https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html
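Slides 13 to 18 describe the pieces of a bucket policy one at a time; the example below puts them together as a static check you can run over a policy document before deploying it. It is an added example written for this page, not AWS code and not a replacement for IAM's real evaluation engine: it models only StringEquals, StringNotEquals, StringLike and Bool conditions, ignores NotPrincipal/NotAction/NotResource, and the list of "restricting" condition keys (the ones that tie a wildcard principal to a known source) is this example's own simplification, not an AWS-published list. The policy, VPC endpoint id and request contexts are constructed samples.

```python
"""Static check of an S3 bucket policy for anonymous access (added example; not AWS code)."""
import re
from typing import Any

# Condition keys that narrow *who* or *where from*. A wildcard principal guarded by one of
# these is not public. aws:SecureTransport is deliberately absent: it only demands TLS,
# it does not limit the caller. (Simplified list for this example, not AWS's.)
RESTRICTING_KEYS = {
    "aws:sourceip", "aws:sourcevpc", "aws:sourcevpce", "aws:sourcearn", "aws:sourceaccount",
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
}


def as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style matching: '*' is any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_anonymous_principal(principal: Any) -> bool:
    """Both "*" and {"AWS": "*"} grant to everyone, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))


def condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block against request context values.
    A key missing from the context never matches (IAM behaviour without ...IfExists)."""
    ctx = {k.lower(): str(v) for k, v in context.items()}
    for operator, clauses in condition.items():
        for key, wanted in clauses.items():
            actual = ctx.get(key.lower())
            if actual is None:
                return False
            wanted = [str(w) for w in as_list(wanted)]
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringNotEquals":
                ok = actual not in wanted
            elif operator == "StringLike":
                ok = any(wildcard_match(w, actual) for w in wanted)
            elif operator == "Bool":
                ok = actual.lower() in {w.lower() for w in wanted}
            else:
                raise ValueError(f"operator {operator} is not modelled in this example")
            if not ok:
                return False
    return True


def statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """Action names are case-insensitive, resource ARNs are not."""
    return any(wildcard_match(a, action, ignore_case=True) for a in as_list(stmt.get("Action", []))) \
        and any(wildcard_match(r, resource) for r in as_list(stmt.get("Resource", [])))


def public_statements(policy: dict) -> list:
    """Sids of Allow statements open to anyone and not tied to a source."""
    found = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or not is_anonymous_principal(stmt.get("Principal")):
            continue
        keys = {k.lower() for clauses in stmt.get("Condition", {}).values() for k in clauses}
        if not keys & RESTRICTING_KEYS:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def anonymous_can(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Would an unauthenticated request succeed? Only statements whose principal
    includes "*" apply; an explicit Deny beats any Allow; no Allow means deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        if not statement_matches(stmt, action, resource):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed sample policy: one genuinely public statement, one wildcard principal that is
# locked to a (made-up) VPC endpoint, and a deny for plaintext HTTP.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::examplebucket/public/*"},
        {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:List*", "Resource": "arn:aws:s3:::examplebucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    print("public statements:", public_statements(SAMPLE_POLICY))
    https = {"aws:SecureTransport": "true"}
    print("anon GET public/index.html over TLS:",
          anonymous_can(SAMPLE_POLICY, "s3:GetObject", "arn:aws:s3:::examplebucket/public/index.html", https))
    print("anon ListBucket from outside the VPC:",
          anonymous_can(SAMPLE_POLICY, "s3:ListBucket", "arn:aws:s3:::examplebucket", https))
```

Two points the run makes concrete: VpcOnlyList uses the "AWS":"*" form that the previous slide calls "everyone", yet it is not reported as public because its condition pins the source; and a Deny on aws:SecureTransport protects the transport without making anything less public, which is why it is not in the restricting set.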
File name: AWS-simple-storage-service.pptx