{"id":25364,"date":"2017-05-12T19:34:27","date_gmt":"2017-05-12T19:34:27","guid":{"rendered":"https:\/\/www.whizlabs.com\/?p=25364"},"modified":"2024-05-22T10:52:09","modified_gmt":"2024-05-22T05:22:09","slug":"aws-s3-data-security","status":"publish","type":"post","link":"https:\/\/www.whizlabs.com\/blog\/aws-s3-data-security\/","title":{"rendered":"How to secure files in Amazon S3?"},"content":{"rendered":"<p><span lang=\"EN-US\">If you are new to the AWS world, we would like to inform you that <a href=\"http:\/\/www.java2blog.com\/2017\/07\/aws-certification-benefits.html\" target=\"_blank\" rel=\"noopener\">being certified on AWS has great benefits for your career<\/a>. Are you preparing for the\u00a0<\/span><a href=\"https:\/\/www.whizlabs.com\/aws-sysops-administrator-associate\/\"><span lang=\"EN-US\">AWS Certified SysOps Administrator \u2013 Associate certification exam<\/span><\/a><span lang=\"EN-US\">? Are you ready to pass this exam? In this blog, we are writing a series of articles on topics which are covered in the AWS Certified SysOps Associate certification exam. You can subscribe to receive further updates on this topic.<\/span><\/p>\n<p><span lang=\"EN-US\">The SysOps Associate certification exam is the hardest exam at the associate certification level.
We recommend that you pass both the Solutions Architect Associate certification exam and the Developer Associate certification exam before taking\u00a0this exam.<\/span><\/p>\n<p><span lang=\"EN-US\">The AWS Certified SysOps Administrator \u2013 Associate exam validates technical expertise in deployment, management, and operations on the AWS platform.<\/span><\/p>\n<p><span lang=\"EN-US\">The AWS Certified SysOps Administrator \u2013 Associate Level exam validates the candidate\u2019s ability to:<\/span><\/p>\n<ul type=\"disc\">\n<li><span lang=\"EN-US\">Deliver the stability and scalability needed by a business on AWS<\/span><\/li>\n<li><span lang=\"EN-US\">Provision systems,\u00a0services, and deployment automation on AWS<\/span><\/li>\n<li><span lang=\"EN-US\">Ensure data integrity and data security on AWS technology<\/span><\/li>\n<li><span lang=\"EN-US\">Provide guidance on AWS best practices<\/span><\/li>\n<li><span lang=\"EN-US\">Understand and monitor metrics on AWS<\/span><\/li>\n<\/ul>\n<div>\n<figure id=\"attachment_23164\" aria-describedby=\"caption-attachment-23164\" style=\"width: 654px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/05\/aws-s3-data-security.jpgFigure0_SysOpsBlueprint.png\"><img
decoding=\"async\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/05\/Figure0_SysOpsBlueprint.png\" alt=\"Domains covered by the AWS Certified SysOps associate exam\" width=\"654\" height=\"545\" class=\"size-full wp-image-23164\" \/><\/a><figcaption id=\"caption-attachment-23164\" class=\"wp-caption-text\">Domains covered by the AWS Certified SysOps associate exam<\/figcaption><\/figure>\n<\/div>\n<p align=\"center\"><b><i><span lang=\"EN-US\">Figure #0. Domains covered\u00a0by\u00a0the AWS Certified SysOps associate exam<\/span><\/i><\/b><span lang=\"EN-US\"><\/span><\/p>\n<p><span lang=\"EN-US\">You can download the related\u00a0<\/span><a href=\"http:\/\/awstrainingandcertification.s3.amazonaws.com\/production\/AWS_certified_sysops_associate_blueprint.pdf\" target=\"_blank\" rel=\"noopener noreferrer\"><span lang=\"EN-US\">AWS Certified SysOps Administrator \u2013 Associate Level Exam Blueprint<\/span><\/a><span lang=\"EN-US\">\u00a0for more detail about it.<\/span><\/p>\n<p>In this article, we explain the topic <i>ensure data integrity and access controls when using the AWS platform<\/i>, as highlighted in the exam blueprint above.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Context\"><\/span><span lang=\"EN-US\">Context<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span lang=\"EN-US\">Cloud security at AWS is the highest priority. As an AWS customer, you will benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations. Access to your AWS resources should always follow the principle of least privilege. This will ensure better integrity, confidentiality and availability of your AWS resources and data\/information.<\/span><\/p>\n<p><span lang=\"EN-US\">Amazon Web Services Cloud Compliance enables customers to understand the robust controls in place at AWS to maintain security and data protection in the cloud. As systems are built on top of AWS cloud infrastructure, compliance responsibilities will be shared.<\/span><\/p>\n<p><span lang=\"EN-US\">You\u2019re responsible for securing your data, establishing access control lists and encrypting your data to avoid information risks.
AWS provides several ways to secure your data files when you\u2019re using the Amazon Simple Storage Service (Amazon S3), as follows.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"What_is_Amazon_S3\"><\/span><span lang=\"EN-US\">What is Amazon S3?<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span lang=\"EN-US\">Amazon Simple Storage Service (Amazon S3) <\/span><span lang=\"EN-US\">is storage for the Internet. You can use Amazon S3 to store and retrieve any amount of data at any time, from anywhere on the web.<br \/>\nIt\u2019s a simple storage service that offers software developers a highly scalable, reliable, and low-latency data storage infrastructure at very low costs.<\/span><span lang=\"EN-US\"> <\/span><\/p>\n<p><span lang=\"EN-US\">You can store virtually any kind of data in any format.<\/span><span lang=\"EN-US\"> <\/span><span lang=\"EN-US\">The total volume of data and number of objects you can store are unlimited. Individual Amazon S3 objects can range in size from a minimum of 0 bytes to a maximum of 5 terabytes.<\/span><span lang=\"EN-US\"> <\/span><span lang=\"EN-US\">The largest object that can be uploaded in a single PUT is 5 gigabytes. For objects larger than 100 megabytes, customers should consider using the Multipart Upload capability.
<\/span><\/p>\n<p><span lang=\"EN-US\">You can accomplish these tasks using the simple and intuitive web interface of the AWS Management Console.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"How_to_use_S3\"><\/span><span lang=\"EN-US\">How to use S3?<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span lang=\"EN-US\">Amazon S3 provides a simple web service interface that you can use to store and retrieve any amount of data, at any time, from anywhere on the web.<\/span><span lang=\"EN-US\"> <\/span><span lang=\"EN-US\">Amazon S3 is also designed to be highly flexible.<\/span><\/p>\n<p><span lang=\"EN-US\">There are many ways you can use Amazon S3, such as:<\/span><\/p>\n<ul>\n<li><span lang=\"EN-US\"> <\/span><i><span lang=\"EN-US\">Backup and Storage:<\/span><\/i><span lang=\"EN-US\"> Provide data backup and storage services for others.<\/span><\/li>\n<li><span lang=\"EN-US\"> <\/span><i><span lang=\"EN-US\">Application Hosting<\/span><\/i><span lang=\"EN-US\">: Provide services that deploy, install, and manage web applications.<\/span><\/li>\n<li><span lang=\"EN-US\"> <\/span><i><span lang=\"EN-US\">Media Hosting<\/span><\/i><span lang=\"EN-US\">: Build a redundant, scalable, and highly available infrastructure that hosts video, photo, or music uploads and downloads.<\/span><\/li>\n<li><span lang=\"EN-US\"> <\/span><i><span lang=\"EN-US\">Software Delivery: <\/span><\/i><span lang=\"EN-US\">Host your software applications that customers can download.<\/span><\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Controlling_the_access_to_your_files\"><\/span><span lang=\"EN-US\">Controlling the access to your files<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Amazon S3 provides authentication mechanisms to secure data stored in Amazon S3 against unauthorized access.
By default, all Amazon S3 resources\u2014buckets, objects, and related subresources\u2014are private: only the resource owner, the AWS account that created it, can access the resource. The resource owner can optionally grant access permissions to others by writing an access policy.<\/p>\n<p><span lang=\"EN-US\">Amazon S3 offers access policy options broadly categorized as resource-based policies and user policies.<\/span><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"168\" valign=\"top\"><b><span lang=\"EN-US\">Type<\/span><\/b><\/td>\n<td width=\"456\" valign=\"top\"><b><span lang=\"EN-US\">Brief description<\/span><\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"168\" valign=\"top\"><i><span lang=\"EN-US\">Resource-based policies<\/span><\/i><\/td>\n<td width=\"456\" valign=\"top\"><span lang=\"EN-US\">Access policies you attach to your resources (buckets and objects) are referred to as resource-based policies. <\/span><span lang=\"EN-US\">Both bucket policies and access control lists (ACLs) are resource-based policies. <\/span><span lang=\"EN-US\">Each bucket and object has an ACL associated with it. An ACL is a list of grants identifying the grantee and the permission granted. <\/span><span lang=\"EN-US\">For your bucket, you can add a bucket policy to grant other AWS accounts or IAM users permissions for the bucket and the objects in it.<\/span><span lang=\"EN-US\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"168\" valign=\"top\"><i><span lang=\"EN-US\">User policies<\/span><\/i><\/td>\n<td width=\"456\" valign=\"top\"><span lang=\"EN-US\">Access policies you attach to your users in your account are called user policies. <\/span><span lang=\"EN-US\">You can use AWS Identity and Access Management (IAM) to manage access to your Amazon S3 resources.
Using IAM, you can create IAM users, groups, and roles in your account and attach access policies to them, granting them access to AWS resources including Amazon S3.<\/span><span lang=\"EN-US\">\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p align=\"center\"><b><i><span lang=\"EN-US\">Table #1. Types of related policies<\/span><\/i><\/b><\/p>\n<p><span lang=\"EN-US\">You may choose to use resource-based policies, user policies, or some combination of these to manage permissions to your Amazon S3 resources. Amazon S3 supports user authentication to control access to data. A bucket policy is one of the JSON access policy options available for you to grant permissions to your Amazon S3 resources:<\/span><\/p>\n<figure id=\"attachment_26210\" aria-describedby=\"caption-attachment-26210\" style=\"width: 1513px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/05\/s3_bucketpolicy.png\"><img decoding=\"async\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/05\/s3_bucketpolicy.png\" alt=\"An S3 bucket policy sample\" width=\"1513\" height=\"638\" class=\"size-full wp-image-26210\" \/><\/a><figcaption id=\"caption-attachment-26210\" class=\"wp-caption-text\">An S3 bucket policy sample<\/figcaption><\/figure>\n<p align=\"center\"><b><i><span lang=\"EN-US\">Figure #2. A bucket policy sample<\/span><\/i><\/b><\/p>\n<p><span lang=\"EN-US\">You can use access control mechanisms such as bucket policies and Access Control Lists (ACLs) to selectively grant permissions to users and groups of users. You can securely upload\/download your data to Amazon S3 via SSL endpoints using the HTTPS protocol. If you need extra security, you can use the Server Side Encryption (SSE) option or the Server Side Encryption with Customer-Provided Keys (SSE-C) option to encrypt data stored at rest. Amazon S3 provides the encryption technology for both SSE and SSE-C.
Alternatively, you can use your own encryption libraries to encrypt data before storing it in Amazon S3.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Availability_and_Durability_according_to_Type\"><\/span><span lang=\"EN-US\">Availability and Durability according to Type<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>For data protection, the best practice is to have a backup and to put in place safeguards against malicious or accidental user errors. For S3 data files, that best practice includes secure access permissions, Cross-Region Replication, versioning and a functioning, regularly tested backup.<\/p>\n<p><span lang=\"EN-US\">S3 Standard is designed for 99.99% availability, and Amazon S3 buckets in all Regions provide read-after-write consistency for PUTs of new objects and eventual consistency for overwrite PUTs and DELETEs.<\/span><\/p>\n<figure id=\"attachment_26211\" aria-describedby=\"caption-attachment-26211\" style=\"width: 1160px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/05\/s3_types.png\"><img decoding=\"async\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/05\/s3_types.png\" alt=\"Durability and Availability characteristics according to S3 type\" width=\"1160\" height=\"461\" class=\"size-full wp-image-26211\" \/><\/a><figcaption id=\"caption-attachment-26211\" class=\"wp-caption-text\">Durability and Availability characteristics according to S3 type<\/figcaption><\/figure>\n<p align=\"center\"><b><i><span lang=\"EN-US\">Figure #3. Durability and Availability characteristics according to S3 type<\/span><\/i><\/b><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Versioning_Data_Files\"><\/span><span lang=\"EN-US\">Versioning Data Files<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span lang=\"EN-US\">Versioning is a means of keeping multiple variants of an object in the same bucket.
You can use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. With versioning, you can easily recover from both unintended user actions and application failures.<br \/>\nVersioning-enabled buckets enable you to recover objects from accidental deletion or overwrite. You can enable versioning by following these instructions:<\/span><\/p>\n<p><b><span lang=\"EN-US\">To enable or disable versioning on an S3 bucket<\/span><\/b><span lang=\"EN-US\"><\/span><\/p>\n<ol>\n<li><span lang=\"EN-US\"> <\/span><span lang=\"EN-US\">Sign in to the AWS Management Console and open the Amazon S3 console at <\/span><a href=\"https:\/\/console.aws.amazon.com\/s3\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span lang=\"EN-US\">https:\/\/console.aws.amazon.com\/s3\/<\/span><\/a><span lang=\"EN-US\">.<\/span><\/li>\n<li><span lang=\"EN-US\"> <\/span><span lang=\"EN-US\">In the <b>Bucket name<\/b><span>\u00a0<\/span>list, choose the name of the bucket that you want to enable versioning for.<\/span><\/li>\n<li><span lang=\"EN-US\"> <\/span><span lang=\"EN-US\">Choose <b>Properties<\/b> and select the option <b>Versioning<\/b>.
<\/span><\/li>\n<li><span lang=\"EN-US\"> <\/span><span lang=\"EN-US\">Choose <b>Enable versioning<\/b><span>\u00a0<\/span>or<span>\u00a0<\/span><b>Suspend versioning<\/b>, and then choose<span>\u00a0<\/span><b>Save<\/b>, as you can see in the following figure:<\/span><\/li>\n<\/ol>\n<figure id=\"attachment_26213\" aria-describedby=\"caption-attachment-26213\" style=\"width: 1513px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/05\/s3_bucketversioning.png\"><img decoding=\"async\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/05\/s3_bucketversioning.png\" alt=\"Enabling or Suspending Versioning on an S3 bucket\" width=\"1513\" height=\"622\" class=\"size-full wp-image-26213\" \/><\/a><figcaption id=\"caption-attachment-26213\" class=\"wp-caption-text\">Enabling or Suspending Versioning on an S3 bucket<\/figcaption><\/figure>\n<p align=\"center\"><b><i><span lang=\"EN-US\">Figure #4. Enabling or Suspending Versioning on an S3 bucket<\/span><\/i><\/b><\/p>\n<p><span lang=\"EN-US\">Remember that if you suspend versioning on a bucket, from that moment you&#8217;re suspending the creation of new object versions, but the object versions created before are preserved.<\/span><\/p>\n<p><span lang=\"EN-US\">You can optionally add another layer of security by configuring a bucket to enable MFA (Multi-Factor Authentication) Delete, which requires additional authentication for either of the following operations:<\/span><span lang=\"EN-US\"> <\/span><\/p>\n<ul>\n<li><span lang=\"EN-US\"> <\/span><span lang=\"EN-US\">Change the versioning state of your bucket<\/span><\/li>\n<li><span lang=\"EN-US\"> <\/span><span lang=\"EN-US\">Permanently delete an object version<\/span><\/li>\n<\/ul>\n<p><span lang=\"EN-US\">Versioning can be used in conjunction with Lifecycle rules.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Lifecycle_Rules\"><\/span><span
lang=\"EN-US\">Lifecycle Rules<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span lang=\"EN-US\">You can set Lifecycle rules to manage the lifetime and the cost of storing multiple versions of your objects.<br \/>\nLifecycle configuration enables you to specify the lifecycle management of objects in a bucket. The configuration is a set of one or more rules, where each rule defines an action for Amazon S3 to apply to a group of objects.<\/span><\/p>\n<p><span lang=\"EN-US\">These actions can be classified as follows:<\/span><\/p>\n<ul>\n<li><span lang=\"EN-US\"> <\/span><b><i><span lang=\"EN-US\">Transition actions<\/span><\/i><\/b><span lang=\"EN-US\">: In which you define when objects transition to another storage class. For example, you may choose to transition objects to the STANDARD_IA (IA, for infrequent access) storage class 30 days after creation or archive objects to the GLACIER storage class one year after creation.<\/span><\/li>\n<li><span lang=\"EN-US\"> <\/span><b><i><span lang=\"EN-US\">Expiration actions:<\/span><\/i><\/b><span lang=\"EN-US\"> In which you specify when the objects expire. Then Amazon S3 deletes the expired objects on your behalf.<\/span><\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Important_Points_to_Remember_for_the_AWS_Certified_SysOps_Administrator_%E2%80%93_Associate_Certification_exam\"><\/span><span lang=\"EN-US\">Important Points to Remember for the AWS Certified SysOps Administrator \u2013 Associate Certification exam<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul type=\"disc\">\n<li><span lang=\"EN-US\">Amazon S3 is a service that provides storage for the internet. 
You can use it to store and retrieve any amount of data at any time, from anywhere on the web<\/span><span lang=\"EN-US\"><\/span><\/li>\n<li><span lang=\"EN-US\">There is no limit on the total volume of data and number of objects you can store<\/span><\/li>\n<li><span lang=\"EN-US\">All objects stored in S3 can be accessed directly using an Internet URL<\/span><\/li>\n<li><span lang=\"EN-US\">An Amazon S3 object can range in size from 0 bytes to a maximum of 5 terabytes<\/span><\/li>\n<li><span lang=\"EN-US\">You should consider using the Multipart Upload capability when you\u2019re uploading big data files (&gt;100 MB),<\/span><span lang=\"EN-US\"> uploading parts in parallel to improve throughput<\/span><span lang=\"EN-US\"><\/span><\/li>\n<li><span lang=\"EN-US\">You can set an S3 bucket policy to make all data files stored in a bucket public<\/span><span lang=\"EN-US\"><\/span><\/li>\n<li><span lang=\"EN-US\">Amazon S3 provides the encryption technology for both SSE and SSE-C<\/span><span lang=\"EN-US\"><\/span><\/li>\n<li><span lang=\"EN-US\">You should use versioning to preserve, retrieve, and restore any version of an S3 object stored<\/span><span lang=\"EN-US\"><\/span><\/li>\n<li><span lang=\"EN-US\">You can implement a rollback window for your Amazon S3 objects, combining Lifecycle rules and Versioning.<\/span><\/li>\n<li><span lang=\"EN-US\">You could use Amazon CloudFront to serve content as a method of controlling access to your S3 data file content by requiring users to use signed URLs.<\/span><\/li>\n<li><span lang=\"EN-US\">You can enable MFA Delete; it requires an additional authentication before deleting a file<\/span><\/li>\n<\/ul>\n<p><b><span lang=\"EN-US\">Glossary<\/span><\/b><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"107\" valign=\"top\"><b><span lang=\"EN-US\">Term<\/span><\/b><\/td>\n<td width=\"515\" valign=\"top\"><b><span lang=\"EN-US\">Brief description<\/span><\/b><\/td>\n<\/tr>\n<tr>\n<td
width=\"107\" valign=\"top\"><span lang=\"EN-US\">Access Control List\u00a0(ACL)<\/span><\/td>\n<td width=\"515\" valign=\"top\">A document that defines who can access a particular bucket or object. Each bucket and object in Amazon S3 has an ACL. The document defines what each type of user can do, such as write and read permissions.<\/td>\n<\/tr>\n<tr>\n<td width=\"107\" valign=\"top\"><span lang=\"EN-US\">Authenticated Encryption<\/span><span lang=\"EN-US\">\u00a0<\/span><\/td>\n<td width=\"515\" valign=\"top\"><span lang=\"EN-US\">Encryption that provides confidentiality, data integrity, and authenticity assurances of the encrypted data.<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"107\" valign=\"top\"><span lang=\"EN-US\">S3 Access Policy<\/span><\/td>\n<td width=\"515\" valign=\"top\"><span lang=\"EN-US\">A document defining permissions that apply to a user, group, or role; the permissions in turn determine what users can do in an S3 bucket. A policy typically allows access or can also explicitly deny access.<\/span><span lang=\"EN-US\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"107\" valign=\"top\"><span lang=\"EN-US\">Delete Marker<\/span><span lang=\"EN-US\">\u00a0<\/span><\/td>\n<td width=\"515\" valign=\"top\"><span lang=\"EN-US\">An object with a key and version ID, but without content. Amazon S3 inserts delete markers automatically into versioned buckets when an object is deleted.<\/span><span lang=\"EN-US\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"107\" valign=\"top\"><span lang=\"EN-US\">Private Content<\/span><span lang=\"EN-US\">\u00a0<\/span><\/td>\n<td width=\"515\" valign=\"top\"><span lang=\"EN-US\">When using Amazon CloudFront to serve content with an Amazon S3 bucket as the origin, a method of controlling access to your content by requiring users to use signed URLs.
Signed URLs can restrict user access based on the current date and time and\/or the IP addresses that the requests originate from.<\/span><span lang=\"EN-US\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"107\" valign=\"top\"><span lang=\"EN-US\">Versioning<\/span><\/td>\n<td width=\"515\" valign=\"top\"><span lang=\"EN-US\">Every object in Amazon S3 has a key and a version ID. Objects with the same key, but different version IDs can be stored in the same bucket. Versioning is enabled at the bucket layer using PUT Bucket versioning.<\/span><span lang=\"EN-US\">\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b><span lang=\"EN-US\">\u00a0<\/span><\/b><b><span lang=\"EN-US\">Summary<\/span><\/b><\/p>\n<p><span lang=\"EN-US\">In this article, we have explained the data integrity and access controls associated with data file storage in Amazon S3, and how to use access control lists and policies to secure your vital information using security best practices, guaranteeing high availability, continuity and recovery against a disaster.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you are new to the AWS world, we would like to inform you that being certified on AWS has great benefits for your career. Are you preparing for the\u00a0AWS Certified SysOps Administrator \u2013 Associate certification exam? Are you ready to pass this exam? In this blog, we are writing a series of articles on topics which are covered in the AWS Certified SysOps Associate certification exam. You can subscribe to receive further updates on this topic. The SysOps Associate certification exam is the hardest exam at the associate certification level.
We would recommend you pass both solution architect associated [&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":96438,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"default","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[1408,1441],"class_list":["post-25364","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aws-certifications","tag-s3","tag-security"],"uagb_featured_image_src":{"full":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-s3-data-security.jpg",725,282,false],"thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-s3-data-security-150x150.jpg",150,150,true],"medium":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-s3-data-security-300x117.jpg",300,117,true],"medium_large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-s3-data-security.jpg",725,282,false],"large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-s3-data-security.jpg",725,282,false],"1536x1536":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-s3-data-security.jpg",725,282,false],"2048x2048":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-s3-data-security.jpg",725,282,false],"profile_24":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-s3-data-security.jpg",24,9,false],"profile_48":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-s3-data-security.jpg",48,19,false],"profile_96":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-s3-data-security.jpg",96,37,false],"profile_150":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-s3-data-security.jpg",150,58,false],"profile_300":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-s3-data-security.jpg",300,117,false],"tptn_thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-s3-data-security-250x250.jpg",25
0,250,true],"web-stories-poster-portrait":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-s3-data-security-640x282.jpg",640,282,true],"web-stories-publisher-logo":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-s3-data-security-96x96.jpg",96,96,true],"web-stories-thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-s3-data-security-150x58.jpg",150,58,true]},"uagb_author_info":{"display_name":"Pavan Gumaste","author_link":"https:\/\/www.whizlabs.com\/blog\/author\/pavan\/"},"uagb_comment_info":8,"uagb_excerpt":"If you are new to AWS world, we would like to inform you that being certified on AWS has great benefits for your career. Are you preparing for\u00a0AWS Certified SysOps Administrator \u2013 Associate certification exam? \u00a0Are you ready to pass this exam? In this blog, we are writing a series of articles on topics which&hellip;","_links":{"self":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/25364","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/comments?post=25364"}],"version-history":[{"count":6,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/25364\/revisions"}],"predecessor-version":[{"id":96445,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/25364\/revisions\/96445"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media\/96438"}],"wp:attachment":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media?parent=25364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/c
ategories?post=25364"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/tags?post=25364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}