2. Agenda
What is Amazon S3?
Storage Classes
Namespace
Security
Server Side encryption
Access Control
S3 APIs
3. But before that...
What?
- Cloud computing, also called on-demand computing, is a kind of Internet-based computing that provides shared processing resources.
- Resources being:
  - Networks
  - Servers
  - Storage
  - Applications and services
Why "cloud"?
- The term cloud is used as a metaphor for the Internet.
- So by itself it means nothing. Just a nice word, and now it's hot....
5. What is Amazon S3?
Amazon S3 stands for Simple Storage Service.
S3 is a web object store, not a file system. Objects are written whole and are immutable: there is no partial update or append, you replace the entire object to change it ("write once"), and it can then be read any number of times ("read many").
Durability comes from S3 storing copies of each object across multiple Availability Zones within the region.
Historically S3 was eventually consistent for overwrite PUTs and DELETEs (a read right after an overwrite could return the old object); since December 2020 it provides strong read-after-write consistency for all operations.
S3 is secure, durable and highly scalable. It is accessed via APIs (REST; the SOAP API is deprecated).
Server-side encryption of data at rest.
Data is stored with 99.999999999% (eleven nines) durability.
Objects range from 0 bytes to 5 TB (a single PUT is limited to 5 GB; larger objects use multipart upload).
A bedrock architectural component for many applications:
Dropbox, Bitcasa, and Tahoe-LAFS-on-S3, among others, use S3 for online backup and synchronization services. Tumblr, Spotify, and Pinterest host media on S3.
8. Cloud Storage Classes
Standard
● Designed to provide high durability and high availability.
● Designed to sustain the concurrent loss of data in two facilities (Availability Zones).
● For objects you want to keep with high durability.
● E.g. the master copy of a movie.
Reduced Redundancy Storage (RRS)
● Designed to provide less redundancy than Standard, with the same availability.
● Reduces cost by storing data at a lower level of redundancy than Standard storage.
● For objects you can afford to lose or can recreate.
● E.g. a different encoding of the same movie.
● RRS is now a legacy class: AWS no longer recommends it and Standard is cheaper, so there is no reason to choose it for new data.
Glacier
● Suitable for archiving data where access is infrequent and a retrieval time of several hours is acceptable.
● Uses the very low cost Amazon Glacier service, managed through S3 (objects move there via a lifecycle rule).
● For objects you want to archive and rarely use.
● E.g. a digital archive of old movie media.
9. Namespaces
S3 consists of buckets and objects. A single bucket can hold any number of objects.
Globally unique
Bucket names are globally unique across all AWS accounts and regions, so a name you want may already be owned by someone else.
bucket name + object name (key) => uniquely identifies each object in S3. Every object is addressed through the bucket and key combination.
Buckets look like directories but the key space inside a bucket is flat: the key is the whole "path".
Object keys must be unique within the bucket.
Max 1024 bytes of UTF-8 (the limit is in bytes, not characters).
Keys can carry a "path" prefix such as photos/2007/; the console and the List API's Prefix and Delimiter parameters use it to emulate folders.
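The two points above that trip people up, the byte limit on keys and folders being an illusion over a flat key space, worked in Python as an added example (this is not code from the original deck). The key list is constructed for the example; the listing function emulates what the service's ListObjects call does with Prefix and Delimiter.

```python
MAX_KEY_BYTES = 1024

# Constructed key list standing in for a bucket's contents (not from the original deck).
KEYS = [
    "photos/2007/puppy.jpg",
    "photos/2007/kitten.jpg",
    "photos/2008/dog.jpg",
    "photos/index.html",
    "readme.txt",
]


def validate_key(key):
    """Object keys are UTF-8 strings of at most 1024 bytes. The limit is in bytes,
    so a key of 513 two-byte characters is already over it."""
    if not isinstance(key, str) or key == "":
        raise ValueError("key must be a non-empty string")
    size = len(key.encode("utf-8"))
    if size > MAX_KEY_BYTES:
        raise ValueError(f"key is {size} bytes; the limit is {MAX_KEY_BYTES}")
    return key


def key_is_valid(key):
    """Boolean form of validate_key for callers that just want a yes/no."""
    try:
        validate_key(key)
        return True
    except ValueError:
        return False


def list_objects(keys, prefix="", delimiter=""):
    """Emulate ListObjects with Prefix and Delimiter over a flat key space.
    Keys that contain the delimiter after the prefix are rolled up into one
    CommonPrefixes entry (the 'folder'); the rest come back as Contents.
    Returns (contents, common_prefixes), both sorted."""
    contents, common = [], set()
    for key in sorted(keys):
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter and delimiter in rest:
            common.add(prefix + rest.split(delimiter, 1)[0] + delimiter)
        else:
            contents.append(key)
    return contents, sorted(common)


if __name__ == "__main__":
    print(list_objects(KEYS, "photos/", "/"))
    print(key_is_valid("é" * 513))
```

Nothing in the bucket changes when a "folder" appears or disappears in a listing; only the keys exist, which is why a prefix alone is not an access boundary and why policies on arn:aws:s3:::mybucket/photos/* match on the key string, not on any directory object.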
11. Security
S3 is a regional service.
Data never leaves the region unless you move it (cross-region replication, copies, or downloads).
Server-Side Encryption
Automatic encryption of data at rest.
Strong AES-256.
Enabled with a single PUT request header: x-amz-server-side-encryption: AES256.
Self-managed keys (SSE-S3): no key store for you to run. Where you need your own keys or an audit trail of key use, S3 also offers SSE-KMS (header value aws:kms) and SSE-C (a customer-provided key sent with each request). Since January 2023 SSE-S3 is applied by default to every new object.
Server-side encryption only protects the stored bytes; any caller that is authorised to read the object gets plaintext, so access control (next slide) is what actually prevents exposure.
13. Access Control
S3 provides IAM (Identity and Access Management) policies, bucket policies and ACLs.
Use these to define rules for sharing objects or buckets.
IAM policies
● Fine grained.
● Provide role-based access.
● Apply policies at role, user and group level. The policy is attached to the identity, so it carries no Principal element.
● Example: Allow the users Bob and John the action PutObject on the resource arn:aws:s3:::mybucket/*.
Bucket policies
● Fine grained.
● Applied to the bucket, from the AWS console or the API.
● Incorporate user restrictions without editing each user's IAM policy: the bucket policy names its Principals.
● Example: Allow the principals Bob and John the action PutObject on the resource arn:aws:s3:::mybucket/* in My bucket.
ACLs
● Coarse grained: a fixed set of grants (READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL), no conditions.
● Apply access control at object or bucket level.
● Example: grant Bob and John Read on My Object in My bucket.
● ACLs are the legacy mechanism. AWS recommends disabling them (Object Ownership set to bucket owner enforced, the default for buckets created since April 2023) and expressing everything in policies.
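The PutObject rule drawn on this slide, written out both as a bucket policy (with Principals) and as an IAM policy (without), beside the weak policy that turns a bucket public, plus a small linter for that mistake. This is an added example, not code from the original deck; the policies are constructed and the account id 111122223333 is a placeholder.

```python
import json

ACCOUNT = "111122223333"  # placeholder account id

# Bucket policy form of the slide's rule: Bob and John may PutObject into mybucket.
ALLOW_BOB_JOHN_PUT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowBobJohnPut",
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:user/Bob",
                              f"arn:aws:iam::{ACCOUNT}:user/John"]},
        "Action": ["s3:PutObject"],
        "Resource": ["arn:aws:s3:::mybucket/*"],
    }],
}

# IAM policy form: attached to Bob and John themselves, so there is no Principal.
IAM_PUT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PutIntoMyBucket",
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": ["arn:aws:s3:::mybucket/*"],
    }],
}

# Constructed weak policy: the classic "public bucket" mistake.
PUBLIC_EVERYTHING = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
    }],
}


def _as_list(value):
    """Policy elements may be a single string/dict or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for the two spellings of 'anyone on the Internet'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_policy_issues(policy):
    """Return human-readable findings for Allow statements that are too broad."""
    issues = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = st.get("Sid", f"statement[{i}]")
        if _principal_is_anyone(st.get("Principal")) and "Condition" not in st:
            issues.append(f"{sid}: anonymous principal '*' with no Condition (public access)")
        actions = _as_list(st.get("Action", []))
        if any(a in ("*", "s3:*") for a in actions):
            issues.append(f"{sid}: wildcard action {actions}")
        if "*" in _as_list(st.get("Resource", [])):
            issues.append(f"{sid}: wildcard resource '*'")
    return issues


def lint_policy_json(text):
    """Entry point for a policy document fetched as a JSON string."""
    return find_policy_issues(json.loads(text))


if __name__ == "__main__":
    for name, pol in [("bucket policy", ALLOW_BOB_JOHN_PUT), ("iam policy", IAM_PUT_POLICY),
                      ("public", PUBLIC_EVERYTHING)]:
        print(name, find_policy_issues(pol) or "ok")
```

To run it against a real bucket, feed it the output of `aws s3api get-bucket-policy --bucket mybucket --query Policy --output text`. A Principal of `*` is only acceptable when a Condition pins it down (for example to a VPC endpoint or a source IP range), which is why the check treats the missing Condition, not the wildcard alone, as the finding.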
14. S3 API
Accessible through SOAP and REST APIs (SOAP is deprecated; use REST).
In S3 the operations can be divided into 3 categories:
- Operations on the service.
Get the list of all buckets owned by the authenticated sender of the request.
- Operations on buckets.
- Operations on objects.
The caller must have an Access Key ID and a Secret Access Key.
- Long-term keys are created through IAM; temporary credentials (key, secret and a session token) come from STS and expire on their own.
- The secret never goes on the wire; it is only used to compute a signature over the request.
String to sign
- Every request has a different string to sign, so a captured signature cannot be reused for a different request.
15. S3 Authentication - Client side
(This is Signature Version 2: HMAC-SHA1 over a string to sign. AWS now recommends Signature Version 4, which uses HMAC-SHA256 with a signing key derived from the secret, and newer regions accept only SigV4; the outline below is the same.)
Request
GET /foo/bar.jpg HTTP/1.1
Host: johnsmith.s3.amazonaws.com
Date: Mon, 26 Mar 2007 19:37:58 +0000
● Create the request.
● Create the HMAC-SHA1 signature.
String to Sign format:
StringToSign = HTTP-Verb + "\n" +
    Content-MD5 + "\n" +
    Content-Type + "\n" +
    Date + "\n" +
    CanonicalizedAmzHeaders +
    CanonicalizedResource;
String to Sign for this request (Content-MD5 and Content-Type are empty, there are no x-amz-* headers, and the bucket name taken from the Host header is prepended to the path):
GET\n
\n
\n
Mon, 26 Mar 2007 19:37:58 +0000\n
/johnsmith/foo/bar.jpg
Signature = Base64( HMAC-SHA1( Secret Access Key, String to Sign ) )
The secret never leaves the client; only the Access Key ID (which identifies the caller) and the signature travel with the request.
● Send the request, carrying the signature in the Authorization header:
GET /foo/bar.jpg HTTP/1.1
Host: johnsmith.s3.amazonaws.com
Date: Mon, 26 Mar 2007 19:37:58 +0000
Authorization: AWS AWSAccessKeyId:Signature
16. S3 Authentication - Server side
Request received:
GET /foo/bar.jpg HTTP/1.1
Host: johnsmith.s3.amazonaws.com
Date: Mon, 26 Mar 2007 19:37:58 +0000
Authorization: AWS AWSAccessKeyId:Signature
● Retrieve the Access Key ID from the Authorization header and look up the matching Secret Access Key (the secret was never sent; the server already holds it).
● Rebuild the String to Sign from the request as received and create the HMAC-SHA1 signature:
Calculated Signature = Base64( HMAC-SHA1( Secret Access Key, String to Sign ) )
● Compare the two signatures, the calculated one and the one in the header, using a constant-time comparison.
Yes: request is authenticated.
No: request authentication fails.
Because the Date is part of the string to sign, S3 also rejects requests whose Date is more than 15 minutes away from its own clock; that bounds how long a captured, validly signed request can be replayed.
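The client-side flow on slide 15 and the server-side check on slide 16, worked in Python as an added example (this is not code from the original deck). It plays both sides offline: the credentials are the placeholder pair AWS uses in its own documentation, the key store is a hypothetical dictionary standing in for AWS's internal one, and the `now` parameter stands in for the server clock. It also signs a PUT carrying the `x-amz-server-side-encryption: AES256` header from slide 11, to show that x-amz-* headers are covered by the signature and cannot be stripped or altered on the way.

```python
import base64
import hashlib
import hmac
from email.utils import parsedate_to_datetime

# Constructed credentials: the placeholder pair from AWS documentation, not a real key.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# Hypothetical server-side key store: access key id -> secret access key.
KEY_STORE = {ACCESS_KEY_ID: SECRET_ACCESS_KEY}

# The request from the slide (virtual-host style bucket in the Host header).
GET_HEADERS = {"Host": "johnsmith.s3.amazonaws.com",
               "Date": "Mon, 26 Mar 2007 19:37:58 +0000"}

# The same object uploaded with SSE-S3; the x-amz-* header joins the string to sign.
PUT_HEADERS = {"Host": "johnsmith.s3.amazonaws.com",
               "Date": "Mon, 26 Mar 2007 19:37:58 +0000",
               "Content-Type": "image/jpeg",
               "x-amz-server-side-encryption": "AES256"}

CLOCK_SKEW_LIMIT_SECONDS = 15 * 60


def canonicalized_resource(host, path):
    """Virtual-host style: the bucket named in Host is prepended to the path."""
    suffix = ".s3.amazonaws.com"
    if host.endswith(suffix):
        return "/" + host[:-len(suffix)] + path
    return path


def canonicalized_amz_headers(headers):
    """Lower-case every x-amz-* name, sort, one 'name:value' line each, newline-terminated."""
    amz = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname.startswith("x-amz-"):
            amz.setdefault(lname, []).append(value.strip())
    return "".join(f"{n}:{','.join(v)}\n" for n, v in sorted(amz.items()))


def string_to_sign(method, path, headers):
    """The SigV2 StringToSign exactly as the slide's format line describes it."""
    h = {k.lower(): v for k, v in headers.items()}
    return (method + "\n"
            + h.get("content-md5", "") + "\n"
            + h.get("content-type", "") + "\n"
            + h.get("date", "") + "\n"
            + canonicalized_amz_headers(headers)
            + canonicalized_resource(h["host"], path))


def signature(secret, sts):
    """Base64( HMAC-SHA1( secret, string to sign ) )."""
    mac = hmac.new(secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def client_sign(method, path, headers, key_id=ACCESS_KEY_ID, secret=SECRET_ACCESS_KEY):
    """Client side: return the headers plus the Authorization header. The secret stays here."""
    signed = dict(headers)
    signed["Authorization"] = f"AWS {key_id}:{signature(secret, string_to_sign(method, path, headers))}"
    return signed


def server_verify(method, path, headers, now=None):
    """Server side: parse Authorization, look up the secret, recompute, compare.
    `now` is an HTTP date string standing in for the server clock (assumption made
    for this offline example); requests outside the skew window are refused."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("AWS ") or ":" not in auth:
        return False
    key_id, presented = auth[4:].split(":", 1)
    secret = KEY_STORE.get(key_id)
    if secret is None:
        return False
    if now is not None:
        try:
            skew = abs((parsedate_to_datetime(now) - parsedate_to_datetime(headers["Date"])).total_seconds())
        except (KeyError, TypeError, ValueError):
            return False
        if skew > CLOCK_SKEW_LIMIT_SECONDS:
            return False
    unsigned = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    expected = signature(secret, string_to_sign(method, path, unsigned))
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8"))


if __name__ == "__main__":
    signed = client_sign("PUT", "/foo/bar.jpg", PUT_HEADERS)
    print(signed["Authorization"])
    print("verifies:", server_verify("PUT", "/foo/bar.jpg", signed))
    tampered = dict(signed)
    tampered["x-amz-server-side-encryption"] = "aws:kms"
    print("tampered header verifies:", server_verify("PUT", "/foo/bar.jpg", tampered))
```

Two things the run makes visible: changing any signed field (path, Date, an x-amz-* header) invalidates the signature without the secret ever being exchanged, and the Date check is what stops a captured request from being replayed indefinitely. Headers that are not in the string to sign (Range, for instance) are not protected by SigV2, one of the reasons SigV4 signs an explicit list of headers.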
17. Operations on Buckets
Standard operations
Put Bucket - Creates the bucket if it does not exist (the region is fixed at creation via LocationConstraint).
Get Bucket - Lists the objects within the bucket.
Delete Bucket - Deletes the bucket. The bucket must be empty: all objects (and, if versioning is on, all versions and delete markers) must be deleted first.
Other operations
Bucket lifecycle configuration - Set the lifecycle of objects within the bucket (transition to another storage class, expire, abort stale multipart uploads).
Bucket policies - Set policies on the bucket.
Bucket location - Get the region the bucket was created in.
Bucket notification - Receive notifications when certain events happen in your bucket.
Bucket logging - Enable server access logging for a bucket (who requested what, from where; this is what you need during an incident).
Bucket request payment - Get or set the Requester Pays configuration of a bucket.
Bucket versioning - Enable versioning of objects within the bucket (overwrites and deletes keep the prior versions).
18. Operations on Objects
Standard operations
Put Object - Creates (or overwrites) an object.
Post Object - POST is an alternate form of PUT that enables browser-based uploads (an HTML form carrying a signed upload policy).
Get Object - Gets the object along with its metadata.
Head Object - Gets only the metadata.
Delete Object - Deletes the object.
Multipart Upload
Upload a single object as a set of parts.
Each part is a contiguous portion of the object's data.
Parts are 5 MB to 5 GB each (the last part may be smaller), at most 10,000 parts; the completed object can be up to 5 TB. Required for objects over 5 GB, recommended above about 100 MB.
Other operations
Object ACLs - Set the ACL permissions for an object that already exists in a bucket.
Object Copy - Creates a copy of an object (also the way to change an existing object's metadata or storage class).
19. Multipart Upload
Initiate Multipart Upload
Initiates a multipart upload and returns an upload ID.
Provide this upload ID in each subsequent Upload Part request and in the final Complete (or Abort) Multipart Upload request. Parts of an upload that is never completed or aborted stay in the bucket and are billed until a lifecycle rule removes them.
POST /example-object?uploads HTTP/1.1
Host: example-bucket.s3.amazonaws.com
Date: Mon, 1 Nov 2010 20:34:56 GMT
Authorization: authorization string
Request
HTTP/1.1 200 OK
x-amz-id-2: Uuag1LuByRx9e6j5Onimru9pO4ZVKnJ2Qz7/C1NPcfTWAtRPfTaOFg==
x-amz-request-id: 656c76696e6727732072657175657374
Date: Mon, 1 Nov 2010 20:34:56 GMT
Content-Length: 197
Connection: keep-alive
Server: AmazonS3
<?xml version="1.0" encoding="UTF-8"?>
<InitiateMultipartUploadResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Bucket>example-bucket</Bucket>
<Key>example-object</Key>
<UploadId>VXBsb2FkIElEIGZvciA2aWWpbmcncyBteS1tb3ZpZS5tMnRzIHVwbG9hZA</UploadId>
</InitiateMultipartUploadResult>
Response
20. Multipart Upload
Upload Part
Uploads a part in a multipart upload. The Content-MD5 header lets S3 reject a part whose body was corrupted in transit; the ETag in the response is the MD5 of the part as stored, which the client should compare with its own before completing the upload.
PUT /example-object?partNumber=1&uploadId=VXBsb2FkIElEIGZvciA2aWWpbmcncyBteS1tb3ZpZS5tMnRzIHVwbG9hZA HTTP/1.1
Host: example-bucket.s3.amazonaws.com
Date: Mon, 1 Nov 2010 20:34:56 GMT
Content-Length: 10485760
Content-MD5: pUNXr/BjKK5G2UKvaRRrOA==
Authorization: authorization string
***part data omitted***
Request
HTTP/1.1 200 OK
x-amz-id-2: Vvag1LuByRx9e6j5Onimru9pO4ZVKnJ2QRPfTaOFg==
x-amz-request-id: 656c76696e6727732072657175657374
Date: Mon, 1 Nov 2010 20:34:56 GMT
ETag: "b54357faf0632cce46e942fa68356b38"
Content-Length: 0
Connection: keep-alive
Server: AmazonS3
Response
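The Upload Part exchange above carries two integrity values: the Content-MD5 the client sends with each part, and the ETag S3 returns for it. The following added Python example (not code from the original deck) cuts an object into parts the way a multipart client does, produces both values, checks the returned ETags before issuing Complete Multipart Upload, builds that request's XML body, and computes the ETag the completed object will carry. The payload is constructed and nothing is actually sent; the 5 MiB and 10,000-part limits are S3's documented ones.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MIN_PART_SIZE = 5 * 1024 * 1024   # every part except the last must be at least 5 MiB
MAX_PARTS = 10_000


def split_parts(data, part_size=MIN_PART_SIZE):
    """Cut the object into contiguous parts; the last one may be short."""
    if part_size < MIN_PART_SIZE:
        raise ValueError("part size below the 5 MiB minimum; CompleteMultipartUpload would fail with EntityTooSmall")
    if not data:
        raise ValueError("empty object: use a single PUT instead of multipart upload")
    parts = [data[i:i + part_size] for i in range(0, len(data), part_size)]
    if len(parts) > MAX_PARTS:
        raise ValueError(f"{len(parts)} parts exceeds the {MAX_PARTS} part limit; use a larger part size")
    return parts


def content_md5(part):
    """Value of the Content-MD5 request header: base64 of the raw 16-byte MD5.
    S3 recomputes it on receipt and rejects the part with BadDigest on mismatch."""
    return base64.b64encode(hashlib.md5(part).digest()).decode("ascii")


def part_etag(part):
    """ETag S3 returns for a part (or a single-PUT object not encrypted with
    SSE-KMS/SSE-C): the quoted hex MD5 of the bytes as stored."""
    return '"' + hashlib.md5(part).hexdigest() + '"'


def multipart_etag(parts):
    """ETag of the completed object: MD5 over the concatenated raw part digests,
    followed by '-<part count>'. It is not the MD5 of the whole object, so it
    cannot be compared with a local md5sum directly."""
    digests = b"".join(hashlib.md5(p).digest() for p in parts)
    return '"' + hashlib.md5(digests).hexdigest() + f"-{len(parts)}" + '"'


def verify_returned_etags(parts, returned_etags):
    """Client-side check before Complete: every ETag S3 returned must equal the
    MD5 of the part we sent, and there must be one per part."""
    if len(parts) != len(returned_etags):
        return False
    return all(part_etag(p) == e for p, e in zip(parts, returned_etags))


def complete_upload_body(returned_etags):
    """Body of the CompleteMultipartUpload request: parts in order with their ETags."""
    root = ET.Element("CompleteMultipartUpload")
    for number, etag in enumerate(returned_etags, start=1):
        part = ET.SubElement(root, "Part")
        ET.SubElement(part, "PartNumber").text = str(number)
        ET.SubElement(part, "ETag").text = etag
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    payload = bytes(range(256)) * (11 * 4096)          # constructed 11 MiB object
    parts = split_parts(payload)
    for n, p in enumerate(parts, start=1):
        print(f"part {n}: {len(p)} bytes Content-MD5={content_md5(p)} ETag={part_etag(p)}")
    etags = [part_etag(p) for p in parts]               # what S3 would return
    print("etags verified:", verify_returned_etags(parts, etags))
    print(complete_upload_body(etags))
    print("final ETag:", multipart_etag(parts))
```

Sending Content-MD5 costs one header and turns a silently corrupted part into a hard error at upload time; comparing the returned ETags catches the same problem from the other direction. Note the part-count suffix on the final ETag: an object whose ETag contains "-N" was uploaded in N parts, and verifying it later requires the same part boundaries.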