• S3 Encryption for objects
    • SSE-S3
    • SSE-KMS
      • every API call goes through KMS
      • objects made public can never be read (decrypting still needs KMS permission on the key)
      • on s3:PutObject, make sure the kms:GenerateDataKey permission is allowed
    • SSE-C : your own encryption keys
      • Client-Side Encryption
    • Glacier : all data is AES-256 encrypted, key under AWS control
  • Encryption in transit (SSL / TLS)
    • Amazon S3 exposes
      • HTTPS endpoint : encryption in flight
      • HTTPS is mandatory for SSE-C
      • to enforce HTTPS → bucket policy → aws:SecureTransport condition
  • events in S3 Buckets
    • S3 Access Logs : take hours to deliver
    • S3 event notification
      • ex> when new objects are created, replication events, removal, restore object
      • destination : sns, sqs, lambda
      • if versioning is enabled
    • Trusted Advisor
    • EventBridge
      • need to enable CloudTrail object-level logging on S3 first
  • S3 security
    • user based
      • IAM Policies : which API calls should be allowed for a specific user, set from the IAM console
    • Resource based
      • bucket policies : bucket-wide rules from the S3 console - allow cross-account access
        • grant public access to the bucket
        • force objects to be encrypted at upload
        • grant access to another account (Cross Account)
        • optional conditions
          • aws:SourceIp : public IP or Elastic IP | aws:VpcSourceIp : private IP (through a VPC endpoint)
          • source VPC or source VPC endpoint - only works with VPC endpoints
          • CloudFront origin access identity
          • MFA
      • object access control list, bucket access control list (said we won't go this far)
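Added example (not part of these notes): a small evaluator that shows how the bucket-policy conditions listed above decide a request. It models only Allow/Deny with the Bool, StringEquals, StringNotEquals and IpAddress operators and the rule that an explicit Deny always wins; it is not the AWS policy engine, and the bucket name, VPC endpoint id and object key are constructed placeholders. The three statements are the "force HTTPS", "force encryption at upload" and "only from a VPC endpoint" patterns.

```python
import ipaddress
from typing import Any

BUCKET = "example-secure-bucket"     # constructed bucket name
VPCE_ID = "vpce-0123456789abcdef0"   # constructed VPC endpoint id
OBJECT = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # enforce HTTPS: deny every call that is not over TLS
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # force objects to be encrypted with SSE-KMS at upload
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # reach the objects only through one VPC endpoint (aws:SourceVpce)
            "Sid": "AllowOnlyFromVpcEndpoint",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": VPCE_ID}},
        },
    ],
}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _matches(operator: str, expected: Any, actual: Any) -> bool:
    """Evaluate one condition operator against the request context value.
    A negated operator (StringNotEquals) also matches when the key is absent,
    which is why an upload that omits the encryption header gets denied."""
    values = [str(v) for v in _as_list(expected)]
    if operator == "Bool":
        return actual is not None and str(actual).lower() in [v.lower() for v in values]
    if operator == "StringEquals":
        return actual is not None and str(actual) in values
    if operator == "StringNotEquals":
        return actual is None or str(actual) not in values
    if operator == "IpAddress":
        return actual is not None and any(
            ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
    raise ValueError(f"unsupported operator: {operator}")


def _statement_applies(stmt: dict, action: str, resource: str, ctx: dict) -> bool:
    """True when action, resource and every condition of the statement match."""
    if not any(a == "s3:*" or a == action for a in _as_list(stmt["Action"])):
        return False
    if not any(resource == r or (r.endswith("/*") and resource.startswith(r[:-1]))
               for r in _as_list(stmt["Resource"])):
        return False
    return all(_matches(op, exp, ctx.get(key))
               for op, pairs in stmt.get("Condition", {}).items()
               for key, exp in pairs.items())


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"   # an explicit Deny always wins
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # plain HTTP from the endpoint: denied by the first statement
    print(evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT,
                   {"aws:SecureTransport": "false", "aws:SourceVpce": VPCE_ID}))
```

The request context dictionary stands in for the condition keys S3 fills in (aws:SecureTransport, aws:SourceVpce, the x-amz-server-side-encryption header). Real evaluation also takes the caller's identity policies, SCPs and ACLs into account; this only models the bucket policy.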
  • S3 pre-signed URLs
    • generate using SDK or CLI
    • downloads → CLI, uploads → SDK
    • valid for 1 hour by default, --expires-in available
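Added example (not part of these notes, and not the SDK's own code): a standard-library-only implementation of Signature Version 4 query-string pre-signing for a GET, so the structure of a pre-signed URL and its expiry can be inspected offline. The access key, secret key, bucket and object key are constructed placeholders; against a real bucket you would call the SDK's generate_presigned_url or `aws s3 presign`. The verify function shows what S3 does on receipt: it recomputes the signature, so editing X-Amz-Expires or any other parameter invalidates the URL.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlencode, urlparse

MAX_EXPIRES = 7 * 24 * 3600   # SigV4 pre-signed URLs cannot live longer than seven days
ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signature(secret_key: str, host: str, path: str, params: dict) -> str:
    """SigV4 signature over the canonical GET request. Every query parameter
    (date, expiry, credential scope) is covered, so none can be changed later."""
    credential = params["X-Amz-Credential"]   # <access key>/<date>/<region>/s3/aws4_request
    _, date_stamp, region, service, terminator = credential.split("/")
    scope = f"{date_stamp}/{region}/{service}/{terminator}"
    canonical_query = urlencode(sorted(params.items()), quote_via=quote)
    canonical_request = "\n".join(
        ["GET", path, canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(
        [ALGORITHM, params["X-Amz-Date"], scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    for part in (region, service, terminator):   # derive the scoped signing key
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket: str, key: str, access_key: str, secret_key: str,
                region: str = "us-east-1", expires: int = 3600,
                now: dt.datetime = None) -> str:
    """Build a pre-signed GET URL; the one-hour default mirrors `aws s3 presign`."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 second and 7 days")
    now = now or dt.datetime.now(dt.timezone.utc)
    date_stamp = now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + quote(key, safe="/")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{date_stamp}/{region}/s3/aws4_request",
        "X-Amz-Date": now.strftime("%Y%m%dT%H%M%SZ"),
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = urlencode(sorted(params.items()), quote_via=quote)
    signature = _signature(secret_key, host, path, params)
    return f"https://{host}{path}?{query}&X-Amz-Signature={signature}"


def verify(url: str, secret_key: str) -> bool:
    """Server-side view: recompute with the real secret, compare in constant time."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    presented = params.pop("X-Amz-Signature", "")
    expected = _signature(secret_key, parsed.netloc, parsed.path, params)
    return hmac.compare_digest(presented, expected)


def is_expired(url: str, now: dt.datetime) -> bool:
    """The lifetime is carried in the URL itself as X-Amz-Date + X-Amz-Expires."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    issued = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=dt.timezone.utc)
    lifetime = dt.timedelta(seconds=int(params["X-Amz-Expires"]))
    return not (issued <= now < issued + lifetime)


if __name__ == "__main__":
    url = presign_get("example-bucket", "reports/q1 2024.csv",
                      "AKIAEXAMPLE", "example-secret-key")   # constructed credentials
    print(url)
    print("valid signature:", verify(url, "example-secret-key"))
```

Because the expiry is part of the signed string, a holder of the URL cannot extend it; only someone with the signing credentials can mint a longer-lived one, and the cap is seven days regardless of what --expires-in asks for.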
  • vpc endpoint gateway for s3
    • private instance → VPC endpoint gateway → aws:SourceVpce, aws:SourceVpc conditions
  • S3 Object Lock & Glacier Vault Lock
  • s3 access points
    • access point policy to create access point
    • it has its own dns name
    • vpc origin
      • only from within the vpc
      • create a vpc endpoint to access the access point
      • vpc endpoint policy
    • s3 multi-region access point
      • must enable bucket versioning
      • global endpoint that spans S3 buckets in multiple AWS regions
      • requests go to the nearest S3 bucket → lowest latency
      • bi-directional cross-region replication
      • failover controls
        • regional traffic disruption → bad outage
        • arn .. alias …
    • s3 object lambda
      • s3 bucket : to modify data
      • use AWS Lambda functions to change the object before it is retrieved by the caller application
      • create s3 access point, s3 object lambda access point
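Added example (not part of these notes and not AWS sample code): the shape of an S3 Object Lambda function that redacts e-mail addresses before the caller sees the object. The event keys used (getObjectContext with inputS3Url, outputRoute and outputToken) are the ones S3 Object Lambda sends; the URLs and tokens in the sample event are constructed placeholders. The transform logic is separated from the boto3 call (write_get_object_response) so it can be exercised offline by injecting fetch and write callbacks.

```python
import re
from typing import Callable

# Constructed event in the shape S3 Object Lambda passes to the function.
SAMPLE_EVENT = {
    "getObjectContext": {
        "inputS3Url": "https://supporting-access-point.example/presigned-placeholder",
        "outputRoute": "route-placeholder",
        "outputToken": "token-placeholder",
    },
    "userRequest": {"url": "https://object-lambda-access-point.example/reports/q1.csv",
                    "headers": {}},
}

EMAIL = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")


def redact_emails(body: bytes) -> bytes:
    """The transformation applied on the way out: mask e-mail addresses."""
    return EMAIL.sub(b"[redacted]", body)


def handle_get_object(event: dict, fetch: Callable[[str], bytes],
                      write_response: Callable[[str, str, bytes], None]) -> dict:
    """Fetch the original through the pre-signed inputS3Url (which points at the
    supporting access point), transform it, and return it to S3 using the
    route and token from the event."""
    ctx = event["getObjectContext"]
    original = fetch(ctx["inputS3Url"])
    transformed = redact_emails(original)
    write_response(ctx["outputRoute"], ctx["outputToken"], transformed)
    return {"statusCode": 200}


def lambda_handler(event, context):
    """Real Lambda entry point (needs boto3 and network, so not run offline)."""
    import urllib.request
    import boto3

    s3 = boto3.client("s3")

    def fetch(url: str) -> bytes:
        with urllib.request.urlopen(url) as resp:
            return resp.read()

    def write(route: str, token: str, body: bytes) -> None:
        s3.write_get_object_response(Body=body, RequestRoute=route, RequestToken=token)

    return handle_get_object(event, fetch, write)


if __name__ == "__main__":
    # offline dry run with constructed content instead of a real object
    captured = {}
    handle_get_object(SAMPLE_EVENT,
                      lambda url: b"owner: alice@example.com\n",
                      lambda route, token, body: captured.update(body=body))
    print(captured["body"])
```

The function's execution role needs s3:GetObject on the supporting access point and s3-object-lambda:WriteGetObjectResponse to hand the result back; the caller only ever talks to the Object Lambda access point, never to the bucket.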