Amazon S3: A Comprehensive Guide to Understanding its Functionality.

 Amazon S3: A Comprehensive Guide to Understanding its Functionality (How Amazon S3 works).

  • Amazon S3 is an object storage service that stores data as objects within buckets. An object is a file and any metadata that describes the file. A bucket is a container for objects.
  • In order to store your data in Amazon S3, the first step is to create a bucket. During this process, you need to provide a bucket name and select an AWS Region.
  • Once the bucket is created, you can proceed to upload your data as objects into Amazon S3. Each object is assigned a key (or key name), which serves as its unique identifier within the bucket.
  • S3 offers configurable features that cater to your specific needs. For instance, S3 Versioning allows you to maintain multiple versions of an object within the same bucket. This feature enables you to recover accidentally deleted or overwritten objects.
  • Both buckets and the objects they contain are private, and access is only granted when explicit access permissions are provided. You have various options to manage access, such as bucket policies, AWS Identity and Access Management (IAM) policies, access control lists (ACLs), and S3 Access Points.


  • A bucket is a container for objects stored in Amazon S3. You can store any number of objects in a bucket and can have up to 100 buckets in your account.
  • A bucket contains every object. For instance, when an object like "photos/cybersploit.jpg" is stored in the bucket named "DOC-EXAMPLE-BUCKET" located in the US West (Oregon) Region, it can be accessed using the URL "
  • Upon creating a bucket, you provide a name for it and select the AWS Region in which it will be located. Once the bucket is created, altering its name or Region becomes impossible.
  • The name and Region of a bucket are specified during its creation, and these cannot be modified afterwards. It is essential to adhere to the prescribed naming rules for buckets.
  • Additionally, it is possible to enable S3 Versioning or utilize other storage management functionalities when configuring a bucket.

Buckets have the following functions as well:

  • They arrange the Amazon S3 namespace at the topmost level.
  • They determine the account accountable for storage and data transfer expenses.
  • They offer access control choices, including bucket policies, access control lists (ACLs), and S3 Access Points, which enable you to govern access to your Amazon S3 resources.
  • They function as the primary unit for aggregating usage reports.


Amazon S3 stores fundamental entities called objects, which comprise object data and metadata. Metadata, which is a collection of name-value pairs, describes the object and includes default metadata like the last modified date, as well as standard HTTP metadata such as Content-Type. Additionally, when storing an object, you have the option to specify custom metadata. An object is uniquely identified within a bucket by a key (name) and a version ID  (if S3 Versioning is enabled on the bucket). 


An object key (also known as key name) serves as the exclusive identifier for an object residing in a bucket. Each object in a bucket possesses a single key. The amalgamation of a bucket, object key, and potentially a version ID (in case S3 Versioning is enabled for the bucket) provides a unique identification for every object. Therefore, one can perceive Amazon S3 as a fundamental data mapping system that connects "bucket + key + version" to the actual object.

Each object in Amazon S3 can be specifically accessed using the web service endpoint, bucket name, key, and optionally a version. For instance, in the URL, "DOC-EXAMPLE-BUCKET" denotes the name of the bucket, and "photos/cybersploit.jpg" represents the key.

S3 Versioning

You can use S3 Versioning to keep multiple variants of an object in the same bucket. With S3 Versioning, you can preserve, retrieve, and restore every version of every object stored in your buckets. You can easily recover from both unintended user actions and application failures.

Version ID

When you enable S3 Versioning in a bucket, Amazon S3 generates a unique version ID for each object added to the bucket. Objects that already existed in the bucket at the time that you enable versioning have a version ID of null. If you modify these (or any other) objects with other operations, such as CopyObject and PutObject, the new objects get a unique version ID

Bucket policy

  • A bucket policy in AWS Identity and Access Management (IAM) is a resource-based policy used to grant access permissions to a bucket and its objects.
  • Only the bucket owner has the authority to associate a policy with a bucket.
  • The permissions assigned to the bucket apply to all objects within the bucket that are owned by the bucket owner.
  • Bucket policies have a maximum size limit of 20 KB.
  • Bucket policies utilize a JSON-based access policy language that is standardized across AWS.
  • These policies can be employed to allow or deny permissions for objects within a bucket.
  • Bucket policies can control requests based on various policy elements, such as the requester, S3 actions, resources, and specific conditions (e.g., IP address used for the request).
  • For instance, a bucket policy can be created to authorize cross-account permissions for uploading objects to an S3 bucket, while ensuring that the bucket owner retains full control over the uploaded objects.

S3 Access Points

  • Amazon S3 Access Points are network endpoints with dedicated access policies.
  • Access Points are attached to buckets and enable S3 object operations.
  • Access Points simplify data access management for shared datasets in Amazon S3.
  • Each access point has its own access point policy.
  • Block Public Access settings can be configured for each access point.
  • Access points can be configured to accept requests only from a virtual private cloud (VPC) to restrict data access to a private network.

Access control lists (ACLs)

  • ACLs can be utilized to authorize users with read and write permissions for specific buckets and objects.
  • Each bucket and object possesses its own ACL, functioning as a subresource.
  • The ACL determines the access privileges and specifies the authorized AWS accounts or groups.
  • ACLs are an access control mechanism that existed before IAM, serving as a means to regulate access.
  • Amazon S3 Object Ownership is a setting at the bucket level in Amazon S3.
  • It allows you to control the ownership of objects uploaded to your bucket and enable or disable ACLs (Access Control Lists).
  • By default, Object Ownership is set to the bucket owner enforced setting, with ACLs disabled.
  • When ACLs are disabled, the bucket owner has full ownership of all objects in the bucket.
  • Access to these objects is managed solely through access-management policies.
  • The majority of contemporary applications using Amazon S3 do not need ACLs anymore.
  • It is advised to keep ACLs turned off, except in exceptional situations where access control is required for each object separately.
  • By disabling ACLs, you can utilize policies to manage access for all objects within your bucket, regardless of the uploader.

Post a Comment