Monday, July 13, 2020

S3 - ACL, Upload, Copy, Monitoring

ACL
-         https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html
-         ACL limitation – can grant permissions only to accounts, not to users
-         Resource owner has full control over the resource
-         Access to objects / buckets – each has a default ACL attached

-         Object ACL is the only way to control access to an object belonging to account B deposited in a bucket belonging to account A
-         Bucket ACL – use this to permit another group to deposit logs into your S3 bucket
-         ACL @ Bucket – permits external (Grantee) accounts (not users) and S3 groups only
-         S3 Groups:
          §  Authenticated users – all logged-in AWS users in the world
          §  All Users – anyone in the world (anonymous)
          §  Log Delivery Group – group able to write server access S3 logs

-         Permissions (on buckets and objects):
-         IMPORTANT: ACLs control user or user-group access, NOT IAM roles. Use-case for ACL – delivering logs into your bucket. OR controlling cross-account access to an object deposited into a bucket on account A by a user on account B – in this case the object ACL is the only way to permit read/write on the object to users on A.
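Added example (not from the original post): a small Python check over ACL documents in the shape that boto3's get_bucket_acl()/get_object_acl() return (Owner plus Grants). It flags grants to the AllUsers and AuthenticatedUsers groups and to accounts other than the owner, while accepting the Log Delivery group grants a log bucket needs. The two ACL documents and the canonical IDs are constructed samples.

```python
from typing import Dict, List

# Predefined S3 group URIs that appear as ACL grantees (real AWS values).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"
# Grants the log delivery group needs to write server access logs into a bucket.
LOG_DELIVERY_EXPECTED = {"WRITE", "READ_ACP"}

def audit_acl(acl: Dict) -> List[str]:
    """Report grants to world/authenticated groups and to accounts other than the owner."""
    owner_id = acl.get("Owner", {}).get("ID")
    findings = []
    for grant in acl.get("Grants", []):
        grantee, perm = grant["Grantee"], grant["Permission"]
        if grantee["Type"] == "Group":
            uri = grantee["URI"]
            if uri == ALL_USERS:
                findings.append(f"PUBLIC: AllUsers (anonymous) has {perm}")
            elif uri == AUTHENTICATED_USERS:
                findings.append(f"PUBLIC: AuthenticatedUsers (any AWS account) has {perm}")
            elif uri == LOG_DELIVERY and perm not in LOG_DELIVERY_EXPECTED:
                findings.append(f"LogDelivery group has unexpected {perm}")
        elif grantee["Type"] == "CanonicalUser" and grantee["ID"] != owner_id:
            # ACLs grant to whole accounts (canonical IDs), never to IAM users or roles.
            findings.append(f"CROSS-ACCOUNT: account {grantee['ID']} has {perm}")
    return findings

# Constructed sample: bucket ACL of a log bucket, owner plus the Log Delivery grants.
LOG_BUCKET_ACL = {
    "Owner": {"ID": "canonical-id-account-A"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "canonical-id-account-A"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "READ_ACP"},
    ],
}
# Constructed sample: object owned by account B in A's bucket, granted to A and to everyone.
CROSS_ACCOUNT_OBJECT_ACL = {
    "Owner": {"ID": "canonical-id-account-B"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "canonical-id-account-B"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "canonical-id-account-A"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for name, acl in (("log bucket", LOG_BUCKET_ACL), ("cross-account object", CROSS_ACCOUNT_OBJECT_ACL)):
        print(name, audit_acl(acl) or ["no findings"])
```

Against a live account the same function can be fed the response of `boto3.client("s3").get_bucket_acl(Bucket=...)` unchanged.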

Multi-Part Upload
-         The Multipart upload API enables you to upload large objects in parts. You can use this API to upload new large objects or make a copy of an existing object
-         A three-step process: You initiate the upload, you upload the object parts, and after you have uploaded all the parts, you complete the multipart upload. Upon receiving the complete multipart upload request, Amazon S3 constructs the object from the uploaded parts, and you can then access the object just as you would any other object in your bucket. You can list all of your in-progress multipart uploads or get a list of the parts that you have uploaded for a specific multipart upload
-         Recommended for objects >100MB
-         Required for >5GB
-         Available for objects from 5MB to 5TB
-         Max object size - 5TB

Copying objects
-         Over SDK or REST API, Console (some operations)
          §  Move across REGIONS
          §  Change metadata
          §  Change storage class
          §  Etc.
-         < 5GB – one-step operation (not multi-part); greater than 5GB – multi-part
-         Cross regional copy – charges apply
-         HTTP PUT – in return you receive HTTP 200 OK message
-         If requesting encryption at rest and uploading with a Customer Provided Key – you get 200 OK, the encryption algorithm and the MD5 hash of the encryption key

Monitoring
-         https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html#cloudtrail-logging-vs-server-logs
-         AWS CloudTrail logs provide a record of actions taken by a user, role, or an AWS service in Amazon S3, while Amazon S3 server access logs provide detailed records for the requests that are made to an S3 bucket
-         You can use AWS CloudTrail logs together with server access logs for Amazon S3. CloudTrail logs provide you with detailed API tracking for Amazon S3 bucket-level and object-level operations, while server access logs for Amazon S3 provide you visibility into object-level operations on your data in Amazon S3
-         You can also use CloudTrail logs together with CloudWatch for Amazon S3. CloudTrail integration with CloudWatch Logs delivers S3 bucket-level API activity captured by CloudTrail to a CloudWatch log stream in the CloudWatch log group you specify. You can create CloudWatch alarms for monitoring specific API activity and receive email notifications when the specific API activity occurs

