S3 Bucket + Encryption

Storage / S3

S3 (Objects stroage) 是什麼?

  • S3 is a safe place to store your files by objects.
  • It is Object-based stroage.
  • The data is spread across mutiple devices and mutiple facilities.

The Basics 基礎

  • S3 is Object-based - i.e. allows you to upload files.
  • Files can be from 0 byte to 5TB.
  • There is un unlimited stroage.
  • Files are stored in Buckets (folder).
  • S3 is a univeral namespace. That is, names must be unique globally.
  • Upload file to S3, if success will receive HTTP 200 code.

Objects

S3 is Object based. Think of Objects just as files.

  • Key (This is simply the name of object)

  • Value (This is simply the data and is made up of a sequence of bytes).

  • Varsion ID (Important for versioning)

  • Metadata (Data about data you are storing)

  • Subresources

    • Access Control Lists(ACL)
    • Torrent

    (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingObjects.html)

    S3 如何儲存資料?

  • Read after Write consistency for PUTS of new objects

  • Eventual Consistency for overwrite PUTS and DELETES (will take some time to propagate)

https://docs.aws.amazon.com/redshift/latest/dg/managing-data-consistency.html

S3 Guarantees

  • Built for 99.99% availability for the S3 platform.
  • Amazon guarantee 99.99% availability.
  • Amazon guarantee 99.999999999% durability for S3 information (11 * 9’s).

https://aws.amazon.com/tw/s3/faqs/

S3 Feature

  • Tiered Stroage Available
  • Lifecycle Management
  • Versioning
  • Encryption
  • MFA delete
  • Secure your data using Access Control Lists and Buckets Policies

https://www.amazonaws.cn/en/s3/features/

建立 S3 Bucket

  1. 點選 Stroage / S3 後,可以看到 Amazon S3 的頁面,如果是還沒有建立過 buckets 的帳戶,會顯示 No buckets, You don’t have any buckets

IMAGE

  1. 再來點選 Create Bucket 來建立,記得前面 Basics 所提的 S3 is a univeral namespace. That is, names must be unique globally.:Buckets 的名字不能與任何一個 Buckets 有重複的名稱,如果這邊也人先取過了,那必須要換一個名稱才行,之後就可以建立完成 S3 Bucket。

IMAGE

  1. 建立完成後,可以看到我們現在的 Bucket 還是空的,所以來 Upload 一些檔案上去吧!

IMAGE

當完成上傳後,伺服器會回傳 200 給使用者 (Basic),這時就可以選取想看的檔案名稱,來看檔案內容。其中值得注意的有以下兩點:

  • 可以看到 Key 的名字與檔案的名稱是相同的。
  • Object URL https://chestertang1231.s3.amazonaws.com/Chester.jpg 這段可以看出這張照片現在的 domain name,這也是為什麼上述 Bucket name 不能相同的原因

IMAGE

有沒有點進去連結想看照片,結果什麼都沒有呢?(沒錯,因為少了點設定…

1
2
3
4
5
6
7
8
9
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <RequestId>3436A43898A832D2</RequestId>
    <HostId>
    ajZsWrnWWZJVaby4VOG0/Sgv2+bsOOq9Z9y+iNKscFNvMYI8RIklkCVh4U0le4KN1sDR9b7D/9I=
    </HostId>
</Error>
  1. 點選 Actions 按鈕來對這張被選取的照片進行其他動作,但是會發現 Make Public 顯示灰色不給你點選,原因是你現在的 S3 在一開始是設定為不公開的(上述 Create Bucket 步驟中的 Block all public setting),因此這張照片也無法被公開!

IMAGE

  1. 點選 Permissions 按鈕可以看到 Block public access 的一些設定內容,這跟當初在 Create Bucket 時是相同的,因此只要選取右方的 Edit 按鈕並把 Block all public access 反勾選在 Save 起來就可以!(會要你確定嗎?confirm,只需打上 comfirm 即可)

IMAGE

  1. 完成後再點選 Actions 按鈕,把它設定為 Make Public 就可以進去剛剛的連結啦!

補充 > 可以選擇檔案放在哪種 Storage Classes 的儲存空間:S3 Stroage Classes

Security And Encryption

The Basics 基礎

Amazon S3 預設加密提供一種為 Amazon S3 儲存貯體設定預設加密行為的方式。可以在儲存貯體上設定預設加密,讓所有物件在存放於儲存貯體中時維持加密狀態。這些物件的加密,是使用伺服器端加密搭配 Amazon S3 受管金鑰 (SSE-S3) 或 AWS Key Management Service (AWS KMS) 客戶主金鑰 (CMK)。

所有新建立的 buckets 都是 PRIVATE 的,可以透過以下兩種方式來控制權限:

  • Bucket Policies
  • Access Control Lists

Encryptions In Transit is achieved by

  • SSL / TLS

Encryptions At Rest (Server side) is achieved by

  • S3 Managed Keys - SSE-S3
  • AWS Key Management Service, Managed Keys - SSE-KMS
  • Server Side Encryption with Customer Provided Keys - SSE-C

Client Side Encryption

Encryption 加密

  1. ㄧ樣來對我們剛剛 Upload 的圖片來做加密的動作,從 Properties 可以看到目前的 Encryption 是沒有加密過的,只要點選 Encryption 就能更改目前的狀態。

IMAGE

  1. 這邊可以選擇:(1)AES-256、(2)AWS-KMS 兩種方式(以下就直接以(1)的方式來加密)

IMAGE

  1. 點選 Save 按鈕後,就完成了加密啦!

IMAGE

https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html

Default Encryption 加密

除了單張照片加密之外,也可以預設加密的方法,其實與上述都大同小異,可以點選 PropertiesDefault Encryption 然後選取 AES-256 也就完成。

IMAGE

總結

  • Simple creating of S3 Bucket and Permissions of the Block public access
  • Buckets are a universal name space
  • Upload an object to S3 receive a HTTP 200 Code
  • S3, S3-IA, S3-IA (One Zone), Glacier
  • Control access to buckets using either a bucket ACL or using Bucket Polices