Amazon S3

Definition

Amazon Simple Storage Service (S3) is AWS’s object store: buckets hold objects (up to 5 TB each) addressed by keys, with 11-nines durability for Standard storage across multiple Availability Zones. S3 underpins backups, static sites, data lakes, ML datasets, and application assets. Access is HTTPS-native (s3:// or REST APIs); authorization combines IAM, bucket policies, ACLs (legacy), and optional VPC endpoints for private traffic.

Beyond Standard, storage classes trade cost for retrieval latency and AZ scope. S3 Intelligent-Tiering automates tier movement for unpredictable access. Specialized bucket types in 2026 extend S3 into analytics and AI: S3 Tables (managed Apache Iceberg), S3 Vectors (embedding storage), and S3 Express One Zone (single-AZ, millisecond latency). Lifecycle policies, versioning, replication (CRR/SRR), Object Lock (WORM), and Event Notifications integrate S3 into event-driven and compliance architectures.

When to use it

• Durable object storage for any size — media, logs, backups, artifacts, and data lake landing zones.
• Static website hosting, CDN origins (CloudFront), and user-generated content with pre-signed upload URLs.
• Event-driven pipelines via S3 Event Notifications → Lambda, SQS, or SNS on PutObject.
• Compliance retention with versioning + Object Lock for WORM and legal hold requirements.

When not to use it

• POSIX file semantics or shared mutable files — use EFS, FSx, or block storage on EC2.
• Low-latency random read/write on small keys at OLTP rates — DynamoDB or ElastiCache fit better.
• Single-digit-ms latency for millions of small objects without Express One Zone — Standard S3 optimizes for throughput and durability, not microsecond tail latency.

Tips

• Enable S3 Block Public Access at the account level; grant access with IAM roles and bucket policies, not "Principal": "*".
• Turn on versioning for buckets that hold irreplaceable data — deletes become delete markers, not permanent loss.
• Default new buckets to SSE-KMS with a customer managed key when you need CloudTrail audit of decrypt events per object class.
• Implement lifecycle rules early: transition to IA/Glacier after N days and expire incomplete multipart uploads after 7 days.
• Use S3 Inventory + Storage Lens quarterly to find Standard objects that have not been read in 90+ days — prime candidates for Intelligent-Tiering or IA.

Gotchas

• Serious: A misconfigured bucket policy exposing ListBucket + GetObject to the internet is still a top AWS breach pattern — Block Public Access does not fix intentional overly broad policies.
• Serious: Cross-Region Replication does not replicate delete markers unless configured — DR drills that assume bidirectional mirror semantics fail silently.
• Regular: Request costs dominate for small-object-heavy workloads — billions of LIST operations on prefix-heavy buckets burn budget faster than storage GB-months.
• Regular: Strong read-after-write consistency applies globally now, but list operations still lag behind highly concurrent write/delete patterns in some analytics jobs — design idempotent consumers.
• Regular: Replacing an object without versioning increments storage silently if old versions accumulate — lifecycle rules must include noncurrent version expiration.

Official references

• S3 security best practices — encryption, access points, and logging.
• S3 Lifecycle configuration — transitions and expirations.

Related FactualMinds content

• Cloud Cost Optimization Services
• FinOps Consulting
• AWS Data Analytics
• S3 Tables · S3 Vectors · S3 Express One Zone
• AWS Well-Architected Review Checklist