S3 Concepts – Buckets

A bucket is a container for objects. To upload objects, you must first create a bucket and then upload the objects to it. Every object uploaded to S3 is stored in a bucket, and a bucket can hold any number of objects.

By default, each AWS account is allowed to create up to 100 buckets. If you need additional buckets, you can submit a service limit increase request to AWS to raise your bucket limit.

Buckets are useful for organizing data. There is no performance difference between uploading all objects to one bucket and spreading them across several buckets.

Buckets are region specific. You must specify a region for the bucket during creation, and you cannot change the region of the bucket after it is created. For low latency and minimal costs, always choose the region that is geographically closest to you.

Any objects uploaded to the bucket stay in the specified region. Unless you explicitly transfer objects to another region, objects uploaded to a bucket in a region never leave that region.

Bucket names are globally unique: you can only create a bucket with a name that is not already taken by any AWS account. Bucket names identify the account responsible for charges. The rules for naming S3 buckets are:

    • Bucket names must not contain uppercase characters or underscores
    • Must be 3 to 63 characters long
    • Must start with a lowercase letter or a number
    • Can contain lowercase characters, numbers and hyphens
    • Must not be formatted as an IP address
    • Must comply with DNS naming conventions
    • Must be a series of labels separated by a single period (.). Each label must start and end with a lowercase letter or number.
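The rules above can be checked mechanically before a CreateBucket call is attempted. The following is an added example written for these notes, not an AWS-supplied validator. It encodes each rule from the list as a separate check so the caller sees every violation, and it reports the Transfer Acceleration restriction (no periods in the name) separately, because a dotted name is otherwise valid.

```python
"""Check a bucket name against the S3 naming rules listed in these notes.

Added example, not AWS code.  Each rule is checked independently so that
every violation is reported, not just the first one found.
"""
import ipaddress
import re
from typing import List

# A DNS label: starts and ends with a lowercase letter or digit; hyphens allowed inside.
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def bucket_name_errors(name: str) -> List[str]:
    """Return every naming rule the name violates; an empty list means it is valid."""
    errors: List[str] = []
    if not 3 <= len(name) <= 63:
        errors.append("must be 3 to 63 characters long")
    if name != name.lower() or "_" in name:
        errors.append("must not contain uppercase characters or underscores")
    if not re.fullmatch(r"[a-z0-9.-]*", name):
        errors.append("may only contain lowercase letters, numbers, hyphens and periods")
    if not re.match(r"[a-z0-9]", name):
        errors.append("must start with a lowercase letter or a number")
    # Labels are separated by single periods; an empty label means a leading,
    # trailing or doubled period, which also fails the DNS rule.
    for label in name.split("."):
        if not LABEL.fullmatch(label):
            errors.append(f"label {label!r} must start and end with a lowercase letter or number")
            break
    # ipaddress.ip_address raises ValueError for anything that is not an IP literal.
    try:
        ipaddress.ip_address(name)
    except ValueError:
        pass
    else:
        errors.append("must not be formatted as an IP address")
    return errors


def accelerate_compatible(name: str) -> bool:
    """Transfer Acceleration cannot be enabled on a bucket whose name contains a period."""
    return "." not in name


if __name__ == "__main__":
    # Constructed sample names covering each rule.
    for candidate in ["my-bucket-01", "My_Bucket", "192.168.5.4", "my..bucket", "-bucket", "ab"]:
        print(f"{candidate!r}: {bucket_name_errors(candidate) or 'valid'}")
```

Validating names client-side is cheap and avoids a round trip that would fail anyway; it also catches names with periods early, which matter later for Transfer Acceleration and for virtual-hosted-style HTTPS access.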

Bucket ownership is not transferable, and you cannot change the name of a bucket once it is created. You can, however, delete a bucket. After a bucket is deleted, its name becomes available for reuse, but you might not be able to create a bucket with the same name, because another account might create a bucket with that name before you do.

Although you can use root user credentials to perform any S3 operations, AWS recommends using IAM users for all S3 operations. The bucket created by an IAM user is owned by the AWS account itself and not the IAM user that performed the operation.

The bucket owner can grant cross-account permissions to other AWS accounts to upload objects. The AWS account that uploads the objects owns those objects, even though the bucket is owned by a different AWS account. In this case, the bucket owner does not have permissions on the objects owned by the other AWS account; however, the bucket owner can still delete those objects from the bucket.

Amazon S3 provides APIs to manage buckets and objects. You can use either the S3 APIs or the S3 Console to perform operations on buckets. The Management Console itself uses the S3 APIs to send requests to S3.

Creating a bucket

When creating a bucket, you must provide the bucket name and the region for the bucket location. Amazon S3 provides APIs for creating and managing buckets, so you can create a bucket either from the Console or using the AWS SDKs.

When using the AWS SDKs, you must first create a client, which is then used to send the bucket creation request. During client creation you can specify an AWS region for the bucket location; US East (N. Virginia) is the default. If the client was created for the US East (N. Virginia) region, you can create a bucket in any region by specifying that region in the bucket creation request. If the client was created for any region other than US East (N. Virginia), you can only create buckets in that particular region, and S3 returns an error if you specify a different region in the bucket creation request.


Accessing a bucket

You can access a bucket and perform all bucket operations from the AWS Management Console as well as programmatically. For programmatic access, S3 supports both virtual-hosted-style URLs and path-style URLs for buckets. In a virtual-hosted-style URL, the bucket name is part of the hostname, so DNS can route the request to the appropriate region, e.g. http://bucket.s3.amazonaws.com. A region-specific endpoint therefore need not be used to access the bucket. In a path-style URL, the bucket name is part of the path rather than the hostname, and the endpoint must match the region where the bucket is located, e.g. http://s3-aws-region.amazonaws.com/bucket.
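The two URL styles are easy to confuse in logs, allow-lists and proxy rules, so it helps to have code that builds and recognises both. The block below is an added example written for these notes, not AWS code. It uses the endpoint shapes shown above (bucket.s3.amazonaws.com for virtual-hosted style, s3-region.amazonaws.com/bucket for path style) and additionally accepts a region label after "s3" in a virtual-hosted host; the exact regional hostnames are assumed from those shapes, and the published S3 endpoint list is authoritative for any given region.

```python
"""Build and parse virtual-hosted-style and path-style S3 URLs.

Added example, not AWS code.  Hostname shapes are taken from the notes
above; regional hostnames beyond those shapes are an assumption.
"""
import re
from typing import Optional, Tuple
from urllib.parse import quote, unquote, urlsplit

# Path style: the host names the region (or the global endpoint) and the bucket is in the path.
PATH_STYLE_HOST = re.compile(r"s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com")
# Virtual-hosted style: the bucket is the leading DNS label(s) of the host.
VIRTUAL_HOST = re.compile(
    r"(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com"
)


def virtual_hosted_url(bucket: str, key: str) -> str:
    """The bucket name becomes a DNS label, so no regional endpoint is needed.

    Caveat: a bucket name containing a period produces a host such as
    my.bucket.s3.amazonaws.com, which a *.s3.amazonaws.com wildcard certificate
    does not cover (a wildcard matches one label), so HTTPS fails for such names
    in this style."""
    return f"https://{bucket}.s3.amazonaws.com/{quote(key)}"


def path_style_url(bucket: str, key: str, region: str) -> str:
    """The bucket name is in the path, so the host must be the bucket's own region."""
    return f"https://s3-{region}.amazonaws.com/{bucket}/{quote(key)}"


def parse_s3_url(url: str) -> Tuple[str, str, str, Optional[str]]:
    """Return (style, bucket, key, region) for either URL style, or raise ValueError.

    region is None when the URL uses the global endpoint.  The bucket segment is
    split off before percent-decoding so an encoded slash in a key cannot shift
    the bucket boundary."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    raw_path = parts.path.lstrip("/")
    m = PATH_STYLE_HOST.fullmatch(host)
    if m:
        bucket, _, key = raw_path.partition("/")
        if not bucket:
            raise ValueError("path-style URL has no bucket segment")
        return "path", bucket, unquote(key), m.group("region")
    m = VIRTUAL_HOST.fullmatch(host)
    if m:
        return "virtual-hosted", m.group("bucket"), unquote(raw_path), m.group("region")
    raise ValueError(f"not an S3 endpoint: {host}")


if __name__ == "__main__":
    # Constructed sample values.
    for u in (virtual_hosted_url("my-bucket", "logs/2024 01.txt"),
              path_style_url("my-bucket", "a/b.txt", "us-west-2")):
        print(u, "->", parse_s3_url(u))
```

Because the path-style host is checked first and must match the whole hostname, a bucket named "s3" in virtual-hosted style is still classified correctly, and any host outside amazonaws.com is rejected rather than guessed at.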

Deleting a bucket

You can delete an empty bucket using the Console, the AWS CLI, or programmatically using the AWS SDKs.

You can use the AWS SDKs to programmatically delete a non-empty bucket that does not have versioning enabled. With the AWS CLI, you can use the --force option with the rb (remove bucket) command, which first deletes all the objects and then removes the bucket. You can also delete all objects using a lifecycle configuration and later delete the bucket from the console.

You can delete a non-empty bucket with versioning enabled using the AWS SDKs. You can also use the bucket's lifecycle configuration to empty the bucket and later delete it from the console.
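Deleting a versioned bucket with the SDK means removing every object version and every delete marker first; a bucket that still holds a delete marker is not empty, and DeleteBucket fails with BucketNotEmpty. The block below is an added example written for these notes, not AWS or boto3 code. It uses the boto3 client method names and response shapes (list_object_versions, delete_objects, delete_bucket) so it can be pointed at a real boto3.client("s3"), but it is exercised here against a constructed in-memory FakeS3 client so the paging and batching logic runs offline.

```python
"""Empty and delete a versioned S3 bucket through the SDK.

Added example, not AWS code.  The delete loop follows ListObjectVersions
paging and batches DeleteObjects calls; FakeS3 is a constructed stand-in
for the three boto3 calls used, so the logic can be run without AWS.
"""
from typing import Dict, Iterator, List, Tuple


def iter_versions(client, bucket: str) -> Iterator[Tuple[str, str]]:
    """Yield (key, version_id) for every object version AND every delete marker,
    following the key/version-id markers that ListObjectVersions returns."""
    kwargs: Dict[str, str] = {"Bucket": bucket}
    while True:
        page = client.list_object_versions(**kwargs)
        for entry in page.get("Versions", []) + page.get("DeleteMarkers", []):
            yield entry["Key"], entry["VersionId"]
        if not page.get("IsTruncated"):
            return
        kwargs["KeyMarker"] = page["NextKeyMarker"]
        kwargs["VersionIdMarker"] = page["NextVersionIdMarker"]


def empty_and_delete_bucket(client, bucket: str, batch_size: int = 1000) -> int:
    """Delete all versions and delete markers in batches (DeleteObjects accepts
    at most 1000 keys per call), then delete the bucket.  Returns entries removed."""
    removed = 0
    batch: List[Dict[str, str]] = []
    for key, version_id in iter_versions(client, bucket):
        batch.append({"Key": key, "VersionId": version_id})
        if len(batch) == batch_size:
            client.delete_objects(Bucket=bucket, Delete={"Objects": batch, "Quiet": True})
            removed += len(batch)
            batch = []
    if batch:
        client.delete_objects(Bucket=bucket, Delete={"Objects": batch, "Quiet": True})
        removed += len(batch)
    client.delete_bucket(Bucket=bucket)
    return removed


class FakeS3:
    """Constructed in-memory stand-in for the boto3 calls used above.

    Entries are (key, version_id, is_delete_marker).  Version ids are kept in
    sorted order for simplicity, which real S3 does not guarantee."""

    def __init__(self, entries, page_size: int = 1000):
        self.entries = sorted((k, v, m) for k, v, m in entries)
        self.page_size = page_size
        self.delete_calls = 0
        self.bucket_deleted = False

    def list_object_versions(self, Bucket, KeyMarker=None, VersionIdMarker=None):
        start = 0
        if KeyMarker is not None:  # listing resumes after the marker, like S3
            marker = (KeyMarker, VersionIdMarker)
            start = sum(1 for k, v, _ in self.entries if (k, v) <= marker)
        page = self.entries[start:start + self.page_size]
        truncated = start + self.page_size < len(self.entries)
        resp = {
            "Versions": [{"Key": k, "VersionId": v} for k, v, m in page if not m],
            "DeleteMarkers": [{"Key": k, "VersionId": v} for k, v, m in page if m],
            "IsTruncated": truncated,
        }
        if truncated:
            resp["NextKeyMarker"], resp["NextVersionIdMarker"] = page[-1][0], page[-1][1]
        return resp

    def delete_objects(self, Bucket, Delete):
        self.delete_calls += 1
        doomed = {(o["Key"], o["VersionId"]) for o in Delete["Objects"]}
        self.entries = [e for e in self.entries if (e[0], e[1]) not in doomed]

    def delete_bucket(self, Bucket):
        if self.entries:
            raise RuntimeError("BucketNotEmpty")  # the error S3 returns for a non-empty bucket
        self.bucket_deleted = True


if __name__ == "__main__":
    # Constructed sample contents: two versions of "a", one version of "b" plus a delete marker, one "c".
    fake = FakeS3([("a", "v1", False), ("a", "v2", False), ("b", "v1", False),
                   ("b", "v2", True), ("c", "v1", False)], page_size=2)
    print("removed", empty_and_delete_bucket(fake, "example-bucket", batch_size=3))
```

Keeping the listing generator separate from the batching loop lets the same iter_versions be reused for an audit pass (for example, counting delete markers before deciding to delete) without changing the deletion path.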

Transfer Acceleration

Transfer acceleration is useful for transferring files over long distances when the bucket is not located in the geographically closest region. It transfers files securely by taking advantage of Amazon's edge locations: data that arrives at an edge location is forwarded to the S3 bucket over Amazon's highly optimized network.

The bucket owner can enable transfer acceleration on the bucket. To enable it, the bucket name must not contain a period (.). Additional data transfer charges may apply when using transfer acceleration. To compare accelerated and non-accelerated upload speeds, you can use the Amazon S3 Transfer Acceleration Speed Comparison tool.


Requester Pays buckets

By default, the bucket owner is responsible for all charges incurred on a bucket. However, as a bucket owner, you have the option to configure your bucket as a Requester Pays bucket, where the requester pays the cost of requests and data downloads while the bucket owner pays the storage cost.

Anonymous access is not allowed on a Requester Pays bucket. All requests must be authenticated, which lets S3 identify the requester to bill. The requester can assume an IAM role, in which case the AWS account that owns the role is charged.