Infinitely scalable, durability-first object storage that powers virtually every AWS architecture
Amazon S3 (Simple Storage Service) is AWS's foundational object storage service offering industry-leading 99.999999999% (11 nines) durability and 99.99% availability for the Standard storage class. It stores data as objects within buckets, supports virtually unlimited storage capacity, and integrates natively with nearly every AWS service. S3 is not a file system or block storage — it is an object store accessed via HTTP/S APIs, making it ideal for static assets, data lakes, backups, and event-driven architectures.
Durable, scalable, cost-effective object storage for any data type at any scale — from a single file to exabytes — with rich access control, lifecycle management, and native AWS integration.
S3 Standard
General-purpose storage; 99.99% availability, 11 nines durability, no retrieval fee
S3 Intelligent-Tiering
Automatically moves objects between access tiers based on usage patterns; no retrieval fees; small monitoring fee per object
S3 Standard-IA (Infrequent Access)
Lower storage cost but per-GB retrieval fee; minimum 30-day storage duration; minimum 128 KB object size billing
S3 One Zone-IA
Single AZ only; 20% cheaper than Standard-IA; NOT resilient to AZ loss — do NOT use for primary copies of irreplaceable data
S3 Glacier Instant Retrieval
Millisecond retrieval; minimum 90-day storage; higher retrieval cost than Standard-IA
S3 Glacier Flexible Retrieval
Minutes to hours retrieval (Expedited: 1–5 min, Standard: 3–5 hr, Bulk: 5–12 hr); minimum 90-day storage
S3 Glacier Deep Archive
Lowest cost; 12–48 hour retrieval; minimum 180-day storage; designed for 7–10 year retention
S3 Versioning
Preserves all versions of every object; enables recovery from accidental deletion or overwrites
S3 Replication (CRR & SRR)
Cross-Region Replication (CRR) and Same-Region Replication (SRR); requires versioning enabled on source and destination
S3 Object Lock
WORM (Write Once Read Many) protection; Governance and Compliance modes; can be set at object or bucket level
S3 MFA Delete
Requires MFA for permanent deletion of versioned objects; can only be enabled by root account
S3 Transfer Acceleration
Uses CloudFront edge locations to accelerate uploads over long distances; separate per-GB pricing
S3 Select & Glacier Select
Query subset of object data using SQL expressions; reduces data transfer and processing costs
S3 Access Points
Named network endpoints with dedicated access policies; simplifies access management for shared datasets
S3 Multi-Region Access Points
Single global endpoint routing to closest S3 bucket; uses AWS Global Accelerator network
S3 Batch Operations
Perform bulk operations (copy, tag, restore, invoke Lambda) on billions of objects with a single API call
S3 Inventory
Scheduled reports of objects and metadata; alternative to LIST API for large buckets
S3 Storage Lens
Organization-wide storage analytics and recommendations; default dashboard free, advanced metrics paid
S3 Event Notifications
Triggers to Lambda, SNS, SQS, or EventBridge on object create/delete/restore/replication events
Server-Side Encryption (SSE-S3, SSE-KMS, SSE-C, DSSE-KMS)
SSE-S3: AWS-managed keys (AES-256); SSE-KMS: customer-managed KMS keys with audit trail; SSE-C: customer-provided keys; DSSE-KMS: dual-layer encryption
Client-Side Encryption
Encrypt before upload; AWS has no access to plaintext
S3 Block Public Access
Account-level and bucket-level settings to prevent public access; can override bucket/object ACLs
S3 Static Website Hosting
Serves static content via HTTP (not HTTPS natively); use CloudFront in front for HTTPS and custom domains
S3 Requester Pays
Data transfer and request costs charged to the requester, not the bucket owner
S3 Object Lambda
Transform object content on-the-fly as it is retrieved; no need to store multiple derived versions
S3 Lifecycle Policies
Automatically transition objects between storage classes or expire them based on age or object count
S3 CORS
Cross-Origin Resource Sharing configuration for browser-based clients accessing S3 directly
VPC Endpoint for S3 (Gateway)
Free gateway-type VPC endpoint; traffic stays on AWS network; does not require NAT Gateway for S3 access
S3 Access Analyzer
Identifies buckets accessible outside your account or organization; integrates with IAM Access Analyzer
Event-Driven Object Processing (high freq)
S3 triggers Lambda on object creation (s3:ObjectCreated:*) for real-time processing — image resizing, ETL, virus scanning. Lambda is invoked asynchronously; use S3 Event Notifications or EventBridge for routing. For fan-out, use SNS between S3 and multiple Lambda functions.
Global Static Content Delivery with HTTPS (high freq)
CloudFront distributes S3 content globally via edge locations. Use Origin Access Control (OAC, successor to OAI) to restrict S3 bucket access to CloudFront only — the bucket remains private. Enables HTTPS for static websites (S3 native static hosting is HTTP only). CloudFront also adds caching, signed URLs, and WAF integration.
S3 API Audit Logging (high freq)
CloudTrail logs S3 management events (bucket-level) by default. S3 data events (object-level GET, PUT, DELETE) must be explicitly enabled — they are NOT logged by default and cost extra. Essential for compliance, forensics, and detecting unauthorized access.
Server-Side Encryption with Customer-Managed Keys (high freq)
SSE-KMS uses KMS CMKs for envelope encryption. Every S3 object operation (GET/PUT) generates a KMS API call. Use KMS key policies to control access independently of S3 bucket policies. The Bucket Key feature reduces KMS API calls by ~99% by generating a bucket-level data key.
Serverless Data Lake Query (high freq)
Athena queries data directly in S3 using standard SQL — no data loading required. Partition data by date/region in the S3 key prefix structure to reduce scan costs. Use Parquet or ORC columnar formats with compression for maximum cost efficiency. Glue Data Catalog provides schema management.
ETL and Data Catalog for Data Lakes (high freq)
Glue crawlers discover S3 data and populate the Glue Data Catalog. Glue ETL jobs transform data in S3 (CSV → Parquet, denormalization, etc.). The catalog is shared with Athena, Redshift Spectrum, and EMR for unified metadata.
Hybrid Cloud Storage Bridge (high freq)
Storage Gateway (File Gateway mode) presents S3 buckets as NFS/SMB file shares to on-premises applications. Data is cached locally for low-latency access and asynchronously synced to S3. Ideal for lift-and-shift migrations and backup to cloud without changing on-premises workflows.
Application Data Store with VPC Endpoint (high freq)
EC2 instances access S3 via a Gateway VPC Endpoint (free) to avoid public internet routing and NAT Gateway costs. IAM roles on EC2 grant least-privilege S3 access without embedding credentials. S3 is commonly used as a shared data store for stateless EC2 fleets.
S3 Metrics and Alerting (medium freq)
S3 publishes storage metrics to CloudWatch daily (free). Request metrics (per-prefix) require opt-in and incur CloudWatch charges. Use CloudWatch alarms on 4xxErrors, 5xxErrors, or BucketSizeBytes for operational visibility.
Reliable Event-Driven Pipeline with Dead Letter Queue (medium freq)
S3 → SQS → Lambda decouples ingestion from processing. SQS provides buffering and retry logic. Configure a DLQ on SQS for failed processing. More reliable than direct S3 → Lambda for high-volume or failure-sensitive workloads.
High-Speed Data Migration (medium freq)
DataSync accelerates data transfer from on-premises NAS/file servers or other cloud storage to S3. Handles scheduling, encryption, integrity verification, and bandwidth throttling. Faster and more automated than using the AWS CLI or custom scripts.
Sensitive Data Discovery and Classification (medium freq)
Macie uses ML to automatically discover and classify sensitive data (PII, financial data) stored in S3. Generates findings for buckets with public access, unencrypted objects, or shared access. Essential for compliance with GDPR, HIPAA, PCI-DSS.
Multipart Upload is REQUIRED for objects >5 GB (single PUT limit) and RECOMMENDED for objects >100 MB. Any exam scenario mentioning large file uploads should trigger 'Multipart Upload' as the answer.
S3 is NOT a file system. It does not support true POSIX semantics, file locking, or atomic rename operations. When a scenario requires shared file system access with concurrent mounts, choose EFS (Linux) or FSx for Windows. When block storage is needed for a database, choose EBS.
S3 Bucket names are GLOBALLY unique across ALL AWS accounts and ALL regions. A bucket name taken by any account anywhere in the world is unavailable to you. Bucket names follow DNS naming rules: lowercase, 3–63 chars, no underscores, no IP address format.
S3 data events (object-level: GET, PUT, DELETE) are NOT logged by CloudTrail by default — you must explicitly enable them and pay additional costs. Management events (bucket-level operations) ARE logged by default. Exam questions about auditing who downloaded a specific object require data events to be enabled.
Versioning can be SUSPENDED but NEVER disabled once enabled. Suspended versioning stops creating new versions but ALL existing versions remain and continue to incur storage costs. MFA Delete can only be enabled/disabled by the ROOT account user — not IAM users.
Any file >5 GB requires Multipart Upload (hard limit). Any scenario asking how to upload large files to S3 = Multipart Upload. Recommended for >100 MB.
S3 data events (object GET/PUT/DELETE) are NOT logged by CloudTrail by default — must be explicitly enabled. Management events (bucket operations) ARE logged by default. Compliance/forensics scenarios always require data events.
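The audit-logging pattern above and these two notes both come down to the same forensic question: which principal fetched a given object. The following is an added example (not from the page or from AWS) that runs that query over CloudTrail-shaped records; the records, bucket name, ARNs and IPs are constructed samples, and it assumes data events were enabled so that object-level GetObject entries exist at all.

```python
# Added example, not from the page: answer "who accessed this object?" from
# CloudTrail S3 data events. Only data events (eventCategory "Data") name the
# object key; management events never do, so a trail without data events
# enabled cannot answer this question. All records below are CONSTRUCTED.
import json

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2026-02-20T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "eventCategory": "Management",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "example-finance"}},
    {"eventTime": "2026-02-20T10:05:12Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/analyst/alice"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "example-finance", "key": "q4/payroll.csv"}},
    {"eventTime": "2026-02-20T10:06:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"bucketName": "example-finance", "key": "q4/payroll.csv"}},
    {"eventTime": "2026-02-20T10:08:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/analyst/alice"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "example-finance", "key": "q4/summary.txt"}},
]})


def object_accesses(trail_json, bucket, key, include_denied=False):
    """Return (eventTime, principal ARN, eventName, sourceIP) for each S3 data
    event that touched bucket/key. Denied requests are skipped unless asked for."""
    hits = []
    for r in json.loads(trail_json)["Records"]:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventCategory") != "Data":
            continue                      # management events carry no object key
        params = r.get("requestParameters", {})
        if params.get("bucketName") != bucket or params.get("key") != key:
            continue
        if "errorCode" in r and not include_denied:
            continue                      # e.g. AccessDenied: nothing was returned
        hits.append((r["eventTime"], r["userIdentity"]["arn"],
                     r["eventName"], r["sourceIPAddress"]))
    return hits


def denied_attempts(trail_json):
    """Failed object-level requests: useful for spotting probing or misconfiguration."""
    return [(r["userIdentity"]["arn"], r["requestParameters"].get("key"))
            for r in json.loads(trail_json)["Records"]
            if r.get("eventCategory") == "Data" and r.get("errorCode")]
```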
S3 is strongly consistent since December 2020 — ALL reads (including after overwrites and deletes) are strongly consistent. Any answer suggesting S3 eventual consistency workarounds is WRONG for current exams.
Use Origin Access Control (OAC) — NOT Origin Access Identity (OAI) — for new CloudFront + S3 integrations. OAC is the modern replacement for OAI, supports SSE-KMS, all S3 regions, and all HTTP methods. OAI is legacy. Exam may still reference both — know that OAC is the recommended current approach.
S3 Transfer Acceleration uses CloudFront EDGE LOCATIONS to accelerate uploads — it is for UPLOADS to S3 over long distances. It is NOT the same as CloudFront distribution (which is for DOWNLOADS/content delivery). The endpoint format is: bucket.s3-accelerate.amazonaws.com.
S3 Object Lock Compliance mode: NO ONE (including root) can delete or modify objects during the retention period. Governance mode: users with s3:BypassGovernanceRetention permission CAN override. For regulatory WORM requirements, always choose Compliance mode.
Cross-Region Replication (CRR) does NOT replicate existing objects — only NEW objects written after replication is enabled. To replicate existing objects, use S3 Batch Replication. Replication also does NOT replicate delete markers by default (must be explicitly enabled).
S3 Intelligent-Tiering is NOT always the cheapest option. It charges a per-object monitoring fee (~$0.0025/1,000 objects/month). For very small objects (<128 KB) or objects known to be accessed frequently or infrequently consistently, Standard or Standard-IA is more cost-effective.
VPC Gateway Endpoint for S3 is FREE and routes traffic through the AWS private network — no NAT Gateway, no internet gateway required. This is the correct answer for 'reduce cost of EC2 accessing S3' or 'keep S3 traffic off the public internet' scenarios.
SSE-KMS with the S3 Bucket Key feature reduces KMS API call costs by ~99% by generating a bucket-level data encryption key. Without Bucket Key, EVERY object GET/PUT calls KMS — at high request rates this creates significant KMS costs and potential throttling.
S3 Static Website Hosting serves content over HTTP only — NOT HTTPS. To serve a static site over HTTPS with a custom domain, you MUST use CloudFront in front of S3. This is a very common exam scenario.
Presigned URLs grant access using the CREATOR's permissions at the time of access — if the IAM user or role that signed the URL loses permissions AFTER the URL is created, the URL may no longer work. If signed with STS temporary credentials, the URL expires when the credential expires, regardless of the URL's own expiry.
S3 Standard-IA and One Zone-IA have a MINIMUM BILLABLE OBJECT SIZE of 128 KB. Objects smaller than 128 KB are billed AS IF they were 128 KB. Do not use IA classes for storing millions of tiny objects — use S3 Standard instead.
Common Mistake
S3 provides strong consistency only for new objects — reads after overwrites or deletes may return stale data
Correct
Since December 2020, Amazon S3 provides strong read-after-write consistency for ALL operations — PUTs of new objects, overwrites, and DELETEs. LIST operations are also strongly consistent. There is NO eventual consistency window in S3 anymore.
This was true before December 2020 and many study materials still reference the old behavior. Exam questions testing 'what happens when you read immediately after a PUT' now have a clear answer: you get the latest data. Don't design workarounds for eventual consistency in S3 — they're unnecessary and will be wrong answers.
Common Mistake
Using S3 for storing secrets, API keys, database passwords, or credentials (even with encryption) is a best practice
Correct
S3 is NOT designed for secret management. Use AWS Secrets Manager for secrets requiring automatic rotation, or AWS Systems Manager Parameter Store (SecureString) for configuration values. S3 lacks built-in secret rotation, fine-grained access auditing per secret, and automatic expiry. Exam questions about credential management always prefer Secrets Manager over S3.
This maps directly to a top misconception in the exam question bank. The trap is that S3 with SSE-KMS 'feels secure enough' — but it lacks the operational controls (rotation, versioning of secrets, per-secret IAM policies, automatic expiry notifications) that purpose-built secret stores provide.
Common Mistake
CloudFront and S3 Transfer Acceleration do the same thing — both accelerate S3 content delivery
Correct
CloudFront is a CDN that CACHES content at edge locations for DOWNLOADS/reads — ideal for content delivery to end users globally. S3 Transfer Acceleration uses edge locations to accelerate UPLOADS to S3 from distant clients — it does NOT cache content. They solve opposite problems. Using CloudFront does NOT accelerate uploads; using Transfer Acceleration does NOT cache content.
This confusion appears directly in exam questions comparing CloudFront vs Global Accelerator vs Transfer Acceleration. Remember: CloudFront = cache + download acceleration; Transfer Acceleration = upload acceleration; Global Accelerator = network routing optimization for dynamic content (not S3 specific).
Common Mistake
S3 replication automatically replicates all existing objects and delete operations
Correct
S3 replication (CRR/SRR) only replicates NEW objects written AFTER replication is configured. Existing objects are NOT replicated automatically — use S3 Batch Replication for existing objects. Delete markers are NOT replicated by default (must be explicitly enabled). Permanently deleted versions are NEVER replicated (to protect against malicious deletion).
This is a common trap in migration and DR scenarios. Candidates assume enabling CRR on an existing bucket with data will sync everything — it won't. Always pair CRR setup with S3 Batch Replication for existing data.
Common Mistake
Making an S3 bucket public via ACL or bucket policy is sufficient to serve a static website over HTTPS
Correct
S3 static website hosting only supports HTTP, not HTTPS. To serve content over HTTPS (required for modern browsers, SEO, and security), you must place CloudFront in front of S3. CloudFront handles SSL/TLS termination and can use ACM certificates for free. The S3 bucket itself should remain PRIVATE with OAC restricting access to CloudFront only.
Many developers assume S3 can serve HTTPS natively. Exam scenarios asking for 'secure static website hosting with custom domain and HTTPS' always require CloudFront + S3 + ACM, not just S3 alone.
Common Mistake
S3 One Zone-IA is a cost-effective replacement for S3 Standard-IA for any infrequently accessed data
Correct
S3 One Zone-IA stores data in a SINGLE Availability Zone. If that AZ fails or is destroyed, your data is LOST. It is appropriate ONLY for data that can be recreated (thumbnails, transcoded media, derived analytics results) or data already replicated elsewhere. Never use One Zone-IA as the sole copy of important or irreplaceable data.
The 20% cost savings is tempting, but the single-AZ risk is a critical architectural flaw for primary data storage. Exam questions often present One Zone-IA as a cost-saving option and test whether candidates understand the durability trade-off.
Common Mistake
S3 bucket policies and IAM policies work independently — you need both to allow access
Correct
S3 access is evaluated using a UNION of IAM policies AND bucket policies. Access is granted if EITHER the IAM policy OR the bucket policy allows it (and neither explicitly denies it). For cross-account access, BOTH the bucket policy (on the resource side) AND the IAM policy (on the identity side) must allow the action. Block Public Access settings can OVERRIDE both.
Understanding the S3 access evaluation logic is critical for security questions. The key nuance: same-account access needs IAM OR bucket policy; cross-account access needs BOTH. Block Public Access is an additional override layer that even overrides explicit 'Allow' statements for public access.
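The evaluation rules just described (explicit Deny wins; same-account needs IAM or bucket policy; cross-account needs both; Block Public Access discards public Allows) are easy to get wrong in review, so here is an added example (not from the page or from AWS) that models them as a small evaluator. The Statement and Caller types, the account ids and the policies are all constructed; real policies also carry resources, conditions and ACLs, which this model leaves out.

```python
# Added example, not from the page: a simplified model of S3 access evaluation
# following the rules stated above. Account ids and policies are constructed.
from dataclasses import dataclass

@dataclass
class Statement:
    effect: str              # "Allow" or "Deny"
    actions: set             # e.g. {"s3:GetObject"}; "s3:*" matches everything
    principal: str = None    # bucket policies only: an account id or "*" (public)

@dataclass
class Caller:
    account: str
    identity_policy: list    # IAM statements attached to the user or role

def _matches(stmt, action):
    return action in stmt.actions or "s3:*" in stmt.actions

def evaluate(caller, bucket_account, bucket_policy, action, block_public_access=True):
    """Return True if the caller may perform `action` on the bucket."""
    iam = [s for s in caller.identity_policy if _matches(s, action)]
    # Bucket statements addressed to this caller's account, or to everyone ("*").
    bp = [s for s in bucket_policy
          if _matches(s, action) and s.principal in (caller.account, "*")]
    if any(s.effect == "Deny" for s in iam + bp):
        return False                               # an explicit Deny always wins
    if block_public_access:
        bp = [s for s in bp if s.principal != "*"]  # public Allows are ignored
    iam_allows = any(s.effect == "Allow" for s in iam)
    bp_allows = any(s.effect == "Allow" for s in bp)
    if caller.account == bucket_account:
        return iam_allows or bp_allows             # same account: either side
    return iam_allows and bp_allows                # cross-account: both sides

# Constructed sample identities and policies (account ids are placeholders).
BUCKET_ACCOUNT = "111122223333"
GET = "s3:GetObject"
same_acct_user = Caller(BUCKET_ACCOUNT, [Statement("Allow", {GET})])
other_acct_user = Caller("444455556666", [Statement("Allow", {GET})])
cross_acct_grant = [Statement("Allow", {GET}, principal="444455556666")]
public_grant = [Statement("Allow", {GET}, principal="*")]
explicit_deny = [Statement("Deny", {"s3:*"}, principal=BUCKET_ACCOUNT)]

def demo():
    """Each key names the scenario; the value is the access decision."""
    return {
        "same_account_iam_only": evaluate(same_acct_user, BUCKET_ACCOUNT, [], GET),
        "cross_account_iam_only": evaluate(other_acct_user, BUCKET_ACCOUNT, [], GET),
        "cross_account_both": evaluate(other_acct_user, BUCKET_ACCOUNT, cross_acct_grant, GET),
        "public_with_bpa": evaluate(other_acct_user, BUCKET_ACCOUNT, public_grant, GET),
        "public_without_bpa": evaluate(other_acct_user, BUCKET_ACCOUNT, public_grant, GET,
                                       block_public_access=False),
        "deny_beats_iam_allow": evaluate(same_acct_user, BUCKET_ACCOUNT, explicit_deny, GET),
    }
```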
Common Mistake
Enabling SSE-S3 (AES-256) encryption on S3 provides the same compliance and audit capabilities as SSE-KMS
Correct
SSE-S3 uses AWS-managed keys with no customer visibility into key usage, rotation, or audit logs. SSE-KMS uses KMS CMKs, which provide CloudTrail audit logs of every key usage, customer-controlled key rotation, key policies, and the ability to revoke access by disabling the key. For compliance frameworks requiring key management audit trails (HIPAA, PCI-DSS, FedRAMP), SSE-KMS is required.
Both encrypt data at rest, but SSE-KMS provides governance, auditability, and control that SSE-S3 does not. Exam questions about compliance, audit trails, or 'who accessed encrypted data' always point to SSE-KMS, not SSE-S3.
S3 Storage Classes by cost (high→low): Standard → Intelligent-Tiering → Standard-IA → One Zone-IA → Glacier Instant → Glacier Flexible → Glacier Deep Archive. Memory trick: 'Some Intelligent Students One Grade Fails Deeply'
Multipart Upload triggers: REQUIRED >5 GB, RECOMMENDED >100 MB. Remember '5 and 100': 5 GB = must, 100 MB = should.
CRR does NOT copy the PAST — only the FUTURE. Existing objects need Batch Replication.
OAC > OAI: Origin Access CONTROL is the new CORRECT choice for CloudFront+S3. OAI = Old And Inferior.
SSE types: SSE-S3 (AWS owns keys, simple), SSE-KMS (You control keys, auditable), SSE-C (You provide keys, AWS never stores them), DSSE-KMS (Double encryption, highest compliance). Remember: S=Simple, K=Key-controlled, C=Customer-provided, D=Double.
S3 consistency model post-2020: 'S3 is NOW strongly consistent — no more eventual consistency excuses.' Any answer mentioning S3 eventual consistency is WRONG for current AWS.
Glacier retrieval speeds: Expedited (1-5 min) = Express lane, Standard (3-5 hr) = Regular highway, Bulk (5-12 hr) = Slow truck. Deep Archive adds 12-48 hours — it's in a deep cave.
CertAI Tutor · DEA-C01, SAP-C02, CLF-C02, SAA-C03, DVA-C02, DOP-C02, SCS-C02 · 2026-02-21