Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Object storage: An exploration of AWS S3

Object storage: An exploration of AWS S3

Cc95ef8bf38403916f40854c4ede4853?s=128

Pierre GOUDJO

January 20, 2022
Tweet

More Decks by Pierre GOUDJO

Other Decks in Technology

Transcript

  1. Object storage Pierre GOUDJO An exploration of AWS S3

  2. Let’s explore the different types of storage architectures

  3. None
  4. https://stone fl y.com/resources/what-is- fi le-level-storage-vs-block-level-storage Block level storage, or block

    storage, is storage used for structured data and is commonly deployed in Storage Area Network (SAN) systems
  5. https://stone fl y.com/resources/what-is- fi le-level-storage-vs-block-level-storage Block storage uses blocks, which

    are a set of sequence of bytes, to store structured workloads.
  6. None
  7. None
  8. None
  9. https://stone fl y.com/resources/what-is- fi le-level-storage-vs-block-level-storage File level storage, or file

    storage, is storage used for unstructured data and is commonly deployed in Network Attached Storage (NAS) systems
  10. https://stone fl y.com/resources/what-is- fi le-level-storage-vs-block-level-storage File storage, as opposed to

    block storage, stores data in a hierarchical architecture; as such that the data and its metadata are stored as is – in the form of files and folders.
  11. None
  12. None
  13. None
  14. https://cloud.google.com/learn/what-is-object-storage Object storage is a data storage architecture for large

    stores of unstructured data
  15. https://cloud.google.com/learn/what-is-object-storage It designates each piece of data as an object,

    keeps it in a separate storehouse, and bundles it with metadata and a unique identifier for easy access and retrieval.
  16. None
  17. None
  18. Let’s focus on object storage

  19. None
  20. None
  21. None
  22. None
  23. Amazon S3 concepts

  24. • Container of objects stored in Amazon S3 • Play

    a role in access control • Serve as unit of aggregation for usage reporting Buckets
  25. • Fundamentals entities stored in Amazon S3 • Objects consist

    of object data and metadata • The metadata is a set of name- value pairs that describe the object • The metadata can be default ones (date last modi fi ed, standard HTTP metadata such as Content-Type) or custom ones Objects
  26. Keys • Every object in a bucket has exactly one

    key • The combination of a bucket, key, and version ID uniquely identi fi es each object • Eg. in https://doc.s3.amazonaws.com/2006-03-01/AmazonS3.wsdl, doc is the name of the bucket and 2006-03-01/AmazonS3.wsdl is the key
  27. • You can chose the AWS Region where S3 stores

    the buckets • A region might be chosen to optimise latency, minimise costs or address regulatory requirements Regions
  28. S3 consistency model • Strong read-after-write consistency for PUTs and

    DELETEs • Strongly consistent read operations on Amazon S3 Select, Amazon S3 Access Control Lists, Amazon S3 Object Tags, and object metadata • Updates to a single key are atomic
  29. Atomic Last write wins Read-after-write

  30. Storage classes

  31. Data durability vs availability • Availability refers to system uptime,

    i.e. the storage system is operational and can deliver data upon request • Durability, on the other hand, refers to long-term data protection, i.e. the stored data does not su ff er from bit rot, degradation or other corruption
  32. Storage classes • Each object has a storage class •

    You choose a class depending on your use case scenario and performance access requirements • All storage classes o ff er high durability
  33. 99.999999999% Durability

  34. Frequently Accessed Objects • S3 Standard: The default storage class

    • 99.99% (Four 9s) Availability • Reduced Redundancy: Storage class designed for non-critical, reproducible data. • 99.99% Durability • 99.99% (Four 9s) Availability • Not Recommended as less cost e ff ective than S3 Standard
  35. Infrequently Accessed Objects • S3 Standard-IA: for data that is

    accessed less frequently, but requires rapid access when needed. • Same low latency and high throughput performance of S3 Standard • 99.9% (Three 9s) availability • S3 One Zone-IA: Amazon S3 stores the object data in only one Availability Zone, which makes it less expensive than S3 Standard-IA • Same low latency and high throughput performance of S3 Standard • 99.5% (Two and half 9s) availability
  36. Infrequently Accessed Objects Notes and Recommendations • S3 Standard-IA and

    S3 One Zone-IA are suitable for objects larger than 128KB that you plan to store for at least 30 days • S3 Standard-IA — Use for your primary or only copy of data that can't be re- created. • S3 One Zone-IA — Use if you can re-create the data if the Availability Zone fails, and for object replicas
  37. Archiving objects • S3 Glacier: Use for archives where portions

    of the data might need to be retrieved in minutes • Low cost • Con fi gurable retrieval times, from minutes to hours • S3 Glacier Deep Archive: Use for archiving data that rarely needs to be accessed • Lowest cost • Retrieval times from 12 hours to 48 hours
  38. Archiving objects Notes and Recommendations • Minimum storage duration: •

    90 days for S3 glacier • 180 days for S3 Glacier Deep Archive • Retrieval times ranked by fastest/expensive: • Bulk • Standard • Expedite • You can directly upload data in glacier as archives inside vaults using the Glacier API
  39. S3 Intelligent-Tiering • S3 Intelligent-tiering optimises storage cost by automatically

    moving data to the most cost e ff ective access tier • It works by monitoring access patterns • The objects are moved rolling the pattern: • After 30 days of non access : move to infrequent access tier • After 90 days of non access: move to archive access tier • After 180 days of non access: move to deep archive access tier
  40. Storage Class Availability Durability Retrieval time Standard 99,999999999 % 99,99

    % Immediate Standard-IA 99,999999999 % 99,9 % Immediate S3 Intelligent-Tiering 99,999999999 % 99,9 % Immediate One Zone-IA 99,999999999 % 99,5 % Immediate Glacier 99,999999999 % 99,99 % Minutes to Hours Deep Glacier Archive 99,999999999 % 99,99 % Hours
  41. None
  42. Storage lifecycle

  43. S3 Lifecycle • An Amazon S3 Lifecycle is a set

    of rules that de fi ne actions S3 applies to a group of objects • There are two types of actions: • Transition actions: De fi ne when objects transition from a storage class to another • Expiration actions: De fi ne when objects expire and should be deleted by S3 • Lifecycle con fi guration fi les are XML documents
  44. Transitions between storage classes

  45. <LifecycleConfiguration> <Rule> <ID>Transition and Expiration Rule</ID> <Filter> <Prefix>tax/</Prefix> </Filter> <Status>Enabled</Status>

    <Transition> <Days>365</Days> <StorageClass>S3 Glacier</StorageClass> </Transition> <Expiration> <Days>3650</Days> </Expiration> </Rule> </LifecycleConfiguration> Example of lifecycle con fi guration
  46. Amazon S3 Versioning

  47. Amazon S3 versioning • Versioning in Amazon S3 allows keeping

    multiple versions of the same object in the same bucket • If S3 receives multiple write requests for the same object, it stores all of those objects • When versioning is activated: • A simple GET request retrieves the current version of the object. To retrieve a speci fi c version, you have to specify the version ID • A simple DELETE request cannot delete an object. To delete version object de fi nitely, you have to also specify the version ID
  48. Object locking • With S3 Object Lock it is possible

    to prevent objects for being deleted or overwritten • Works only in versioned buckets and applies to individual object versions • There is two types of object locking: • Retention period: Speci fi es a fi xed amount of time during which the object remains locked • Legal hold: Provides the same protection as retention period but has no expiration date. Legal holds remain in place until explicitly removed.
  49. Security

  50. Data encryption • Amazon S3 uses SSL/TLS to protect data

    in-transit • Amazon S3 allows the following options for protection data at rest: • Server-side encryption: Requesting S3 to encrypt your objects before saving them on disks in the data centres • Client-side encryption: Encrypt data client-side and upload the encrypted data to Amazon S3.
  51. Data encryption Server-side Encryption • Server-Side Encryption with Amazon S3-Managed

    Keys (SSE-S3): AES-256 keys is used to encrypt object and the master key is managed and rotated by S3 • Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS): Uses a customer managed master key with AWS KMS. It allows audit trail (who and when the key was used) • Server-Side Encryption with Customer-Provided Keys (SSE-C): Uses AES-256 encryption keys provided by the customer when uploading to encrypt the object. When retrieving the object, the same key must be provided in order to allow Amazon S3 to decrypt and return the object data
  52. Customer master key vs Data key

  53. Data encryption Client-side encryption • The client encrypts the data

    before sending them to S3 • It can be done by: • Using a customer master key (CMK) stored in KMS • Using a master key that you store in your application • When uploading an object, a symmetric key is generated using the CMK ID via KMS or the owned master key via AWS Encryption SDK. The plainkey is used to encrypt the data and the encrypted one is stored in object metadata • When downloading an object, the encrypted key is retrieved from the object metadata, decrypted with the master key and used to decrypt the object data
  54. Identity and Access Management • By default all Amazon S3

    resources are private. Only the resource owner can access the resource • You can create and con fi gure bucket policies to grant permission to your Amazon S3 resources. Bucket policies use JSON-based access policy language • You can use ACLs to grant basic read/write permissions to other AWS account
  55. Bucket Policies

  56. ACL

  57. Blocking Public Access

  58. Additional Features

  59. Replication • Replication enables automatic, asynchronous copying of objects across

    Amazon S3 buckets. • Object may be replicated to a single destination bucket or multiple destination buckets • Original metadata are replicated across buckets • Note: Object created with SSE-C encryption keys are not replicated
  60. Amazon Select S3 • With Amazon S3 Select, you can

    use SQL statements to fi lter the contents of an Amazon S3 object (on S3 or Glacier) and retrieve just the subset of data that you need • Works on objects stored in CSV, JSON or Apache Parquet. It also works on objects compressed with GZIP or BZIP2 and server-side encrypted objects. • The following standard clauses are supported: • SELECT list • FROM clause • WHERE clause • LIMIT clause (Amazon S3 Select only)
  61. Batch Operations • S3 Batch Operations can perform a single

    operation on lists of Amazon S3 objects that you specify • Can be used to copy objects, set tags, access control lists or invoke lambda to perform custom actions using your objects • S3 Batch terminology • Job: A basic unit of work for S3 batch operations • Operation: The type of API action (copying objects, call Lambda) that you want the batch operation to run • Task: The unit of execution for the job. A task represents a single call to an Amazon S3 or AWS Lambda API
  62. Static Web Hosting • You can use Amazon S3 to

    host a static website (static HTML, SPA web app) • Only http available, to provide https you can use Cloudfront • For your customers to access content at the website endpoint, you must make all your content publicly readable • You can optionally enable Amazon S3 server access logging
  63. S3 Transfer Acceleration • S3 Transfer Acceleration enables fast, easy

    and secure transfer of fi le over long distance • S3 Transfer Acceleration uses CloudFront distributed edge location and routes data to S3 using an optimised network • Works both with IPv4 (bucketname.s3-accelerate.amazonaws.com) and IPv6 (bucketname.s3-accelerate.dualstack.amazonaws.com) • S3 Transfer Acceleration Speed Comparison tool can be used to benchmark accelerated vs non-accelerated S3 upload across AWS Regions