1. Buckets:
Buckets form the top-level namespace for Amazon S3, and bucket names are global. This means that your bucket names must be unique across all AWS accounts, much like Domain Name System (DNS) domain names, not just within your own account. Bucket names can contain up to 63 lowercase letters, numbers, hyphens, and periods. You can create and use multiple buckets; you can have up to 100 per account by default.
- A bucket name must be at least 3 characters long and no more than 63 characters.
- A bucket name must be a series of one or more labels. Adjacent labels are separated by a single period (.). Bucket names can contain lowercase letters, numbers, and hyphens. Each label must begin and end with a lowercase letter or a number.
- A bucket name must not be formatted as an IP address (for example, 192.168.5.4).
- When using virtual-hosted-style buckets over SSL, the SSL wildcard certificate only matches buckets that do not contain periods. To work around this, use HTTP or write your own certificate-validation logic. We recommend not using periods (".") in bucket names.
Bucket properties include: Versioning / Logging / Static website hosting / Tags / Transfer acceleration / Events / Requester pays
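The naming rules above as a checker (an added example, not code from AWS or from the original notes). It rejects names that break the length, label, character or IP-format rules, and reports a bucket name containing periods as a warning because of the SSL wildcard-certificate problem; the sample names in the main block are constructed.

```python
from __future__ import annotations

import ipaddress
import re

# One label: lowercase letters, digits and hyphens, starting and ending with a
# letter or digit. Labels are joined by single periods (checked via split below).
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def check_bucket_name(name: str) -> tuple[bool, list[str]]:
    """Return (valid, messages). 'warn:' messages do not make the name invalid."""
    errors: list[str] = []
    if not 3 <= len(name) <= 63:
        errors.append("error: length must be between 3 and 63 characters")
    # str.split keeps empty strings for "a..b" or a leading/trailing period,
    # and an empty label fails the regex, so those cases are rejected too.
    for label in name.split("."):
        if not LABEL_RE.fullmatch(label):
            errors.append(f"error: bad label {label!r}")
    try:
        ipaddress.IPv4Address(name)
        errors.append("error: name must not be formatted as an IP address")
    except ValueError:
        pass  # not an IPv4 literal, which is what we want
    warnings: list[str] = []
    if not errors and "." in name:
        # Virtual-hosted-style HTTPS relies on the *.s3.amazonaws.com wildcard
        # certificate, which does not cover a bucket name containing periods.
        warnings.append("warn: periods break SSL wildcard matching for "
                        "virtual-hosted-style HTTPS URLs")
    return not errors, errors + warnings


if __name__ == "__main__":
    # Constructed candidates covering each rule.
    for candidate in ("clodifierpublic", "my.data.bucket", "192.168.5.4",
                      "ab", "My-Bucket", "a..b", "-leading"):
        ok, messages = check_bucket_name(candidate)
        print(f"{candidate!r}: {'ok' if ok else 'invalid'} {messages}")
```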
2. Objects
An object can be 0 to 5 TB in size; there is no limit on the number of objects in a bucket.
Metadata: system metadata and user metadata. User metadata is optional, for example for tagging.
Object properties include: Storage class / Encryption / Metadata
3. Keys
A key can be up to 1024 bytes of Unicode UTF-8 characters, including embedded slashes (/), backslashes (\), dots (.), and dashes (-).
A key is scoped to its bucket; bucket + key is the unique identifier of an S3 object.
4. Object URL
Example, bucket = clodifierpublic:
https://s3.eu-central-1.amazonaws.com/clodifierpublic/dog1.jpg
https://clodifierpublic.s3.eu-central-1.amazonaws.com/dog1.jpg
https://clodifierpublic.s3.amazonaws.com/dog1.jpg also works and redirects to https://clodifierpublic.s3.eu-central-1.amazonaws.com/dog1.jpg
5. Durability and availability
Amazon S3 Standard storage is designed for 99.999999999% (eleven nines) durability and 99.99% (four nines) availability.
RRS: Reduced Redundancy Storage (RRS) at a lower cost. RRS offers 99.99% durability with a lower cost of storage than traditional Amazon S3 storage.
* RRS pricing is now actually higher than S3 Standard pricing; AWS is phasing out the RRS class.
6. Data Consistency
S3 provides an eventually consistent system. Background reading:
http://www.allthingsdistributed.com/2008/12/eventually_consistent.html http://mark311.github.io/%E5%88%86%E5%B8%83%E5%BC%8F/%E6%9C%80%E7%BB%88%E4%B8%80%E8%87%B4%E6%80%A7/2014/10/18/eventually-consistent.html
7. S3 Inventory
S3 Inventory is a storage-management tool provided by S3. It can output, daily or weekly, a list of the objects in a specified S3 bucket (or under a specified prefix in that bucket) together with their metadata, stored as CSV files in a specified S3 bucket. The inventory follows the eventual-consistency model, so the list may be missing recently added or deleted objects; to confirm the state of a particular object, use the HEAD Object REST API (or the CLI/SDK) to fetch its metadata. For users whose buckets hold huge numbers of files, the inventory is a convenient way to learn what the bucket currently contains instead of repeatedly calling the GET Bucket API as before (at most 1000 objects per call), which speeds up some business workflows and big-data jobs.
8. Access control for resources: ACLs, bucket policies and user policies
There are two categories: resource-based policies and user policies.
Bucket and object permissions are independent of each other. An object does not inherit the permissions of its bucket. For example, if you create a bucket and grant a user write access, you cannot access that user's objects unless the user explicitly grants you access (ACL). A policy attached to a bucket does apply to the objects inside the bucket.
ACLs can be attached to both objects and buckets. Policies exist only as bucket policies. Bucket policy: for a bucket, you can add a bucket policy to grant other AWS accounts or IAM users permissions on the bucket and the objects in it. Any object permissions apply only to objects created by the bucket owner. Bucket policies complement (and in many cases replace) ACL-based access policies.
At run time, all relevant access policies (user policies, bucket policies, ACLs) are converted into one set of policies for evaluation.
When to use a bucket ACL: the only recommended use case for a bucket ACL is to grant write permission to the Amazon S3 Log Delivery group so that it can write access-log objects into your bucket (see Server Access Logging (p. 553)). If you want Amazon S3 to deliver access logs to your bucket, you need to grant the Log Delivery group write permission on the bucket. The only way to grant the Log Delivery group the required permission is through a bucket ACL.
The canonical user ID concept
AWS assigns two unique IDs to each AWS account:
- An AWS account ID, a 12-digit number such as 123456789012
- A canonical user ID such as 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be
You can use canonical user IDs in an Amazon S3 bucket policy for cross-account access, which means an AWS account can access resources in another AWS account. For example, to grant another AWS account access to your bucket, you specify the account's canonical user ID in the bucket's policy.
9. Encryption
The three server-side encryption methods are mutually exclusive: SSE-S3 (server-side encryption with S3-managed keys), SSE-KMS and SSE-C. SSE-KMS encrypts with customer master keys (CMKs).
Protecting data with client-side encryption: Option 1: using an AWS KMS-managed customer master key (CMK); Option 2: using a client-side master key.
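The request headers that select each server-side mode, and a check that a request does not mix them, as an added example (not from the original notes or from an AWS SDK). The header names are the documented S3 REST headers; the KMS key alias and the 32-byte key in the test are constructed placeholders.

```python
from __future__ import annotations

import base64
import hashlib

SSE_HEADER = "x-amz-server-side-encryption"
SSE_KMS_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
SSEC_ALGO_HEADER = "x-amz-server-side-encryption-customer-algorithm"
SSEC_KEY_HEADER = "x-amz-server-side-encryption-customer-key"
SSEC_KEY_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"


def sse_headers(mode: str, kms_key_id: str | None = None,
                customer_key: bytes | None = None) -> dict[str, str]:
    """Return the PUT Object headers for exactly one of SSE-S3, SSE-KMS or SSE-C."""
    if mode == "SSE-S3":
        return {SSE_HEADER: "AES256"}
    if mode == "SSE-KMS":
        headers = {SSE_HEADER: "aws:kms"}
        if kms_key_id:  # omit to use the account's default S3 CMK
            headers[SSE_KMS_KEY_HEADER] = kms_key_id
        return headers
    if mode == "SSE-C":
        # The caller sends the 256-bit key on every request. S3 does not store
        # it (only a salted HMAC of it) and rejects SSE-C requests over plain HTTP.
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 32-byte AES-256 key")
        return {
            SSEC_ALGO_HEADER: "AES256",
            SSEC_KEY_HEADER: base64.b64encode(customer_key).decode(),
            SSEC_KEY_MD5_HEADER: base64.b64encode(
                hashlib.md5(customer_key).digest()).decode(),
        }
    raise ValueError(f"unknown mode {mode!r}")


def detect_sse_mode(headers: dict[str, str]) -> str:
    """Classify a request's headers; raises if SSE-S3/KMS and SSE-C are mixed."""
    lower = {k.lower(): v for k, v in headers.items()}
    server_managed = lower.get(SSE_HEADER)
    customer = SSEC_ALGO_HEADER in lower
    if server_managed and customer:
        raise ValueError("SSE-S3/SSE-KMS and SSE-C headers are mutually exclusive")
    if customer:
        return "SSE-C"
    if server_managed == "AES256":
        return "SSE-S3"
    if server_managed == "aws:kms":
        return "SSE-KMS"
    return "none"
```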
10. Static Website Hosting
The website endpoint is bucket-name.s3-website-region.amazonaws.com or bucket-name.s3-website.region.amazonaws.com, depending on the region; for example http://webcasetest.s3-website.eu-central-1.amazonaws.com/ is the form used for the Frankfurt region.
https://docs.aws.amazon.com/zh_cn/general/latest/gr/rande.html#s3_website_region_endpoints
Bucket policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::webcasetest/*"
        }
    ]
}
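A bucket policy for website hosting must grant anonymous read, so a bucket owner wants to confirm that is the only public grant. The audit below is an added example (not from the original notes or an AWS tool): it lists every Allow statement usable by an anonymous principal. The sample policy is a constructed copy of the policy above plus a second, cross-account statement using the canonical user ID from section 8, which must not be flagged.

```python
from __future__ import annotations

import json

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::webcasetest/*"},
        # Constructed: cross-account grant to a specific canonical user, not public.
        {"Sid": "PartnerList", "Effect": "Allow",
         "Principal": {"CanonicalUser":
                       "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::webcasetest"},
    ],
})


def _as_list(value):
    # Policy grammar allows a string or a list in Action, Resource, Statement and AWS.
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (including "*" inside an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_grants(policy_json: str) -> list[dict]:
    """Return the Allow statements that any unauthenticated caller can use."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_anonymous_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            # A Condition block may narrow who can use the grant, so report it.
            "conditional": "Condition" in stmt,
        })
    return findings


if __name__ == "__main__":
    for finding in public_grants(SAMPLE_POLICY):
        print(finding)
```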
11. Transfer acceleration:
Suppose you currently have a REST API application that uses PUT Object with the hostname mybucket.s3.amazonaws.com in the PUT request. To accelerate the PUT operation, you only need to change the hostname in the request to mybucket.s3-accelerate.amazonaws.com. To return to the standard upload speed, change the name back to mybucket.s3.amazonaws.com.
12. S3 advanced features
Prefixes and delimiters / Object lifecycle / Storage classes (S3 Standard / S3 Standard - Infrequent Access (Standard-IA) / S3 RRS / Glacier) / Versioning / MFA Delete / Pre-signed URLs / Multipart upload / Range GETs / Cross-Region Replication / Logging / Event notifications (SNS topic, SQS queue, Lambda function)
13. Other best practices:
Another common pattern is to use Amazon S3 as bulk "blob" (binary large object, BLOB) storage for data, while keeping an index to that data in another service, such as Amazon DynamoDB or Amazon RDS. This allows quick searches and complex queries on key names without listing keys continually.
Amazon S3 will scale automatically to support very high request rates, automatically re-partitioning your buckets as needed. If you need request rates higher than 100 requests per second, you may want to review the Amazon S3 best practices guidelines in the Developer Guide. To support higher request rates, it is best to ensure some level of random distribution of keys, for example by including a hash as a prefix to key names.
14. Command line
aws s3api list-buckets
aws s3api list-objects --bucket clodifierpublic
aws s3api get-object --bucket clodifierpublic --key dog1.jpg c:dogshow.jpg
15. S3 tools
S3 Select and Glacier Select, retrieving subsets of objects: https://aws.amazon.com/cn/blogs/china/s3-glacier-select/
How to transfer S3 data across regions efficiently and reliably: https://aws.amazon.com/cn/blogs/china/amazon-s3-depth-practice-series-ii-how-to-achieve-efficient-and-reliable-transmission-of-s3-data-across-regions/?nc1=b_rp
References
Chinese-language blog: https://aws.amazon.com/cn/blogs/china/tag/amazon-s3/
S3 developer guide: https://docs.aws.amazon.com/zh_cn/AmazonS3/latest/dev/Welcome.html