Builders' Day - Best Practises for S3 - BL

Best Practices for S3
Bruno Laurenti
Solutions Architect

• Storage Classes
• Bucket Settings & Features
• Managing Data at Scale
• Performance
• Data Transfer
Agenda

Enterprise
applicationsAnalytics
Archiving
Backup &
restore
Origin storage
for CDN
Benefits of Amazon S3
Website hosting
Mobile sync and
storage

Decreasing prices and more storage options
1 2
Decreasing storage prices
S3 Standard
(2006)
Glacier
(2012)
S-IA
(2015)
Z-IA
(H1-2018)
INT
(Q4-2018)
Accelerating innovation
2006 2018

Choose the storage class that fits best
≥ 3 AZs 1 AZ
99.99% 99.5%
Milliseconds Hours
Hours YearsFrequent Infrequent
0 Bytes 5 Terabytes
Reduce storage cost > 80% by choosing the
storage class option that best fits your use case
2 Regions
99.9%

Your choice of Amazon S3 storage classes
Access FrequencyFrequent Infrequent
• Active, frequently
accessed data
• Milliseconds access
• > 3 AZ
• From: $0.0210/GB
• Data with changing access
pattern
• > 3 AZ
• From: $0.0210 to
$0.0125/GB
• Monitoring fee per obj.
• Min storage duration
• Infrequently accessed
data
• > 3 AZ
• From: $0.0125/GB
• Retrieval fee per GB
• Min object size
S3 Standard S3 Standard-IA S3 One Zone-IA S3 Glacier
• Re-creatable less accessed
data
• 1 AZ
• From: $0.0100/GB
• Min object size
• Archive data
• Minutes to hours
access
• > 3 AZ
• From: $0.0040/GB
• Min object size
S3 Intelligent-
Tiering
S3 Glacier
Deep Archive
• Archive data
• Hours access
• > 3 AZ
• From: $0.00099/GB
• Min object size

S3 Storage Class Analysis and S3 Lifecycle Policy
Use S3 Storage Class Analysis to identify
storage age groups that are less
frequently accessed
Set S3 Lifecycle Policy to tier storage to
lower cost storage classes and expire
storage based on age of object
Great for predictable workloads (object
age indicates access frequency)
Fine tune analysis by bucket, prefix, or
object tag

Set S3 Lifecycle Policy to tier and
expire storage
S3 Lifecycle Policy to tier to lower
cost storage classes and expire
storage
S3 Storage Class Analysis results
help set up a S3 Lifecycle Policy
Policies are based on age of object
and set by bucket, prefix, or object
tag
S3 Standard S3 S-IA S3 Glacier

S3 Intelligent-Tiering
Automatically optimizes storage costs for
data with changing access patterns
Moves objects between two storage tiers:
• Frequent Access Tier
• Infrequent Access Tier
Monitors access patterns and auto-tiers on
granular object level
Milliseconds access, > 3 AZ, Monitoring fee
per Object, minimum storage duration

Ideal use cases for S3 Intelligent-Tiering
Dynamic cost optimization with no performance impact and no operational overhead
Big Data, Data Lakes
Storage with changing access
patterns used by multiple applications
Enterprises
Storage accessed by fragmented
applications from various
organizations
Startups
Constrained on resources and
experience to optimize storage
themselves
Amazon S3

Permissions
Permissions
• IAM Policies
• S3 Bucket Policies
• S3 ACLs
As a general rule, AWS recommends using S3 bucket
policies or IAM policies for access control. S3 ACLs is a
legacy access control mechanism that predates IAM.

Use IAM policies if:
• You need to control access to AWS services other than S3. IAM policies will be easier to manage since you
can centrally manage all of your permissions in IAM, instead of spreading them between IAM and S3.
• You have numerous S3 buckets each with different permissions requirements. IAM policies will be easier
to manage since you don’t have to define a large number of S3 bucket policies and can instead rely on
fewer, more detailed IAM policies.
• You prefer to keep access control policies in the IAM environment.
Use S3 bucket policies if:
• You want a simple way to grant cross-account access to your S3 environment, without using IAM roles.
• Your IAM policies bump up against the size limit (up to 2 kb for users, 5 kb for groups, and 10 kb for roles). S3
supports bucket policies of up 20 kb.
• You prefer to keep access control policies in the S3 environment.
Permissions

With a few clicks in the S3
management console, you can
apply S3 Block Public Access to
every bucket in your account –
both existing and any new
buckets created in the future –
and make sure that there is no
public access to any object
S3 Block Public Access
Set at the account or bucket-level

Versioning
Protect your data from accidental deletion
• Create a new version with every upload
• Previous versions are retained, not overwritten
• Protect from unintended user deletes
• Making delete requests without a version ID removes
access to objects, but keeps the data
• Manage previous versions with lifecycle
• Transition or expire objects a specified number of
days after they are no longer the current version

S3 Object Lock
Immutable S3 Objects
• Write Once Read Many (WORM) Protection for S3 Objects
• Object or bucket control of WORM & retention attributes
Retention Management Controls
• Define retention periods in your app or with bucket-level defaults
• Objects Locked for the Duration of the Retention Period
• Support for Legal Hold scenarios
Data Protection and Compliance
• Assessed for use in SEC 17a-4, CFTC, and FINRA environments
• Extra protection against accidental or malicious delete

S3 Object Lock Modes
Compliance
Mode
• Intended for Compliance
• Deletes disallowed, even for root account
• Assessed for SEC 17a-4 by Cohasset Associates
Governance
Mode
• Intended for Data Protection
• Enables privileged delete of WORM-protected objects
• Protects against account compromise & rogue actors
• Retention can be changed to Compliance Mode

Amazon S3 Glacier Enhancements
Restore
Notifications
Notifications fire when a S3 Glacier restore
starts and completes
Restore
Speed Upgrade
Upgrade an in-progress restore to a faster restore
speed
Direct
PUT
Direct access to S3 Glacier through the S3 PUT API
CRR direct to
Glacier
Replicate data direct to S3 Glacier in a
secondary AWS region

Object Tags
Add up to ten tags to your objects to control access and drive actions
For example:
• Grant an IAM user permissions to read only objects with specific tags
• Use tags to indicate which objects should be replicated
• Apply tags to specify granular lifecycle policies
• Filter metrics and reports based on tags
photos/photo1.jpg
project/projectX/document.pdf
project/projectY/document2.pdf
projectX

Cross-Region Replication
Flexibility to replicate data:
• At the bucket, prefix, or object level
• From any region to any region
• To any storage class
• Across AWS accounts
• Change the object owner in the destination region

Amazon S3 Batch Operations
Take large-scale actions on Amazon S3 objects

S3 Batch Operations
Perform API actions across thousands, millions, or billions of objects

S3 Batch Operations
Choose
Objects
Select an
Operation
View
Progress
Perform API actions across thousands, millions, or billions of objects

Amazon S3 performance optimization
• What we hear from you …
§ How do I get the highest request rates?
§ How do I saturate my compute, network, and storage resources?
§ How do I maximize my single-threaded throughput?
§ How do I achieve more predictable outlier performance?
§ How do I optimize data query performance against Amazon S3?
• Where do you start?
§ Your object naming scheme!
§ We’ll review this first, then walk through a streaming video workflow use
case as an example.

Amazon S3 performance increase
Amazon S3 for data analytics
BEFORE
Compute
W R I T E T I M E R E A D T I M E
5TB of 2MB objects
S3
1with prefix

Amazon S3 request performance increase
NOW
Compute
S3
41m 40s 13m 52s
5TB of 2MB objects
1with prefix0

Amazon S3 request performance increase
PARALLEL PROCESSING
Compute
S3
12m 00s 7m 00s
41m 40s 13m 52s
5TB of 2MB objects
1with 0 prefix

Object naming scheme
ExampleAWSbucket/Logistics/packing-list.pdf

Up to 3,500 PUT* tps
Up to 5,500 GET tps
ExampleAWSbucket
Let’s look at how prefixes scale
request rate performance
BucketName/Prefix:
ExampleAWSbucket/LogFiles/
ExampleAWSbucket/Logistics/
ExampleAWSbucket/…
* PUT, POST, and DELETE are all included in the PUT tps
tps = transactions per second
Initial partition

3,500 PUT tps
5,500 GET tps
3,500 PUT tps
5,500 GET tps
2nd partition
Initial partition
ExampleAWSbucket
BucketName/Prefix:
/Log
/…
PUT, POST, and DELETE are all included in the PUT tps

3,500 PUT tps
5,500 GET tps
3,500 PUT tps
5,500 GET tps
3,500 PUT tps
5,500 GET tps
2nd partition
Files/
istics/
3rd partition
3,500 PUT tps
5,500 GET tps
…
ExampleAWSbucket
BucketName/Prefix:
/Log
/…
Initial partition

3,500 PUT tps
5,500 GET tps
3,500 PUT tps
0 GET tps
0 PUT tps
5,500 GET tps
Request rate performance is allocated proportionally

Flexible Data Transfer
More ways to get data into Amazon S3
Database
Migration
Service

AWS Transfer for SFTP
Fully-managed service enabling transfer
of data over SFTP, while stored in Amazon S3
Seamless migration
of existing workflows
Native integration
with AWS services
Simple
to use
Cost
effective
Secure and CompliantFully managed
in AWS

AWS
integrated
AWS
Transfer service that simplifies, automates, and accelerates data movement
Transfers up
to 10 Gbps
per agent
Pay as you
go
Secure and
reliable
transfers
Replicate data to AWS
for business continuity
Transfer data for timely
in-cloud analysis
Migrate active application
data to AWS
Combines the speed and reliability of network acceleration
software with the cost-effectiveness of open source tools
Simple data
movement to S3
or Amazon EFS
AWS DataSync

Bruno Laurenti
Solutions Architect
brulau@amazon.com

Builders' Day - Best Practises for S3 - BL

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Builders' Day - Best Practises for S3 - BL

Similar a Builders' Day - Best Practises for S3 - BL (20)

Más de Amazon Web Services LATAM

Más de Amazon Web Services LATAM (20)

Último

Último (20)

Builders' Day - Best Practises for S3 - BL