To upload your data (photos, videos, documents, etc.) to Amazon S3, you must first create an S3 bucket in one of the AWS Regions.
There are several types of Amazon S3 buckets. Before creating a bucket, make sure that you choose the bucket type that best fits your application and performance requirements. For more information about the various bucket types and the appropriate use cases for each, see Buckets.
The following sections provide more information about general purpose buckets, including bucket naming rules, quotas, and bucket configuration details. For a list of restrictions and limitations related to Amazon S3 buckets, see General purpose bucket quotas, limitations, and restrictions.
Every object is contained in a bucket. For example, if the object named photos/puppy.jpg is stored in the amzn-s3-demo-bucket general purpose bucket in the US West (Oregon) Region, then it is addressable by using the URL https://amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com/photos/puppy.jpg. For more information, see Accessing a Bucket.
General purpose bucket quotas for commercial Regions can only be viewed and managed from US East (N. Virginia).
General purpose bucket quotas for AWS GovCloud (US) can only be viewed and managed from AWS GovCloud (US-West).
In terms of implementation, buckets and objects are AWS resources, and Amazon S3 provides APIs for you to manage them. For example, you can create a bucket and upload objects using the Amazon S3 API. You can also use the Amazon S3 console to perform these operations. The console uses the Amazon S3 APIs to send requests to Amazon S3.
This section describes how to work with general purpose buckets. For information about working with objects, see Amazon S3 objects overview.
Amazon S3 supports global general purpose buckets, which means that each bucket name must be unique across all AWS accounts in all the AWS Regions within a partition. A partition is a grouping of Regions. AWS currently has three partitions: aws (Standard Regions), aws-cn (China Regions), and aws-us-gov (AWS GovCloud (US)).
After a general purpose bucket is created, the name of that bucket cannot be used by another AWS account in the same partition until the bucket is deleted. You should not depend on specific bucket naming conventions for availability or security verification purposes. For bucket naming guidelines, see General purpose bucket naming rules.
Amazon S3 creates buckets in a Region that you specify. To reduce latency, minimize costs, or address regulatory requirements, choose any AWS Region that is geographically close to you. For example, if you reside in Europe, you might find it advantageous to create buckets in the Europe (Ireland) or Europe (Frankfurt) Regions. For a list of Amazon S3 Regions, see Regions and Endpoints in the AWS General Reference.
Objects that belong to a bucket that you create in a specific AWS Region never leave that Region, unless you explicitly transfer them to another Region. For example, objects that are stored in the Europe (Ireland) Region never leave it.
When you build applications on Amazon S3, you can use unique general purpose buckets to separate different datasets or workloads. Depending on your use case, there are different design patterns and best practices for using general purpose buckets. For more information, see Common general purpose bucket patterns for building applications on Amazon S3.
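As an added example (not code from the AWS documentation), the following Python parses and builds S3 object URLs of the kinds discussed above: the virtual-hosted-style form shown for photos/puppy.jpg, the equivalent path-style form, the legacy global endpoint (which serves us-east-1), and the three partitions. The regular expression, the S3Location type and the function names are this example's own. It deliberately returns None for anything it does not recognise (dual-stack, FIPS and access-point hostnames included) rather than guessing, because a host-suffix check like this is what an SSRF or egress allowlist usually hinges on.

```python
"""Parse and build Amazon S3 object URLs (added example, not AWS code)."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote, unquote, urlsplit

# DNS suffix -> partition. aws-us-gov shares the standard suffix and is
# told apart by its us-gov-* Region names.
_SUFFIXES = {"amazonaws.com": "aws", "amazonaws.com.cn": "aws-cn"}

# Host forms recognised:  [BUCKET.]s3[.|-]REGION.SUFFIX   or   [BUCKET.]s3.SUFFIX
# Bucket names are 3-63 chars of lowercase letters, digits, dots and hyphens.
_HOST_RE = re.compile(
    r"^(?:(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.)?"
    r"s3(?:[.-](?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d))?"
    r"\.(?P<suffix>amazonaws\.com(?:\.cn)?)$"
)


@dataclass(frozen=True)
class S3Location:
    partition: str
    region: str
    bucket: str
    key: str


def parse_s3_url(url: str) -> Optional[S3Location]:
    """Return the S3Location addressed by url, or None if the URL is not an
    S3 endpoint this example understands. The key is percent-decoded."""
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    m = _HOST_RE.match(parts.hostname.lower())
    if not m:
        return None
    bucket, region, suffix = m.group("bucket"), m.group("region"), m.group("suffix")
    path = unquote(parts.path)
    if bucket is None:
        # Path-style: the first path segment names the bucket.
        bucket, _, key = path.lstrip("/").partition("/")
        if not bucket:
            return None
    else:
        key = path.lstrip("/")
    if region is None:
        region = "us-east-1"  # legacy global endpoint
    partition = _SUFFIXES[suffix]
    if region.startswith("us-gov-"):
        partition = "aws-us-gov"
    if partition == "aws-cn" and not region.startswith("cn-"):
        return None  # Region and suffix disagree: not a real S3 endpoint
    return S3Location(partition, region, bucket, key)


def object_url(loc: S3Location) -> str:
    """Virtual-hosted-style URL for loc, the form shown in the text."""
    suffix = "amazonaws.com.cn" if loc.partition == "aws-cn" else "amazonaws.com"
    return f"https://{loc.bucket}.s3.{loc.region}.{suffix}/{quote(loc.key, safe='/')}"


if __name__ == "__main__":
    example = "https://amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com/photos/puppy.jpg"
    loc = parse_s3_url(example)
    print(loc)
    print(object_url(loc) == example)
```

Note that the parser only trusts hosts whose full DNS suffix is one of the two S3 suffixes; a host such as amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com.evil.example is rejected, which is the check an allowlist must make rather than matching "amazonaws.com" as a substring.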
You can use your AWS account root user credentials to create a general purpose bucket and perform any other Amazon S3 operation. However, we recommend that you do not use the root user credentials of your AWS account to make requests, such as to create a bucket. Instead, create an AWS Identity and Access Management (IAM) user, and grant that user full access (users by default have no permissions).
These users are referred to as administrators. You can use the administrator user credentials, instead of the root user credentials of your account, to interact with AWS and perform tasks, such as create a bucket, create users, and grant them permissions.
For more information, see AWS account root user credentials and IAM user credentials in the AWS General Reference and Security best practices in IAM in the IAM User Guide.
The AWS account that creates a resource owns that resource. For example, if you create an IAM user in your AWS account and grant the user permission to create a bucket, the user can create a bucket. But the user does not own the bucket; the AWS account that the user belongs to owns the bucket. The user needs additional permission from the resource owner to perform any other bucket operations. For more information about managing permissions for your Amazon S3 resources, see Identity and Access Management for Amazon S3.
Public access is granted to general purpose buckets and objects through bucket policies, access control lists (ACLs), or both. To help you manage public access to Amazon S3 resources, Amazon S3 provides settings to block public access. Amazon S3 Block Public Access settings can override ACLs and bucket policies so that you can enforce uniform limits on public access to these resources. You can apply Block Public Access settings to individual buckets or to all buckets in your account.
To ensure that all of your Amazon S3 general purpose buckets and objects have their public access blocked, all four settings for Block Public Access are enabled by default when you create a new bucket. We recommend that you turn on all four settings for Block Public Access for your account too. These settings block all public access for all current and future buckets.
Before applying these settings, verify that your applications will work correctly without public access. If you require some level of public access to your buckets or objects (for example, to host a static website, as described at Hosting a static website using Amazon S3), you can customize the individual settings to suit your storage use cases. For more information, see Blocking public access to your Amazon S3 storage.
However, we highly recommend keeping Block Public Access enabled. If you want to keep all four Block Public Access settings enabled and host a static website, you can use Amazon CloudFront origin access control (OAC). Amazon CloudFront provides the capabilities required to set up a secure static website. Amazon S3 static website endpoints support only HTTP. Amazon CloudFront serves the content from the durable storage of Amazon S3 while adding protections such as HTTPS and the ability to attach security headers to responses. HTTPS encrypts what would otherwise be a plain HTTP exchange and protects against common attacks on traffic in transit, such as eavesdropping and tampering.
For more information, see Getting started with a secure static website in the Amazon CloudFront Developer Guide.
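To make the interaction between the four Block Public Access settings, bucket policies and ACLs concrete, here is an added Python simulation; it is not AWS code and does not call S3. It models the documented behaviour: BlockPublicAcls and BlockPublicPolicy reject a PUT that would grant public access (S3 returns 403 AccessDenied), while IgnorePublicAcls and RestrictPublicBuckets leave existing public grants in place but make them ineffective. The "is this policy public" check is a deliberate simplification of Amazon's definition: it recognises only a handful of the condition keys that scope a wildcard principal to specific AWS identities (the SCOPING_KEYS set is this example's assumption), so treat it as conservative. The ACL representation, the Bucket and BlockPublicAccess types, the sample policies and the function names are likewise this example's own.

```python
"""Simulate S3 Block Public Access against a bucket policy and ACL
(added example, not AWS code)."""
from dataclasses import dataclass, field
from typing import Any, Dict, List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Condition keys that make a "*" principal non-public in this model.
# Assumption: a subset of the keys S3 itself recognises.
SCOPING_KEYS = {
    "aws:PrincipalAccount", "aws:PrincipalArn", "aws:PrincipalOrgID",
    "aws:SourceAccount", "aws:SourceArn", "aws:SourceVpc", "aws:SourceVpce",
}


class AccessDenied(Exception):
    """Raised where S3 would answer the PUT with 403 AccessDenied."""


@dataclass
class BlockPublicAccess:
    block_public_acls: bool = True        # new buckets default to all four on
    ignore_public_acls: bool = True
    block_public_policy: bool = True
    restrict_public_buckets: bool = True


@dataclass
class Bucket:
    name: str
    bpa: BlockPublicAccess = field(default_factory=BlockPublicAccess)
    policy: Dict[str, Any] = field(default_factory=dict)
    acl_grants: List[Dict[str, str]] = field(default_factory=list)  # simplified grants


def _as_list(x: Any) -> List[Any]:
    return x if isinstance(x, list) else [x]


def _principal_is_wildcard(principal: Any) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def statement_is_public(stmt: Dict[str, Any]) -> bool:
    """Allow + wildcard principal + no scoping condition key == public."""
    if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
        return False
    keys = {k for operator in stmt.get("Condition", {}).values() for k in operator}
    return not (keys & SCOPING_KEYS)


def policy_is_public(policy: Dict[str, Any]) -> bool:
    return any(statement_is_public(s) for s in _as_list(policy.get("Statement", [])))


def acl_is_public(grants: List[Dict[str, str]]) -> bool:
    return any(g.get("Grantee") in (ALL_USERS, AUTHENTICATED_USERS) for g in grants)


def put_bucket_policy(bucket: Bucket, policy: Dict[str, Any]) -> None:
    """BlockPublicPolicy: refuse to store a policy that grants public access."""
    if bucket.bpa.block_public_policy and policy_is_public(policy):
        raise AccessDenied("BlockPublicPolicy rejects a policy granting public access")
    bucket.policy = policy


def put_bucket_acl(bucket: Bucket, grants: List[Dict[str, str]]) -> None:
    """BlockPublicAcls: refuse to store an ACL with a public grant."""
    if bucket.bpa.block_public_acls and acl_is_public(grants):
        raise AccessDenied("BlockPublicAcls rejects a public ACL")
    bucket.acl_grants = grants


def put_accepted(put, *args: Any) -> bool:
    """True if the simulated PUT succeeded, False if S3 would return 403."""
    try:
        put(*args)
        return True
    except AccessDenied:
        return False


def anonymous_read_allowed(bucket: Bucket) -> bool:
    """Would an unauthenticated GetObject succeed, given what is stored?
    RestrictPublicBuckets neutralises a public policy; IgnorePublicAcls
    neutralises public ACL grants."""
    via_policy = policy_is_public(bucket.policy) and not bucket.bpa.restrict_public_buckets
    via_acl = acl_is_public(bucket.acl_grants) and not bucket.bpa.ignore_public_acls
    return via_policy or via_acl


PUBLIC_READ = {  # constructed sample policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"}],
}

if __name__ == "__main__":
    b = Bucket("amzn-s3-demo-bucket")            # all four settings on
    print(put_accepted(put_bucket_policy, b, PUBLIC_READ))   # False: rejected
    legacy = Bucket("legacy", bpa=BlockPublicAccess(False, False, False, False))
    put_bucket_policy(legacy, PUBLIC_READ)
    print(anonymous_read_allowed(legacy))        # True: nothing blocks it
```

The useful observation is the difference between the two halves of each pair: turning BlockPublicPolicy off but leaving RestrictPublicBuckets on lets a public policy be written yet still denies anonymous reads, which is why an audit should check the effective access, not just whether a policy document contains a wildcard principal.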
If you see an error when you list your general purpose buckets and their public access settings, you might not have the required permissions. Make sure that you have the following permissions added to your user or role policy:
s3:GetAccountPublicAccessBlock
s3:GetBucketPublicAccessBlock
s3:GetBucketPolicyStatus
s3:GetBucketLocation
s3:GetBucketAcl
s3:ListAccessPoints
s3:ListAllMyBuckets
In some rare cases, requests can also fail because of an AWS Region outage.
You can add tags to your Amazon S3 buckets to categorize and track your AWS costs or for access control. You can use tags as cost allocation tags to track storage costs in AWS Billing and Cost Management. You can also use tags for attribute-based access control (ABAC), to scale access permissions and grant access to S3 buckets based on their tags.
For more information, see Using tags with S3 general purpose buckets.
Amazon S3 supports various options for you to configure your general purpose bucket. For example, you can configure your bucket for website hosting, add a configuration to manage the lifecycle of objects in the bucket, and configure the bucket to log all access to the bucket. Amazon S3 supports subresources for you to store and manage the bucket configuration information. You can use the Amazon S3 API to create and manage these subresources. However, you can also use the console or the AWS SDKs.
There are also object-level configurations. For example, you can configure object-level permissions by configuring an access control list (ACL) specific to that object.
These are referred to as subresources because they exist in the context of a specific bucket or object. The following table lists subresources that enable you to manage bucket-specific configurations.
| Subresource | Description |
|---|---|
| cors (cross-origin resource sharing) | You can configure your bucket to allow cross-origin requests. For more information, see Using cross-origin resource sharing (CORS). |
| event notification | You can enable your bucket to send you notifications of specified bucket events. For more information, see Amazon S3 Event Notifications. |
| lifecycle | You can define lifecycle rules for objects in your bucket that have a well-defined lifecycle. For example, you can define a rule to archive objects one year after creation, or delete an object 10 years after creation. For more information, see Managing the lifecycle of objects. |
| location | When you create a bucket, you specify the AWS Region where you want Amazon S3 to create the bucket. Amazon S3 stores this information in the location subresource and provides an API for you to retrieve this information. |
| logging | Logging enables you to track requests for access to your bucket. Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and error code, if any. Access log information can be useful in security and access audits. It can also help you learn about your customer base and understand your Amazon S3 bill. For more information, see Logging requests with server access logging. |
| object locking | To use S3 Object Lock, you must enable it for a bucket. You can also optionally configure a default retention mode and period that applies to new objects that are placed in the bucket. For more information, see Locking objects with Object Lock. |
| policy and ACL (access control list) | All your resources (such as buckets and objects) are private by default. Amazon S3 supports both bucket policy and access control list (ACL) options for you to grant and manage bucket-level permissions. Amazon S3 stores the permission information in the policy and acl subresources. For more information, see Identity and Access Management for Amazon S3. |
| replication | Replication is the automatic, asynchronous copying of objects across buckets in different or the same AWS Regions. For more information, see Replicating objects within and across Regions. |
| requestPayment | By default, the AWS account that creates the bucket (the bucket owner) pays for downloads from the bucket. Using this subresource, the bucket owner can specify that the person requesting the download will be charged for the download. Amazon S3 provides an API for you to manage this subresource. For more information, see Using Requester Pays general purpose buckets for storage transfers and usage. |
| tagging | You can add tags to your Amazon S3 buckets to categorize and track your AWS costs or for access control. You can use tags as cost allocation tags to track storage costs in AWS Billing and Cost Management. You can also use tags for attribute-based access control (ABAC), to scale access permissions and grant access to S3 buckets based on their tags. For more information, see Using tags with S3 general purpose buckets. |
| transfer acceleration | Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket. Transfer Acceleration takes advantage of the globally distributed edge locations of Amazon CloudFront. For more information, see Configuring fast, secure file transfers using Amazon S3 Transfer Acceleration. |
| versioning | Versioning helps you recover from accidental overwrites and deletes. We recommend versioning as a best practice to recover objects from being deleted or overwritten by mistake. For more information, see Retaining multiple versions of objects with S3 Versioning. |
| website | You can configure your bucket for static website hosting. Amazon S3 stores this configuration by creating a website subresource. For more information, see Hosting a static website using Amazon S3. |
The high availability engineering of Amazon S3 is focused on get, put, list, and delete operations. Because general purpose bucket operations work against a centralized, global resource space, we recommend that you don't create, delete, or configure buckets on the high availability code path of your application. It's better to create, delete, or configure buckets in a separate initialization or setup routine that you run less often.
When you have critical applications and business processes that rely on AWS resources, it's important to monitor and get alerts for your system. Monitoring your data can help maintain the reliability, availability, and performance of Amazon S3 and your AWS solutions. There are several AWS services that you can use to collect and aggregate metrics and logs for your S3 buckets.
Depending on your use case, you can choose which AWS service best suits your organization's needs to debug issues, monitor your data, optimize storage costs, or troubleshoot multi-point issues. For example:
To improve the performance of applications that use S3: Set up CloudWatch alarms to monitor your storage data, replication metrics, or request metrics.
To plan for storage usage, optimize storage costs, or to find out how much storage you have across your entire organization: Use Amazon S3 Storage Lens. Alternatively, you can use S3 Storage Lens to improve your data performance by enabling advanced metrics and using the detailed status-code metrics to get counts for successful or failed requests.
For a unified view of your operational health: Publish S3 Storage Lens usage and activity metrics to an Amazon CloudWatch dashboard.
The Amazon CloudWatch publishing option is available for S3 Storage Lens dashboards upgraded to Advanced metrics and recommendations. You can enable the CloudWatch publishing option for a new or existing dashboard configuration in S3 Storage Lens.
To obtain a record of actions taken by a user, role, or an AWS service: Set up AWS CloudTrail logs. You can also use AWS CloudTrail logs to review API calls for Amazon S3 as events.
To receive notifications about when a certain event happens in your S3 bucket: Set up Amazon S3 event notifications.
To obtain detailed records for the requests that are made to an S3 bucket: Set up S3 access logs.
For a list of all the different AWS services that you can use to monitor your data, see Logging and monitoring in Amazon S3.
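The server access logs mentioned above are the record a security audit actually reads, so here is an added Python example (not AWS code) that parses them and runs two simple detections over them: successful requests from an unauthenticated requester (the requester field is "-"), which indicate that something in the bucket is reachable publicly, and remote IPs that accumulate AccessDenied responses, which is what key guessing or scanning looks like. The field order follows the documented server access log format (space-separated, with the time in square brackets and the request URI, referer and user agent in double quotes). The log lines are constructed for this example, and the rule names, threshold and Finding type are this example's own choices.

```python
"""Parse S3 server access log lines and flag suspicious requests
(added example, not AWS code)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field order of an S3 server access log record.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version", "cipher_suite",
    "auth_type", "host_header", "tls_version", "access_point_arn", "acl_required",
]

# Constructed sample records (bucket owner ID and request IDs are placeholders).
SAMPLE_LOG = """
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be amzn-s3-demo-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 3E57427F3EXAMPLE REST.GET.VERSIONING - "GET /amzn-s3-demo-bucket?versioning HTTP/1.1" 200 - 113 - 7 - "-" "S3Console/0.4" - s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com TLSV1.2 - No
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be amzn-s3-demo-bucket [06/Feb/2019:00:01:00 +0000] 198.51.100.7 - 7B4A0FABBEXAMPLE REST.GET.OBJECT photos/puppy.jpg "GET /photos/puppy.jpg HTTP/1.1" 200 - 2662 2662 70 10 "-" "curl/8.4.0" - h2XxEXAMPLE= - ECDHE-RSA-AES128-GCM-SHA256 - amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com TLSV1.2 - No
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be amzn-s3-demo-bucket [06/Feb/2019:00:02:00 +0000] 203.0.113.9 - 1111AAAAEXAMPLE REST.GET.OBJECT backup/db.sql "GET /backup/db.sql HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "python-requests/2.31.0" - a1EXAMPLE= - ECDHE-RSA-AES128-GCM-SHA256 - amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com TLSV1.2 - No
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be amzn-s3-demo-bucket [06/Feb/2019:00:02:01 +0000] 203.0.113.9 - 2222BBBBEXAMPLE REST.GET.OBJECT .env "GET /.env HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "python-requests/2.31.0" - b2EXAMPLE= - ECDHE-RSA-AES128-GCM-SHA256 - amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com TLSV1.2 - No
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be amzn-s3-demo-bucket [06/Feb/2019:00:02:02 +0000] 203.0.113.9 - 3333CCCCEXAMPLE REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 403 AccessDenied 243 - 6 - "-" "python-requests/2.31.0" - c3EXAMPLE= - ECDHE-RSA-AES128-GCM-SHA256 - amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com TLSV1.2 - No
""".strip()


def tokenize(line: str) -> List[str]:
    """Split on spaces while keeping [...] and "..." groups as one token."""
    tokens: List[str] = []
    buf: List[str] = []
    closer: Optional[str] = None  # "]" or '"' while inside a group
    for ch in line.strip():
        if closer is None and ch == "[":
            closer = "]"
        elif closer is None and ch == '"':
            closer = '"'
        elif closer is not None and ch == closer:
            closer = None
        elif closer is None and ch == " ":
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def parse_line(line: str) -> Dict[str, str]:
    """Map one log record onto FIELDS; older records with fewer trailing
    fields are padded with "-"."""
    tokens = tokenize(line)
    tokens += ["-"] * (len(FIELDS) - len(tokens))
    return dict(zip(FIELDS, tokens))


@dataclass(frozen=True)
class Finding:
    rule: str
    remote_ip: str
    detail: str


def analyze(lines: List[str], denied_threshold: int = 3) -> List[Finding]:
    """Run the two detections over raw log lines and return the findings."""
    findings: List[Finding] = []
    denied: Counter = Counter()
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["requester"] == "-" and rec["http_status"].startswith("2"):
            findings.append(Finding("anonymous-success", rec["remote_ip"],
                                    f"{rec['operation']} {rec['bucket']}/{rec['key']}"))
        if rec["error_code"] == "AccessDenied":
            denied[rec["remote_ip"]] += 1
    for ip, count in denied.items():
        if count >= denied_threshold:
            findings.append(Finding("access-denied-burst", ip, f"{count} AccessDenied responses"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f.rule, f.remote_ip, f.detail)
```

Two caveats worth keeping in mind when running this against real logs: server access logs are delivered on a best-effort basis and can lag by hours, so they suit audits better than real-time alerting, and the trailing fields (TLS version, access point ARN, aclRequired) were added over time, which is why the parser pads short records instead of rejecting them.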