Topic starter
(@taichi)

Introduction to Amazon Simple Storage Service (S3)

1 hour, Free

SPL-65 - Version 2.3.4

© 2020 Amazon Web Services, Inc. and its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited.

Errors or corrections? Email us at [email protected].

Other questions? Contact us at https://aws.amazon.com/contact-us/aws-training/

Overview

Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. This means customers of all sizes and industries can use it to store and protect any amount of data for a range of use cases, such as websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics. Amazon S3 provides easy-to-use management features so you can organize your data and configure finely-tuned access controls to meet your specific business, organizational, and compliance requirements. Amazon S3 is designed for 99.999999999% (11 9's) of durability, and stores data for millions of applications for companies all around the world.

Visit the Amazon S3 product information page for additional details, capabilities, and a short introduction video about the service.

This lab teaches you the basics of Amazon S3 using the AWS Management Console.

Topics covered

When you finish the lab, you will know how to:

  • Create a bucket in Amazon S3
  • Add an object to a bucket
  • Manage access permissions on an object or a bucket
  • Create a bucket policy
  • Use bucket versioning

Start Lab

  1. At the top of your screen, launch your lab by clicking Start Lab

This will start the process of provisioning your lab resources. An estimated amount of time to provision your lab resources will be displayed. You must wait for your resources to be provisioned before continuing.

 If you are prompted for a token, use the one distributed to you (or credits you have purchased).

  1. Open your lab by clicking Open Console

This will automatically log you into the AWS Management Console.

 Please do not change the Region unless instructed.

Common login errors

Error: Federated login credentials

If you see this message:

  • Close the browser tab to return to your initial lab window
  • Wait a few seconds
  • Click Open Console again

You should now be able to access the AWS Management Console.

Error: You must first log out

If you see the message, You must first log out before logging into a different AWS account:

  • Click the "click here" link
  • Close your browser tab to return to your initial Qwiklabs window
  • Click Open Console again

Task 1: Create a bucket

Every object in Amazon S3 is stored in a bucket. In this task, you create a bucket and examine bucket configuration options.

  1. At the top-left of the AWS Management Console, choose the Services menu, and then choose S3.

 You can also search for S3 at the top of the services menu.

  1. Choose Create bucket and then configure:
  • Bucket name: mybucketNUMBER
  • Replace NUMBER with a random number

 Bucket names must be between 3 and 63 characters long and can only contain lowercase letters, numbers, or hyphens. They must also be unique across all of Amazon S3, regardless of account or region, and cannot be changed after the bucket is created. As you enter a bucket name, a help box displays showing any violations of the naming rules. Refer to the Additional Resources section at the end of the lab for links to more information.

  • Leave Region at its default value

 Selecting a particular region allows you to optimize latency, minimize costs, or address regulatory requirements. Objects stored in a region never leave that region unless you explicitly transfer them to another region.

  1. Choose Create bucket

Task 2: Upload an object to the bucket

Now that you have created a bucket, you are ready to store objects. An object can be any kind of file: a text file, a photo, a video, a zip file, and so on. When you add an object to Amazon S3, you have the option of including metadata with the object and setting permissions to control access to the object.

In this task you upload objects to your S3 bucket.

  1. Right-click this link and download the picture to your computer: sheep.png

  2. In the S3 Management Console, choose your bucket that starts with the name mybucket.

  3. Choose  Upload

This launches an upload wizard that assists you in uploading files. Use this wizard to upload files either by selecting them from a file chooser or by dragging them to the S3 window.

  1. Choose Add files

  2. Browse to and select the sheep.png file that you downloaded previously.

  3. Choose Upload

You can watch the progress of the upload from within the Transfer panel at the bottom of the screen. Since this is a very small file, you might not see the transfer. After your file has been uploaded, it will be displayed in the bucket.

 If the file does not display in the bucket within a few seconds of uploading it, you may need to choose the  refresh button at the top-right.

Task 3: Make an object public

In this task, you configure permissions on a bucket and an object to make the object publicly accessible.

First, you attempt to access the object to confirm that it is private by default.

  1. Choose the sheep.png file name.

The sheep.png overview page opens. Notice the navigation at the top-left of the screen updates with a link to return to the bucket overview page.

  1. Copy the Object URL link displayed at the bottom of the window.

The link should look similar to: 

  1. In a new browser tab, paste the link into the address field, and then press Enter.

You receive an Access Denied error. This is because objects in Amazon S3 are private by default.

To resolve the access denied error, configure the object to be publicly accessible.

  1. Keep this browser tab open, but return to the web browser tab with the S3 Management Console.

  2. On the sheep.png overview page, choose the Permissions tab.

  3. Under the Public access section, select  Everyone. A new settings pane appears on the right-hand side of the screen.

  4. Select  Read object. Notice the warning message that displays about the object having public access.

  5. Choose Save

An error message displays at the top of the screen because the bucket is configured not to allow public access. The bucket settings override any permissions applied to individual objects.

  1. At the top-left of the screen, choose the link with the bucket name you created previously.

  2. Choose the Permissions tab. The Block public access button is highlighted. If it is not, choose it.

  3. Choose Edit to change the settings.

  4. Deselect the Block all public access option, and then leave all other options deselected.

Notice that all of the individual options remain deselected. When deselecting all public access, you must then select the individual options that apply to your situation and security objectives. Both ACLs and bucket policies are used later in the lab, so they all remain deselected in this example. In a production environment, it is recommended to use the least permissive settings possible. Refer to the Additional Resources section at the end of the lab for links to more information.

  1. Choose Save

  2. A dialogue box opens asking you to confirm your changes. Type confirm in the field, and then choose Confirm

A Public access settings updated successfully message displays.

  1. Choose the Overview tab.

  2. Choose the sheep.png file name.

  3. On the sheep.png overview page, choose the Permissions tab.

  4. Under the Public access section, select  Everyone. A new settings pane appears on the right-hand side of the screen.

  5. Select  Read object. Notice the warning message that displays about the object having public access.

  6. Choose Save

  7. Return to the browser tab that displayed Access Denied and refresh  the page.

The picture is displayed because it is now publicly accessible.

  1. Close the web browser tab that displays your picture and return to the tab with the Amazon S3 Management Console.

In this example, you granted read access only to a specific object. If you wish to grant access to an entire bucket, use a bucket policy.

Task 4: Create a bucket policy

A bucket policy is a set of permissions associated with an S3 bucket. It can be used to control access to an entire bucket or to specific directories within a bucket. In this task, you upload a new file to the bucket and verify it is not publicly accessible. You then use the AWS Policy Generator to create a bucket policy that enables public read access to all objects within the bucket.

  1. Right-click this link and download the text file to your computer: sample-file.txt

  2. In the S3 Management Console tab, choose the name of your bucket at the top-left of the window.

  3. Choose  Upload and use the same upload process as in the previous task to upload the sample-file.txt file you downloaded.

  4. Choose the sample-file.txt file name. The sample-file.txt overview page opens.

  5. Copy the Object URL link displayed at the bottom of the window.

  6. In a new browser tab, paste the link into the address field, and then press Enter.

Once again, Access Denied will be displayed. You need to configure a bucket policy to grant access to all objects in the bucket without having to specify permissions on each object individually.

  1. Keep this browser tab open, but return to the tab with the S3 Management Console.

  2. Choose the name of your bucket at the top-left of the window.

You should see a list of the objects in your bucket. If not, navigate back to your bucket so that you see the list of objects you have uploaded.

  1. Choose the Permissions tab.

  2. In the Permissions tab, choose Bucket Policy

A blank Bucket policy editor is displayed. Bucket policies can be created manually, or they can be created with the assistance of the AWS Policy generator.

Before creating the policy, you will need to copy the ARN (Amazon Resource Name) of your bucket.

 ARNs uniquely identify AWS resources across all of AWS. Each section of the ARN is separated by a ":" and represents a specific piece of the path to the specified resource. The sections can vary slightly depending on the service being referenced, but generally follow this format:

arn:partition:service:region:account-id:resource

Amazon S3 does not require region or account-id parameters in ARNs, so those sections are left blank. However, the ":" to separate the sections is still used, so it looks similar to arn:aws:s3:::mybucket45647467

Refer to the Additional Resources section at the end of the lab for links to more information.

  1. Copy the ARN of your bucket to the clipboard. It is displayed at the top of the policy editor.

  2. Choose the Policy generator link at the bottom of the page.

A new web browser tab will open with the AWS Policy Generator.

 AWS policies use the JSON format, and are used to configure granular permissions for AWS services. While you can write the policy in JSON manually, the AWS Policy Generator allows you to create it using a friendly web interface.

  1. In the AWS Policy Generator window, configure the following:
  • Select Type of Policy: S3 Bucket Policy
  • Effect:  Allow
  • Principal: *

 Using the * with Principal means that anyone will be able to perform the actions in the policy. Refer to the Additional Resources section at the end of the lab for links to more information about AWS JSON policy elements.

  • AWS Service: Amazon S3
  • Actions:  GetObject

 The GetObject action grants permission for objects to be retrieved from Amazon S3. Refer to the Additional Resources section at the end of the lab for links to more information about the actions available for use in Amazon S3 policies.

  • Amazon Resource Name (ARN): Paste the ARN that you previously copied.
  • At the end of the ARN, append /*

The ARN should look similar to: arn:aws:s3:::mybucket45647467/*

 An Amazon Resource Name (ARN) is a standard way to refer to resources within AWS. In this case, the ARN is referring to your S3 bucket. Adding /* to the end of the bucket name allows the policy to apply to all objects within the bucket.

  1. Choose Add Statement. The details of the statement you configured are added to a table below the button. You can add multiple statements to a policy.

  2. Choose Generate Policy.

A new window is displayed showing the generated policy in JSON format. It should look similar to:

{
  "Id": "Policy1557511288767",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1557511286634",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mybucket45647467/*",
      "Principal": "*"
    }
  ]
}

 Confirm that /* appears after your bucket name as shown in the Resource line in the sample above.

  1. Copy the policy you created to your clipboard.

  2. Close the web browser tab and return to the tab with the Bucket policy editor.

  3. Paste the bucket policy you created into the Bucket policy editor.

  4. Choose Save

You have just applied a bucket policy to your bucket. With this policy, all objects in your bucket are now publicly accessible.

Notice the warning message banner at the top of the screen that this bucket now has public access. The Bucket Policy button and Permissions tab are both marked with a Public label as well.

  1. Return to the browser tab that displayed Access Denied and refresh  the page.

The page now displays text contained in the file you uploaded. This is because the bucket policy applies to the bucket as a whole, without having to grant individual permissions to each object individually.

  1. Keep this web browser tab open for the next task and return to the tab with the S3 Management Console.

Task 5: Explore versioning

Versioning is a means of keeping multiple variants of an object in the same bucket. You can use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. With versioning, you can easily recover from both unintended user actions and application failures.

In this task, you turn on versioning for the bucket, and then upload a modified version of the text file you used in the previous task.

  1. You should be on the S3 bucket Permissions tab from the previous task. If you are not, choose the link to the bucket at the top-left of the screen to return to the bucket Overview page.

  2. Choose the Properties tab.

  3. Choose Versioning.

  4. Select  Enable versioning and then choose Save

You will notice the circle at the bottom-left of the Versioning box is now highlighted with a checkmark and says Enabled.

 Versioning is enabled for an entire bucket and all objects within the bucket. It cannot be enabled for individual objects.

 There are also cost considerations when enabling versioning. Refer to the Additional Resources section at the end of the lab for links to more information.

  1. Right-click this link and save the text file to your computer using the same name as the text file in the previous task: sample-file.txt.

 While this file has the same name as the previous file, it contains new text.

  1. In the S3 Management Console, choose the Overview tab.

You should notice a new Versions Hide/Show button is shown above the list of objects.

  1. Choose  Upload and use the same upload process in the previous task to upload the new sample-file.txt file.

  2. Go to the browser tab that has the contents of the sample-file.txt file.

  3. Make a note of the contents on the page, then refresh  the page.

Notice a new line of text has been added.

 Amazon S3 always returns the latest version of an object if a version is not otherwise specified.

You can also obtain a list of available versions in the S3 Management Console.

  1. Close the web browser tab with the contents of the text file.

  2. In the S3 Management Console, choose the sample-file.txt file name. The sample-file.txt overview page opens.

  3. Choose Latest version  to the right of the object name, and then select the bottom version (which is not the latest version).

  4. Choose Open

You should now see the first version of the file using the S3 Management Console.

 However, if you try to access the older version of the sample-file.txt file using the object URL link, you will receive an access denied message. This is expected because the bucket policy you created in the previous task only allows permission to access the latest version of the object. In order to access a previous version of the object, you need to update your bucket policy to include the "s3:GetObjectVersion" permission. Below is an example bucket policy with the additional "s3:GetObjectVersion" action added that allows you to access the older version using the link. You do not need to update your bucket policy with this example.

{
  "Id": "Policy1557511288767",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1557511286634",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mybucket45647467/*",
      "Principal": "*"
    }
  ]
}

  1. Choose the link for the bucket name at the top-left to return to the bucket Overview tab.

  2. Above the list of objects, choose Show on the Hide/Show button next to Versions.

The view changes to show the available versions of each object, and which version is the latest. Notice the sheep.png object only has one version, and the version ID is null. This is because the object was uploaded before versioning was enabled for this bucket.

Also notice that you can now choose the version name link to navigate directly to that version of the object in the console.

  1. Choose Hide on the Hide/Show button to return to the default object view.

  2. Select the checkbox to the left of the sample-file.txt file.

  3. With the object selected, choose the Actions  button, and then choose Delete

  4. The Delete objects window appears. Choose the Delete button.

The sample-file.txt object is no longer displayed in the bucket. However, if the object is deleted by mistake, versioning can be used to recover it.

  1. Choose Show on the Hide/Show button.

Notice that the sample-file.txt object is displayed again, but the most recent version is a Delete marker. The two previous versions are listed as well. If versioning has been enabled on the bucket, objects are not immediately deleted. Instead, Amazon S3 inserts a delete marker, which becomes the current object version. The previous versions of the object are not removed. Refer to the Additional Resources section at the end of the lab for links to more information about versioning.

  1. Select the checkbox to the left of the version of the sample-file.txt object with (Delete marker)

  2. With the object selected, choose the Actions  button, and then choose Delete

  3. The Delete objects window appears. Choose the Delete button.

  4. Choose Hide on the Hide/Show button.

Notice that the sample-file.txt object has been restored to the bucket. Removing the delete marker has effectively restored the object to its previous state. Refer to the Additional Resources section at the end of the lab for links to more information about undeleting S3 objects.

You can also delete a specific version of an object.

  1. Above the list of objects, choose Show on the Hide/Show button next to Versions.

You should see two versions of the sample-file.txt object.

  1. Select the checkbox to the left of the latest version of the sample-file.txt object.

  2. With the object selected, choose the Actions  button, and then choose Delete

  3. The Delete objects window appears. Choose the Delete button.

Notice that there is now only one version of the sample-file.txt file. When deleting a specific version of an object, no delete marker is created. The object is permanently deleted. Refer to the Additional Resources section at the end of the lab for links to more information about deleting object versions in Amazon S3.

  1. Choose Hide on the Hide/Show button.

  2. Choose the sample-file.txt file name. The sample-file.txt overview page opens.

  3. Copy the Object URL link displayed at the bottom of the window.

  4. In a new browser tab, paste the link into the address field, and then press Enter.

The text of the original version of the sample-file.txt object is displayed.

Conclusion

 Congratulations! You have successfully learned how to:

  • Create a bucket in Amazon S3
  • Add an object to your bucket
  • Manage access permissions on an object
  • Create a bucket policy
  • Use bucket versioning

End Lab

Follow these steps to close the console, end your lab, and evaluate the experience.

  1. Return to the AWS Management Console.

  2. On the navigation bar, click awsstudent@<AccountNumber>, and then click Sign Out.

  3. Click End Lab

  4. Click OK

  5. (Optional):

  • Select the applicable number of stars 
  • Type a comment
  • Click Submit

    • 1 star = Very dissatisfied
    • 2 stars = Dissatisfied
    • 3 stars = Neutral
    • 4 stars = Satisfied
    • 5 stars = Very satisfied

You may close the dialog if you don't want to provide feedback.

Additional resources

For feedback, suggestions, or corrections, please email us at [email protected].
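
The bucket policies in Task 4 and Task 5 both grant object reads to anyone. As an added example (not part of the original lab), the Python code below checks a bucket policy document for Allow statements that give anonymous principals s3:GetObject or s3:GetObjectVersion. The function names, the sample_policy helper and the account ID 111122223333 are assumptions made for illustration; NotPrincipal and NotAction are not evaluated.

```python
import fnmatch
import json

# Object-read actions this check looks for in anonymous grants.
READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion")


def sample_policy(actions, principal="*"):
    """Rebuild the lab's single-statement policy with the given actions/principal."""
    return json.dumps({
        "Id": "Policy1557511288767",
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Stmt1557511286634",
            "Action": actions,
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::mybucket45647467/*",
            "Principal": principal,
        }],
    })


def _as_list(value):
    """Policy elements may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when Principal is "*" or {"AWS": "*"}, i.e. anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_findings(policy_text):
    """Return one finding per Allow statement granting anonymous object reads."""
    findings = []
    for stmt in _as_list(json.loads(policy_text).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        exposed = [a for a in READ_ACTIONS
                   if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        if exposed:
            findings.append({
                "sid": stmt.get("Sid"),
                "actions": exposed,
                "resources": _as_list(stmt.get("Resource")),
                "old_versions_exposed": "s3:GetObjectVersion" in exposed,
                "conditional": bool(stmt.get("Condition")),  # needs manual review
            })
    return findings


if __name__ == "__main__":
    task4 = sample_policy(["s3:GetObject"])                         # Task 4 policy
    task5 = sample_policy(["s3:GetObject", "s3:GetObjectVersion"])  # Task 5 policy
    # Constructed contrast case: same grant limited to one (placeholder) account.
    scoped = sample_policy(["s3:GetObject"], {"AWS": "arn:aws:iam::111122223333:root"})
    for name, doc in (("task4", task4), ("task5", task5), ("scoped", scoped)):
        print(name, json.dumps(public_read_findings(doc), indent=2))
```

A finding with old_versions_exposed set means earlier object versions are readable by anyone too, which matters once versioning is enabled as in Task 5.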
