Public Access Control
- •Default deny public access—only open when explicitly needed (static hosting)
- •Bucket policy vs IAM: bucket policy for cross-account/public, IAM for same-account roles
- •Check both bucket-level AND account-level block settings—account can override bucket
- •For web assets, prefer CDN in front of bucket over direct public access
Presigned URLs
- •Set shortest expiration practical—minutes for immediate use, not days
- •URL is a bearer token—anyone with it has access; treat as secret
- •Specify HTTP method in signature—GET for download, PUT for upload
- •Include Content-Type for uploads—mismatch between signature and request causes 403
- •Generate server-side, never expose credentials to client
Lifecycle Rules
- •Transition to cheaper tiers for infrequent access—but check minimum storage duration penalties
- •Auto-delete for temp files, logs, old versions—prevents unbounded storage growth
- •Clean incomplete multipart uploads—accumulate invisibly; set abort rule (7 days typical)
- •Versioned buckets: separate rules for current vs noncurrent versions
Versioning Behavior
- •Enable before you need it—can't recover deleted objects without versioning
- •"Delete" creates delete marker—object hidden but versions remain; storage still consumed
- •Permanent deletion requires explicit version ID—without it, just adds marker
- •Noncurrent version expiration essential—otherwise old versions accumulate forever
Multipart Uploads
- •Required above 5GB, recommended above 100MB—single PUT has size limits
- •Incomplete uploads invisible in normal listings—consume storage silently
- •Abort incomplete uploads via lifecycle—or manually with
list-multipart-uploads - •Parallel part uploads for speed—parts can upload concurrently
CORS for Browser Access
- •Required for JavaScript direct upload/download—blocked without CORS headers
- •Specify exact origins—avoid wildcard
*for authenticated requests - •Expose headers that JavaScript needs to read—Content-Length, ETag, custom headers
- •AllowedMethods: GET for download, PUT for upload, DELETE if needed
Key Naming
- •Use prefixes like directories:
users/123/avatar.jpg—but S3 is flat, not hierarchical - •Avoid sequential prefixes for high throughput—
2024-01-01/file1can hotspot - •Random prefix or hash for write-heavy buckets—distributes across partitions
- •No leading slash—
/images/file.jpgcreates empty-string prefix
Cost Awareness
- •Request volume matters—many small files more expensive than few large files
- •Egress typically costly—CDN reduces egress by caching at edge
- •Minimum storage duration varies by tier—early deletion still charged full period
- •Lifecycle transitions have per-object cost—millions of tiny files expensive to transition
Replication
- •Cross-region for disaster recovery, same-region for compliance copies
- •Versioning required on both source and destination
- •Only new objects replicate—existing objects need manual copy or batch operation
- •Delete markers not replicated by default—explicitly enable if needed
Provider Differences
- •AWS S3: full feature set, most tools assume AWS behavior
- •Cloudflare R2: no egress fees, subset of features
- •Backblaze B2: S3-compatible API, different pricing model
- •MinIO: self-hosted, full S3 API compatibility
- •Check presigned URL compatibility—some providers have quirks