Amazon S3 Checklist

The Amazon S3 Checklist is an exhaustive list of all elements you need to have / to test before using S3 in production.

How to use • Contributing

Sister Projects

• Amazon Redshift Checklist

Table of Contents

1. Management
2. Availability
3. Monitoring
4. Security
5. Performance
6. Cost

---

How to use

All items in the Amazon S3 Checklist are required for the majority of the projects, but some elements can be omitted or are not essential. We choose to use 3 levels of flexibility:

• 🟢 means that the item is recommended but can be omitted in some particular situations.
• 🟡 means that the item is highly recommended and can eventually be omitted in some really particular cases.
• 🔴 means that the item can't be omitted for any reason.

Some resources possess an emoticon to help you understand which type of content / help you may find on the checklist:

• 📖 documentation or article
• 🔧 online tool / testing tool
• 📹 media or video content

---

Management

• 🔴 Choose Bucket Policy vs IAM Policy vs ACL: Setting up the right access controls for your S3 buckets and objects.

  • 📖 IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources)

• 🟡 Use Access Points: Simplifies managing data access at scale for applications using shared data sets on S3.

  • 📖 Amazon S3 Access Points

• 🟡 Create object lifecycle policies: Implement data lifecycle needs according to frequency, durability, and latency requirements. Object lifecycle policies will move data between the various storage classes, including Glacier and even the deletion of objects.

  • 📖 Object lifecycle management

• 🟢 Have an object tagging policy: Object tagging is a powerful mechanism to attach metadata to objects managed in S3.

  • 📖 Object tagging

⬆️ back to top

---

Availability

• 🔴 Have a backup plan: 11 9s of durability is not bulletproof. Consider cross-region replication or multi-cloud backups.

  • 📖 Replication

• 🟡 Enable object versioning: Object versioning, in conjunction with lifecycle management enhances application resilience.

  • 📖 Object Versioning

⬆️ back to top

---

Monitoring

• 🔴 Have a monitoring plan: What metrics are recorded? Who is notified? How often are metrics monitored?

  • 📖 Monitoring Amazon S3

• 🔴 Enable CloudTrail: CloudTrail logs cover general interactions with the S3 service.

  • 📖 Logging with Amazon S3

• 🔴 Enable server access logging: Server access logging provides detailed records for the requests that are made to a bucket.

  • 📖 Logging with Amazon S3
  • 📖 Amazon S3 server access logging

⬆️ back to top

---

Security

• 🔴 Enable block all public access: Blocks public access to S3 buckets and prevents S3 buckets from being made public unless this setting is turned off.

  • 📖 Using Amazon S3 block public access

• 🔴 Enforce server-side or client-side encryption: Enabling SSE-S3, SSE-KMS or SSE-C to encrypt data at rest by AWS, or use envelope encryption (client-side) to encrypt data prior to it landing on S3.

  • 📖 Protecting data using encryption
  • 📖 How do I enable default encryption for an Amazon S3 bucket?
  • 📖 How Amazon Simple Storage Service (Amazon S3) uses AWS KMS
  • 📖 Envelope encryption

• 🔴 Enforce encryption in-transit: Enforce the use of Secure Socket Layer/Transport Layer Security (SSL/TLS) for all S3 requests.

  • 📖 s3-bucket-ssl-requests-only

• 🟡 Enable MFA delete: Adds another layer of security requiring additional authentication.

  • 📖 MFA delete

• 🟡 Use VPC endpoints: Where traffic being routed over the Internet is undesirable, VPC endpoints should be used to access S3.

  • 📖 VPC endpoints

• 🟡 🆕 Use Amazon GuardDuty: Detect suspicious activities such as requests coming from an unusual geo-location, disabling of preventative controls such as S3 block public access, or API call patterns consistent with an attempt to discover misconfigured bucket permissions.

  • 📖 Using Amazon GuardDuty to Protect Your S3 Buckets

• 🟢 Use Glacier Vault Lock: Immutable policy for enforcing controls such as "write once read many" (WORM).

  • 📖 Amazon S3 Glacier Vault Lock

• 🟢 Use Amazon Macie: Macie automates the discovery of sensitive data, such as personally identifiable information (PII) and intellectual property, to provide you with a better understanding of the data that your organization stores in Amazon S3.

  • 📖 What is Amazon Macie?

⬆️ back to top

---

Performance

• 🟡 Have a partitioning strategy: Consider storing your data in a fit-for-purpose directory structure for better read and write performance.

  • 📖 Best Practices Design Patterns: Optimizing Amazon S3 Performance
  • 📖 Amazon S3 Performance Tips & Tricks

• 🟢 Use S3 Select: Enables applications to retrieve only a subset of data from an object by using simple SQL expressions.

  • 📖 Selecting content from objects

• 🟢 Use Glacier Select: Allows you to to perform filtering directly against a Glacier object using standard SQL statements.

  • 📖 Amazon S3 Glacier features

⬆️ back to top

---

Cost

• 🔴 Use Intelligent-Tiering: Intelligent-Tiering storage class is designed to optimize costs by automatically moving data to the most cost-effective access tier.

  • 📖 Amazon S3 Storage Classes

• 🟢 Retrieve S3 inventory: Outputs files that list your objects and their corresponding metadata on a daily or weekly basis. Can be useful to setup your own lifecycle management or for big data jobs that require S3 object metadata without having to call individual object APIs.

  • 📖 Amazon S3 inventory

⬆️ back to top

---

Contributing

Open an issue or a pull request to suggest changes or additions.

⬆️ back to top