Summary: https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20260634
Refresher: Intro to S3
Amazon S3 (Simple Storage Service) 101
S3 Security
Ref: https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20055916 and https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/29102298
- User-based security access: IAM policies (allow/deny operations on S3)
- Resource-based security access:
  - Bucket policies: indicate which principals/identities can access bucket, and what operations they are allowed/denied to do
    - Can allow cross-account or AWS-external (public) access to S3 bucket
    - IAM Access Analyzer: can check common access patterns to S3 buckets, helps determine optimal S3 bucket policy
  - Block Public Access settings: ON by default, block any public (AWS-external) access to bucket, override any other configuration when it comes to public access
  - Access Control List (ACL) at object- or bucket-level: very simple permission configurations, legacy, avoid if possible
- S3 encryption → secure/obfuscate S3 data from unauthorized viewers
  - In-transit encryption: can enforce HTTPS (HTTP + SSL/TLS) to access S3
  - At-rest encryption: can enforce client-side and/or server-side encryption (CSE/SSE)
S3 Static Website
Ref: https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20055922
- 🔧 Can host a static website on Amazon S3
  - Configure a root file to serve (e.g. index.html)
  - Get a default website URL based on bucket's name
- ‼️ Website content must be static (S3 objects)!!
- ❗ Security:
  - Must disable “Block Public Access” if you want website to be visible outside of AWS
  - Bucket policy must enable public reads, otherwise 403 Forbidden
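Added example (not from the course material): an offline audit of a bucket policy document covering the bucket-policy and in-transit-encryption notes under S3 Security and the public-read requirement for static websites. It flags public Allow statements and checks for a Deny on the aws:SecureTransport condition key; the sample policies, the bucket name example-bucket and the finding labels are constructed for illustration.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_public(principal):
    # "*" or {"AWS": "*"} matches any caller, including AWS-external ones.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket_policy(policy_json):
    """Return findings for one bucket policy document (JSON string)."""
    findings, enforces_https = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        effect, cond = stmt.get("Effect"), stmt.get("Condition", {})
        if effect == "Deny":
            # Deny on aws:SecureTransport=false rejects plain-HTTP requests.
            # Simplification: only the condition is checked, not the Deny's scope.
            flag = cond.get("Bool", {}).get("aws:SecureTransport")
            enforces_https = enforces_https or str(flag).lower() == "false"
        elif effect == "Allow" and is_public(stmt.get("Principal")):
            extra = [a for a in _as_list(stmt.get("Action", [])) if a != "s3:GetObject"]
            if cond:
                findings.append("public-with-condition: review manually")
            elif extra:
                findings.append("public-beyond-read: " + ",".join(extra))
            else:
                findings.append("public-read")
    if not enforces_https:
        findings.append("no-https-enforcement")
    return findings

# Constructed sample policies; "example-bucket" is a placeholder bucket name.
PUBLIC_READ = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
TOO_BROAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

if __name__ == "__main__":
    for name, doc in (("PUBLIC_READ", PUBLIC_READ), ("TOO_BROAD", TOO_BROAD)):
        print(name, audit_bucket_policy(doc))
```

A static-website bucket is expected to report public-read; a public principal granted anything beyond s3:GetObject deserves a closer look.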
Other S3 Features
Ref: https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20055932; https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20055940; and https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20055948