The Amazon S3 Checklist is an exhaustive list of all elements you need to have / to test before using S3 in production.
All items in the Amazon S3 Checklist are required for the majority of the projects, but some elements can be omitted or are not essential. We choose to use 3 levels of flexibility:
- 🟢 means that the item is recommended but can be omitted in some particular situations.
- 🟡 means that the item is highly recommended and can eventually be omitted in some really particular cases.
- 🔴 means that the item can't be omitted for any reason.
Some resources possess an emoticon to help you understand which type of content / help you may find on the checklist:
- 📖 documentation or article
- 🔧 online tool / testing tool
- 📹 media or video content
- 🔴 Choose Bucket Policy vs IAM Policy vs ACL: Setting up the right access controls for your S3 buckets and objects.
- 🟡 Use Access Points: Simplifies managing data access at scale for applications using shared data sets on S3.
- 🟡 Create object lifecycle policies: Implement data lifecycle needs according to frequency, durability, and latency requirements. Object lifecycle policies will move data between the various storage classes, including Glacier, and can even delete objects.
- 🟢 Have an object tagging policy: Object tagging is a powerful mechanism to attach metadata to objects managed in S3.
  - 📖 Object tagging
- 🔴 Have a backup plan: 11 9s of durability is not bulletproof. Consider cross-region replication or multi-cloud backups.
  - 📖 Replication
- 🟡 Enable object versioning: Object versioning, in conjunction with lifecycle management, enhances application resilience.
  - 📖 Object Versioning
- 🔴 Have a monitoring plan: What metrics are recorded? Who is notified? How often are metrics monitored?
  - 📖 Monitoring Amazon S3
- 🔴 Enable CloudTrail: CloudTrail logs cover general interactions with the S3 service.
- 🔴 Enable server access logging: Server access logging provides detailed records for the requests that are made to a bucket.
- 🔴 Enable block all public access: Blocks public access to S3 buckets and prevents S3 buckets from being made public unless this setting is turned off.
- 🔴 Enforce server-side or client-side encryption: Enable SSE-S3, SSE-KMS or SSE-C so that AWS encrypts data at rest, or use envelope encryption (client-side) to encrypt data before it lands on S3.
- 🔴 Enforce encryption in transit: Enforce the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) for all S3 requests.
- 🟡 Enable MFA delete: Adds another layer of security requiring additional authentication.
  - 📖 MFA delete
- 🟡 Use VPC endpoints: Where traffic being routed over the Internet is undesirable, VPC endpoints should be used to access S3.
  - 📖 VPC endpoints
- 🟡 Use Amazon GuardDuty: Detect suspicious activities such as requests coming from an unusual geo-location, disabling of preventative controls such as S3 block public access, or API call patterns consistent with an attempt to discover misconfigured bucket permissions.
- 🟢 Use Glacier Vault Lock: Immutable policy for enforcing controls such as "write once read many" (WORM).
- 🟢 Use Amazon Macie: Macie automates the discovery of sensitive data, such as personally identifiable information (PII) and intellectual property, to provide you with a better understanding of the data that your organization stores in Amazon S3.
- 🟡 Have a partitioning strategy: Consider storing your data in a fit-for-purpose directory structure for better read and write performance.
- 🟢 Use S3 Select: Enables applications to retrieve only a subset of data from an object by using simple SQL expressions.
- 🟢 Use Glacier Select: Allows you to perform filtering directly against a Glacier object using standard SQL statements.
- 🔴 Use Intelligent-Tiering: Intelligent-Tiering storage class is designed to optimize costs by automatically moving data to the most cost-effective access tier.
- 🟢 Retrieve S3 inventory: Outputs files that list your objects and their corresponding metadata on a daily or weekly basis. Can be useful to set up your own lifecycle management or for big data jobs that require S3 object metadata without having to call individual object APIs.
  - 📖 Amazon S3 inventory
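Three of the 🔴 items above (block all public access, enforce encryption at rest, enforce encryption in transit) can be verified from the bucket's configuration documents. The following is an added example, not part of this checklist or any AWS tooling: it audits a bucket policy (as returned by `get-bucket-policy`) for a Deny on non-TLS requests and a Deny on unencrypted `PutObject`, and checks the four `PublicAccessBlockConfiguration` flags. The two sample policies and the bucket name `example-bucket` are constructed for the example.

```python
import json

# Constructed sample policies (not from the checklist). HARDENED denies any
# request not made over TLS and any PutObject that does not request SSE-KMS;
# WEAK only grants read access and enforces neither control.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedPuts", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}
  ]}""")
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AllowAppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")

def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _deny_with_condition(policy, action, operator, key, value):
    """True if a Deny statement covers `action` (or s3:*) under the given condition."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if action.lower() not in actions and "s3:*" not in actions:
            continue
        cond = stmt.get("Condition", {}).get(operator, {})
        match = {k.lower(): str(v).lower() for k, v in cond.items()}
        if match.get(key.lower()) == value.lower():
            return True
    return False

def audit_bucket_policy(policy):
    """Report which checklist controls the bucket policy enforces."""
    return {
        "tls_enforced": _deny_with_condition(policy, "s3:*", "Bool", "aws:SecureTransport", "false"),
        "sse_enforced": _deny_with_condition(policy, "s3:PutObject", "StringNotEquals",
                                             "s3:x-amz-server-side-encryption", "aws:kms"),
    }

PUBLIC_ACCESS_BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                             "BlockPublicPolicy", "RestrictPublicBuckets")

def public_access_fully_blocked(config):
    """True only when all four S3 Block Public Access settings are enabled."""
    return all(config.get(flag) is True for flag in PUBLIC_ACCESS_BLOCK_FLAGS)
```

The SSE check only recognises the `StringNotEquals` pattern shown; a policy that enforces encryption with a `Null` condition on the same header would need a second clause.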
Open an issue or a pull request to suggest changes or additions.