
AWS S3 Fundamentals: Complete Guide to Buckets, Objects, and Permissions

Master AWS S3 core concepts - buckets, objects, and permission management explained for beginners. Essential SAA-C03 exam content included.

By PHILOLAMB | Updated: January 31, 2026

Related Exam Domains

  • Domain 1: Design Secure Architectures
  • Domain 3: Design High-Performing Architectures

Key Takeaway

Exam Tip

S3 Exam Essentials: S3 is object storage, not a file system. Bucket names must be globally unique, and by default all buckets and objects are private. Since April 2023, S3 Block Public Access is enabled by default. Bucket policies and IAM policies are recommended over ACLs for permission management.

| Component | Key Points |
|---|---|
| Bucket | Container for objects, globally unique name required, created in a region |
| Object | Data + metadata, up to 5TB, identified by key (path) |
| Permissions | IAM policy + bucket policy combination recommended, ACL is legacy |
| Default Security | All buckets/objects are private by default, public access blocked |

What is S3?

Amazon S3 (Simple Storage Service) is AWS's core storage service that uses object storage.

Object Storage vs Block/File Storage

| Feature | Object Storage (S3) | Block Storage (EBS) | File Storage (EFS) |
|---|---|---|---|
| Data Unit | Object (file + metadata) | Block | File/folder |
| Access Method | HTTP/HTTPS API | OS mount | NFS protocol |
| Modification | Replace entire object | Block-level modification | File-level modification |
| Scalability | Unlimited | Volume size limited | Petabytes |
| Latency | Milliseconds | Microseconds | Milliseconds |
| Use Cases | Static files, backups, archives | Databases, OS volumes | Shared file systems |

Exam Tip

Exam Point: S3 requires replacing the entire object for modifications, making it unsuitable for frequently modified data. Use EBS for database files or log files that are updated frequently.


S3 Buckets

What is a Bucket?

A bucket is the top-level container for storing objects in S3. The console may show it as a folder hierarchy, but the namespace inside a bucket is flat.

Key Bucket Characteristics

Bucket Naming Rules:
├── Globally unique (must be unique across all AWS accounts worldwide)
├── 3-63 characters in length
├── Only lowercase letters, numbers, and hyphens
├── Must start with a letter or number
└── Cannot be IP address format (e.g., 192.168.1.1)

| Feature | Description |
|---|---|
| Globally Unique Name | Bucket name must be unique across all AWS accounts worldwide |
| Region Specific | Buckets are created in a specific region; data is stored there |
| Per Account Limit | Default 100 (can request up to 1,000) |
| Deletion Requirement | Bucket must be empty to delete |

Bucket Naming Best Practices

Good Examples:
✅ my-company-app-logs-2026
✅ prod-backup-us-east-1
✅ data-lake-raw-zone

Bad Examples:
❌ MyBucket (uppercase not allowed)
❌ my_bucket (underscores not allowed)
❌ my..bucket (consecutive dots not allowed)
❌ -mybucket (cannot start with hyphen)
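To apply the rules above mechanically, here is an added Python validator (example code, not from the original post) that reports every violation at once rather than stopping at the first; dots are treated as allowed but never consecutive, following the bad-example list.

```python
import re

# Rules as listed on this page: 3-63 chars, lowercase letters, digits and
# hyphens (dots allowed but never doubled), must start and end with a letter
# or digit, and must not look like an IPv4 address.
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def validate_bucket_name(name: str) -> list:
    """Return every rule the name violates; an empty list means it is valid."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3-63 characters")
    if any(c.isupper() for c in name):
        problems.append("uppercase letters are not allowed")
    if "_" in name:
        problems.append("underscores are not allowed")
    if ".." in name:
        problems.append("consecutive dots are not allowed")
    if name[:1] in ("-", ".") or name[-1:] in ("-", "."):
        problems.append("must start and end with a letter or number")
    if _IPV4.match(name):
        problems.append("cannot be formatted as an IP address")
    # Anything else outside the allowed set (spaces, non-ASCII, symbols);
    # uppercase letters and underscores were already reported above.
    extra = {c for c in name
             if not (c.isascii() and (c.islower() or c.isdigit()) or c in ".-")
             and not c.isupper() and c != "_"}
    if extra:
        problems.append("disallowed characters: " + "".join(sorted(extra)))
    return problems


def is_valid_bucket_name(name: str) -> bool:
    """Convenience wrapper for a yes/no answer."""
    return not validate_bucket_name(name)
```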

S3 Objects

Object Components

S3 objects consist of the following elements:

S3 Object Structure
├── Key
│   └── Unique identifier for the object (full path)
│   └── Example: photos/2026/vacation/beach.jpg
├── Value
│   └── Actual data (file content)
│   └── Maximum 5TB
├── Metadata
│   ├── System metadata: Content-Type, Last-Modified, etc.
│   └── User-defined metadata: x-amz-meta-* headers
├── Version ID
│   └── Generated when versioning is enabled
└── Subresources
    ├── ACL (Access Control List)
    └── Torrent

Object Keys and Virtual Folders

S3 has a flat structure, but you can use slashes (/) in keys to simulate folders.

Bucket: my-photos-bucket
├── photos/2026/january/photo1.jpg  ← Key
├── photos/2026/january/photo2.jpg
├── photos/2026/february/photo3.jpg
└── documents/report.pdf

These are actually 4 independent objects, not folders!

Exam Tip

Exam Point: S3 has no actual folder/directory concept. Folders shown in the console are visualizations of key prefixes. "photos/2026/" is a prefix.

Object Size Limits

| Operation | Limit |
|---|---|
| Single PUT | Maximum 5GB |
| Multipart Upload | Maximum 5TB (recommended for >100MB, required for >5GB) |
| Minimum Part Size | 5MB (except last part) |
| Maximum Parts | 10,000 |

Upload Method Selection:
├── 0 ~ 100MB: Single PUT recommended
├── 100MB ~ 5GB: Multipart recommended
└── 5GB ~ 5TB: Multipart required
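An added example (not part of the original post) that turns the limits in this section into an upload plan: it picks single PUT or multipart and derives a part size that stays within the 10,000-part ceiling. Binary units (MiB/GiB/TiB) and a 5 MiB minimum part size are assumed.

```python
import math

MIB, GIB, TIB = 1024 ** 2, 1024 ** 3, 1024 ** 4

# Limits from this page's "Object Size Limits" table; binary units assumed.
MAX_OBJECT = 5 * TIB              # largest single object
MAX_SINGLE_PUT = 5 * GIB          # above this, multipart is mandatory
MULTIPART_ADVISED_ABOVE = 100 * MIB
MIN_PART = 5 * MIB                # every part but the last
MAX_PARTS = 10_000


def plan_upload(size_bytes: int) -> dict:
    """Choose the upload method and a part size for an object of this size.

    The part size is the smallest whole-MiB value that keeps the part count
    within 10,000 and is never below the 5 MiB minimum.
    """
    if size_bytes < 0 or size_bytes > MAX_OBJECT:
        raise ValueError("object size must be between 0 and 5 TiB")
    if size_bytes <= MULTIPART_ADVISED_ABOVE:
        return {"method": "single-put", "part_size": size_bytes, "parts": 1,
                "required": False}
    needed = math.ceil(size_bytes / MAX_PARTS)
    part_size = max(MIN_PART, math.ceil(needed / MIB) * MIB)
    return {"method": "multipart", "part_size": part_size,
            "parts": math.ceil(size_bytes / part_size),
            "required": size_bytes > MAX_SINGLE_PUT}


def part_ranges(size_bytes: int, part_size: int) -> list:
    """Return (part_number, first_byte, last_byte) per part, 1-based, so a
    client can read each slice of the source file for its UploadPart call."""
    return [(n + 1, start, min(start + part_size, size_bytes) - 1)
            for n, start in enumerate(range(0, size_bytes, part_size))]
```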

S3 Permission Management

Permission Methods Comparison

S3 permissions can be managed through several mechanisms:

| Method | Applies To | Primary Use Cases |
|---|---|---|
| IAM Policy | IAM users/roles | Internal user permission management |
| Bucket Policy | Bucket | Cross-account access, public access |
| ACL | Bucket/Object | Legacy, not recommended |
| S3 Access Points | Bucket | Large-scale shared datasets |

IAM Policy vs Bucket Policy

IAM Policy (Identity-based):
├── "What can this user/role do?"
├── Attached to IAM users, groups, roles
├── Manage permissions for multiple buckets in one place
└── Best for internal users within an AWS account

Bucket Policy (Resource-based):
├── "Who can access this bucket?"
├── Attached directly to S3 bucket
├── Can allow anonymous (public) access
├── Best for cross-account access
└── Written in JSON format

Bucket Policy Example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-website-bucket/*"
    }
  ]
}

| Element | Description |
|---|---|
| Version | Policy language version (always use "2012-10-17") |
| Statement | Array of permission rules |
| Sid | Statement identifier (optional) |
| Effect | Allow or Deny |
| Principal | Target of permission grant (* = all users) |
| Action | Actions to allow/deny |
| Resource | Target resources (ARN) |

Object Ownership Settings

Since April 2023, new buckets have Bucket owner enforced as the default setting.

| Setting | ACL Status | Object Ownership |
|---|---|---|
| Bucket owner enforced (recommended) | Disabled | Always bucket owner |
| Bucket owner preferred | Enabled | Requires bucket-owner-full-control ACL |
| Object writer (legacy) | Enabled | Uploading account |

Exam Tip

Exam Point: To resolve object ownership issues with cross-account uploads, use Bucket owner enforced. This setting disables ACLs and ensures the bucket owner owns all objects.


S3 Block Public Access

Block Public Access Settings

All new buckets have public access blocked by default.

Block Public Access Options:
├── BlockPublicAcls
│   └── Block adding public ACLs
├── IgnorePublicAcls
│   └── Ignore existing public ACLs
├── BlockPublicPolicy
│   └── Block public bucket policies
└── RestrictPublicBuckets
    └── Block public/cross-account access for buckets with public policies

| Scenario | Recommended Setting |
|---|---|
| Completely Private | All 4 ON (default) |
| Static Website Hosting | All 4 OFF + control via bucket policy |
| CloudFront Integration | All 4 ON + use OAC |

Enabling Public Access

When public access is needed (like static websites):

1. Check Account-level Block Public Access
   └── S3 > Block Public Access settings for this account

2. Disable Bucket-level Block Public Access
   └── Bucket > Permissions > Block public access

3. Allow public read via bucket policy
   └── Principal: "*", Action: "s3:GetObject"
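The following added Python check (not from the original post) applies the same idea as BlockPublicPolicy to a bucket policy document such as the one in the Bucket Policy Example section: it flags Allow statements with a wildcard principal unless a condition pins the caller or source. The account and distribution ids in the embedded samples are placeholders, and the narrowing-key list is a subset of the keys AWS treats as non-public.

```python
import json

# Condition keys that pin access to specific accounts, principals, networks
# or sources; a wildcard-principal Allow carrying one of these is NOT treated
# as public (subset of the keys AWS uses in its "meaning of public" rules).
NARROWING_KEYS = {
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce",
    "aws:sourceip",
}
# Constructed samples: the page's public-read website policy, and a CloudFront
# OAC policy locked to one distribution (placeholder account/distribution ids).
WEBSITE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-website-bucket/*"}]})
OAC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-name/*",
    "Condition": {"StringEquals": {"AWS:SourceArn":
        "arn:aws:cloudfront::111122223333:distribution/EXAMPLEID"}}}]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    """True for the anonymous wildcard: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _condition_narrows(condition: dict) -> bool:
    """True if any condition block uses a key that pins the caller or source."""
    return any(key.lower() in NARROWING_KEYS
               for block in condition.values() for key in block)


def find_public_statements(policy_json: str) -> list:
    """Return the Sid (or index) of each Allow statement that grants access
    to everyone, which is what Block Public Access (BlockPublicPolicy) rejects."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if _condition_narrows(stmt.get("Condition", {})):
            continue
        findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings
```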

S3 Static Website Hosting

Setup Method

You can use an S3 bucket as a static website.

Static Website Hosting Setup:
├── Bucket > Properties > Enable Static website hosting
├── Specify Index document (e.g., index.html)
├── Specify Error document (e.g., error.html)
├── Disable Block Public Access
└── Allow public read via bucket policy

Website Endpoints

| Type | Format | Example |
|---|---|---|
| REST API | bucket-name.s3.region.amazonaws.com | my-bucket.s3.us-east-1.amazonaws.com |
| Website | bucket-name.s3-website-region.amazonaws.com | my-bucket.s3-website-us-east-1.amazonaws.com |

Exam Tip

Exam Point: Static website hosting only supports HTTP. For HTTPS, place CloudFront in front. When integrating with CloudFront, using OAC (Origin Access Control) to block direct S3 access is recommended for security.


S3 and CloudFront Integration

OAC vs OAI

Security mechanisms for CloudFront accessing S3 origins:

| Feature | OAC (Recommended) | OAI (Legacy) |
|---|---|---|
| Introduced | 2022 | 2008 |
| SSE-KMS Support | ✅ | ❌ |
| Dynamic Request Support | ✅ (POST, PUT, etc.) | ❌ (GET only) |
| All Regions | ✅ | ❌ |
| Recommendation | ✅ Recommended | Migrate to OAC |

OAC Setup Flow

OAC Setup:
1. CloudFront > Origin access control settings > Create
2. Specify S3 bucket as origin
3. Apply CloudFront-generated bucket policy to S3
4. Keep S3 Block Public Access ON

Bucket Policy Example:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Service": "cloudfront.amazonaws.com"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::bucket-name/*",
    "Condition": {
      "StringEquals": {
        "AWS:SourceArn": "arn:aws:cloudfront::account-id:distribution/distribution-id"
      }
    }
  }]
}

S3 Versioning

Versioning Characteristics

Versioning States:
├── Unversioned (default): No versioning
├── Enabled: Versioning active
└── Suspended: Versioning paused

Key Features:
├── Enabled at bucket level
├── Once enabled, cannot be disabled (only suspended)
├── All object versions retained → increased storage costs
└── MFA Delete can protect against permanent deletion

Delete Behavior

| Action | Versioning Disabled | Versioning Enabled |
|---|---|---|
| DELETE | Permanent deletion | Adds Delete Marker (recoverable) |
| DELETE + Version ID | N/A | Permanently deletes specific version |

Exam Tip

Exam Point: When you delete an object in a versioned bucket, a Delete Marker is created. The actual data is not deleted, and removing the Delete Marker restores the object.


SAA-C03 Exam Focus Points

Common Question Types

| Topic | Key Point |
|---|---|
| Bucket Name | Globally unique, lowercase/numbers/hyphens only, DNS compatible |
| Object Size | Max 5TB, multipart recommended for >100MB |
| Default Security | All buckets/objects are private by default |
| Permission Management | IAM policy + bucket policy combination, ACL is legacy |
| Cross-Account | Use bucket policy or IAM role |
| Object Ownership | Bucket owner enforced resolves ownership issues |
| Static Website | HTTP only, HTTPS requires CloudFront |
| CloudFront Integration | OAC recommended (OAI is legacy) |

Common Exam Traps

❌ S3 bucket names only need to be unique within a region
   → Must be globally unique

❌ You can set permissions on S3 folders
   → S3 has no actual folders, they're just prefixes

❌ ACL is recommended over bucket policies
   → Bucket policy + IAM policy combination recommended, ACL is legacy

❌ S3 static websites support HTTPS
   → HTTP only, HTTPS requires CloudFront

❌ Disabling versioning deletes previous versions
   → Versioning can only be suspended, existing versions are retained

Frequently Asked Questions

Q: What's the difference between S3 buckets and objects?

A bucket is a container (logical group) for storing objects, while an object is the actual data (file).

  • Bucket: Globally unique name required, created in a region, 100 per account limit
  • Object: Identified by key (path), max 5TB, includes metadata

Q: Should I use IAM policies or bucket policies?

Same account users: Use IAM policies to define "who can do what"

Cross-account access or public access: Use bucket policies

Complex scenarios: Combine IAM policy + bucket policy (both must Allow for access, any Deny blocks access)

Q: When should I use S3 ACLs?

Rarely. AWS has disabled ACLs by default for new buckets since 2023.

They are still needed in a few cases, such as legacy system compatibility or AWS service integrations like CloudWatch Logs delivery. For new implementations, use bucket policies.

Q: How do I use HTTPS with S3 static websites?

S3 static website hosting only supports HTTP. For HTTPS:

  1. Create CloudFront distribution (with S3 as origin)
  2. Attach ACM certificate (HTTPS termination at CloudFront)
  3. Configure OAC (block direct S3 access)

This routes traffic: User → CloudFront (HTTPS) → S3 (internal communication).

Q: How do I access another AWS account's S3 bucket?

Method 1: Bucket Policy (resource-based)

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::OTHER-ACCOUNT:root"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::bucket/*"
  }]
}

Method 2: IAM Role Assumption (recommended)

  1. Create role in bucket owner's account
  2. Add accessing account to trust policy
  3. Use AssumeRole from accessing account

Role assumption provides finer control and better auditing.


Summary

S3 is AWS's core storage service and appears in various forms on the SAA-C03 exam. Key takeaways:

  1. Object Storage: Key-Value structure, not a file system
  2. Buckets: Globally unique name, created in a region
  3. Default Security: Everything is private, public access blocked by default
  4. Permission Management: IAM policy + bucket policy combination, ACL is legacy
  5. Static Websites: HTTP only, HTTPS requires CloudFront

Continue learning with S3 Storage Classes and S3 Encryption to complete your S3 knowledge.