AWS - S3

最後更新: 2020-10-17



Download protocol

The default download protocol is HTTP/HTTPS


Authentication mechanisms are provided to ensure that data is kept secure from unauthorized access.

Objects can be made private or public, and rights can be granted to specific users.

Bucket Region

A bucket can be stored in one of several Regions.

You can choose a Region to optimize for latency, minimize costs, or address regulatory requirements.


Access S3 object


Virtual-hosted style access







Bucket Versioning


After enabling Bucket Versioning, you might need to update your lifecycle rules to manage previous versions of objects.





S3 with KMS

  • Client-side encryption
  • Server-side encryption

Server-side encryption

S3 加密過程(Put)

S3 -requests(data-key)-> KMS

# plaintext & encrypted copy of the data key
S3        <-keys-        KMS

S3: encrypt(data, plaintext-key) > encrypted data

S3: encrypted data-key as metadata with the encrypted data

S3 解密過程(Get)

S3 -encrypted key-> KMS

S3 <-plaintext key- KMS

S3: decrypt(encrypted data, plaintext-key) > data

server-side encryption: SSE-S3, SSE-C, or SSE-KMS

# SSE = Server-Side Encryption
# KMS = Key Management Service
# CMKs = Customer Master Keys

  • SSE with Amazon S3-Managed Keys (SSE-S3)
    An encryption key that Amazon S3 creates, manages, and uses for you.
    If you fully trust AWS, use this S3 encryption method.
  • SSE with CMKs Stored in KMS
    different method from SSE-S3
    它支援 user control and audit trail
  • SSE with Customer-Provided Keys (SSE-C)
    keys are provided by a customer and AWS doesn’t store the encryption keys.
    S3 data encryption & decryption are performed on the AWS server side.


When you use an AWS KMS CMK for server-side encryption in Amazon S3,

you must choose a symmetric CMK. Amazon S3 only supports symmetric CMKs and not asymmetric CMKs.

S3 Bucket Keys feature


designed to reduce calls to AWS KMS when objects in an encrypted bucket are accessed.


S3 uses this data key as a bucket key.

S3 creates unique data keys outside of AWS KMS for objects in the bucket and encrypts those data keys under the bucket key.

S3 uses each bucket key for a time-limited period.


After you set the encryption settings for the entire bucket,

the files that have been uploaded to the bucket before enabling encryption are left unencrypted.


S3 bucket set CORS



2. choose the name of the bucket
3. Permissions tab > CORS section > Edit button > paste jsoin in text box