What Is Amazon S3?
Amazon Simple Storage Service (S3) is an object storage service, not a filesystem or block device. You store data as discrete objects (a blob of bytes plus metadata) inside containers called buckets, and you interact with it entirely through a REST API, the AWS CLI, or an SDK rather than mounting a drive. There is no directory tree underneath S3; everything is a flat key-value store, and objects can range from 0 bytes up to 5 TB, with AWS advertising 99.999999999% (11 nines) durability for the Standard storage class.
Cricket analogy: Think of S3 like the BCCI's central video archive of every IPL match ever played: you don't 'browse a shelf' for a tape, you request the exact match ID (say, 'MI-vs-CSK-2023-Final') and the system fetches it instantly from wherever it is physically stored.
Buckets, Objects, and Keys
A bucket is a top-level container with a globally unique name (unique across all of AWS, not just your account) and it is created in a specific AWS Region. Inside a bucket, every object is identified by a key, which is simply a string such as 'invoices/2026/march/inv-4471.pdf'. S3 has no real subfolders; the forward slashes in a key are just characters, and the console/CLI simulate a folder view by grouping objects on common prefixes. Each object also carries metadata (content-type, custom headers) and, if versioning is enabled on the bucket, a version ID so multiple revisions of the same key can coexist.
Cricket analogy: It's like how ESPNcricinfo names a scorecard URL '/series/ipl-2026/match/45/mumbai-vs-chennai' — the slashes look like folders but it's really just one long, unique string identifying that scorecard, the same way an S3 key like 'series/ipl-2026/match-45.json' is just one flat string.
# Create a bucket in a specific region
aws s3api create-bucket \
--bucket my-app-assets-prod-7421 \
--region us-east-1
# Upload an object with a 'folder-like' key
aws s3 cp ./invoice.pdf \
s3://my-app-assets-prod-7421/invoices/2026/march/inv-4471.pdf
# List objects sharing a common prefix (simulated folder)
aws s3api list-objects-v2 \
--bucket my-app-assets-prod-7421 \
--prefix invoices/2026/march/
# Generate a time-limited presigned URL (valid 1 hour)
aws s3 presign \
s3://my-app-assets-prod-7421/invoices/2026/march/inv-4471.pdf \
--expires-in 3600Durability, Availability, and Consistency
S3 Standard is designed for 11 nines of durability by synchronously replicating each object across a minimum of three Availability Zones within a Region, so the loss of an entire data center should not lose your data. Durability (will the bytes survive) is a different guarantee from availability (can you reach them right now); S3 Standard targets 99.99% availability with a 99.9% SLA. Since December 2020, S3 provides strong read-after-write consistency for all operations: as soon as a PUT succeeds, every subsequent GET or LIST reflects that write, with no eventual-consistency window to design around.
Cricket analogy: It's like the DRS system keeping three independent camera angles of every delivery — even if one broadcast feed drops, the umpire's decision (the 'data') survives because it was captured redundantly, similar to S3 replicating across three AZs.
S3 durability applies per-object across AZs within one Region; it does not protect against you deleting the object yourself. For protection against accidental deletion or overwrite, enable Versioning and consider adding MFA Delete or Object Lock (WORM) on the bucket.
Access Control and Security
By default, every new S3 bucket and object is private. Access is granted through IAM policies attached to users/roles, bucket policies attached to the bucket itself, or (rarely, in modern designs) legacy ACLs; S3 Block Public Access is enabled by default on new buckets and should generally stay on unless you deliberately host public content like a static website. Data at rest can be encrypted with SSE-S3 (AWS-managed keys), SSE-KMS (customer-managed keys with audit trails via CloudTrail), or SSE-C (customer-supplied keys), and data in transit is protected by requiring TLS via a bucket policy condition such as aws:SecureTransport.
Cricket analogy: It's like a stadium requiring every entrant to badge-scan (IAM policy) at the gate, with a separate ground-wide rule (bucket policy) that no one enters after the toss without media credentials — both checks must pass, just as S3 evaluates IAM and bucket policies together.
Never rely on a bucket being 'private by default' as your only safeguard. A single misconfigured bucket policy statement with a wildcard Principal ("*") can expose data publicly even with Block Public Access partially disabled. Always audit bucket policies with IAM Access Analyzer for S3 before granting broad access.
- S3 is object storage: flat key-value pairs inside globally-unique-named buckets, not a filesystem.
- Object keys can be up to 1,024 bytes and objects up to 5 TB; 'folders' are just a UI illusion built on key prefixes.
- S3 Standard offers 11 nines of durability via synchronous replication across at least 3 Availability Zones.
- Strong read-after-write consistency has applied to all S3 operations since December 2020 — no stale reads.
- Access is governed by IAM policies plus bucket policies (and optionally ACLs); Block Public Access is on by default.
- Encryption at rest (SSE-S3, SSE-KMS, SSE-C) and in transit (TLS) should both be enforced for sensitive data.
- Enable Versioning and consider Object Lock to protect against accidental deletion or overwrite.
Practice what you learned
1. What is the maximum size of a single S3 object?
2. Since December 2020, what consistency model does S3 provide for all read/write operations?
3. Which statement about S3 bucket names is correct?
4. By default, how is a newly created S3 bucket configured with respect to public access?
5. What feature should you enable to protect against accidental deletion or overwrite of objects?
Was this page helpful?
You May Also Like
S3 Storage Classes
Compare S3's storage classes — from Standard to Glacier Deep Archive — and learn how to pick the right one and automate transitions with lifecycle rules.
EFS Explained
Learn how Amazon EFS provides a fully managed, elastic NFS file system that multiple EC2 instances and containers can mount and share concurrently.
AWS Storage Gateway Overview
See how AWS Storage Gateway bridges on-premises applications to S3, EBS snapshots, and Glacier using File, Volume, and Tape gateway modes.