S3 or Amazon Simple Storage Service provides a simple web-services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web. It gives any developer access to the same highly scalable, reliable, secure, fast, inexpensive infrastructure that Amazon uses to run its own global network of web sites. The service aims to maximize benefits of scale and to pass those benefits on to developers.
AWS Free Tier
Includes 5GB storage, 20,000 Get Requests, and 2,000 Put Requests with Amazon S3.
Standard | 0.02 per GB |
Infrequent Access | 0.01 per GB |
Glacier | 0.005 per GB |
Deep Glacier | 0.00099 per GB |
Storage pricing S3 Standard - General purpose storage for any type of data, typically used for frequently accessed data First 50 TB / Month $0.023 per GB Next 450 TB / Month $0.022 per GB Over 500 TB / Month $0.021 per GB S3 Intelligent Tiering - Automatic cost savings for data with unknown or changing access patterns Monitoring and Automation, All Storage / Month (Objects > 128 KB) $0.0025 per 1,000 objects Frequent Access Tier, First 50 TB / Month $0.023 per GB Frequent Access Tier, Next 450 TB / Month $0.022 per GB Frequent Access Tier, Over 500 TB / Month $0.021 per GB Infrequent Access Tier, All Storage / Month $0.0125 per GB Archive Instant Access Tier, All Storage / Month $0.004 per GB S3 Intelligent Tiering - Optional asynchronous Archive Access tiers Archive Access Tier, All Storage / Month $0.0036 per GB Deep Archive Access Tier, All Storage / Month $0.00099 per GB S3 Standard Infrequent Access - For long lived but infrequently accessed data that needs millisecond access All Storage / Month $0.0125 per GB S3 One Zone Express - High-performance storage for your most frequently accessed data All Storage / Month $0.16 per GB S3 One Zone Infrequent Access - For re-creatable infrequently accessed data that needs millisecond access All Storage / Month $0.01 per GB S3 Glacier Instant Retrieval - For long-lived archive data accessed once a quarter with instant retrieval in milliseconds All Storage / Month $0.004 per GB S3 Glacier Flexible Retrieval - For long-term backups and archives with retrieval option from 1 minute to 12 hours All Storage / Month $0.0036 per GB S3 Glacier Deep Archive - For long-term data archiving that is accessed once or twice in a year and can be restored within 12 hours All Storage / Month $0.00099 per GB
Optimising Costs
How to analyze and reduce S3 storage usage
Costs Example
Monthly cost of storing in S3 Standard: 753.27 GB x $0.024/GB = $18.08 Monthly cost of storing in S3 Glacier: $3.67 753.27 GB x $0.0045/GB = $3.39 Glacier overhead: 855953 objects * 32 KB * $0.0045/GB = $0.12 S3 overhead: 855953 objects * 8 KB * $0.024/GB = $0.16
S3cmd is a tool for managing objects in Amazon S3 storage. It allows for making and removing "buckets" and uploading, downloading and removing "objects" from these buckets. It runs on Linux and Mac.
sudo -i apt-get install python3-setuptools wget tar -xzvf s3cmd-2.0.2.tar.gz cd s3cmd-2.0.2/ python install which s3cmd s3cmd --version
sudo pip3 install s3cmd
s3cmd --configure
Stored in...
host_base = host_bucket = %(bucket)
s3cmd --help
How to create a folder...
s3cmd put file.jpg s3://bucket/folder/file.jpg
How to sync a folder but only include certain files or folders...
s3cmd --exclude '*' --include '*200901*' --no-progress --stats sync /home/MailScanner/archive/ s3://
How to move folders and files but using BASH brace expansion...
s3cmd --dry-run mv --recursive s3://{22..31} s3://
List failed multipart uploads...
s3cmd multipart s3://
Delete failed multipart upload...
s3cmd abortmp s3://BUCKET/OBJECT Id
Encrypted Sync
Static Web Site
Create an S3 Bucket from AWS CLI
Create an S3 bucket in the us-east-1 region, giving your bucket a globally unique name, using the S3 API:
aws s3api create-bucket --bucket <UNIQUE_BUCKET_NAME> --region=<REGION> --create-bucket-configuration LocationConstraint=<REGION> --acl public-read
Modify the Newly Created Bucket to Be an S3 Website Bucket
Issue the AWS S3 API CLI command to enable the "Static website hosting" property of your bucket. In this same command, you'll also provide the index.html page, which is what your bucket URL will serve:
aws s3 website s3://<UNIQUE_BUCKET_NAME> --index-document index.html
Modify Provided S3 Policy File and Use It to Modify Bucket Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucketname/*" } ] }
Put in the name of your bucket.
Save and exit the file.
Use the S3 policy file to modify the bucket policy so your objects are publicly accessible, which is a requirement for S3 static websites:
aws s3api put-bucket-policy --bucket <UNIQUE_BUCKET_NAME> --policy file://policy_s3.json
Create a Basic index.html Page and Upload File
Create a basic HTML page:
echo "<html><center><h1>My Static Website on S3</h1></center></html>" > index.html
Upload the index.html file to your S3 website bucket using the AWS S3 API CLI:
aws s3 cp index.html s3://<UNIQUE_BUCKET_NAME>
Verify Your S3 Static Website Is Working
Enter the S3 website URL for your bucket in the browser to ensure it's working.
You can also test from the terminal using the curl command:
curl http://<UNIQUE_BUCKET_NAME>
Convert a WordPress Web Site to Static HTML hosted on Amazon S3
Part I - S3 with no SSL
- Install the Simply Static plug-in
- Simply Static › Generate
- Download the ZIP file
- Extract the ZIP to your computer
- Create your S3 Bucket with the same name as the web site domain name you want using the instructions from the link above
- Change the permissions as instructed to 'Allow Public Access' and enable 'Static website hosting' using the instructions from the link above
- Upload the index.html file as a 'File' and then any folders as 'Folder' (tip - you have to go in to the folder to select it!)
- Complete the Route 53 part to add an A Record with an ALIAS to the S3 endpoint using the instructions from the link above
- Load the domain name in your web browser and check
Part II - CloudFront with Let's Encrypt SSL
Recover Deleted Objects
How can I retrieve an Amazon S3 object that was deleted in a versioning-enabled bucket?
Disaster Prevention and Recovery
Set Lifecycle Rule to EMPTY Bucket
Set Lifecycle Rule To Delete Failed Multipart Uploads
Reduce Costs by Limiting Versions
How to remove old versions of objects in S3 when using S3 versioning
docker pull amazon/aws-cli
Normal Usage
docker run --rm -it -v "/root/.aws:/root/.aws" amazon/aws-cli s3 ls
Advanced Usage
docker run --rm -it -v "/root/.aws:/root/.aws" -v "/path/to:/path/to" amazon/aws-cli --profile myprofile s3 sync /path/to/subfolder/ s3://mybucketname/subfolder/ --exclude "*" --include "filename*"
CLI aws Install
This is the official AWS command line tool.
Version 2
Uninstall version 1 ...
sudo -H pip3 uninstall awscli
Install version 2 ...
cd /tmp/ curl -s "" -o "" unzip -q sudo ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli aws --version
Version 1
sudo -i python3 --version apt install python3-distutils curl -s -O python3 pip3 install awscli
BASH Completion -
CLI aws Upgrade
Version 2
cd /tmp/ curl --silent "" -o "" unzip -q sudo ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update aws --version cd
Version 1
sudo -H pip3 install --upgrade awscli
CLI aws Usage
aws configure
aws configure set default.s3.max_concurrent_requests 20
aws help
aws s3 help
aws s3 ls
aws s3 sync /tmp/foo s3://bucketname/foo
aws ec2 authorize-security-group-ingress --group-name launch-wizard-1 --protocol tcp --port 22 --cidr
1. To backup photos in your Syncthing directory (dryrun option added for testing)...
aws s3 sync --dryrun --exclude "*" --include "*201701*" /home/user/Syncthing/User/phone/photos/ s3://
#!/bin/bash # # script to backup photos (taken the day before) to aws s3 # YEAR=$( date +'%Y' -d "yesterday" ) MONTH=$( date +'%m' -d "yesterday" ) /usr/local/bin/aws s3 sync --exclude "*" --include "*${YEAR}${MONTH}*" /home/user/Syncthing/User/phone/photos/ s3://${YEAR}/${MONTH}/ exit
2. To move objects from one bucket to another bucket, or same bucket but different folder...
aws s3 mv s3://source/file1.txt s3://destination/file2.txt aws s3 mv s3://source/file1.txt s3://source/folder/file1.txt aws --profile profile2 s3 mv --dryrun --recursive --exclude "*" --include "archive-nfs/201502*" s3://source/ s3://destination/archive-nfs/MailArchive/
3. To use a different profile (for different customers)...
nano ~/.aws/credentials [default] aws_access_key_id = XXXXXX aws_secret_access_key = XXXXXXXXXXXXX [customer2] aws_access_key_id = XXXXXX aws_secret_access_key = XXXXXXXXXXXXX
aws --profile customer2 s3 ls
Thanks -
4. Delete multiple files...
aws --profile customer2 s3 rm --dryrun --recursive --exclude "*" --include "messages" s3://mybucket/folder/ (dryrun) delete: s3://mybucket/folder/subfolder/messages
5. Make bucket...
aws s3 mb s3://mybucket --region eu-west-1
6. Create folder... (the key here is the forward slash / at the end)
aws s3api put-object --bucket mybucket --key dir-test/
7. Create folder and sub folders... (the key here is the forward slash / at the end)
aws s3api put-object --bucket mybucket --key dir-test/subfolder1/subfolder2/
8. Size and Number of Files...
aws s3api list-objects --bucket mybucket --output json --query "[sum(Contents[].Size), length(Contents[])]"
9. Copy files from remote storage to local...
aws s3 cp --recursive s3://mybucket/myFolder/ ./path/to/folder/
10. Restore file from Glacier storage...
aws --profile=default s3api restore-object --bucket mybucket --key foldername/ --restore-request '{"Days":7,"GlacierJobParameters":{"Tier":"Standard"}}'
11. Upload folder to S3 as a tar.gz file without compressing locally first using pipes...
tar cvfz - /var/test | aws s3 cp - s3://mybucket/test1.tar.gz
12. Search for a filename...
aws --profile myprofile s3api list-objects --bucket --query "Contents[?contains(Key, '*S1255*')]" aws --profile myprofile s3 ls s3:// --recursive |grep 'S1255'
13. Empty bucket but keep CPU usage low about 30% ...
sudo apt install cpulimit /usr/bin/cpulimit -q -b -c 1 -e aws -l 30 nice aws s3 rm --quiet s3:// --recursive
Official Guides
User Guide -
Reference -
Point in Time Restore
CLI Backup and File Versioning
Make S3 bucket...
aws s3 mb s3://bucketname.archive-test
Create S3 bucket archiving policy...
Example 1 = move all objects to Infrequent Access after 30 days, and then to Glacier after 60 days ...
nano aws_lifecycle_30_IA_60_GLACIER.json { "Rules": [ { "Filter": { "Prefix": "" }, "Status": "Enabled", "Transitions": [ { "Days": 30, "StorageClass": "STANDARD_IA" }, { "Days": 60, "StorageClass": "GLACIER" } ], "NoncurrentVersionTransitions": [ { "NoncurrentDays": 30, "StorageClass": "STANDARD_IA" }, { "NoncurrentDays": 60, "StorageClass": "GLACIER" } ], "ID": "30 Days Transfer to IA, 60 Days Transfer to Glacier" } ] }
Example 2 = only keep 1 current version and 1 non-current version of a file after 1 day ...
{ "Rules": [ { "Expiration": { "ExpiredObjectDeleteMarker": true }, "ID": "1 Days Versions", "Filter": {}, "Status": "Enabled", "NoncurrentVersionExpiration": { "NoncurrentDays": 1, "NewerNoncurrentVersions": 1 }, "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": 1 } } ] }
Set S3 bucket lifecycle policy (only keep 3 files for any noncurrent version after 30 days) that has versioning enabled...
nano bucket-lifecycle-configuration.json
{ "Rules": [ { "ID": "30DaysKeep3", "Filter": {}, "Status": "Enabled", "NoncurrentVersionExpiration": { "NoncurrentDays": 30, "NewerNoncurrentVersions": 3 } } ] }
aws --profile profile s3api put-bucket-lifecycle-configuration --bucket <bucket> --lifecycle-configuration file://bucket-lifecycle-configuration.json
Set S3 bucket archiving policy...
aws s3api put-bucket-lifecycle-configuration --bucket bucketname.archive-test --lifecycle-configuration file://aws_lifecycle_30_IA_60_GLACIER.json
Check S3 bucket archiving policy...
aws s3api get-bucket-lifecycle-configuration --bucket bucketname.archive-test
Set S3 bucket versioning...
aws s3api put-bucket-versioning --bucket bucketname.archive-test --versioning-configuration Status=Enabled
Check S3 bucket versioning...
aws s3api get-bucket-versioning --bucket bucketname.archive-test
Make S3 bucket folder...
aws --profile default s3api put-object --bucket bucketname.archive-test --key Test/
Create local folder and files...
mkdir ~/Test echo "This is the first line and first version of the file." >>~/Test/test.txt
Sync local folder with S3 bucket folder...
aws s3 sync ~/Test/ s3://bucketname.archive-test/Test/
List S3 bucket contents...
aws s3 ls --human-readable --recursive --summarize s3://bucketname.archive-test/Test/
Check S3 bucket versioning...
aws s3api list-object-versions --bucket bucketname.archive-test
Edit the same file again...
echo "This is the second line and second version of the file." >>~/Test/test.txt
Sync local folder with S3 bucket folder again...
aws s3 sync ~/Test/ s3://bucketname.archive-test/Test/
Check S3 bucket versioning...
aws s3api list-object-versions --bucket bucketname.archive-test
Restore particular version of file...
aws s3api get-object --bucket bucketname.archive-test --key Test/test.txt --version-id hsu8723wgjhas ~/Test/test.txt
CLI s3 sync options
DESCRIPTION Syncs directories and S3 prefixes. Recursively copies new and updated files from the source directory to the destination. Only creates fold- ers in the destination if they contain one or more files.
See 'aws help' for descriptions of global parameters.
SYNOPSIS sync <LocalPath> <S3Uri> or <S3Uri> <LocalPath> or <S3Uri> <S3Uri> [--dryrun] [--quiet] [--include <value>] [--exclude <value>] [--acl <value>] [--follow-symlinks | --no-follow-symlinks] [--no-guess-mime-type] [--sse <value>] [--sse-c <value>] [--sse-c-key <value>] [--sse-kms-key-id <value>] [--sse-c-copy-source <value>] [--sse-c-copy-source-key <value>] [--storage-class <value>] [--grants <value> [<value>...]] [--website-redirect <value>] [--content-type <value>] [--cache-control <value>] [--content-disposition <value>] [--content-encoding <value>] [--content-language <value>] [--expires <value>] [--source-region <value>] [--only-show-errors] [--no-progress] [--page-size <value>] [--ignore-glacier-warnings] [--force-glacier-transfer] [--request-payer <value>] [--metadata <value>] [--metadata-directive <value>] [--size-only] [--exact-timestamps] [--delete]
CLI s3cmd Install
sudo -i cd /root/misc git clone cd s3cmd python install s3cmd --version exit
Simple Backup Procedure With Retention Policy
Encrypted Incremental Backups with S3cmd
Install Error: No module named setuptools
If you receive the following error...
Traceback (most recent call last): File "", line 7, in <module> from setuptools import setup ImportError: No module named setuptools
...then install the setuptools python module using pip...
sudo -i cd /root/misc wget python pip install --upgrade setuptools
sudo -i cd /root/misc/s3cmd git pull python install s3cmd --version exit
s3cmd --configure
Tweak Settings
nano ~/.s3cfg
bucket_location = EU host_bucket = %(bucket)
Create A Bucket
s3cmd mb s3://uniquename.subname.whatever
List Buckets
s3cmd ls
List Contents Of Buckets
s3cmd ls s3://uniquename.subname.whatever/
Create Directory
This is a bit strange but you have to upload a file to the whole folder tree that is not there. It will then create the folders and subfolders as part of the process.
s3cmd put /tmp/test.txt s3://uniquename.subname.whatever/folder/subfolder/test.txt
Upload Files (Test)
s3cmd put --recursive --dry-run ~/folder s3://uniquename.subname.whatever/
Upload Files
s3cmd put --recursive ~/folder s3://uniquename.subname.whatever/
Sync Files
s3cmd sync --verbose ~/folder s3://uniquename.subname.whatever/
This will delete files from S3 that do not exist on your local drive.
This will allow you to clear up your local drive and S3 bucket at the same time.
s3cmd sync --verbose ~/folder --delete-removed s3://uniquename.subname.whatever/
Example: Backup Dovecot Emails Script
#!/bin/bash cd /var/vmail/ && \ /bin/tar -cpf && \ /usr/local/bin/s3cmd --quiet put /var/vmail/ s3:// && \ /usr/local/bin/s3cmd ls -H s3://
Calculate Size of Bucket
Log in > S3 > Click on Bucket > Select All (tickboxes) > More > Get Size
aws s3 ls --summarize --human-readable --recursive s3://bucket/
s3cmd du s3://bucket/ --human-readable
Restrict Access From An IP Address
{ "Version": "2012-10-17", "Id": "S3PolicyIPRestrict", "Statement": [ { "Sid": "IPAllow", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "s3:*", "Resource": "arn:aws:s3:::bucket/*", "Condition" : { "IpAddress" : { "aws:SourceIp": "" }, "NotIpAddress" : { "aws:SourceIp": "" } } } ] }
Android App
Bucket Policy Examples
Read Only Access To Single Bucket
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:List*", "s3:Get*" ], "Resource": "arn:aws:s3:::bucketname" } ] }
or, longer full version...
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:ListBucketByTags", "s3:GetLifecycleConfiguration", "s3:ListBucketMultipartUploads", "s3:GetBucketTagging", "s3:GetInventoryConfiguration", "s3:GetBucketWebsite", "s3:ListBucketVersions", "s3:GetBucketLogging", "s3:ListBucket", "s3:GetAccelerateConfiguration", "s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:GetBucketNotification", "s3:GetBucketPolicy", "s3:GetReplicationConfiguration", "s3:GetEncryptionConfiguration", "s3:GetBucketRequestPayment", "s3:GetBucketCORS", "s3:GetAnalyticsConfiguration", "s3:GetMetricsConfiguration", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::mybucketname" } ] }
Read Only Access To Single Bucket For Specific User
{ "Version": "2012-10-17", "Statement": [ { "Sid": "statement1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::AccountB-ID:user/Dave" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucketname/*" } ] }
Restrict To Single Bucket
Example 1
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ListObjectsInBucket", "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::bucket-name"] }, { "Sid": "AllObjectActions", "Effect": "Allow", "Action": "s3:*Object", "Resource": ["arn:aws:s3:::bucket-name/*"] } ] }
Example 2
{ "Statement": [ { "Action": "s3:ListAllMyBuckets", "Effect": "Allow", "Resource": "arn:aws:s3:::*" } { "Action": "s3:*", "Effect": "Allow", "Resource": "arn:aws:s3:::mybucketname" } ] }
{ "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads" ], "Resource": "arn:aws:s3:::mybucketname", "Condition": {} }, { "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:GetObjectVersionAcl", "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectAclVersion" ], "Resource": "arn:aws:s3:::mybucketname/*", "Condition": {} }, { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*", "Condition": {} } ] }
Event Notifications
Edit your Topic Policy to allow S3 to publish events to SNS...
{ "Version": "2008-10-17", "Id": "example-ID", "Statement": [ { "Sid": "example-statement-ID", "Effect": "Allow", "Principal": { "AWS":"*" }, "Action": [ "SNS:Publish" ], "Resource": "Topic-ARN", "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:s3:*:*" } } } ] }
Lifecycle Storage Management with Glacier
Because Amazon S3 maintains the mapping between your user-defined object name and Amazon Glacier’s system-defined identifier, Amazon S3 objects that are stored using the Amazon Glacier option are only accessible through the Amazon S3 APIs or the Amazon S3 Management Console.
To put this in slightly simpler terms, S3 doesn't create Glacier archives that you own or can manipulate. S3 creates Glacier archives that S3 owns and manages.
Your only interface to these objects is through S3, which makes requests to Glacier on your behalf. So, for your questions, the answer for each one is essentially the same:
It doesn't matter. The archives are managed by S3 and are not user-accessible via the Glacier API or console.
AWS S3 Lifecycle Storage Management with Glacier
S3 CloudFront Error Access Denied
WARNING: Redirected To
Replace the bucket_host in the .s3cfg file with the one from the warning.
host_bucket = %(bucket)
Thanks to
rclone - rsync for cloud storage
CloudBerry Backup
Cloudberry - Simple backup software that stores the data in its simple folder structure.
It has a web based interface available at port 43210 -
Cyberduck - Mounts the S3 storage in your desktop (Windows or Mac) file browser.
S3 Sync (Windows)
$29.99 USD
Bonkey (The Backup Monkey) (Mac & Windows)
Duplicati (Crossplatform)
Once installed you Duplicati will open a web interface: