Amazon Simple Storage Service (S3) is an object storage service offering industry-leading scalability, data availability, security, and performance. It stores data as objects within buckets, supporting any file type up to 5TB per object. S3 provides 99.999999999% (11 nines) durability and integrates with virtually every AWS service.

How much does S3 cost?

S3 pricing varies by storage class and region. Standard storage costs ~$0.023/GB/month in us-east-1. You also pay for requests (PUT/GET), data transfer out, and optional features. For infrequent access, Standard-IA costs ~$0.0125/GB. Glacier Deep Archive costs just ~$0.00099/GB for long-term archival. Use lifecycle policies and Intelligent-Tiering to optimize costs automatically.

What's the difference between S3 buckets and objects?

Buckets are top-level containers with globally unique names that hold objects. Objects are the actual files you store, consisting of data, metadata, and a unique key (path). Think of buckets as root folders and keys as file paths. Each AWS account can have up to 100 buckets (soft limit), and each bucket can hold unlimited objects.

Should I use S3 Standard or Intelligent-Tiering?

Use S3 Standard when you know data will be frequently accessed (CDN origins, active application data). Use Intelligent-Tiering when access patterns are unknown or unpredictable—it automatically moves data between tiers based on usage with no retrieval fees. The small monitoring fee ($0.0025/1000 objects/month) is offset by savings on infrequently accessed data.

How do I secure S3 buckets?

Secure S3 with multiple layers: (1) Block Public Access settings (enabled by default), (2) Bucket policies for fine-grained access control, (3) IAM policies for user/role permissions, (4) Server-side encryption (SSE-S3 or SSE-KMS), (5) Access logging and CloudTrail for auditing, (6) VPC endpoints for private access, (7) Object Lock for immutability. Never use ACLs for new buckets—use policies instead.

What's the best way to upload large files to S3?

For files over 100MB, use multipart upload which the AWS CLI handles automatically. Configure thresholds with 'aws configure set s3.multipart_threshold 64MB' and chunk sizes with 's3.multipart_chunksize 16MB'. Increase concurrent requests for faster uploads. For very large uploads, consider S3 Transfer Acceleration or AWS Snow family devices.

How do I back up data to S3?

Use aws s3 sync for incremental backups—it only transfers changed files. For disaster recovery, enable Cross-Region Replication to copy data to another region automatically. Combine versioning with lifecycle policies to retain multiple versions while archiving old data to Glacier. For ransomware protection, use Object Lock in compliance mode.

Can S3 host a static website?

Yes, S3 can host static websites (HTML, CSS, JavaScript) directly. Enable static website hosting in bucket settings, set index and error documents, and configure bucket policy for public read access. For HTTPS and custom domains, add CloudFront as a CDN in front of S3. This is ideal for SPAs, documentation sites, and landing pages.

What is S3 versioning and when should I use it?

Versioning keeps multiple variants of objects in the same bucket. When you overwrite or delete an object, S3 preserves the previous version. Enable versioning for: data protection against accidental deletion, audit trails, recovery from application errors, and compliance requirements. Note that versions accumulate storage costs—use lifecycle policies to manage old versions.

How do I choose between S3 and EBS/EFS?

S3 is object storage accessed via HTTP API—ideal for static assets, backups, data lakes, and web content. EBS is block storage attached to EC2 instances—use for databases and application data requiring a filesystem. EFS is managed NFS for shared file access across multiple instances. Use S3 for most storage needs unless you need POSIX filesystem semantics or ultra-low latency.

AWS S3 Complete Guide: Storage, CLI, Security & Cost Optimization

Amazon S3 has become the de facto standard for cloud storage, powering everything from startup backups to Netflix's global content delivery. With over 100 trillion objects stored and 99.999999999% durability, S3 handles more data than any other cloud storage service. But its flexibility—seven storage classes, multiple access control mechanisms, and hundreds of configuration options—can be overwhelming.

This guide provides a comprehensive overview of S3 and serves as a roadmap to our specialized guides on specific topics.

S3 Architecture Overview

┌─────────────────────────────────────────────────────────────────────────┐
│                            AWS S3 ARCHITECTURE                          │
└─────────────────────────────────────────────────────────────────────────┘
                                      │
         ┌────────────────────────────┼────────────────────────────┐
         │                            │                            │
         ▼                            ▼                            ▼
┌─────────────────┐        ┌─────────────────┐        ┌─────────────────┐
│     BUCKETS     │        │     OBJECTS     │        │    STORAGE      │
│                 │        │                 │        │    CLASSES      │
├─────────────────┤        ├─────────────────┤        ├─────────────────┤
│ • Global names  │        │ • Data (0-5TB)  │        │ • Standard      │
│ • Region-based  │        │ • Key (path)    │        │ • Int-Tiering   │
│ • 100/account   │        │ • Metadata      │        │ • Standard-IA   │
│ • Policies/ACLs │        │ • Version ID    │        │ • Glacier tiers │
└─────────────────┘        └─────────────────┘        └─────────────────┘
         │                            │                            │
         │                            ▼                            │
         │                 ┌─────────────────┐                     │
         │                 │    SECURITY     │                     │
         │                 ├─────────────────┤                     │
         │                 │ • IAM policies  │                     │
         │                 │ • Bucket policy │                     │
         │                 │ • Encryption    │                     │
         │                 │ • Block Public  │                     │
         │                 │ • VPC endpoints │                     │
         │                 └─────────────────┘                     │
         │                            │                            │
         └────────────────────────────┴────────────────────────────┘
                                      │
                                      ▼
                         ┌─────────────────────┐
                         │   DATA MANAGEMENT   │
                         ├─────────────────────┤
                         │ • Versioning        │
                         │ • Lifecycle rules   │
                         │ • Replication       │
                         │ • Object Lock       │
                         └─────────────────────┘

Core Concepts

Buckets

Buckets are containers for objects. Key characteristics:

Globally unique names — Bucket names must be unique across all AWS accounts worldwide
Region-specific — Buckets are created in a specific AWS region for data residency and latency
Flat namespace — S3 has no actual folder hierarchy; "folders" are simulated via key prefixes
Limit of 100 per account — Soft limit that can be increased via support request

# Create a bucket
aws s3 mb s3://my-unique-bucket-name --region us-east-1

# List buckets
aws s3 ls

Objects

Objects are the files you store in S3:

Key — The unique identifier (path) within a bucket, e.g., images/photo.jpg
Data — The actual content, from 0 bytes to 5TB
Metadata — System and user-defined key-value pairs
Version ID — Unique identifier when versioning is enabled

# Upload an object
aws s3 cp photo.jpg s3://my-bucket/images/photo.jpg

# Object URL format
# https://bucket-name.s3.region.amazonaws.com/key
# https://my-bucket.s3.us-east-1.amazonaws.com/images/photo.jpg

Keys and Prefixes

S3 uses a flat structure, but prefixes simulate folders:

my-bucket/
├── images/           ← prefix
│   ├── photo.jpg     ← key: images/photo.jpg
│   └── logo.png      ← key: images/logo.png
├── documents/        ← prefix
│   └── report.pdf    ← key: documents/report.pdf
└── index.html        ← key: index.html

Prefixes enable:

Organized listing (aws s3 ls s3://bucket/images/)
Lifecycle rules by prefix
Access policies by prefix
Efficient parallel operations

Quick-Start Decision Matrix

What do you need to do with S3?
│
├─► Store frequently accessed data
│   └─► Use S3 Standard
│       See: aws-s3-storage-classes-guide
│
├─► Store rarely accessed data (but need instant access)
│   └─► Use S3 Standard-IA or Intelligent-Tiering
│       See: aws-s3-storage-classes-guide
│
├─► Long-term archive (compliance, backups)
│   └─► Use S3 Glacier (Instant/Flexible/Deep Archive)
│       See: aws-s3-glacier-backup-guide
│
├─► Upload/download files via CLI
│   └─► Use aws s3 cp (single files) or aws s3 sync (directories)
│       See: aws-s3-cli-commands-reference
│
├─► Keep directories in sync
│   └─► Use aws s3 sync with --delete for mirroring
│       See: aws-s3-sync-vs-copy
│
├─► Protect against accidental deletion
│   └─► Enable versioning + lifecycle policies
│       See: aws-s3-versioning-replication-guide
│
├─► Disaster recovery across regions
│   └─► Enable Cross-Region Replication
│       See: aws-s3-versioning-replication-guide
│
├─► Secure sensitive data
│   └─► Use encryption, bucket policies, VPC endpoints
│       See: aws-s3-security-best-practices
│
└─► Protect against ransomware
    └─► Use Object Lock in compliance mode
        See: aws-s3-security-best-practices

Guide Directory

Getting Started

Guide	Description	Time
S3 CLI Commands Reference	Complete reference for cp, sync, mv, rm, ls and advanced options	15 min
Sync vs Copy	When to use each command for uploads, backups, and deployments	10 min

Storage & Cost Optimization

Guide	Description	Time
S3 Storage Classes Guide	Compare all 7 storage classes with pricing and use cases	15 min
Glacier Backup Guide	Long-term archive, compliance, and cost optimization	15 min

Security & Compliance

Guide	Description	Time
S3 Security Best Practices	Encryption, access control, bucket policies, and compliance	15 min

Data Protection & DR

Guide	Description	Time
Versioning & Replication Guide	Version control, cross-region replication, disaster recovery	15 min

CLI Essentials

The AWS CLI is the most efficient way to manage S3 at scale. Here's a quick reference of essential commands:

Essential Commands

Command	Purpose	Example
`aws s3 ls`	List buckets/objects	`aws s3 ls s3://bucket/prefix/`
`aws s3 cp`	Copy files	`aws s3 cp file.txt s3://bucket/`
`aws s3 sync`	Synchronize directories	`aws s3 sync ./local s3://bucket/`
`aws s3 mv`	Move/rename	`aws s3 mv s3://bucket/old s3://bucket/new`
`aws s3 rm`	Delete objects	`aws s3 rm s3://bucket/file.txt`
`aws s3 mb`	Create bucket	`aws s3 mb s3://new-bucket`
`aws s3 rb`	Delete bucket	`aws s3 rb s3://bucket --force`
`aws s3 presign`	Generate temporary URL	`aws s3 presign s3://bucket/file --expires-in 3600`

Common Patterns

# Upload a directory recursively
aws s3 cp ./dist s3://my-bucket/ --recursive

# Sync with deletion (mirror)
aws s3 sync ./local s3://bucket/ --delete

# Always preview first
aws s3 sync ./local s3://bucket/ --delete --dryrun

# Upload with specific storage class
aws s3 cp backup.tar.gz s3://bucket/ --storage-class GLACIER

# Exclude patterns
aws s3 sync ./project s3://bucket/ --exclude "*.log" --exclude "node_modules/*"

For complete CLI documentation, see our S3 CLI Commands Reference.

Storage Class Overview

S3 offers seven storage classes optimized for different access patterns:

Class	Use Case	Storage Cost*	Retrieval	Min Duration
Standard	Frequent access	$0.023/GB	Instant, free	None
Intelligent-Tiering	Unknown patterns	$0.023-0.004/GB	Instant, free	None
Standard-IA	Infrequent access	$0.0125/GB	Instant, $0.01/GB	30 days
One Zone-IA	Recreatable data	$0.01/GB	Instant, $0.01/GB	30 days
Glacier Instant	Archive (quarterly)	$0.004/GB	Instant, $0.03/GB	90 days
Glacier Flexible	Archive (yearly)	$0.0036/GB	1-12 hours	90 days
Glacier Deep Archive	Compliance (7+ yr)	$0.00099/GB	12-48 hours	180 days

*Prices for us-east-1; vary by region.

Cost Optimization Strategy

┌─────────────────────────────────────────────────────────────┐
│                 LIFECYCLE COST OPTIMIZATION                  │
└─────────────────────────────────────────────────────────────┘

   Day 0          Day 30         Day 90         Day 365
     │               │              │               │
     ▼               ▼              ▼               ▼
┌─────────┐    ┌───────────┐   ┌─────────┐    ┌───────────┐
│Standard │───►│Standard-IA│──►│ Glacier │───►│Deep Archive│
│$0.023/GB│    │$0.0125/GB │   │$0.0036/GB│   │$0.00099/GB │
└─────────┘    └───────────┘   └─────────┘    └───────────┘
   Active         Warm            Cold           Frozen
   data          backup         archive        compliance

For detailed storage class comparisons and lifecycle policies, see our Storage Classes Guide.

Security Fundamentals

S3 security follows the principle of least privilege with multiple control layers:

Access Control Hierarchy

┌─────────────────────────────────────────────────────────────┐
│                    S3 ACCESS CONTROL                         │
└─────────────────────────────────────────────────────────────┘
                              │
        ┌─────────────────────┼─────────────────────┐
        │                     │                     │
        ▼                     ▼                     ▼
┌───────────────┐    ┌───────────────┐    ┌───────────────┐
│ BLOCK PUBLIC  │    │ IAM POLICIES  │    │BUCKET POLICIES│
│    ACCESS     │    │               │    │               │
├───────────────┤    ├───────────────┤    ├───────────────┤
│ • Account level│   │ • User perms  │    │ • Cross-acct  │
│ • Bucket level │   │ • Role perms  │    │ • Public access│
│ • Default: ON  │   │ • Fine-grained│    │ • Conditions  │
└───────────────┘    └───────────────┘    └───────────────┘

Security Checklist

Block Public Access enabled at account level
Server-side encryption enabled (SSE-S3 or SSE-KMS)
Bucket policies restrict access to authorized principals
IAM policies follow least privilege
Access logging enabled for audit trails
Versioning enabled for critical data
MFA Delete required for sensitive buckets
VPC endpoints for private access from EC2

Encryption Options

Type	Key Management	Use Case
SSE-S3	AWS-managed	Default encryption, simplest
SSE-KMS	Customer-managed in KMS	Audit trails, key rotation, policies
SSE-C	Customer-provided	Full key control, you manage keys
Client-side	Client-managed	Encrypt before upload

# Upload with SSE-S3 encryption
aws s3 cp file.txt s3://bucket/ --sse AES256

# Upload with SSE-KMS encryption
aws s3 cp file.txt s3://bucket/ --sse aws:kms --sse-kms-key-id alias/my-key

For comprehensive security guidance, see our S3 Security Best Practices.

Backup and Disaster Recovery

Versioning

Versioning preserves every version of every object:

# Enable versioning
aws s3api put-bucket-versioning \
  --bucket my-bucket \
  --versioning-configuration Status=Enabled

# List versions
aws s3api list-object-versions --bucket my-bucket --prefix file.txt

Cross-Region Replication

Automatically replicate objects to another region for disaster recovery:

# Replication copies to DR region
my-bucket (us-east-1) ──────► dr-bucket (us-west-2)
          Primary                    Replica

Key features:

Real-time replication — Objects copied within seconds
Different storage class — Store replica in Glacier for cost savings
Selective replication — Filter by prefix or tags
Bi-directional — Sync changes both ways (optional)

For complete coverage, see our Versioning and Replication Guide.

Best Practices Checklist

Organization

Use consistent naming conventions for buckets
Organize objects with prefixes that match your access patterns
Tag buckets and objects for cost allocation and management
Document bucket purposes and retention policies

Performance

Use multipart upload for files >100MB
Enable Transfer Acceleration for global uploads
Use CloudFront for frequently accessed content
Parallelize operations with multiple keys

Cost

Implement lifecycle policies for all buckets
Use Intelligent-Tiering for unpredictable access patterns
Enable S3 Storage Lens for visibility into usage
Review storage class distribution monthly

Security

Enable Block Public Access at account level
Use bucket policies over ACLs
Enable encryption by default
Enable access logging for compliance buckets
Use VPC endpoints for private access

Reliability

Enable versioning for critical data
Configure Cross-Region Replication for DR
Use Object Lock for compliance and ransomware protection
Test restore procedures regularly

Common Use Cases

Static Website Hosting

# Enable website hosting
aws s3 website s3://my-website-bucket/ \
  --index-document index.html \
  --error-document error.html

# Sync website files
aws s3 sync ./dist s3://my-website-bucket/ \
  --delete \
  --cache-control "max-age=31536000"

Database Backup

# Automated backup script
#!/bin/bash
DATE=$(date +%Y-%m-%d)
pg_dump mydb | gzip | aws s3 cp - s3://backups/db/mydb-$DATE.sql.gz

# Lifecycle policy transitions to Glacier after 30 days

Data Lake Storage

# Structure for data lake
data-lake-bucket/
├── raw/              # Landing zone
│   └── 2026/01/17/   # Partitioned by date
├── processed/        # Cleaned data
├── curated/          # Business-ready
└── archive/          # Historical (Glacier)

Log Aggregation

# Sync logs from multiple servers
aws s3 sync /var/log/app s3://logs/server-01/ --exclude "*.tmp"

# Lifecycle: Standard → IA (30d) → Glacier (90d) → Delete (365d)

Troubleshooting

Common Errors

Error	Cause	Solution
AccessDenied	Missing IAM/bucket permissions	Check policies, use IAM Policy Simulator
NoSuchBucket	Bucket doesn't exist	Verify bucket name and region
NoSuchKey	Object doesn't exist	Check key path (case-sensitive)
SlowDown	Request rate exceeded	Implement exponential backoff
EntityTooLarge	File >5GB for single PUT	Use multipart upload
InvalidAccessKeyId	Wrong credentials	Run `aws configure`

Debug Commands

# Test permissions
aws s3 ls s3://my-bucket/ --debug

# Check bucket policy
aws s3api get-bucket-policy --bucket my-bucket

# Verify encryption settings
aws s3api get-bucket-encryption --bucket my-bucket

# Check Block Public Access
aws s3api get-public-access-block --bucket my-bucket

Next Steps

Based on your needs, continue with these specialized guides:

New to S3 CLI? Start with CLI Commands Reference
Optimizing costs? Read Storage Classes Guide
Setting up backups? See Glacier Backup Guide
Securing buckets? Follow Security Best Practices
Need disaster recovery? Check Versioning & Replication Guide

For building S3 commands visually, use our AWS S3 Command Generator to avoid syntax errors and ensure best practices.