AWS S3 Primer
Everything you need to know about S3 buckets, objects, keys, regions, and the shared-responsibility model — distilled for builders who ship fast.
What S3 actually is
S3 is an object store, not a filesystem. You put objects (files + metadata) into buckets (flat containers). Every object lives at a unique key — think of it as the full path. There are no folders; the console fakes them by splitting keys on /.
Buckets, regions, and naming
Bucket names are globally unique across all AWS accounts. Choose a region close to your users — data never leaves that region unless you explicitly replicate it. Names must be DNS-compliant: lowercase, no underscores, 3–63 characters.
Public vs private by default
Every new bucket is private: Block Public Access is on by default. If you genuinely need public objects, you turn Block Public Access off for that bucket and then grant access with per-object ACLs or a bucket policy. Prefer CloudFront signed URLs over wide-open buckets.
Storage classes at a glance
- S3 Standard — hot data, millisecond retrieval, 99.99% availability.
- Intelligent-Tiering — auto-moves objects when access patterns change.
- Glacier Instant — rarely accessed, instant retrieval, cheaper storage.
- Glacier Deep Archive — cheapest, hours to retrieve, compliance archives.
Security essentials
Enable default encryption (SSE-S3 or SSE-KMS). Use IAM policies for programmatic access, pre-signed URLs for temporary sharing, and VPC endpoints to keep traffic off the public internet. Turn on bucket versioning before you need it — it is not retroactive.
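To make the "private by default, encrypted, TLS-only" posture concrete, here is an added example (not part of this primer or of any AWS SDK) that builds a bucket policy denying plaintext-HTTP requests and uploads that do not ask for SSE-KMS, and a small audit helper that flags any Allow statement open to everyone. Bucket and Sid names are made up for illustration.

```python
import json


def hardened_bucket_policy(bucket):
    """Build a bucket policy that enforces TLS and SSE-KMS on uploads.

    Note: the encryption Deny only passes requests that carry the
    x-amz-server-side-encryption header explicitly; clients relying on
    the bucket's default encryption (no header) will be rejected.
    """
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # reject every request that is not made over TLS
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # reject PutObject unless the caller asks for SSE-KMS
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"}},
            },
        ],
    }


def public_allow_statements(policy):
    """Return the Sids of Allow statements granted to everyone (Principal '*')."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if wildcard:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    print(json.dumps(hardened_bucket_policy("example-payloads"), indent=2))
```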
Nimbus uses S3 for signed payload distribution, update manifests, and offline grace caches. Every object is SSE-KMS encrypted, delivered through CloudFront with signed URLs, and versioned so rollbacks are instant.