December 19, 2021 10:58 am GMT

Five S3 functionalities that are only available through AWS CLI/SDK

During my learning, I discovered five S3 functionalities that are only available through the AWS CLI:

1. Configuring S3 MFA delete

When working with S3 Versioning in Amazon S3 buckets, you can optionally add another layer of security by configuring a bucket to enable MFA (multi-factor authentication) delete. When you do this, the bucket owner must include two forms of authentication in any request to delete a version or change the versioning state of the bucket.

MFA delete requires additional authentication for either of the following operations:

  • Changing the versioning state of your bucket (suspend bucket versioning)

  • Permanently deleting an object version (delete a versioned object)

MFA delete requires two forms of authentication together:

  • Your security credentials

  • The concatenation of a valid serial number, a space, and the six-digit code displayed on an approved authentication device

In order to enable MFA delete, we need to follow the steps below.

Configure the AWS CLI
Create an AWS access key and then execute aws configure to set up your credentials.
This is not best practice for security purposes, but we will use it for the current exercise only.

Command to enable MFA delete
In the command below, 213849 is the six-digit authentication code from the MFA device.

[ec2user@some-ip ~]$ aws s3api put-bucket-versioning --profile default --bucket testbucketmfa --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::XXXXXXXXXXXX:mfa/account-mfa-device 213849"

Command to disable MFA delete

[ec2user@some-ip ~]$ aws s3api put-bucket-versioning --profile default --bucket testbucketmfa --versioning-configuration Status=Enabled,MFADelete=Disabled --mfa "arn:aws:iam::XXXXXXXXXXXX:mfa/account-mfa-device 987543"

2. S3 Pre-signed URLs

All objects in S3 are private by default. Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a presigned URL, using their own security credentials, to grant time-limited permission to download the objects.

The command below uses the AWS CLI. We can also generate pre-signed URLs using the AWS SDK.

aws s3 presign s3://testbucket202119/smiley.jpg --region ap-southeast-2

The above command will generate a URL, for example:

https://testbucket202119.s3.amazonaws.com/smiley.jpg?AWSAccessKeyId=AKIAYYDMCK6YRXWASPX2&Expires=1639901714&Signature=VGcqq8ilnCtkd8OTFJP4aMidqI4%3D
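
The sample URL above carries AWSAccessKeyId, Expires and Signature parameters, which is the shape of the legacy Signature Version 2 query-string scheme. The following Python example is added here and is not code from the original article: using constructed credentials and hypothetical helper names (presign, inspect), it shows that the expiry time is covered by the signature, so the URL works for anyone who holds it until Expires and cannot be extended without the secret key.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed credentials for illustration only (assumptions, not from the article).
ACCESS_KEY = "AKIAEXAMPLEKEYID0000"
SECRET_KEY = "constructed-secret-key"


def sigv2_signature(secret, bucket, key, expires):
    """Base64 HMAC-SHA1 over the SigV2 query-string string-to-sign for a GET."""
    # Fields: verb, Content-MD5, Content-Type, Expires, canonical resource.
    string_to_sign = f"GET\n\n\n{expires}\n/{bucket}/{quote(key)}"
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def presign(bucket, key, expires):
    """Build a URL shaped like the sample above (hypothetical helper)."""
    sig = quote(sigv2_signature(SECRET_KEY, bucket, key, expires), safe="")
    return (f"https://{bucket}.s3.amazonaws.com/{quote(key)}"
            f"?AWSAccessKeyId={ACCESS_KEY}&Expires={expires}&Signature={sig}")


def inspect(url, now):
    """Check a presigned URL the way the receiving service would (hypothetical helper)."""
    parts = urlsplit(url)
    query = {name: values[0] for name, values in parse_qs(parts.query).items()}
    bucket = parts.hostname.split(".s3.")[0]
    key = unquote(parts.path.lstrip("/"))
    expires = int(query["Expires"])
    expected = sigv2_signature(SECRET_KEY, bucket, key, expires)
    return {
        "access_key_id": query["AWSAccessKeyId"],  # readable by anyone holding the URL
        "seconds_left": expires - now,
        "expired": now > expires,
        "signature_valid": hmac.compare_digest(
            expected.encode(), query["Signature"].encode()),
    }


if __name__ == "__main__":
    url = presign("testbucket202119", "smiley.jpg", 1639901714)
    print(inspect(url, now=1639901714 - 3600))
    # Changing Expires without the secret key breaks the signature.
    tampered = url.replace("Expires=1639901714", "Expires=1739901714")
    print(inspect(tampered, now=1639901714))
```

Because the URL alone is enough to download the object until it expires, keep the lifetime short and handle the URL like a credential when it appears in logs, tickets or chat.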

3. Upload files to S3 Glacier Vault

S3 Glacier Vault is a container for storing archives.

Command to create a vault

aws glacier create-vault --vault-name testvault --account-id [AccountId]

Command to upload an archive to a vault

aws glacier upload-archive --account-id [AccountId] --vault-name testvault --body HappyFace.jpg

4. S3 Multi Part Upload

Multipart upload allows you to upload a single object as a set of parts. Each part is a contiguous portion of the object's data. You can upload these parts in any order.
In general, when your object size reaches 100 MB, you should consider using multipart uploads instead of uploading the object in a single operation.

We can use either the high-level aws s3 commands or the low-level aws s3api commands. You can find more information in the AWS article "How do I use the AWS CLI to perform a multipart upload of a file to Amazon S3?"

5. S3 Access point through VPC

Amazon S3 Access Points, a feature of S3, simplify data access for any AWS service or customer application that stores data in S3. With S3 Access Points, customers can create unique access control policies for each access point to easily control access to shared datasets.

The S3 console doesn't support accessing bucket resources using a virtual private cloud (VPC) access point. To access bucket resources from a VPC access point, use the AWS CLI, AWS SDK, or Amazon S3 REST API.


Please let me know your thoughts in the comments.


Original Link: https://dev.to/kasukur/five-s3-functionalities-that-are-only-available-through-aws-clisdk-4p4i
