S3 bucket basics (create, configure, access)
Topic: Cloud aws core
Summary
Create an S3 bucket in a region; set bucket policy and block public access; upload and download objects. Use this when you need object storage for backups, static assets, or a data lake and want to do it securely with the right permissions.
Intent: How-to
Quick answer
- Create the bucket in the AWS console or with aws s3 mb s3://bucket-name --region region. Bucket names are globally unique. Turn on Block Public Access (all four settings) unless you need public read for static hosting.
- Upload: aws s3 cp file s3://bucket-name/key or console upload. Download: aws s3 cp s3://bucket-name/key file. Use an IAM policy to allow s3:GetObject, s3:PutObject, s3:ListBucket as needed; avoid a bucket policy that allows Principal *.
- Enable versioning for critical buckets so you can recover from overwrite or delete. Use lifecycle rules to transition to Glacier or expire old versions; enable encryption (SSE-S3 or SSE-KMS) for data at rest.
Steps
- Create bucket
  Console: S3 -> Create bucket; choose name (globally unique), region, and options. CLI: aws s3 mb s3://my-bucket --region us-east-1. Enable Block Public Access (recommended).
- Set permissions
  Use IAM policies to grant users/roles s3:GetObject, s3:PutObject, s3:ListBucket, etc. on the bucket and prefix. Use a bucket policy only for cross-account or public read (e.g. static site); never use Principal * with broad actions.
- Upload and download
  Upload with aws s3 cp local s3://bucket/key or aws s3 sync dir s3://bucket/prefix. Download with cp or sync in reverse. Use presigned URLs for temporary public access without exposing credentials.
- Harden and protect
  Enable versioning for recovery; enable server-side encryption (SSE-S3 or SSE-KMS). Add lifecycle rules for transition or expiration. Enable access logging to another bucket for audit.
Summary
Create a bucket with a unique name and Block Public Access; set IAM and optionally bucket policy for access. Upload and download via CLI or console; enable versioning and encryption for critical data. Use this to get started with S3 securely.
Prerequisites
None.
Steps
Step 1: Create bucket
Create in console or CLI; choose region; enable Block Public Access.
Step 2: Set permissions
Grant least privilege via IAM; use bucket policy only for cross-account or controlled public access.
Step 3: Upload and download
Use cp and sync; use presigned URLs for temporary access.
Step 4: Harden and protect
Enable versioning, encryption, and lifecycle; enable access logging.
Verification
Bucket exists; you can upload and download with the intended credentials; public access is blocked unless explicitly configured.
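One way to check the last point offline, as an added example that is not part of the original page: run the function below over the parsed policy document returned by aws s3api get-bucket-policy and the PublicAccessBlockConfiguration object returned by aws s3api get-public-access-block. The function names, severity labels and sample input (bucket name, account ID) are assumptions constructed for illustration; Condition blocks are reported for manual review, not evaluated.

```python
import json
# The four Block Public Access settings, as named in the S3 API.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_wildcard(principal):
    """True for "Principal": "*" and for {"AWS": "*"} (string or list)."""
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return principal == "*"

def audit_bucket(policy, bpa):
    """Return (severity, where, detail) findings for one bucket."""
    findings = [("high", "BPA", f"{flag} is off")
                for flag in BPA_FLAGS if not bpa.get(flag, False)]
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not is_wildcard(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        if "Condition" in stmt:  # not evaluated here; needs a human reader
            findings.append(("review", sid, "Principal * limited only by Condition"))
            continue
        # NotAction with Principal * allows everything except the listed actions.
        actions = as_list(stmt["Action"]) if "Action" in stmt else ["NotAction"]
        for action in actions:
            if action.lower() == "s3:getobject":
                findings.append(("info", sid, "public read (static hosting case)"))
            else:
                findings.append(("high", sid, f"Principal * allowed {action}"))
    return findings

# Constructed sample input (assumed names and account ID), not a real bucket.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "StaticSite", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "TooBroad", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": ["s3:PutObject", "s3:*"], "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "Partner", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
SAMPLE_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_POLICY, SAMPLE_BPA):
        print(*finding, sep=" | ")
```

An empty result means all four Block Public Access settings are on and no Allow statement names Principal *; the cross-account Partner statement in the sample passes because its principal is a specific account.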
Troubleshooting
- Access denied: Check IAM policy (s3:GetObject, ListBucket, etc.) and bucket policy; check Block Public Access.
- Bucket name taken: Bucket names are global; choose a different name.