07. Storage with S3

Importance of Partitioning

Partitioning data in Amazon S3 is a crucial technique for optimizing query performance and simplifying data management, particularly in data lake architectures. It essentially involves organizing data into a logical folder structure within your S3 buckets.

What is Partitioning?

• Folder Structure: Partitioning creates a hierarchical directory structure (folders and subfolders) within your S3 buckets.
• Attribute-Based Organization: This structure is based on specific attributes of your data.
  • Time-Based Partitioning (Most Common): Data is often organized by time, for example, /year/month/day/.
  • Other Attributes: You can also partition by other relevant attributes like region, product_id, customer_id, etc., depending on how your data is typically accessed or filtered.

Why is Partitioning Important?

1. Improved Query Performance:
   • Reduced Data Scans: When querying data using services like Amazon Athena or AWS Glue, partitioning significantly reduces the amount of data that needs to be scanned. Instead of scanning the entire dataset, the query engine can intelligently narrow down its search to only the relevant partitions (folders).
   • Cost Efficiency: Since many query services (like Athena) charge based on the amount of data scanned, partitioning can lead to substantial cost savings.
2. Enhanced Data Management:
   • Easier Organization: Provides a logical and intuitive way to organize large datasets in S3.
   • Simplified Lifecycle Rules: Enables easier application of S3 lifecycle rules. For instance, you can set rules to automatically move older partitions to a less expensive storage class or delete them after a certain period.

How Partitioning Works:

1. Organize Data into Folders:
   • You physically arrange your data files into folders and subfolders within S3 according to your chosen partitioning scheme (e.g., s3://your-bucket/data/year=2023/month=01/day=15/). The “key=value” syntax (e.g., year=2023) is a common convention and often required by querying tools.
2. Register Metadata with AWS Glue Data Catalog:
   • The folder structure itself is not enough. The metadata about these partitions (i.e., how the data is partitioned and the path to each partition) needs to be registered in the AWS Glue Data Catalog.
   • AWS Glue Crawlers: AWS Glue Crawlers can automatically discover new partitions and update the metadata in your Data Catalog, automating the process.
3. Querying with Athena:
   • When you execute a query in Amazon Athena (or similar services), Athena leverages the partition metadata from the Glue Data Catalog.
   • It only retrieves data from the specific partitions that match your query’s filter conditions, ignoring all other partitions. This targeted data retrieval leads to significantly faster query execution.

Choosing a Partitioning Strategy:

• The optimal partitioning strategy depends on how your data is most frequently filtered or aggregated.
• Analyze your typical query patterns to decide which attributes should form your partition keys. For example, if you often filter by date, time-based partitioning is highly effective. If you often filter by customer_id, then partitioning by customer_id might be more suitable.

Partitioning with Glue (Hands-on)

This hands-on guide demonstrates how to set up data partitioning in Amazon S3 using AWS Glue, illustrating its benefits for query performance and data management.

1. Setting up the S3 Bucket and Folder Structure:

• Create an S3 Bucket:
  • Navigate to the S3 console and create a new, globally unique bucket (e.g., nikolai-12343-test).
• Create Partition Folders:
  • Inside your new bucket, create top-level folders that will serve as your partitions. For this example, create:
    • London/
    • New York/
• Upload Data to Partitions:
  • Upload the sales_data_London.csv file into the London/ folder.
  • Upload the sales_data_New_York.csv file into the New York/ folder. 2. Setting up an AWS Glue Crawler:
• Navigate to Glue: Go to the AWS Glue console.
• Create a New Crawler:
  • Under “Crawlers,” click “Create crawler.”
  • Give it a name (e.g., PartitionsTest).
  • Click “Next.”
• Add Data Source:
  • Select “Data stores” as the source type.
  • Choose “S3” as the data store.
  • Browse to your S3 bucket and select the entire bucket. This allows the crawler to discover all subfolders and infer partitions.
  • Click “Add data source.”
  • Click “Next.”
• Choose IAM Role:
  • Select an existing IAM role that has permissions to access S3 and Glue, or create a new one.
  • Click “Next.”
• Configure Output:
  • Choose your desired Glue database for the table metadata (e.g., default).
  • You can optionally add a table name prefix.
  • Leave the frequency as “On demand.”
  • Click “Next” and then “Create crawler.”
• Run the Crawler:
  • Select your newly created crawler and click “Run.”
  • Wait for the crawler to complete (usually takes about a minute). The crawler summary should show “1 table changed” and “2 partition changes,” indicating it discovered the London and New York partitions. 3. Querying Partitioned Data with Athena:
• Access Athena: Go to the Amazon Athena console.
• Select Database and Table:
  • Choose your Glue database.
  • You should see a new table named after your S3 bucket (e.g., nikolai_12343_test). This table has been created by the Glue crawler.
• Preview Data:
  • Select the table and click “Preview table.”
  • You will see the combined data from both London and New York. Notice that a new column, likely named partition_0, has been automatically added by Glue to represent your S3 folder structure (London, New York).
• Demonstrate Partition Filtering:
  • Initial Query (without partition filter): Run the query SELECT * FROM "your-database"."your-bucket-name" WHERE location = 'New York' LIMIT 50; and then observe the “Data scanned” amount (this query scans all files, 1.06 KB).
  • Query with Partition Filter: Now run the query SELECT * FROM "your-database"."your-bucket-name" WHERE partition_0 = 'New York' LIMIT 50; and then observe the “Data scanned” amount. You will notice significantly less data scanned (e.g., 50% if there are only two partitions), because Athena only read data from the “New York” partition folder. This demonstrates the performance benefit of partitioning. 4. Handling New Data and Partitions:
• Adding Files to Existing Partitions:
  • In your S3 bucket, navigate to the London/ folder.
  • Upload another sales data file (e.g., sales_data_london_2.csv) into this existing folder.
  • Go back to Athena and rerun a query on the London data (e.g., SELECT * FROM "your-database"."your-bucket-name" WHERE partition_0 = 'London';). You will see the new data immediately, as long as it’s within an already registered partition.
• Adding New Partitions:
  • In your S3 bucket, create a new folder at the same level as London/ and New York/ (e.g., Tokyo/).
  • Upload a sales data file (e.g., sales_data_tokyo.csv) into the Tokyo/ folder.
  • Crucial Step: Update Metadata for New Partitions: If you query the table in Athena now, the data from “Tokyo” will not appear. This is because the new partition’s metadata is not yet registered in the Glue Data Catalog.
  • You have two main options to update the metadata:
    • Option 1 (Recommended for dynamic data): Rerun the Glue Crawler. Go back to the Glue console, select your crawler, and run it again. The crawler will discover the new Tokyo/ partition and update the table metadata.
    • Option 2 (Manual/Advanced): Add Partition Manually using DDL: Execute the following DDL in Athena: ALTER TABLE "your-database"."your-bucket-name" ADD PARTITION (partition_0 = 'Tokyo') LOCATION 's3://your-bucket-name/Tokyo/'. Note that your partition column might be partition_0, location, or something else depending on how Glue inferred it. You might need to adjust the column name in the ADD PARTITION command. A more robust way for convention-based partitioning (e.g., year=YYYY/month=MM/) is MSCK REPAIR TABLE "your-database"."your-bucket-name"; which automatically discovers and registers partitions following the key-value naming convention.
  • Verify New Data: After updating the metadata (either by rerunning the crawler or manually adding the partition), rerun your query in Athena. You should now see the “Tokyo” data included in your results, and the partition_0 column will show ‘Tokyo’ for those records.

Lifecycle Management & Storage Classes

Lifecycle management in Amazon S3 is crucial for data lakes, as it allows you to optimize storage costs and performance based on data access patterns and age. This involves transitioning objects between different S3 storage classes, each offering a unique balance of cost, access speed, and availability.

Why Lifecycle Management?

• Varying Usage Patterns: Data in a data lake often starts with high access frequency (e.g., for immediate analysis) and then gradually becomes less frequently accessed as it ages, eventually moving to long-term archive.
• Cost Optimization: By automatically moving data to cheaper storage classes as its access frequency decreases, you can significantly reduce storage costs.
• Compliance: Retaining data for compliance reasons, even if rarely accessed, can be managed cost-effectively with archival storage classes.

Understanding S3 Storage Classes: Here’s a breakdown of the primary S3 storage classes, ordered roughly by decreasing access frequency/cost and increasing retrieval time:

1. S3 Standard:
   • Use Case: Default choice for frequently accessed data.
   • Characteristics: Low latency, high throughput, and high availability (stored redundantly across multiple Availability Zones). Suitable for general-purpose storage where rapid and frequent access is required.
2. S3 Intelligent-Tiering:
   • Use Case: Ideal for data with unknown or changing access patterns.
   • Characteristics: Automatically moves objects between frequent access, infrequent access, and archive access tiers based on actual access patterns. It incurs a small monitoring and automation fee.
   • Tiers:
     • Frequent Access Tier: For active data.
     • Infrequent Access Tier: Data not accessed for 30 consecutive days.
     • Archive Instant Access Tier: Data not accessed for 90 consecutive days; still offers instant retrieval.
     • Optional Asynchronous Archive Access Tiers: Can be configured to move data to Glacier Flexible Retrieval and Glacier Deep Archive for even lower costs if it’s not accessed for longer periods. Restoration from these tiers is asynchronous (e.g., hours).
3. S3 Express One Zone:
   • Use Case: Extremely low-latency, high-performance storage for your most frequently accessed and latency-sensitive data.
   • Characteristics: Delivers consistent single-digit millisecond access. Up to 10x faster access and 50% lower request costs compared to S3 Standard.
   • Key Limitation: Stored only within a single Availability Zone, meaning it’s less durable and available than multi-AZ storage classes. Best for re-creatable data or when data durability is handled by your application logic.
   • Storage Type: Uses Amazon S3 Directory Buckets, supporting hundreds of thousands of requests per second.
4. S3 Standard-Infrequent Access (S3 Standard-IA):
   • Use Case: Long-lived, but less frequently accessed data that requires rapid access when needed.
   • Characteristics: Lower storage cost than S3 Standard, but with a per-GB retrieval fee. Offers millisecond access time. Stored across multiple Availability Zones for high availability.
5. S3 One Zone-Infrequent Access (S3 One Zone-IA):
   • Use Case: Long-lived, infrequently accessed data that can be re-created if lost.
   • Characteristics: Lower storage cost than S3 Standard-IA, as it stores data in a single Availability Zone. Also incurs a per-GB retrieval fee and offers millisecond access. Suitable for secondary backups or easily re-creatable data.
6. S3 Glacier Instant Retrieval:
   • Use Case: Archival data that needs to be instantly accessible (milliseconds) when retrieved.
   • Characteristics: Offers the lowest cost for archival storage with instant retrieval. Suitable for data accessed perhaps once a quarter.
7. S3 Glacier Flexible Retrieval (formerly S3 Glacier):
   • Use Case: Archival data accessed infrequently (e.g., once or twice a year) with flexible retrieval options.
   • Characteristics: Offers very low storage costs. Retrieval times can range from 1 minute (expedited) to 12 hours (standard or bulk). Useful for long-term backups where immediate access is not critical.
8. S3 Glacier Deep Archive:
   • Use Case: Long-term archival of data that is accessed very rarely (e.g., once or twice a year) and can tolerate restoration times up to 12 hours.
   • Characteristics: The cheapest storage class in S3. Ideal for compliance archives or disaster recovery data.

Non Glacier Storage Casses:

Glacier Storage Classes:

Lifecycle Rules: Lifecycle rules are automated policies that define actions for objects in an S3 bucket based on their age. You can configure rules to:

• Transition Objects: Automatically move objects from one storage class to another after a specified number of days (e.g., from Standard to Standard-IA after 30 days, then to Glacier after 90 days).
• Expire Objects: Automatically delete objects after a specified number of days.

By combining the right storage classes with automated lifecycle rules, you can effectively manage the cost and performance of your S3 data storage throughout its entire lifespan.

Using Lifecycle Rules

We’ve discussed the various S3 storage classes, each optimized for different access patterns and cost requirements, and the concept of a data lifecycle where data access patterns change over time. To automate the management of data across these storage classes and its eventual deletion, we use S3 Lifecycle Rules.

S3 Lifecycle Rules are a set of policies applied to objects within an S3 bucket. They allow you to define automated actions based on the age of the objects or other criteria, eliminating the need for manual intervention.

Two Main Types of Actions:

1. Transition Actions:
   • This action allows you to automatically move objects from one S3 storage class to another, typically to a more cost-effective class as the data ages and becomes less frequently accessed.
   • You define a specific timeframe (e.g., “after 30 days”) after which objects will transition to a cheaper storage class (e.g., from S3 Standard to S3 Standard-IA, or to a Glacier class).
   • This is crucial for optimizing storage costs over the data’s lifespan, moving data from hot storage to colder, more archival tiers.
2. Expiration Actions:
   • This action allows you to define when objects should be automatically deleted from your S3 bucket.
   • You set a specific age (e.g., “after 365 days”) after which AWS will automatically expire (delete) the objects on your behalf.
   • This is essential for data retention policies, compliance, and simply cleaning up data that is no longer needed, further contributing to cost savings.

By combining these two types of actions, S3 Lifecycle Rules provide a powerful mechanism for automating data management, ensuring that your data is stored in the most appropriate and cost-efficient storage class throughout its lifecycle, and is eventually removed when no longer required.

Storage Classes (Hands-on)

This hands-on section demonstrates how to manually select and change S3 storage classes for individual files and highlights the implications for data access and cost. It sets the stage for understanding the need for automated lifecycle management.

Understanding Storage Class Pricing (Brief Review):

• Cost vs. Access: It’s essential to remember that different S3 storage classes offer varying cost structures:
  • Storage Cost: Glacier classes are significantly cheaper for storage per GB compared to Standard or Infrequent Access classes.
  • Access Cost: While archival classes (Glacier) have low storage costs, they incur retrieval fees and require restoration time, which can be expensive and time-consuming. Infrequent Access classes also have retrieval fees.
  • Request Cost: Some classes charge per 1,000 requests.
• Trade-offs: The choice of storage class is a trade-off between storage cost, data availability, access speed (latency), and retrieval cost.

Manually Uploading a File with a Specific Storage Class:

• Navigate to an S3 Bucket: Go to your S3 console and select any existing bucket.
• Upload a File: Click “Upload” and choose a file (e.g., a PDF document) from your local machine.
• Set Storage Class During Upload:
  • In the upload wizard, navigate to the “Properties” or “Additional upload options” step:
  • By default, the storage class is set to “Standard”:
  • Observe Options: You’ll see a list of available storage classes:
    • Standard: Default, for frequently accessed data.
    • Intelligent-Tiering: For changing or unknown access patterns.
    • Standard-Infrequent Access (Standard-IA): For less frequent access, but rapid retrieval needed.
    • One Zone-Infrequent Access (One Zone-IA): Similar to Standard-IA, but stored in a single Availability Zone (lower availability, lower cost).
    • Glacier Instant Retrieval: For archival data with millisecond retrieval.
    • Glacier Flexible Retrieval: For archival data with flexible retrieval times (minutes to hours).
    • Glacier Deep Archive: For very long-term archival with the lowest cost but longest retrieval times (hours).
  • Select a Class (e.g., One Zone-Infrequent Access): Choose “One Zone-Infrequent Access” to see its immediate accessibility.
  • Upload the File: Complete the upload.
• Verify Immediate Access (for selected class):
  • After upload, select the file in the S3 console.
  • Observe its “Storage class” in the properties panel:
  • Attempt to “Open” or “Download” the file. You will be able to access it immediately, demonstrating that One Zone-IA provides rapid access despite being for infrequent use. 3. Changing an Object’s Storage Class and Observing Retrieval Implications:
• Select an Existing Object: Choose a file that you’ve already uploaded to your S3 bucket (ideally one that’s currently in Standard or Standard-IA).
• Edit Storage Class:
  • Go to the object’s “Properties” tab.
  • Click “Edit” next to “Storage class.”
• Change to an Archival Class (e.g., Glacier Flexible Retrieval): Select “Glacier Flexible Retrieval” and “Save changes.”
• Attempt to Access the Object:
  • After the change, try to “Open” or “Download” the object.
  • Observe the Result: You will now see a message indicating that “This object is stored in Glacier. In order to access it, you must first restore it.” You will be prompted to “Initiate restore.”:
  • Understand Restoration: This illustrates that Glacier classes require a restoration process (taking minutes to hours, depending on the retrieval option chosen) before the data becomes accessible. This restoration incurs additional costs.

Summary of Manual Process:

• You can manually specify a storage class during file upload.
• You can manually change an object’s storage class after it’s uploaded.
• The choice of storage class directly impacts access speed, availability, and cost (both storage and retrieval).

Manually managing storage classes for many objects is impractical. This is why the next step involves understanding and using S3 Lifecycle Rules to automate these transitions based on defined policies.

Lifecycle Rules (Hands-on)

This hands-on guide demonstrates how to create and configure S3 Lifecycle Rules to automate the transition of data between storage classes and its eventual expiration, optimizing storage costs and compliance.

1. Accessing Lifecycle Rules in S3:

• Navigate to your S3 bucket in the AWS console.
• Go to the “Management” tab.
• Find and select “Lifecycle rules.”

2. Creating a New Lifecycle Rule:

• Click on “Create lifecycle rule.”
• Lifecycle rule name: Give your rule a descriptive name (e.g., “Transition to Archiving”).

3. Defining the Scope of the Rule:

• Apply to all objects in the bucket: This is the simplest option.
• Filter objects: You can refine the scope using:
  • Prefix: Apply the rule only to objects within a specific folder or path (e.g., csv/ to target only files in a ‘csv’ subfolder).
  • Tags: Apply the rule based on specific object tags. This is a very flexible way to categorize data and apply different policies.
  • Object size: Apply the rule based on a minimum and/or maximum object size.

4. Configuring Lifecycle Rule Actions: Here you define what happens to the objects and when. You can configure multiple actions within a single rule.

• “Move current versions of objects between storage classes” option:
  • This section allows you to define a series of transitions to cheaper storage classes based on the object’s age.
  • Check the box “Move current versions of objects between storage classes”.
  • Example 1: Immediate move to Intelligent-Tiering:
    • Select “S3 Intelligent-Tiering” as the destination storage class.
    • Enter “0” or “1” for “Days after object creation.” (0 days means immediately, 1 day means after 24 hours of creation). This is an excellent default for unknown or changing access patterns.
  • Example 2: Transition to Glacier Instant Retrieval:
    • Select “S3 Glacier Instant Retrieval.”
    • Enter “180” for “Days after object creation.” (This moves data to this archival class after 6 months).
  • Example 3: Transition to Glacier Deep Archive:
    • Select “S3 Glacier Deep Archive.”
    • Enter a higher number of days, for example, “360” (after 1 year, moving from Instant Retrieval to Deep Archive).
• “Expire Current Versions of Objects” option:
  • This action defines when the current version of an object should be permanently deleted.
  • Check both “Move current versions of objects between storage classes” and “Expire current version of objects” options.
  • Enter the number of “Days after object creation” when the object should expire (e.g., “720” for two years):
  • Important Note: For non-versioned buckets, this permanently deletes the object. For version-enabled buckets, this adds a delete marker and retains the current version as a non-current version (which can then be managed by “Noncurrent version” actions).

5. Review and Create the Rule:

• The console will display a visual timeline of your defined lifecycle actions, showing when transitions and expirations will occur.
• Review the rule configuration.
• Acknowledge that “A one-time lifecycle request cost per object may occur for certain transitions or expirations, particularly for very small objects.”
• Click “Create rule.”

6. Managing Lifecycle Rules:

• You can create multiple lifecycle rules for a single bucket, each with different scopes and actions.
• To modify a rule, select it and click “Edit.”
• To delete a rule, select it and click “Delete.” Confirm the deletion when prompted.

By setting up these lifecycle rules, you can automate the entire data lifecycle in S3, ensuring that your data moves to the most cost-effective storage class as its access patterns change and is eventually deleted when no longer required.

Intelligent Tiering (Hands-on)

Amazon S3 Intelligent-Tiering is a smart storage class that automatically moves data between different access tiers based on changing access patterns, optimizing storage costs without performance impact. It’s an excellent default choice for data with unpredictable or varying access frequencies.

How S3 Intelligent-Tiering Works (Default Configuration):

• Automated Cost Optimization: The service automatically monitors access patterns and moves objects to the most cost-effective access tier without requiring manual intervention or lifecycle rules for these initial tiers.
• Three Default Tiers:
  • Frequent Access Tier: This is where data is initially stored.
  • Infrequent Access Tier: If an object hasn’t been accessed for 30 consecutive days, it’s automatically moved to this lower-cost tier.
  • Archive Instant Access Tier: If an object hasn’t been accessed for 90 consecutive days, it’s automatically moved to this even lower-cost tier, while still providing millisecond retrieval.
• Automatic Movement Back: If an object in the Infrequent Access or Archive Instant Access tier is accessed, it’s automatically moved back to the Frequent Access tier.

While the default behavior is robust, you can further optimize costs by configuring automatic archiving to deeper, even lower-cost Glacier tiers.

• Accessing Configuration:
  • Go to your S3 bucket in the AWS console.
  • Navigate to the “Properties” tab.
  • Scroll down to “Intelligent-Tiering Archive configuration.”
• Creating a New Archive Configuration:
  • Click “Create configuration.”
  • Give it a name (e.g., “Test-Archive-Config”).
  • Scope: You can define whether the configuration applies to all objects in the bucket, or filter by:
    • Prefix: Apply to objects within specific folders (e.g., archive-data/).
    • Tags: Apply to objects with specific tags.
  • For this example, let’s select “This configuration applies to all objects in the bucket”.
• Define Archive Rule Actions:
  • Transition to Archive Access Tier: Check this box.
    • Specify the number of days after which objects should move to the Glacier Flexible Retrieval (formerly S3 Glacier) tier. For example, “180” days. This tier has lower storage costs but asynchronous retrieval times (from minutes to hours). This is the “Archive Access tier.”
  • “Deep Archive Access tier”: Check this box (optional, if you’ve enabled the previous tier).
    • Specify the number of days after which objects should move to the Glacier Deep Archive tier. For example, “365 days.” This is the lowest-cost tier but has the longest retrieval times (up to 12 hours). This is the “Deep Archive Access tier.”
• Create Configuration: Review your settings and create the configuration.

Integration with S3 Lifecycle Rules: S3 Intelligent-Tiering can also be incorporated into your overall S3 lifecycle strategy:

• You can create a standard Lifecycle Rule that automatically transitions objects to Intelligent-Tiering immediately (0 or 1 day after creation) as a starting point for all new data.
• After the data has been managed by Intelligent-Tiering for a period, you can have subsequent lifecycle rules that expire (delete) the data after a much longer period (e.g., 3 years), completing the data’s lifecycle.

By combining Intelligent-Tiering for initial cost optimization with long-term expiration lifecycle rules, you can create a comprehensive and automated data management strategy in S3.

Versioning in S3

no captions

Versioning (Hands-on)

no captions

Replication

Replication in Amazon S3 refers to the process of automatically copying and synchronizing objects between S3 buckets. This can be configured for cross-region replication (CRR), where data is replicated to a bucket in a different AWS region, or same-region replication (SRR), where data is replicated within the same region. This discussion focuses on cross-region replication due to its significant benefits.

Benefits of Cross-Region Replication:

• Disaster Recovery (DR): Provides an additional layer of data redundancy. If a primary region experiences an outage, a copy of your critical data is available in a separate, unaffected region.
• Reduced Latency & Improved Performance: By replicating data closer to geographically dispersed users, you can significantly reduce data access times and improve the user experience. For example, a US-based gaming company with many users in Europe can replicate game data to an EU region, resulting in faster load times for European players.
• Increased Availability & Durability: The additional copies of data across regions enhance the overall availability and durability, safeguarding against localized disruptions.

Cost Considerations:

• Storage Costs: You incur storage costs for the replicated data in the destination bucket.
• Data Transfer Costs: There are charges for data transferred out of the source region to the destination region.

When to Use Replication (Decision Factors). Deciding which data to replicate requires careful consideration to balance costs and benefits:

• Data Criticality for Disaster Recovery: Identify essential data that, if lost or inaccessible, would severely impact business operations. Replicating this data ensures business continuity.
• Application Performance Requirements: Replicate data frequently accessed by users or applications in different geographic locations to reduce latency and improve responsiveness.
• High Availability Needs: For highly critical media files or other assets that demand constant accessibility, replication provides an additional layer of availability.
• Cost-Benefit Analysis: Evaluate the cost of replication (storage and data transfer) against the value derived from improved disaster recovery, performance, and availability. Avoid replicating non-critical or rarely accessed data unnecessarily.
• Compliance and Regulatory Requirements: In sectors like finance and healthcare, regulatory mandates may necessitate data replication to different geographical locations for governance and compliance standards.

How Cross-Region Replication Works in AWS:

• Replication Rules: You configure replication rules and policies on the source S3 bucket.
• Automatic Replication: Once enabled, any new objects added to the source bucket are automatically replicated to the destination bucket based on the configured rule.
• One-Way Replication: Replication is typically one-directional. Files added to the source bucket are copied to the destination, but files added directly to the destination bucket are not automatically replicated back to the source.
• Deletion Behavior (Default): By default, deleting an object in the source bucket does not delete its replica in the destination bucket. This serves as a safety mechanism against accidental deletions, acting as a form of disaster recovery for unintended data loss. You can configure rules to synchronize deletions if needed, but this is not the default behavior.
• Versioning Requirement: Versioning must be enabled on both the source and destination S3 buckets for replication to function.

Replication (Hands-on)

Let’s walk through how to set up cross-region replication in AWS for your data lake.

1. Create a Source Bucket:

• Go to the S3 console.
• Choose a region for your source bucket (e.g., US East (Ohio)).
• Click “Create bucket.”
• Give your source bucket a unique name (e.g., myreplicationsource2324).
• Important: Under “Bucket Versioning,” enable versioning. Replication requires versioning to be enabled on both the source and destination buckets.
• Leave other settings as default for now.
• Click “Create bucket.”

2. Create a Destination Bucket:

• Create another bucket. This will be your destination for the replicated data.
• Choose a different region than your source bucket (e.g., US East (N. Virginia)). This provides the cross-region redundancy we want.
• Give this bucket a unique name (e.g., myreplicationtarget2324).
• Important: Enable versioning for the destination bucket as well.
• Leave other settings as default.
• Click “Create bucket.”

3. Configure Cross-Region Replication on the Source Bucket:

• Go to your source bucket.
• Go to the “Management” tab.
• Click “Create replication rule”.
• Rule Name: Give your replication rule a descriptive name (e.g., replicationtest).
• Rule status: Ensure it’s “Enabled.”
• Source bucket: The source bucket should be pre-selected. You can optionally limit the scope to specific prefixes or tags, but for this example, replicate all objects in the bucket.
• Destination:
  • Choose “A bucket in another region.”
  • Browse and select your destination bucket.
  • You’ll be prompted to enable versioning on the destination bucket if you haven’t already.
• IAM Role: Choose an existing IAM role that has the necessary permissions for S3 replication, or create a new one. AWS will guide you through this.
• Additional replication options: Leave the default settings for now. You can explore “Replication Time Control” for faster replication (at an additional cost), but it’s not required for basic setup.
• Important: Under “Additional replication options”, leave the “Delete marker replication” unchecked. This is the default and recommended setting for disaster recovery. If you check this option, when you delete a file in the source bucket, it will also be deleted in the destination bucket. Leaving it unchecked means that the destination bucket retains a copy of the file even if it’s deleted in the source. This is important for data protection.
• Click “Save.”

4. Test Replication:

• Go to your source bucket.
• Upload a file (any small file will do).
• Go to your destination bucket.
• Refresh the page. You should see the replicated file appear in the destination bucket within a few seconds (depending on file size and network conditions).
• Test Deletion:
  • Delete the file from the source bucket.
  • Go to the destination bucket. The file should still be present. This demonstrates the default behavior where deletions in the source are not replicated to the destination, providing an extra layer of protection.

This setup ensures that any new objects you add to your source bucket will be automatically replicated to your destination bucket in a different region, providing redundancy for disaster recovery and potentially improving data access performance for users in that region. Remember that replication is one-way by default, and deletions are not replicated unless you specifically configure that option.

Security in S3 (Encryption)

Security in S3 is paramount, and encryption plays a critical role in protecting your data. Data can be encrypted both in transit (as it moves to and from S3) and at rest (while stored on S3’s servers).

Encryption in Transit

• Data is protected as it travels to and from S3 using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
• This method encrypts the data at the client, securely transports it to S3, and then decrypts it there.
• S3 can then re-encrypt the object at the server side if configured for server-side encryption.

Encryption at Rest (Server-Side Encryption)

All S3 buckets have encryption at rest configured by default. Amazon S3 automatically encrypts data objects before saving them and decrypts them upon download. There are several methods for server-side encryption, offering varying levels of control and security:

1. Server-Side Encryption with S3 Managed Keys (SSE-S3):
   • Default Configuration: This is the base level of encryption for every S3 bucket.
   • Management: S3 fully manages the encryption keys. You upload your data, and S3 handles the encryption and decryption processes automatically. Each object is encrypted with a unique key, and S3 manages the creation, storage, and rotation of these keys.
   • Ease of Use: This is the simplest option, requiring no user intervention for key management.
2. Server-Side Encryption with AWS Key Management Service (SSE-KMS):
   • Enhanced Control: This method integrates with AWS Key Management Service (KMS), allowing you to create and manage your own encryption keys (Customer Master Keys - CMKs).
   • Key Control: You have much more control over the keys, including defining policies for who can use them, auditing their usage, and rotating, disabling, or deleting them. This is crucial for compliance and auditing purposes.
   • AWS Management: While you manage the keys, AWS still handles the encryption and decryption operations using your KMS key.
3. Dual-Layer Server-Side Encryption with KMS Keys (DSSE-KMS):
   • Highest Security: This approach encrypts your data twice, each time with a different key managed by KMS.
   • Two Layers of Encryption:
     • The first encryption layer is applied when the data arrives at S3.
     • A second, distinct KMS key is then used to apply a second encryption layer.
   • Redundant Protection: This dual encryption ensures that even if one encryption layer were compromised, the second layer would still protect your data, offering an exceptionally high level of security.
4. Server-Side Encryption with Customer Provided Keys (SSE-C):
   • Full Customer Responsibility: Unlike other S3 options where AWS manages the keys, with SSE-C, you provide your own encryption keys for each object you upload.
   • Key Management: You are fully responsible for generating, storing, managing, and rotating these keys. AWS never stores your keys.
   • Secure Transfer: When uploading a file with SSE-C, you must send the encryption key over a secure connection (HTTPS).
   • Advanced Use Cases: This method offers the highest level of security and control for highly regulated industries, but it comes with significant operational responsibility for key management.

In summary, S3 provides multiple encryption options to protect your data at rest and in transit, ranging from fully AWS-managed keys to customer-provided keys, allowing you to choose the level of control and security that best fits your requirements.

Security (Hands-on)

This hands-on guide demonstrates how to configure encryption settings for S3 buckets and individual objects, covering the default SSE-S3 and overriding with SSE-KMS: 1. Creating a Bucket with Default Encryption (SSE-S3):

• Navigate to S3: Go to the Amazon S3 console.
• Create a New Bucket: Click “Create bucket.”
• Name the Bucket: Give it a unique name (e.g., encryption-test-yourname-numbers).
• Default Encryption Settings:
  • Scroll down to the “Default encryption” section.
  • You’ll see options for “Server-side encryption.”
  • The default selection is usually “Amazon S3 managed keys (SSE-S3)“. This means S3 handles all key management on your behalf.
  • Leave this as the default for now.
• Create Bucket: Click “Create bucket.” 2. Uploading an Object and Verifying Default Encryption:
• Navigate to Your New Bucket: Open the encryption-test-... bucket you just created.
• Upload a File: Click “Upload,” select a file (e.g., a simple text or PDF file), and click “Upload.”
  • During Upload - Encryption Options: In the “Properties” section of the upload wizard, you’ll see “Server-side encryption.” The default is “Do not specify an encryption key,” which means it will inherit the bucket’s default encryption settings. Leave this as is.
• Verify Encryption:
  • Once the file is uploaded, select the object in your bucket.
  • Go to the “Properties” tab.
  • Under the “Server-side encryption settings” section, you will see that the object is using “Amazon S3 managed keys (SSE-S3)”:

3. Overriding Bucket Default with SSE-KMS for an Existing Object:

• Select the Object: In your bucket, select the file you just uploaded.
• Edit Encryption Settings:
  • Go to the “Properties” tab for the object.
  • Scroll down to “Server-side encryption settings” and click “Edit.”
• Change Encryption Type:
  • Select “Override bucket settings for default encryption.”
  • Choose “AWS Key Management Service key (SSE-KMS)“.
  • Choose a KMS Key:
    • You’ll see an option to select a KMS key.
    • Choose the default AWS managed key (e.g., alias/aws/s3). This key is automatically created and managed by AWS for S3 integration with KMS.
    • Alternatively, if you have custom KMS keys, you could select one of those.
• Save Changes: Click “Save changes.”

4. Verify SSE-KMS Encryption and Key Details:

• Re-verify Object Properties: After saving, go back to the object’s “Properties” tab.
• Check Encryption Settings: You will now see that the “Server-side encryption settings” indicate it’s using “AWS Key Management Service key (SSE-KMS)“.
• KMS Key ARN: You’ll also see the “Encryption key ARN,” which is the Amazon Resource Name of the specific KMS key used. You could click this ARN to navigate directly to the KMS console and inspect the key’s details, permissions, and usage. This demonstrates the increased control provided by SSE-KMS.

Cleanup:

• Delete the Bucket: To avoid incurring unnecessary costs, remember to delete the S3 bucket you created.
  • Go to the S3 console, select your encryption-test-... bucket.
  • Click “Delete.”
  • You will need to confirm the deletion by typing the bucket name and potentially emptying the bucket first if it contains objects.

This hands-on exercise illustrates the flexibility of S3 encryption, allowing you to configure default encryption at the bucket level and then selectively override it for individual objects with different key management options like SSE-KMS, offering more granular control over your encryption keys.

Bucket Policies

S3 bucket policies are powerful tools used to define granular access permissions for your S3 buckets and their contained objects. Unlike IAM user policies, which are attached to users or roles, bucket policies are directly attached to an S3 bucket, making them resource-based policies. They specify who can access the bucket and what actions they can perform.

Key Characteristics of Bucket Policies:

• JSON Document: Bucket policies are written in JSON format, adhering to the AWS IAM policy language.
• Resource-Based: They are applied directly to an S3 bucket, governing access to that specific bucket and its contents.
• Granular Control: You can define very precise rules for access, including specific actions, principals, and conditions.

Basic Structure of a Bucket Policy (JSON Components):

A typical S3 bucket policy JSON document consists of the following key elements:

• Version:
  • Specifies the version of the policy language. Typically, this is "2012-10-17".
• Statement:
  • This is an array that contains one or more individual access rules. Each rule is a JSON object defining a specific permission.
• Effect:
  • Defines whether the statement permits or denies access.
  • "Allow": Explicitly grants permission for the specified actions.
  • "Deny": Explicitly denies permission for the specified actions. (Deny always overrides Allow).
• Principal:
  • Specifies the identity that is allowed or denied access.
  • Can be an AWS account (e.g., "AWS": "arn:aws:iam::123456789012:root"), an IAM user (e.g., "AWS": "arn:aws:iam::123456789012:user/Alice"), an IAM role, or an AWS service.
  • "*" can be used to represent anonymous users (for public access) or all authenticated AWS users, depending on context and other policy elements.
• Action:
  • Defines the specific API operations that are allowed or denied.
  • Examples:
    • "s3:GetObject": Allows downloading objects.
    • "s3:PutObject": Allows uploading objects.
    • "s3:DeleteObject": Allows deleting objects.
    • "s3:ListBucket": Allows listing objects in a bucket.
    • "s3:*": Represents all S3 actions.
• Resource:
  • Specifies the S3 resource(s) that the action applies to.
  • For a bucket policy, this will typically be the bucket ARN or objects within the bucket.
  • Examples:
    • "arn:aws:s3:::your-bucket-name": Refers to the bucket itself.
    • "arn:aws:s3:::your-bucket-name/*": Refers to all objects within the bucket.
• Condition (Optional):
  • Adds constraints or specific conditions that must be met for the policy statement to take effect.
  • Examples:
    • "IpAddress": Restricts access to a specific IP address range (e.g., {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}).
    • "Bool": Requires the connection to use HTTPS (e.g., {"Bool": {"aws:SecureTransport": "false"}} combined with a “Deny” effect to enforce HTTPS).

Bucket policies are set up directly on the S3 bucket itself. You can find and edit them by navigating to the specific S3 bucket in the AWS Management Console, then going to the “Permissions” tab and selecting “Bucket policy.”

Access Points in S3

Amazon S3 Access Points are a feature designed to simplify data access management for S3 buckets, especially when dealing with a large number of users, applications, or varying access permissions. They act as customizable network entry points to your S3 buckets.

The Problem S3 Access Points Solve:

• Traditionally, managing access to an S3 bucket with diverse needs (e.g., one team needs read-only, another needs read/write, a specific application needs access from a particular VPC) could lead to complex and potentially unwieldy bucket policies. S3 Access Points simplify this by providing a more granular and scalable way to manage permissions.

Key Characteristics and Benefits:

1. Customizable Entry Points:
   • Instead of managing a single, complex bucket policy for all access patterns, you create multiple Access Points for a single S3 bucket.
   • Each Access Point can have its own unique access policy, allowing you to define specific permissions tailored to a particular user, application, or use case.
   • Example: You can create one Access Point for your analytics team that grants read-only access to specific prefixes, and another Access Point for your data ingestion service that grants write access to a different prefix, all targeting the same underlying S3 bucket.
2. Unique DNS Name:
   • Each Access Point has its own distinct DNS name (e.g., my-app-ap.s3-accesspoint.us-east-1.amazonaws.com).
   • This DNS name can be Internet Origin (accessible from the internet) or VPC Origin (accessible only from within a specified Amazon Virtual Private Cloud). VPC-origin Access Points offer enhanced network security by restricting access to a private network.
3. Simplified Permissions Management:
   • The permissions for an Access Point are defined in an Access Point Policy, which functions similarly to a bucket policy but is scoped to the specific Access Point.
   • This allows for more streamlined management of permissions, as you can easily review and modify access for a particular use case without affecting other access patterns to the same bucket.
4. Scalability:
   • As your data lake or project grows, managing access for numerous departments, applications, or external partners becomes much more efficient. You can create new Access Points as needed without reorganizing your S3 bucket’s structure or modifying its central policy.
5. Enhanced Security:
   • Access Points help limit how data can be accessed and by whom, reducing the risk of accidental exposure of sensitive data.
   • VPC-origin Access Points provide a strong network perimeter, ensuring that access to your data only occurs through private networks, which is crucial for sensitive data and compliance requirements.

In essence, S3 Access Points provide a flexible and scalable way to manage access to shared S3 buckets, simplifying permission management and enhancing security by creating dedicated, policy-bound entry points.

Object Lambda

Amazon S3 Object Lambda is a powerful S3 feature that allows you to transform data as it’s being retrieved from an S3 bucket. This means you can modify data on the fly using AWS Lambda functions without needing to create or store separate copies of the data.

Object Lambda functions as an intermediary layer between your S3 bucket and the requesting user or application. Here’s a breakdown of the process:

1. Request Initiation: A user or application initiates a request to access data stored in an S3 bucket.
2. Access Point Redirection: Instead of directly accessing the S3 bucket, this request is directed to an S3 Object Lambda Access Point.
3. Lambda Invocation: The Object Lambda Access Point acts as a proxy. It’s configured to invoke a specific AWS Lambda function.
4. Data Retrieval and Transformation:
   • The Lambda function receives the request and, in turn, fetches the original object from the underlying S3 bucket via a standard S3 Access Point.
   • Within the Lambda function, your custom code processes and transforms the data according to your defined logic. This could involve redacting sensitive information, resizing images, converting data formats, or augmenting the data with external information.
5. Transformed Data Return: Once the Lambda function has processed the data, it returns the transformed data back to the Object Lambda Access Point.
6. Response to User: The Object Lambda Access Point then sends this transformed data back to the user or application that made the initial request.

This entire process occurs transparently to the requester, who simply receives the transformed data without needing to know the underlying transformation logic.

Object Lambda offers significant benefits by enabling dynamic data processing without data duplication:

• No Data Duplication: You don’t need to create and manage multiple copies of your data for different use cases. The transformation happens on-demand during retrieval.
• Reduced Storage Costs: By eliminating duplicate data copies, you save on storage costs.
• Simplified Data Management: Manage a single source of truth in your S3 bucket, with transformations handled at the access layer.
• Real-time Data Adaptation: Data can be adapted to specific application or user needs in real-time.

Here are some common use cases for S3 Object Lambda:

• Redacting Sensitive Information: Automatically filter out Personally Identifiable Information (PII) or other sensitive data before it’s delivered to analytics applications or third-party tools.
• Image Resizing/Watermarking: Deliver different image sizes or add watermarks dynamically based on the requesting application’s requirements.
• Data Format Conversion: Convert data formats on the fly (e.g., XML to JSON, CSV to Parquet) to suit different consumers without storing multiple formats.
• Augmenting Data: Enrich data with additional information from other AWS services or external databases before serving it.
• Custom Filtering: Apply custom filtering logic to return only relevant subsets of data to specific users or applications.

S3 Event Notifications

S3 Event Notifications allow you to trigger actions based on events that occur within your S3 buckets. An event is essentially any action taken on your bucket or its objects, and event notifications enable you to react to those actions in real-time.

An event can be anything from creating an object (uploading a file), deleting an object, restoring an archived object, replicating an object, and even lifecycle transitions (moving an object to a different storage class).

How Event Notifications Work. When an event occurs in your S3 bucket, S3 can send a notification to a designated destination. Common destinations include:

• SNS (Simple Notification Service): Sends messages to subscribers.
• SQS (Simple Queue Service): Queues messages for processing.
• Lambda Function: Triggers an AWS Lambda function to perform custom processing.
• EventBridge: Routes events for more complex handling.

A very common use case is to trigger a Lambda function when a new object is uploaded to a bucket. This allows you to perform automated processing on the uploaded file, such as:

• Transforming the file.
• Storing metadata about the file in a database.
• Triggering a workflow.

S3 supports a wide range of event types:

• Object Creation Events:
  • s3:ObjectCreated:Put: Object created via a PUT request.
  • s3:ObjectCreated:Post: Object created via a POST request.
  • s3:ObjectCreated:*: All object creation events, regardless of method.
• Object Deletion Events:
  • s3:ObjectRemoved:Delete: Object deleted.
• Object Restore Events
• Object Replication Events
• Lifecycle Events
• Object Tagging Events
• Object ACL Put Events

You can filter event notifications to trigger only for specific objects or types of objects. This is done using prefixes and suffixes:

• Prefix Filter: Triggers the notification only for objects within a specific directory or folder.
  • Example: A prefix of images/ would trigger the notification only for files uploaded to the images/ folder.
• Suffix Filter: Triggers the notification only for objects with a specific file extension.
  • Example: A suffix of .jpg would trigger the notification only for JPEG image files.

Example Scenario. Let’s say you want to trigger a Lambda function whenever a file is uploaded to your bucket using the PUT method. You could configure an event notification with the event type s3:ObjectCreated:Put. If you only wanted this to happen for files uploaded to a specific folder, such as “new_uploads”, you would set the prefix to “new_uploads/“. If you only wanted to trigger it for CSV files, you would set the suffix to “.csv”.

S3 Event Notifications (Hands-on)

This hands-on guide will walk you through setting up S3 Event Notifications to send a message to an SNS topic when a file is uploaded to your S3 bucket, which then triggers an email notification.

1. Create an S3 Bucket (Source for Events):

• Go to the Amazon S3 console.
• Click “Create bucket.”
• Bucket name: Choose a unique name (e.g., eventnotifications-test-945746).
• AWS Region: Select your preferred region (e.g., US East (N. Virginia)).
• Leave all other settings as default.
• Click “Create bucket.” 2. Create an SNS Topic and Subscription:
• Go to the Amazon SNS (Simple Notification Service) console.
• Create Topic:
  • In the left navigation pane, click “Topics.”
  • Click “Create topic.”
  • Type: Choose “Standard.”
  • Name: Give it a name (e.g., UploadBucket).
  • Access policy: This is crucial.
    • Scroll down to the “Access policy” section.
    • Choose “Advanced.”
    • You need to add a policy statement that allows your S3 bucket to publish messages to this SNS topic.
    • Replace YOUR_AWS_ACCOUNT_ID with your account ID:

    {
      "Version": "2012-10-17",
      "Id": "__default_policy_ID",
      "Statement": [
        {
          "Sid": "AllowS3Publish",
          "Effect": "Allow",
          "Principal": {
            "Service": "s3.amazonaws.com"
          },
          "Action": "sns:Publish",
          "Resource": "arn:aws:sns:us-eas-1:273574620682:UploadBucket",
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "YOUR_AWS_ACCOUNT_ID"
            },
            "ArnLike": {
              "aws:SourceArn": "arn:aws:s3:::eventnotifications-test-945746"
            }
          }
        }
      ]
    }

    • Important: Before clicking “Create topic”, copy the placeholder policy. You will need to paste it and fill in the ARNs later. For now, create the topic and copy its ARN immediately.
    • Click “Create topic.”
• Create and Confirm Subscription:
  • Once the topic is created, click on “Create subscription.”
  • Topic ARN: It should be pre-filled with your new topic’s ARN.
  • Protocol: Choose “Email.”
  • Endpoint: Enter your email address where you want to receive notifications.
  • Click “Create subscription.”
  • Check your email inbox. You will receive an email from AWS asking you to confirm the subscription.
  • Click the “Confirm subscription” link in the email. You should see a confirmation message in your browser. 3. Update SNS Topic Policy with S3 Bucket ARN:
• Go back to your S3 bucket’s properties.
• Copy the Amazon Resource Name (ARN) of your S3 bucket (e.g., `arn:aws:s3:::s3-eventnotifications-test-945746).
• Go back to your SNS topic in the console.
• Click “Edit.”
• Scroll down to the “Access policy” section.
• Paste the JSON policy you copied earlier.
• Click “Save changes.” 4. Configure Event Notification in S3:
• Go to your S3 bucket (e.g., eventnotifications-test-945746).
• Go to the “Properties” tab.
• Scroll down to the “Event notifications” section.
• Click “Create event notification.”
• Event name: Give it a name (e.g., UploadEvent).
• Prefix (optional): If you only want notifications for a specific folder, enter the folder name (e.g., uploads/). Leave blank for the entire bucket.
• Suffix (optional): If you only want notifications for specific file types, enter the extension (e.g., .csv). Leave blank for all file types.
• Event types: Under “Object creation,” check the box for “All object create events” (or Put, Post, etc., if you want more specific).
• Destination:
  • Choose “SNS topic.”
  • From the “SNS topic” dropdown, select the SNS topic you created earlier (e.g., s3-upload-notification).
• Click “Save changes.” 5. Test the Event Notification:
• Go back to your S3 bucket.
• Click “Upload.”
• Select any small file from your computer and upload it to the bucket.
• Check your email: Within a few moments, you should receive an email notification from AWS SNS, confirming that a file was uploaded to your S3 bucket. The email body will contain details about the S3 event, including the bucket name, key (file name), event time, and more.

You have successfully set up an S3 event notification to trigger an SNS topic, which then sends an email. Remember to clean up your resources (delete the S3 bucket and SNS topic) to avoid incurring unnecessary charges.

Data Mesh (to watch)

The Data Mesh is an architectural concept, not a specific AWS service, that focuses on decentralizing data ownership and management within an organization. It’s a strategic shift from traditional centralized data architectures (like data warehouses or monolithic data lakes) towards a distributed model where data is treated as a product.

Core Idea: A Data Mesh aims to organize and manage data by assigning responsibility to the domain teams that are closest to the data. These domain teams become the owners and stewards of their data, making them accountable for its quality, governance, and accessibility.

Key Principles of a Data Mesh:

1. Domain-Oriented Data Ownership:
   • Instead of a central data team managing all data, ownership is distributed to the business domains that generate and consume the data (e.g., Marketing, Sales, Product Development).
   • These domain teams are best positioned to understand the semantics, quality, and usage patterns of their data.
   • They are responsible for the entire lifecycle of their data, from ingestion to serving.
2. Data as a Product:
   • Each domain treats its data as a first-class product, designed for consumption by other domains and applications.
   • This means the data must be:
     • Discoverable: Easily found by potential consumers.
     • Addressable: Clearly identifiable and locatable.
     • Trustworthy: High quality, reliable, and well-documented.
     • Self-describing: Metadata is readily available.
     • Interoperable: Can be easily combined with data from other domains.
     • Secure: Access is controlled and audited.
     • Valuable: Provides clear business value to its consumers.
3. Self-Service Data Infrastructure Platform:
   • To enable domain teams to manage their data independently, a foundational self-service platform is provided.
   • This platform abstracts away the underlying infrastructure complexities, allowing domain teams to easily ingest, transform, store, and serve their data products without becoming infrastructure experts.
   • It provides tools and capabilities for data product development, deployment, and monitoring.
4. Federated Computational Governance:
   • While ownership is decentralized, there’s a need for global interoperability, security, and compliance.
   • Federated governance establishes a set of global rules and standards that all domain teams must adhere to (e.g., data privacy, security protocols, interoperability standards).
   • This governance model combines central coordination with decentralized execution, balancing autonomy with organizational alignment.

Although a Data Mesh is an architectural concept, it can be effectively implemented using various AWS services that support decentralized data architectures:

• Amazon S3: Provides scalable, durable, and cost-effective object storage for raw and processed data.
• AWS Glue: Used for data cataloging (making data discoverable), ETL (Extract, Transform, Load) processes within domains, and metadata management.
• Amazon Redshift: A data warehousing solution for analytical workloads and serving structured data products.
• AWS Lake Formation: Simplifies building, securing, and managing data lakes, providing centralized security and governance controls across decentralized data stores.
• Amazon Athena: A serverless query service for ad-hoc analysis directly on data in S3, enabling self-service data exploration.
• Amazon API Gateway: Can be used to expose data products as APIs, making them easily consumable by applications and other domains.

By adopting the principles of a Data Mesh and leveraging suitable AWS services, organizations can overcome challenges associated with monolithic data architectures, improve data quality, foster data literacy, and scale their data capabilities more effectively.

Data Exchange (to watch)

AWS Data Exchange is a service that provides a centralized, cloud-based catalog where customers can find, subscribe to, and use third-party data in a secure and streamlined manner. It acts as a marketplace for data, connecting data providers with data consumers within the AWS ecosystem.

Core Purpose. AWS Data Exchange simplifies the traditionally complex and cumbersome process of acquiring, licensing, and working securely with third-party datasets. It aims to reduce the operational overhead and time required to access external data, allowing businesses to focus on deriving insights from that data.

Common Use Cases. Organizations across various industries leverage AWS Data Exchange for diverse needs:

• Financial Services: Access to real-time market data, historical financial records, economic indicators, and proprietary analytics to inform trading strategies, risk management, and investment decisions.
• Healthcare and Life Sciences: Obtain anonymized patient data, medical research findings, clinical trial data, and public health datasets for research, drug discovery, and population health management.
• Geospatial Data: Utilize satellite imagery, weather data, geographical information systems (GIS) data, and location-based intelligence for urban planning, environmental monitoring, logistics, and resource management.
• Retail and Consumer Goods: Acquire data on consumer behavior, purchasing trends, sales forecasts, demographic information, and market intelligence to optimize marketing campaigns, inventory management, and product development.
• Advertising and Marketing: Access audience segments, consumer profiles, and media consumption data to enhance targeting and campaign effectiveness.

Integration with Other AWS Services. AWS Data Exchange seamlessly integrates with other AWS services, enabling flexible data delivery and consumption models:

• AWS Marketplace Integration: Data providers register as AWS Marketplace sellers to publish their datasets as data products. This leverages the existing marketplace infrastructure for billing, subscriptions, and distribution.
• Amazon S3 Integration:
  • For Providers: Data providers can import and store their data files directly in their S3 buckets.
  • For Subscribers: Once subscribed, customers can export these data files to their own S3 buckets, allowing for easy integration with their existing data processing pipelines.
• AWS Lake Formation Data Permissions: Data Exchange supports datasets where permissions are managed by AWS Lake Formation. This allows subscribers to directly access data stored in a provider’s Lake Formation-governed data lake. Subscribers can then query, transform, and share access to this data within their own Lake Formation environment, enabling powerful cross-account data sharing without data movement.