<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>S3 | The AWS Blog</title><link>https://theawsblog.com/tags/s3/</link><description>Articles, tutorials and insights from the AWS community.</description><generator>Hugo</generator><language>en</language><managingEditor>@theawsblog (The AWS Blog)</managingEditor><webMaster>@theawsblog</webMaster><lastBuildDate>Tue, 30 Jun 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://theawsblog.com/tags/s3/index.xml" rel="self" type="application/rss+xml"/><item><title>Replicating S3 bucket configuration needs workflow discipline</title><link>https://theawsblog.com/news/emiliano-montesdeoca/s3-configuration-replication-step-functions/</link><pubDate>Tue, 30 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/s3-configuration-replication-step-functions/</guid><description>AWS shows how Step Functions can replicate S3 bucket configuration across Regions, but builders should decide where automation ends and infrastructure as code should remain the source of truth.</description><content:encoded>&lt;p&gt;Replicating S3 data is only part of a multi-Region storage strategy. The bucket configuration around that data is often where drift hides.&lt;/p&gt;
&lt;p&gt;The AWS Storage Blog post on &lt;a href="https://aws.amazon.com/blogs/storage/replicate-amazon-s3-bucket-configurations-across-aws-regions-with-aws-step-functions/"&gt;replicating Amazon S3 bucket configurations across AWS Regions with AWS Step Functions&lt;/a&gt; shows an automation pattern for replaying bucket configuration into a target Region with an auditable workflow.&lt;/p&gt;
&lt;p&gt;That is useful, but it also raises an important architecture question: should configuration replication be a workflow, or should it be infrastructure as code?&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;The source article describes a Step Functions and Lambda solution that creates a bucket in a target Region and applies configuration from a source bucket. It logs runs to DynamoDB and CloudWatch, which gives operators an audit trail.&lt;/p&gt;
&lt;p&gt;This kind of workflow can help when teams need to replicate settings such as encryption, lifecycle, versioning, event notifications, tags, or other operational configuration across Regions.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;Disaster recovery plans often assume that a bucket in another Region is ready because replication is configured. But during a real failover, missing configuration can break applications or weaken controls.&lt;/p&gt;
&lt;p&gt;Examples:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;lifecycle rules are missing and costs grow,&lt;/li&gt;
&lt;li&gt;event notifications do not trigger downstream processing,&lt;/li&gt;
&lt;li&gt;encryption or bucket policy differs from the primary Region,&lt;/li&gt;
&lt;li&gt;observability tags are absent,&lt;/li&gt;
&lt;li&gt;access points or integration settings are inconsistent.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;A repeatable replication workflow can turn those assumptions into something testable.&lt;/p&gt;
&lt;h2 id="the-trade-off-with-iac"&gt;The trade-off with IaC&lt;/h2&gt;
&lt;p&gt;For stable environments, infrastructure as code should usually be the source of truth. If the bucket configuration is defined in CDK, CloudFormation, Terraform, or Pulumi, the cleanest replication path is often to deploy the same intent to another Region.&lt;/p&gt;
&lt;p&gt;A workflow-based replication tool is valuable when:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;buckets already exist and need operational synchronization,&lt;/li&gt;
&lt;li&gt;configuration is discovered from a source environment,&lt;/li&gt;
&lt;li&gt;teams need an emergency or transitional DR path,&lt;/li&gt;
&lt;li&gt;there are many legacy buckets not yet under IaC,&lt;/li&gt;
&lt;li&gt;operators need a controlled copy action with audit logs.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The risk is creating a second source of truth. If IaC says one thing and the replication workflow copies another, drift becomes harder to reason about.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Before using this pattern, classify buckets into two groups:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;IaC-owned buckets&lt;/strong&gt; where configuration should be generated from code.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Operationally managed buckets&lt;/strong&gt; where a replication workflow can reduce drift until IaC ownership exists.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Then run regular DR validation. Do not only check that the target bucket exists. Check whether the target bucket has the policies, notifications, lifecycle rules, encryption settings, tags, and observability hooks needed for the application to run.&lt;/p&gt;
&lt;p&gt;The useful takeaway is that S3 resilience is not just object replication. It is configuration repeatability. Step Functions can provide a controlled workflow for that, as long as builders are clear about the source of truth.&lt;/p&gt;</content:encoded></item><item><title>Faster S3 access log queries make storage security more usable</title><link>https://theawsblog.com/news/emiliano-montesdeoca/s3-access-logs-cloudwatch-s3-tables/</link><pubDate>Mon, 29 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/s3-access-logs-cloudwatch-s3-tables/</guid><description>AWS shows how CloudWatch and S3 Tables can make S3 access logs easier to query, which helps builders turn storage audit data into operational and security signals.</description><content:encoded>&lt;p&gt;S3 access logs are valuable, but value delayed often becomes value ignored. If logs are difficult to query, teams use them only after something has already gone wrong.&lt;/p&gt;
&lt;p&gt;The AWS Storage Blog post on &lt;a href="https://aws.amazon.com/blogs/storage/query-amazon-s3-access-logs-instantly-with-cloudwatch-and-s3-tables/"&gt;querying Amazon S3 access logs instantly with CloudWatch and S3 Tables&lt;/a&gt; is interesting because it focuses on making access data easier to use in everyday operations.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;The article walks through delivering S3 access log data to CloudWatch Logs and S3 Tables, then using those destinations for dashboards, alarms, and queries. The practical shift is from &amp;ldquo;logs exist somewhere&amp;rdquo; to &amp;ldquo;logs are queryable enough to support investigation and monitoring.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;For builders, that means S3 access patterns can become part of normal observability instead of a separate forensic workflow.&lt;/p&gt;
&lt;h2 id="why-it-matters"&gt;Why it matters&lt;/h2&gt;
&lt;p&gt;S3 is often where the most important data lives. Application logs, analytics exports, customer files, model artifacts, backups, and operational reports all end up in buckets. Yet many teams still monitor bucket configuration more carefully than bucket access behavior.&lt;/p&gt;
&lt;p&gt;Queryable access logs help answer questions that matter:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Which principals are reading sensitive prefixes?&lt;/li&gt;
&lt;li&gt;Did access spike after a deployment?&lt;/li&gt;
&lt;li&gt;Are clients getting unexpected 403 or 404 responses?&lt;/li&gt;
&lt;li&gt;Which workloads are driving request cost?&lt;/li&gt;
&lt;li&gt;Did a suspicious IP enumerate objects?&lt;/li&gt;
&lt;li&gt;Are lifecycle or replication assumptions visible in traffic?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;When these questions are cheap to answer, teams ask them earlier.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;More logging is not free. S3 access log delivery, CloudWatch ingestion, query volume, table storage, retention, and dashboards all have cost implications. The right design depends on the bucket&amp;rsquo;s risk and traffic profile.&lt;/p&gt;
&lt;p&gt;I would not send every low-value development bucket into a high-retention analytics pipeline. I would prioritize buckets that contain customer data, security logs, production artifacts, financial exports, backups, or AI training and retrieval data.&lt;/p&gt;
&lt;p&gt;Also, access logs are only one layer. They should complement CloudTrail data events, IAM Access Analyzer, Macie, GuardDuty, S3 Storage Lens, and application-level audit logs. Different signals answer different questions.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Pick a production bucket that matters and define three operational queries before building anything. For example:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;top readers by prefix over the last hour,&lt;/li&gt;
&lt;li&gt;denied requests by principal and source IP,&lt;/li&gt;
&lt;li&gt;unusual data transfer volume compared with baseline.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Then build the logging path and dashboard around those questions. Add alarms only where the signal is actionable; noisy storage alarms quickly become invisible.&lt;/p&gt;
&lt;p&gt;The main takeaway is that storage observability should be designed for regular use, not just incident response. Faster S3 access log queries make that much more realistic.&lt;/p&gt;</content:encoded></item><item><title>S3 Storage Lens groups make storage cost conversations less generic</title><link>https://theawsblog.com/news/emiliano-montesdeoca/s3-storage-lens-groups-cost-visibility/</link><pubDate>Fri, 26 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/s3-storage-lens-groups-cost-visibility/</guid><description>Amazon S3 Storage Lens groups help teams inspect storage by workload-specific criteria, making cost, lifecycle, and data hygiene work more actionable.</description><content:encoded>&lt;p&gt;Storage optimization advice often starts too broadly: reduce old data, review access patterns, apply lifecycle policies. That is true, but it is not specific enough for a team to act.&lt;/p&gt;
&lt;p&gt;The AWS Storage Blog post on &lt;a href="https://aws.amazon.com/blogs/storage/create-custom-storage-groupings-with-amazon-s3-storage-lens-groups/"&gt;S3 Storage Lens groups&lt;/a&gt; is useful because it shows how to group storage by workload-specific criteria instead of looking only at account or bucket totals.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;S3 Storage Lens groups let builders define custom groupings and analyze metrics for targeted slices of S3 data. The source article uses examples such as older application logs and aging image files across multiple buckets and accounts.&lt;/p&gt;
&lt;p&gt;That matters because the useful unit of storage ownership is rarely just a bucket. It may be an application, dataset, tenant, media type, compliance class, or product feature.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;S3 cost and hygiene problems are usually ownership problems.&lt;/p&gt;
&lt;p&gt;A central cloud team can see that storage is growing. They may not know which logs are safe to expire, which images are user-generated content, which datasets are legally retained, or which prefixes belong to an old migration. Application teams know the context, but they often lack cross-account visibility.&lt;/p&gt;
&lt;p&gt;Storage Lens groups can bridge that gap. They help create a view that says, &amp;ldquo;this workload has 40 TB of logs older than 180 days,&amp;rdquo; not just &amp;ldquo;this account has 400 TB in S3.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;That turns a generic optimization request into a practical backlog item.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;Custom groups are only useful if the grouping logic reflects real ownership and lifecycle rules. If tags, prefixes, naming conventions, or account boundaries are inconsistent, the dashboard can give false confidence.&lt;/p&gt;
&lt;p&gt;Teams should avoid building too many groups at once. Start with questions that lead to action:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Which data can move to a colder tier?&lt;/li&gt;
&lt;li&gt;Which prefixes have no recent access?&lt;/li&gt;
&lt;li&gt;Which workloads are growing faster than expected?&lt;/li&gt;
&lt;li&gt;Which buckets contain small-object patterns that inflate request costs?&lt;/li&gt;
&lt;li&gt;Which teams own the largest retained datasets?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Also remember that visibility is not enforcement. Storage Lens can show the opportunity, but lifecycle rules, retention policies, and application changes implement the fix.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Pick one high-cost storage area and define a group around the way the business thinks about it. For example: production application logs older than 90 days, media originals by product, or export datasets by tenant.&lt;/p&gt;
&lt;p&gt;Then review the metrics with the owning team and decide on one action: lifecycle transition, deletion after retention, object compaction, prefix redesign, or access pattern review.&lt;/p&gt;
&lt;p&gt;The practical value of Storage Lens groups is not better charts. It is better conversations between platform, finance, security, and application teams about the specific data that is driving cost and risk.&lt;/p&gt;</content:encoded></item><item><title>S3 Files makes Lambda file workflows simpler, but not automatically better</title><link>https://theawsblog.com/news/emiliano-montesdeoca/s3-files-lambda-modernization/</link><pubDate>Wed, 24 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/s3-files-lambda-modernization/</guid><description>Amazon S3 Files lets Lambda functions work with S3-backed file paths instead of download-process-upload code, which can simplify workloads if teams understand consistency, throughput, and VPC implications.</description><content:encoded>&lt;p&gt;A lot of Lambda code that works with S3 is not complicated because the business logic is complicated. It is complicated because the function has to download an object, manage &lt;code&gt;/tmp&lt;/code&gt;, process the file, upload the result, and clean up after itself.&lt;/p&gt;
&lt;p&gt;The AWS Compute Blog post on &lt;a href="https://aws.amazon.com/blogs/compute/modernizing-lambda-s3-workloads-with-amazon-s3-files/"&gt;modernizing Lambda and S3 workloads with Amazon S3 Files&lt;/a&gt; shows a different model: mount an S3-backed file system and let the function use normal file paths.&lt;/p&gt;
&lt;p&gt;That sounds small. For many workloads, it changes the shape of the code.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;S3 Files lets a Lambda function mount an S3 bucket as a file system at a path such as &lt;code&gt;/mnt/data&lt;/code&gt;. Code can open, read, write, list, and organize files using filesystem operations while S3 remains the durable backing store.&lt;/p&gt;
&lt;p&gt;The source article uses examples such as image processing, ETL pipelines, and multi-agent shared workspaces. In each case, the function moves away from explicit S3 transfer code and toward direct file I/O.&lt;/p&gt;
&lt;p&gt;That removes a surprising amount of glue:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;no manual download before processing,&lt;/li&gt;
&lt;li&gt;no upload step after writing output,&lt;/li&gt;
&lt;li&gt;less &lt;code&gt;/tmp&lt;/code&gt; capacity management,&lt;/li&gt;
&lt;li&gt;fewer cleanup paths for failed invocations,&lt;/li&gt;
&lt;li&gt;simpler handoffs between functions that share a workspace.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;The strongest use case is modernization of existing file-oriented libraries. Many image, document, ML, and data-processing libraries expect file paths. Without S3 Files, Lambda code often has to adapt object storage into temporary local files before real work can start.&lt;/p&gt;
&lt;p&gt;S3 Files lets builders keep file-based code and still use S3 as the storage layer. That can make Lambda more attractive for workloads that previously moved to containers only because file handling became awkward.&lt;/p&gt;
&lt;p&gt;The shared workspace pattern is also interesting for AI agents. If multiple Lambda functions collaborate on a session, a directory tree can be easier to reason about than a collection of object keys and serialized state blobs.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;I would not replace every S3 API call with file I/O.&lt;/p&gt;
&lt;p&gt;Object APIs are still excellent when you want explicit object boundaries, event-driven processing, presigned URLs, lifecycle policies, replication, and direct control over metadata. File systems are easier for some code, but they can also hide transfer and consistency behavior behind familiar syntax.&lt;/p&gt;
&lt;p&gt;Builders should validate:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;throughput for large files,&lt;/li&gt;
&lt;li&gt;behavior under high concurrency,&lt;/li&gt;
&lt;li&gt;consistency expectations between producers and consumers,&lt;/li&gt;
&lt;li&gt;VPC and mount target requirements,&lt;/li&gt;
&lt;li&gt;IAM permissions for mount and write operations,&lt;/li&gt;
&lt;li&gt;failure behavior when a function exits while writing.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Also remember that simpler code is not the same as simpler operations. If many functions share a writable workspace, you need naming conventions, cleanup policies, and safeguards against accidental overwrite.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Look for Lambda functions where more code is spent on S3 transfers than on the actual business logic. Image resizing, report generation, data conversion, document processing, and agent workspaces are good candidates.&lt;/p&gt;
&lt;p&gt;For each candidate, compare two versions:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;current S3 API flow with &lt;code&gt;/tmp&lt;/code&gt;,&lt;/li&gt;
&lt;li&gt;S3 Files flow with mounted paths.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Measure duration, memory, error handling complexity, and cost. The winning design may be different per workload.&lt;/p&gt;
&lt;p&gt;The useful takeaway is not that file systems are better than object APIs. It is that Lambda now has a cleaner option when the workload is naturally file-shaped.&lt;/p&gt;</content:encoded></item></channel></rss>