Introducing Amazon S3 Express One Zone: High-Performance Storage with Enhanced CloudTrail Logging
Amazon Web Services (AWS) has recently unveiled a new storage class, Amazon S3 Express One Zone, during the re:Invent 2023 event. This high-performance, single-Availability Zone (AZ) storage class is engineered to offer consistent single-digit millisecond data access. It is specifically tailored for applications that demand low latency and frequent data access. The S3 Express One Zone is designed to provide up to 10 times better performance compared to the S3 Standard storage class. This storage class utilizes S3 directory buckets to store objects within a single AZ, making it an ideal choice for demanding applications.
Enhanced Monitoring with AWS CloudTrail
Starting today, Amazon S3 Express One Zone supports AWS CloudTrail data event logging. This new feature enables you to monitor all object-level operations such as PutObject, GetObject, and DeleteObject, in addition to bucket-level actions like CreateBucket and DeleteBucket, which were already supported. This enhancement is crucial for auditing purposes, governance, and compliance. Furthermore, it allows you to leverage S3 Express One Zone’s 50% lower request costs compared to the S3 Standard storage class.
With this capability, you can quickly identify which S3 Express One Zone objects were created, read, updated, or deleted, and trace the source of the API calls. If unauthorized access is detected, immediate actions can be taken to restrict access. Additionally, the CloudTrail integration with Amazon EventBridge allows you to create rule-based workflows triggered by data events, further enhancing your ability to manage and secure your data.
Setting Up CloudTrail Data Event Logging for S3 Express One Zone
To utilize this new feature, start by accessing the Amazon S3 console. Following the steps to create a directory bucket, you will create an S3 bucket and select "Directory" as the bucket type, specifying an Availability Zone such as apne1-az4. After entering a base name, a suffix that includes the Availability Zone ID will be automatically added to create the final name. Confirm that the data is stored in a single Availability Zone and proceed to create the bucket.
Next, navigate to the CloudTrail console to enable data event logging. Create a CloudTrail trail responsible for tracking the events of your S3 directory bucket. In the "Choose log events" step, select "Data events" with "Advanced event selectors are enabled." For the data event type, choose "S3 Express" and either log all events or customize the log selector template to manage data events for specific S3 directory buckets. Finish by reviewing and creating the trail, thus enabling logging with CloudTrail.
CloudTrail Data Event Logging in Action
To see CloudTrail data event logging in action, you can perform operations such as uploading and downloading files to your S3 directory bucket using the S3 console or AWS CLI. For instance, you can send Put_Object and Get_Object commands via AWS CLI:
sh<br /> $ aws s3api put-object --bucket s3express-one-zone-cloudtrail--apne1-az4--x-s3 --key cloudtrail_test --body cloudtrail_test.txt<br /> $ aws s3api get-object --bucket s3express-one-zone-cloudtrail--apne1-az4--x-s3 --key cloudtrail_test response.txt<br />
CloudTrail will publish log files to your S3 bucket in a gzip archive, organized hierarchically based on the bucket name, account ID, Region, and date. By listing the bucket associated with your trail and retrieving the log files for the relevant date, you can inspect the logs to identify events such as PutObject and GetObject, differentiating between operations performed via the S3 console and AWS CLI.
Key Insights and Practical Applications
Getting Started
You can enable CloudTrail data event logging for S3 Express One Zone using the CloudTrail console, CLI, or SDKs. This feature is designed to simplify governance and compliance for your high-performance storage needs.
Regions
CloudTrail data event logging is available in all AWS Regions where S3 Express One Zone is currently offered.
Activity Logging
With CloudTrail data event logging for S3 Express One Zone, you can track object-level activities such as PutObject, GetObject, and DeleteObject, as well as bucket-level activities like CreateBucket and DeleteBucket.
Conclusion
The introduction of CloudTrail data event logging for S3 Express One Zone significantly enhances your ability to monitor and manage your data storage. This feature not only ensures better governance and compliance but also provides a cost-effective solution with 50% lower request costs compared to the S3 Standard storage class.
For more information and detailed steps on how to implement this feature, you can visit the S3 User Guide and the AWS S3 Express One Zone page.
By integrating these new capabilities, AWS continues to provide robust and scalable solutions that meet the evolving needs of its users, ensuring high performance and enhanced security for your data storage requirements.
For more Information, Refer to this article.