Skip to main content AWS S3 object storage for bucket management, object operations, and access control. Use when creating buckets, uploading files, configuring lifecycle policies, setting up static websites, managing permissions, or implementing cross-region replication.
npx skills add itsmostafa/aws-agent-skills --skill s3 agent-skills agentic-ai aws claude-code claude-skills codex
AWS S3
Amazon Simple Storage Service (S3) provides scalable object storage with industry-leading durability (99.999999999%). S3 is fundamental to AWS—used for data lakes, backups, static websites, and as storage for many other AWS services.
Table of Contents
Core Concepts
Buckets
Containers for objects. Bucket names are globally unique across all AWS accounts.
Objects
Files stored in S3, consisting of data, metadata, and a unique key (path). Maximum size: 5 TB.
Storage Classes
Class Use Case Durability Availability Standard Frequently accessed 99.999999999% 99.99% Intelligent-Tiering
Standard-IA Infrequent access 99.999999999% 99.9%
Glacier Instant Archive with instant retrieval 99.999999999% 99.9%
Glacier Flexible Archive (minutes to hours) 99.999999999% 99.99%
Glacier Deep Archive Long-term archive 99.999999999% 99.99%
Versioning Keeps multiple versions of an object. Essential for data protection and recovery.
Common Patterns
Create a Bucket with Best Practices # Create bucket (us-east-1 doesn't need LocationConstraint)
aws s3api create-bucket \
--bucket my-secure-bucket-12345 \
--region us-west-2 \
--create-bucket-configuration LocationConstraint=us-west-2
# Enable versioning
aws s3api put-bucket-versioning \
--bucket my-secure-bucket-12345 \
--versioning-configuration Status=Enabled
# Block public access
aws s3api put-public-access-block \
--bucket my-secure-bucket-12345 \
--public-access-block-configuration \
BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
# Enable encryption
aws s3api put-bucket-encryption \
--bucket my-secure-bucket-12345 \
--server-side-encryption-configuration '{
"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
}'
import boto3
s3 = boto3.client('s3', region_name='us-west-2')
# Create bucket
s3.create_bucket(
Bucket='my-secure-bucket-12345',
CreateBucketConfiguration={'LocationConstraint': 'us-west-2'}
)
# Enable versioning
s3.put_bucket_versioning(
Bucket='my-secure-bucket-12345',
VersioningConfiguration={'Status': 'Enabled'}
)
# Block public access
s3.put_public_access_block(
Bucket='my-secure-bucket-12345',
PublicAccessBlockConfiguration={
'BlockPublicAcls': True,
'IgnorePublicAcls': True,
'BlockPublicPolicy': True,
'RestrictPublicBuckets': True
}
)
Upload and Download Objects # Upload a single file
aws s3 cp myfile.txt s3://my-bucket/path/myfile.txt
# Upload with metadata
aws s3 cp myfile.txt s3://my-bucket/path/myfile.txt \
--metadata "environment=production,version=1.0"
# Download a file
aws s3 cp s3://my-bucket/path/myfile.txt ./myfile.txt
# Sync a directory
aws s3 sync ./local-folder s3://my-bucket/prefix/ --delete
# Copy between buckets
aws s3 cp s3://source-bucket/file.txt s3://dest-bucket/file.txt
Generate Presigned URL import boto3
from botocore.config import Config
s3 = boto3.client('s3', config=Config(signature_version='s3v4'))
# Generate presigned URL for download (GET)
url = s3.generate_presigned_url(
'get_object',
Params={'Bucket': 'my-bucket', 'Key': 'path/to/file.txt'},
ExpiresIn=3600 # URL valid for 1 hour
)
# Generate presigned URL for upload (PUT)
upload_url = s3.generate_presigned_url(
'put_object',
Params={
'Bucket': 'my-bucket',
'Key': 'uploads/newfile.txt',
'ContentType': 'text/plain'
},
ExpiresIn=3600
)
Configure Lifecycle Policy cat > lifecycle.json << 'EOF'
{
"Rules": [
{
"ID": "MoveToGlacierAfter90Days",
"Status": "Enabled",
"Filter": {"Prefix": "logs/"},
"Transitions": [
{"Days": 90, "StorageClass": "GLACIER"}
],
"Expiration": {"Days": 365}
},
{
"ID": "DeleteOldVersions",
"Status": "Enabled",
"Filter": {},
"NoncurrentVersionExpiration": {"NoncurrentDays": 30}
}
]
}
EOF
aws s3api put-bucket-lifecycle-configuration \
--bucket my-bucket \
--lifecycle-configuration file://lifecycle.json
Event Notifications to Lambda aws s3api put-bucket-notification-configuration \
--bucket my-bucket \
--notification-configuration '{
"LambdaFunctionConfigurations": [
{
"LambdaFunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:ProcessS3Upload",
"Events": ["s3:ObjectCreated:*"],
"Filter": {
"Key": {
"FilterRules": [
{"Name": "prefix", "Value": "uploads/"},
{"Name": "suffix", "Value": ".jpg"}
]
}
}
}
]
}'
CLI Reference
High-Level Commands (aws s3) Command Description aws s3 lsList buckets or objects aws s3 cpCopy files aws s3 mvMove files aws s3 rmDelete files aws s3 syncSync directories aws s3 mbMake bucket aws s3 rbRemove bucket
Low-Level Commands (aws s3api) Command Description aws s3api create-bucketCreate bucket with options aws s3api put-objectUpload with full control aws s3api get-objectDownload with options aws s3api delete-objectDelete single object aws s3api put-bucket-policySet bucket policy aws s3api put-bucket-versioningEnable versioning aws s3api list-object-versionsList all versions
Useful Flags
--recursive: Process all objects in prefix
--exclude/--include: Filter objects
--dryrun: Preview changes
--storage-class: Set storage class
--acl: Set access control (prefer policies instead)
Best Practices
Security
Block public access at account and bucket level
Enable versioning for data protection
Use bucket policies over ACLs
Enable encryption (SSE-S3 or SSE-KMS)
Enable access logging for audit
Use VPC endpoints for private access
Enable MFA Delete for critical buckets
Performance
Use Transfer Acceleration for distant uploads
Use multipart upload for files > 100 MB
Randomize key prefixes for high-throughput (less relevant with 2024 improvements)
Use byte-range fetches for large file downloads
Cost Optimization
Use lifecycle policies to transition to cheaper storage
Enable Intelligent-Tiering for unpredictable access
Delete incomplete multipart uploads :
{
"Rules": [{
"ID": "AbortIncompleteMultipartUpload",
"Status": "Enabled",
"Filter": {},
"AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7}
}]
}
Use S3 Storage Lens to analyze storage patterns
Troubleshooting
Access Denied Errors
Bucket policy denies access
IAM policy missing permissions
Public access block preventing access
Object owned by different account
VPC endpoint policy blocking
# Check your identity
aws sts get-caller-identity
# Check bucket policy
aws s3api get-bucket-policy --bucket my-bucket
# Check public access block
aws s3api get-public-access-block --bucket my-bucket
# Check object ownership
aws s3api get-object-attributes \
--bucket my-bucket \
--key myfile.txt \
--object-attributes ObjectOwner
CORS Errors Symptom: Browser blocks cross-origin request
aws s3api put-bucket-cors --bucket my-bucket --cors-configuration '{
"CORSRules": [{
"AllowedOrigins": ["https://myapp.com"],
"AllowedMethods": ["GET", "PUT", "POST"],
"AllowedHeaders": ["*"],
"ExposeHeaders": ["ETag"],
"MaxAgeSeconds": 3600
}]
}'
Slow Uploads
Use multipart upload for large files
Enable Transfer Acceleration
Use aws s3 cp with --expected-size for large files
Check network throughput to the region
403 on Presigned URL
URL expired
Signer lacks permissions
Bucket policy blocks access
Region mismatch (v4 signatures are region-specific)
Fix: Ensure signer has permissions and use correct region.
References Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).