Commit

Periodic update - 2023-03-17
aws-alan committed Mar 17, 2023
1 parent 1ea1a4c commit c5caf5a
Showing 80 changed files with 1,890 additions and 665 deletions.
128 changes: 21 additions & 107 deletions doc_source/CreatingMultiRegionAccessPoints.md

Large diffs are not rendered by default.

5 changes: 5 additions & 0 deletions doc_source/FailoverConfiguration.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# Amazon S3 Multi\-Region Access Points routing states<a name="FailoverConfiguration"></a>

Your Amazon S3 Multi\-Region Access Points failover configuration determines the routing status of the AWS Regions that are used with the Multi\-Region Access Point\. You can configure your Amazon S3 Multi\-Region Access Point to be in an active\-active state or active\-passive state\.
+ **Active\-active** – In an active\-active configuration, all requests are automatically sent to the closest proximity AWS Region in your Multi\-Region Access Point\. After the Multi\-Region Access Point has been configured to be in an active\-active state, all Regions can receive traffic\. If traffic disruption occurs in an active\-active configuration, network traffic will automatically be redirected to one of the active Regions\.
+ **Active\-passive** – In an active\-passive configuration, the active Regions in your Multi\-Region Access Point receive traffic and the passive ones do not\. If you intend to use S3 failover controls to initiate failover in a disaster situation, set up your Multi\-Region Access Points in an active\-passive configuration while you're testing and performing disaster\-recovery planning\.
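Review bot: in the Active-active bullet, "closest proximity AWS Region" is redundant; "closest AWS Region" is enough. In the Active-passive bullet, "set up your Multi-Region Access Points in an active-passive configuration while you're testing and performing disaster-recovery planning" leaves open whether active-passive is a prerequisite for using S3 failover controls or only a recommendation during testing; state which, since readers will build their DR runbooks on it.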
11 changes: 3 additions & 8 deletions doc_source/MrapFailover.md
Expand Up @@ -8,12 +8,6 @@ For example, to perform failover to an AWS Region of your choice, you shift traf

If you have S3 Cross\-Region Replication \(CRR\) enabled with two\-way replication rules, you can keep your buckets synchronized during a failover\. In addition, if you have CRR enabled in an active\-active configuration, Amazon S3 Multi\-Region Access Points can also fetch data from the bucket location of closest proximity, which improves application performance\.

## Amazon S3 Multi\-Region Access Points routing states<a name="FailoverConfiguration"></a>

Your Amazon S3 Multi\-Region Access Points failover configuration determines the routing status of the AWS Regions that are used with the Multi\-Region Access Point\. You can configure your Amazon S3 Multi\-Region Access Point to be in an active\-active state or active\-passive state\.
+ **Active\-active** – In an active\-active configuration, all requests are automatically sent to the closest proximity AWS Region in your Multi\-Region Access Point\. After the Multi\-Region Access Point has been configured to be in an active\-active state, all Regions can receive traffic\. If traffic disruption occurs in an active\-active configuration, network traffic will automatically be redirected to one of the active Regions\.
+ **Active\-passive** – In an active\-passive configuration, the active Regions in your Multi\-Region Access Point receive traffic and the passive ones do not\. If you intend to use S3 failover controls to initiate failover in a disaster situation, set up your Multi\-Region Access Points in an active\-passive configuration while you're testing and performing disaster\-recovery planning\.

## AWS Region support<a name="RegionSupport"></a>

With Amazon S3 Multi\-Region Access Points failover controls, your S3 buckets can be in any of the [17 Regions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRestrictions.html) where Multi\-Region Access Points are supported\. You can initiate failover across any two Regions at one time\.
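Review bot: removing the routing-states section from this file retires the anchor MrapFailover.md#FailoverConfiguration; any other page in doc_source that still links to that anchor needs to be repointed at FailoverConfiguration.md, otherwise those cross-references will silently land on the top of this page.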
Expand All @@ -24,6 +18,7 @@ Although failover is initiated between only two Regions at one time, you can sep
The following topics demonstrate how to use and manage Amazon S3 Multi\-Region Access Point failover controls\.

**Topics**
+ [Amazon S3 Multi\-Region Access Points routing states](#FailoverConfiguration)
+ [AWS Region support](#RegionSupport)
+ [Using Amazon S3 Multi\-Region Access Point failover controls](UsingFailover.md)
+ [Amazon S3 Multi\-Region Access Points routing states](FailoverConfiguration.md)
+ [Using Amazon S3 Multi\-Region Access Point failover controls](UsingFailover.md)
+ [Amazon S3 Multi\-Region Access Point failover controls errors](mrap-failover-errors.md)
19 changes: 15 additions & 4 deletions doc_source/MrapOperations.md
@@ -1,4 +1,13 @@
# Using Multi\-Region Access Points with supported operations<a name="MrapOperations"></a>
# Using Multi\-Region Access Points with supported API operations<a name="MrapOperations"></a>

Amazon S3 provides a set of operations to manage Multi\-Region Access Points\. Amazon S3 processes some of these operations synchronously and some asynchronously\. When you invoke an asynchronous operation, Amazon S3 first synchronously authorizes the requested operation\. If authorization is successful, Amazon S3 returns a token that you can use to track the progress and results of the requested operation\.

**Note**
Requests that are made through the AWS Management Console are always synchronous\. The console waits until the request is completed before enabling you to submit another request\.

You can view the current status and results of the asynchronous operations using the console, or you can use `DescribeMultiRegionAccessPointOperation` in the AWS CLI, AWS SDKs, or REST API\. Amazon S3 provides a tracking token in the response to an asynchronous operation\. You include that tracking token as an argument to `DescribeMultiRegionAccessPointOperation`\. Amazon S3 then returns the current status and results of the specified operation, including any errors or relevant resource information\. Amazon S3 performs `DescribeMultiRegionAccessPointOperation` operations synchronously\.

All requests to create or maintain Multi\-Region Access Points are routed to the US West \(Oregon\) Region\. This is true regardless of which Region that you are in when making the request, or what Regions the Multi\-Region Access Point supports\. In addition, you must grant the `s3:ListAllMyBuckets` permission to the user, role, or other AWS Identity and Access Management \(IAM\) entity that makes a request to manage a Multi\-Region Access Point\.

The following examples demonstrate how to use Multi\-Region Access Points with compatible operations in Amazon S3\.

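Review bot: the new last paragraph tells readers to grant `s3:ListAllMyBuckets` without noting that this action cannot be scoped to a bucket and must be granted on `Resource: "*"`, so the identity that manages the Multi-Region Access Point is also allowed to enumerate every bucket in the account; stating that saves readers from trying to narrow the resource and getting an AccessDenied they cannot explain. The same paragraph's point that all management requests are routed to US West (Oregon) also matters for accounts whose SCPs or IAM conditions restrict `aws:RequestedRegion`: us-west-2 has to be allowed for these calls. Minor: "regardless of which Region that you are in" should drop "that".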
Expand Down Expand Up @@ -131,7 +140,7 @@ s3.get_multi_region_access_point_routes(

## Update your underlying Amazon S3 bucket policy<a name="update-underlying-bucket-policy"></a>

To grant proper access, you must also update the underlying Amazon S3 bucket policy\. The following examples delegate access control to the Multi\-Region Access Point policy so that the Multi\-Region Access Point policy is respected\.
To grant proper access, you must also update the underlying Amazon S3 bucket policy\. The following examples delegate access control to the Multi\-Region Access Point policy\. After you delegate access control to the Multi\-Region Access Point policy, the bucket policy is no longer used for access control when requests are made through the Multi\-Region Access Point\.

Here's an example bucket policy that delegates access control to the Multi\-Region Access Point policy\. To use this example bucket policy, replace the `user input placeholders` with your own information\.

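Review bot: the new sentence "the bucket policy is no longer used for access control when requests are made through the Multi-Region Access Point" should be paired with a statement that requests sent directly to the bucket are still evaluated against the bucket policy, and that IAM identity policies still apply either way; as written, a reader can conclude that delegation switches the bucket policy off. The example bucket policy itself is outside this hunk, so also confirm it limits the delegation with a condition such as `s3:DataAccessPointAccount` equal to the bucket owner's account rather than delegating to any access point.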
Expand Down Expand Up @@ -278,7 +287,9 @@ s3.submit_multi_region_access_point_routes(

You can use a presigned URL to generate a URL that allows you to access your Amazon S3 buckets through an Amazon S3 Multi\-Region Access Point\. When you create a presigned URL, you associate it with a specific object action such as an S3 upload \(`PutObject`\) or an S3 download \(`GetObject`\)\. You can share the URL, and anyone with access to it can perform the action embedded in the URL as if they were the original signing user\.

Presigned URLs have an expiration date\. When the expiration time is reached, the URL will no longer work\. However, before you use S3 Multi\-Region Access Points with presigned URLs, check the [AWS SDK compatibility](https://docs.aws.amazon.com/sdkref/latest/guide/feature-s3-mrap.html) with the SigV4A algorithm\. Verify that your SDK version supports SigV4A as the signing implementation that is used to sign the global AWS Region requests\. For more information about using presigned URLs with Amazon S3, see [Sharing objects by using presigned URLs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html)\.
Presigned URLs have an expiration date\. When the expiration time is reached, the URL will no longer work\.

Before you use S3 Multi\-Region Access Points with presigned URLs, check the [AWS SDK compatibility](https://docs.aws.amazon.com/sdkref/latest/guide/feature-s3-mrap.html) with the SigV4A algorithm\. Verify that your SDK version supports SigV4A as the signing implementation that is used to sign the global AWS Region requests\. For more information about using presigned URLs with Amazon S3, see [Sharing objects by using presigned URLs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html)\.

The following examples show how you can use Amazon S3 Multi\-Region Access Points with presigned URLs\. To use these examples, replace the *`user input placeholders`* with your own information\.

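Review bot: splitting the expiration sentence into its own paragraph is fine, but it now reads as if reaching the expiration time is the only way a presigned URL stops working; a URL signed with temporary credentials (the case the STS note at the end of this file covers) also becomes invalid when those credentials expire, which can be earlier than the URL's own expiration. Since the preceding paragraph says anyone holding the URL acts "as if they were the original signing user", adding that caveat beside the expiration sentence would help readers choose a sensible expiry.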
Expand Down Expand Up @@ -328,4 +339,4 @@ PresignedGetObjectRequest presignedGetObjectRequest = s3Presigner.presignGetObje
------

**Note**
To use SigV4A with temporary security credentials—for example, when using AWS Identity and Access Management \(IAM\) roles—make sure that you request the temporary credentials from a Regional endpoint in AWS Security Token Service \(AWS STS\), instead of a global endpoint\. If you use the global endpoint for AWS STS \(`sts.amazonaws.com`\), AWS STS will generate temporary credentials from a global endpoint, which isn't supported by Sig4A\. As a result, you'll get an error\. To resolve this issue, use any of the listed [Regional endpoints for AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_region-endpoints)\.
To use SigV4A with temporary security credentials—for example, when using IAM roles—make sure that you request the temporary credentials from a Regional endpoint in AWS Security Token Service \(AWS STS\), instead of a global endpoint\. If you use the global endpoint for AWS STS \(`sts.amazonaws.com`\), AWS STS will generate temporary credentials from a global endpoint, which isn't supported by Sig4A\. As a result, you'll get an error\. To resolve this issue, use any of the listed [Regional endpoints for AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_region-endpoints)\.
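Review bot: "isn't supported by Sig4A" in the last sentence of the note is a typo for "SigV4A"; the old line had it too and this change carries it over, so fix it while the line is being touched.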
13 changes: 13 additions & 0 deletions doc_source/MultiRegionAccessConfiguration.md
@@ -0,0 +1,13 @@
# Configuring a Multi\-Region Access Point for use with AWS PrivateLink<a name="MultiRegionAccessConfiguration"></a>

You can use Multi\-Region Access Points to route Amazon S3 request traffic between AWS Regions\. Each Multi\-Region Access Point global endpoint routes Amazon S3 data request traffic from multiple sources without your having to build complex networking configurations with separate endpoints\. These data\-request traffic sources include:
+ Traffic originating in a virtual private cloud \(VPC\)
+ Traffic from on\-premises data centers traveling over AWS PrivateLink
+ Traffic from the public internet

If you establish an AWS PrivateLink connection to an S3 Multi\-Region Access Point, you can route S3 requests into AWS, or across multiple AWS Regions, over a private connection by using a simple network architecture and configuration\. When you use AWS PrivateLink, you don't need to configure a VPC peering connection\.

**Topics**
+ [Configuring a Multi\-Region Access Point for use with AWS PrivateLink](MultiRegionAccessPointsPrivateLink.md)
+ [Removing access to a Multi\-Region Access Point from a VPC endpoint](RemovingMultiRegionAccessPointAccess.md)
+ [Multi\-Region Access Point restrictions and limitations](MultiRegionAccessPointRestrictions.md)
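Review bot: the first Topics entry carries the same title as this page's H1 ("Configuring a Multi-Region Access Point for use with AWS PrivateLink") while linking to a different file, MultiRegionAccessPointsPrivateLink.md; one of the two titles should be distinguished so the table of contents does not appear to list the page under itself. Minor: "without your having to build complex networking configurations" reads awkwardly; "without requiring you to build" is cleaner.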
19 changes: 11 additions & 8 deletions doc_source/MultiRegionAccessPointBucketReplication.md
@@ -1,13 +1,13 @@
# Configuring bucket replication for use with Multi\-Region Access Points<a name="MultiRegionAccessPointBucketReplication"></a>
# Configuring replication for use with Multi\-Region Access Points<a name="MultiRegionAccessPointBucketReplication"></a>

When you make a request to a Multi\-Region Access Point endpoint, Amazon S3 automatically routes the request to the bucket that responds to the request of closest proximity\. Amazon S3 does not consider the contents of the request when making this decision\. If you make a request to `GET` an object, your request might be routed to a bucket that doesn't have a copy of this object\. If that happens, you will receive an HTTP status code 404 \(Not Found\) error\.
When you make a request to a Multi\-Region Access Point endpoint, Amazon S3 automatically routes the request to the bucket that is closest to you\. Amazon S3 doesn't consider the contents of the request when making this decision\. If you make a request to `GET` an object, your request might be routed to a bucket that doesn't have a copy of this object\. If that happens, you receive an HTTP status code 404 \(Not Found\) error\. For more information about Multi\-Region Access Point request routing, see [Multi\-Region Access Point request routing](MultiRegionAccessPointRequestRouting.md)\.

If you want the Multi\-Region Access Point to be able to retrieve the object regardless of which bucket receives the request, you must configure Amazon S3 Cross\-Region Replication \(CRR\)\.

For example, consider a Multi\-Region Access Point with three buckets:
+ A bucket named `my-bucket-usw2` in the Region `us-west-2` that contains the object `my-image.jpg`
+ A bucket named `my-bucket-aps1` in the Region `ap-south-1` that contains the object `my-image.jpg`
+ A bucket named `my-bucket-euc1` in the Region `eu-central-1` that does not contain the object `my-image.jpg`
+ A bucket named `my-bucket-usw2` in the Region `us-west-2` that contains the object `my-image.jpg`
+ A bucket named `my-bucket-aps1` in the Region `ap-south-1` that contains the object `my-image.jpg`
+ A bucket named `my-bucket-euc1` in the Region `eu-central-1` that doesn't contain the object `my-image.jpg`

In this situation, if you make a `GetObject` request for the object `my-image.jpg`, the success of that request depends upon which bucket receives your request\. Because Amazon S3 doesn't consider the contents of the request, it might route your `GetObject` request to the `my-bucket-euc1` bucket if that bucket responds of closest proximity\. Even though your object is in a bucket in the Multi\-Region Access Point, you will get an HTTP 404 Not Found error because the individual bucket that received your request didn't have the object\.

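Review bot: the rewritten first paragraph says requests are routed to "the bucket that is closest to you", but with the routing states introduced in FailoverConfiguration.md in this same commit, passive Regions receive no traffic, so "the closest active bucket" would be more accurate and keeps the 404 explanation consistent with the failover pages. Minor: the unchanged paragraph that follows still says "if that bucket responds of closest proximity", the wording this change is otherwise retiring.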
Expand All @@ -17,10 +17,13 @@ Replication works as normal with buckets that are assigned to a Multi\-Region Ac

**Recommendations for using replication with Multi\-Region Access Points**
For the best replication performance when working with Multi\-Region Access Points, we recommend the following:
+ Configure S3 Replication Time Control \(S3 RTC\)\. To replicate your data across different Regions within a predictable time frame, you can use S3 RTC\. S3 RTC replicates 99\.99 percent of new objects stored in Amazon S3 within 15 minutes \(backed by a service\-level agreement\)\. For more information, see [Meeting compliance requirements using S3 Replication Time Control \(S3 RTC\)](replication-time-control.md)\. There are additional charges for S3 RTC\. For information about paying for S3 RTC fees, see [Amazon S3 Pricing](https://aws.amazon.com/s3/pricing/)\.
+ Use two\-way \(bi\-directional\) replication to support keeping buckets synchronized when buckets are updated through the Multi\-Region Access Point\. For more information, see [Creating two\-way replication rules for your Multi\-Region Access Point](mrap-create-replication-rules.md)\.
+ Configure S3 Replication Time Control \(S3 RTC\)\. To replicate your data across different Regions within a predictable time frame, you can use S3 RTC\. S3 RTC replicates 99\.99 percent of new objects stored in Amazon S3 within 15 minutes \(backed by a service\-level agreement\)\. For more information, see [Meeting compliance requirements using S3 Replication Time Control \(S3 RTC\)](replication-time-control.md)\. There are additional charges for S3 RTC\. For information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/)\.
+ Use two\-way \(bidirectional\) replication to support keeping buckets synchronized when buckets are updated through the Multi\-Region Access Point\. For more information, see [Create two\-way replication rules for your Multi\-Region Access Point](mrap-create-two-way-replication-rules.md)\.
+ Create cross\-account Multi\-Region Access Points to replicate data to buckets in separate AWS accounts\. This approach provides account\-level separation, so that data can be accessed from and replicated across different accounts in different Regions other than the source bucket\. Setting up cross\-account Multi\-Region Access Points comes at no additional cost\. If you're a bucket owner but don't own the Multi\-Region Access Point, you pay only for data transfer and request costs\. Multi\-Region Access Point owners pay for data routing and internet\-acceleration costs\. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/)\.
+ Enable replica modification sync for each replication rule to also keep metadata changes to your objects in sync\. For more information, see [Enabling replica modification sync](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-for-metadata-changes.html#enabling-replication-for-metadata-changes)\.
+ Enable Amazon CloudWatch metrics to [monitor replication events](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-metrics.html) events\. CloudWatch metrics fees apply\. For more information, see [Amazon CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/)\.

**Topics**
+ [Creating two\-way replication rules for your Multi\-Region Access Point](mrap-create-replication-rules.md)
+ [Create one\-way replication rules for your Multi\-Region Access Point](mrap-create-one-way-replication-rules.md)
+ [Create two\-way replication rules for your Multi\-Region Access Point](mrap-create-two-way-replication-rules.md)
+ [View the replication rules for your Multi\-Region Access Point](mrap-view-replication-rules.md)
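Review bot: the CloudWatch bullet reads "monitor replication events events" (duplicated word), and the cross-account bullet's "across different accounts in different Regions other than the source bucket" is garbled; suggest "across different accounts and Regions from the source bucket". The renamed two-way link target mrap-create-two-way-replication-rules.md now appears both in the recommendations bullet and in Topics, so confirm that the old mrap-create-replication-rules.md is removed or redirected elsewhere in this commit to avoid leaving a dead link.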