AWS S3 for the SAA-C03 Exam: The Complete Guide

Everything you need to know about Amazon S3 for the AWS Solutions Architect Associate exam. Covers storage classes, encryption, versioning, replication, lifecycle policies, and access control.

By Sailor Team, April 13, 2026

Amazon S3 is one of the most heavily tested services on the AWS Solutions Architect Associate (SAA-C03) exam. It appears in questions about storage design, security, cost optimization, data protection, and architecture patterns. You can expect S3 to be directly or indirectly referenced in 15 to 25 percent of exam questions, making it arguably the single most important service to master.

This guide covers every S3 concept that appears on the SAA-C03, organized from core features to advanced capabilities. Each section connects to the types of exam scenarios you will encounter.

For a structured study approach, pair this guide with our SAA-C03 study plan and exam topics overview.

S3 Fundamentals

Amazon S3 (Simple Storage Service) is an object storage service that offers industry-leading scalability, data availability, security, and performance. Objects are stored in buckets, and each object is identified by a unique key within its bucket.

Core Characteristics

  • Object storage — Stores files as objects (not blocks or file systems)
  • Virtually unlimited storage — No practical limit on the number of objects
  • Object size — 0 bytes to 5 TB per object
  • Bucket names — Globally unique across all AWS accounts
  • Regional service — Data is stored in a specific Region but bucket names are global
  • Durability — 99.999999999% (11 nines) durability for all storage classes
  • Flat namespace — S3 uses a flat structure with prefixes that mimic folders in the console

S3 Consistency Model

As of December 2020, S3 provides strong read-after-write consistency for all operations. After a successful write of a new object or an overwrite, any subsequent read request immediately receives the latest version. This applies to both GET and LIST operations. For the exam, you no longer need to worry about eventual consistency for S3.

S3 Storage Classes

Understanding S3 storage classes is essential for cost optimization questions on the exam. Each class is designed for different access patterns and cost requirements.

Storage Class Comparison Table

| Storage Class | Availability | Min Storage Duration | Retrieval Fee | Use Case |
|---|---|---|---|---|
| S3 Standard | 99.99% | None | None | Frequently accessed data |
| S3 Intelligent-Tiering | 99.9% | None | None (monitoring fee) | Unpredictable access patterns |
| S3 Standard-IA | 99.9% | 30 days | Per-GB retrieval | Infrequently accessed, rapid retrieval |
| S3 One Zone-IA | 99.5% | 30 days | Per-GB retrieval | Infrequent access, non-critical data |
| S3 Glacier Instant Retrieval | 99.9% | 90 days | Per-GB retrieval | Archive with millisecond access |
| S3 Glacier Flexible Retrieval | 99.99% | 90 days | Per-GB retrieval | Archive with minutes to hours access |
| S3 Glacier Deep Archive | 99.99% | 180 days | Per-GB retrieval | Long-term archive, 12-48 hour access |

S3 Standard

The default storage class for frequently accessed data. No retrieval fees, no minimum storage duration, and the highest availability at 99.99%. Use this for active data, content distribution, analytics, and any workload where objects are accessed regularly.

S3 Intelligent-Tiering

Automatically moves objects between access tiers based on actual usage patterns. It has four access tiers: Frequent Access, Infrequent Access (after 30 days), Archive Instant Access (after 90 days), and optional Archive Access and Deep Archive Access tiers. There is a small monthly monitoring and automation fee per object, but no retrieval fees when objects move between tiers. This is the best choice when access patterns are unknown or variable.

S3 Standard-Infrequent Access (Standard-IA)

Lower storage cost than Standard but charges a per-GB retrieval fee. Has a minimum storage duration of 30 days and a minimum object size charge of 128 KB. Ideal for data accessed less than once a month but requiring immediate access when needed, such as backups, disaster recovery files, and long-tail content.

S3 One Zone-Infrequent Access (One Zone-IA)

Same as Standard-IA but stored in a single Availability Zone instead of three. This reduces cost by about 20% compared to Standard-IA but sacrifices availability and resilience. Use for data that can be recreated, like thumbnail images, transcoded media, or secondary backup copies.

Exam Tip: If a question mentions storing data that can be recreated and cost optimization is a priority, One Zone-IA is likely the answer.

S3 Glacier Instant Retrieval

Designed for archive data that is rarely accessed (once per quarter) but requires millisecond retrieval. Up to 68% lower cost than Standard-IA. Has a 90-day minimum storage duration. Good for medical images, news media assets, or archived user-generated content that may need immediate access.

S3 Glacier Flexible Retrieval (formerly Glacier)

For archive data where retrieval times of minutes to hours are acceptable. Three retrieval options:

  • Expedited: 1-5 minutes (most expensive)
  • Standard: 3-5 hours
  • Bulk: 5-12 hours (least expensive)

Has a 90-day minimum storage duration. Suitable for compliance archives, media asset archives, and data lakes that are queried infrequently.

S3 Glacier Deep Archive

The lowest-cost storage class in S3. Designed for data that is accessed once or twice per year and retained for seven or more years. Retrieval times are 12 hours (Standard) or 48 hours (Bulk). Has a 180-day minimum storage duration. Ideal for regulatory compliance data, financial records, and healthcare records that must be preserved long-term.

Exam Scenario: A company needs to store compliance data for seven years. The data is never accessed after initial storage unless an audit request occurs. Glacier Deep Archive is the most cost-effective choice.

Encryption Options

S3 encryption is a frequent exam topic, especially in the Design Secure Architectures domain (30% of the exam).

Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)

  • AWS manages both the encryption key and the encryption process
  • Uses AES-256 encryption
  • Enabled by default on all new buckets (since January 2023)
  • Simplest option with no key management overhead
  • Set the header x-amz-server-side-encryption: AES256

Server-Side Encryption with AWS KMS Keys (SSE-KMS)

  • Uses AWS Key Management Service to manage encryption keys
  • Provides an audit trail of key usage through CloudTrail
  • Allows you to control who can use the keys through KMS key policies
  • Supports customer-managed KMS keys for full key lifecycle control
  • Set the header x-amz-server-side-encryption: aws:kms
  • KMS has API rate limits (requests per second) that can affect high-throughput workloads

Exam Tip: When a question mentions audit trails for encryption key usage or fine-grained key access control, SSE-KMS is the answer.

Server-Side Encryption with Customer-Provided Keys (SSE-C)

  • You provide your own encryption key with each request
  • AWS performs the encryption/decryption but does not store your key
  • Must use HTTPS (not HTTP) for all requests
  • You are responsible for managing and rotating keys
  • If you lose the key, you lose the data

Client-Side Encryption

  • You encrypt data before uploading it to S3
  • AWS never sees the unencrypted data
  • You manage the entire encryption process and key management
  • Use this when regulatory requirements mandate that AWS never has access to unencrypted data

Exam Scenario: A company requires that AWS never has access to unencrypted data and manages their own encryption keys entirely. The answer is client-side encryption.

Versioning

S3 versioning keeps multiple variants of an object in the same bucket. Once enabled, versioning cannot be disabled, only suspended.

Key Concepts

  • Each object version has a unique version ID
  • Deleting an object adds a delete marker rather than removing the object
  • Previous versions can be restored by removing the delete marker
  • Versioning is required for cross-region replication
  • MFA Delete can be enabled to require MFA for deleting object versions or changing versioning state (requires the root account to enable)

Cost Implications

All versions of an object are stored and billed. A 1 GB file modified 10 times results in approximately 10 GB of storage charges (depending on how much of the file changes). Use lifecycle policies to manage older versions and control costs.

Exam Tip: When a question asks about protecting against accidental deletion, the combination of versioning and MFA Delete is the strongest answer.

Lifecycle Policies

S3 Lifecycle policies automate transitioning objects between storage classes or expiring objects based on age. They are central to cost optimization questions.

Transition Actions

Move objects between storage classes automatically based on age:

  • Standard -> Standard-IA (minimum 30 days after creation)
  • Standard-IA -> One Zone-IA or Glacier tiers
  • Any class -> Glacier Flexible Retrieval or Glacier Deep Archive

Transition rules follow a waterfall model: objects can only move to less frequently accessed (cheaper) tiers, not backward.

Expiration Actions

Automatically delete objects, previous versions, or incomplete multipart uploads after a specified period.

Common Lifecycle Patterns

  • Move logs to Standard-IA after 30 days, Glacier after 90 days, delete after 365 days
  • Delete previous versions after 90 days to control versioning costs
  • Expire incomplete multipart uploads after 7 days to avoid hidden storage charges

Exam Scenario: A company stores application logs in S3. Logs are accessed frequently for the first week, occasionally for the next month, and rarely afterward but must be retained for one year. The answer involves a lifecycle policy transitioning to Standard-IA at 30 days, Glacier at 90 days, and deletion at 365 days.
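
The log-retention scenario above as an added example (not code from the original guide): the rule is written in the dictionary shape that boto3's `put_bucket_lifecycle_configuration` accepts, and two hypothetical helpers, `validate_rule` and `storage_class_at`, check it locally. The `logs/` prefix, the rule ID and the simplified `WATERFALL` ordering are assumptions.

```python
# Added example: lifecycle rule for the log-retention scenario, checked locally.
# The "logs/" prefix and rule ID are assumptions; nothing here calls AWS.

# Simplified waterfall: a transition may only move to a class later in the list.
WATERFALL = ["STANDARD", "STANDARD_IA", "ONEZONE_IA",
             "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE"]

LOG_RULE = {
    "ID": "log-retention",
    "Filter": {"Prefix": "logs/"},
    "Status": "Enabled",
    "Transitions": [
        {"Days": 30, "StorageClass": "STANDARD_IA"},
        {"Days": 90, "StorageClass": "GLACIER"},  # Glacier Flexible Retrieval
    ],
    "Expiration": {"Days": 365},
    "NoncurrentVersionExpiration": {"NoncurrentDays": 90},
    "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
}
LIFECYCLE_CONFIGURATION = {"Rules": [LOG_RULE]}


def validate_rule(rule):
    """Return a list of problems; an empty list means the rule is consistent."""
    problems = []
    prev_rank, prev_days = WATERFALL.index("STANDARD"), 0
    for t in sorted(rule.get("Transitions", []), key=lambda t: t["Days"]):
        rank = WATERFALL.index(t["StorageClass"])
        if rank <= prev_rank:
            problems.append(
                f"{t['StorageClass']} at day {t['Days']} moves up the waterfall")
        if t["StorageClass"] == "STANDARD_IA" and t["Days"] < 30:
            problems.append("STANDARD_IA transition before day 30")
        prev_rank, prev_days = rank, t["Days"]
    expiry = rule.get("Expiration", {}).get("Days")
    if expiry is not None and expiry <= prev_days:
        problems.append("expiration is not after the last transition")
    if "AbortIncompleteMultipartUpload" not in rule:
        problems.append("incomplete multipart uploads are never cleaned up")
    return problems


def storage_class_at(rule, age_days):
    """Storage class of a current object version at a given age, or 'EXPIRED'."""
    expiry = rule.get("Expiration", {}).get("Days")
    if expiry is not None and age_days >= expiry:
        return "EXPIRED"
    current = "STANDARD"
    for t in sorted(rule.get("Transitions", []), key=lambda t: t["Days"]):
        if age_days >= t["Days"]:
            current = t["StorageClass"]
    return current
```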

Replication

S3 replication automatically copies objects between buckets. There are two types:

Cross-Region Replication (CRR)

  • Copies objects to a bucket in a different AWS Region
  • Use cases: compliance (geographic data residency), latency reduction, disaster recovery
  • Requires versioning on both source and destination buckets
  • Does not replicate existing objects (only new objects after enabling); use S3 Batch Replication for existing objects

Same-Region Replication (SRR)

  • Copies objects to a bucket in the same Region
  • Use cases: log aggregation across accounts, production and test environment synchronization, compliance copies
  • Requires versioning on both buckets

Replication Key Points for the Exam

  • Replication is asynchronous
  • Delete markers are not replicated by default (can be enabled)
  • Versioning must be enabled on both source and destination
  • Objects encrypted with SSE-C cannot be replicated
  • No chaining: if Bucket A replicates to Bucket B and Bucket B replicates to Bucket C, objects created in A do not automatically appear in C
  • You can replicate to buckets in different AWS accounts

Exam Scenario: A company needs to maintain a copy of all S3 data in a different Region for disaster recovery. CRR with versioning enabled is the correct solution.

Access Control

S3 access control is heavily tested, especially in the security domain.

Bucket Policies

JSON-based policies attached to the bucket. They can grant or deny access to specific principals (IAM users, roles, accounts, or the public). Common uses:

  • Grant cross-account access
  • Enforce encryption on uploads (deny PutObject without encryption header)
  • Restrict access to specific VPC endpoints
  • Allow CloudFront Origin Access Control
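
The "deny PutObject without encryption header" use case as an added example (not code from the original guide): a bucket policy with two Deny statements that require SSE-KMS, plus a hypothetical local helper, `denied_by`, that models how those conditions treat a request's headers. The bucket name is a placeholder and the evaluator covers only the two condition operators this policy uses.

```python
# Added example: bucket policy that rejects uploads without SSE-KMS, with a
# simplified local model of its Deny conditions. Real evaluation happens
# inside AWS; the bucket name is a placeholder.
import json

BUCKET = "example-bucket"  # placeholder (assumption)
SSE_KEY = "s3:x-amz-server-side-encryption"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Encryption header is not aws:kms (this also matches when absent).
            "Sid": "DenyWrongEncryptionHeader",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {SSE_KEY: "aws:kms"}},
        },
        {   # Encryption header is missing altogether.
            "Sid": "DenyMissingEncryptionHeader",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {SSE_KEY: "true"}},
        },
    ],
}


def _condition_matches(condition, context):
    """Evaluate the two operators used above; every entry must match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringNotEquals":
                # Negated string operators also match when the key is absent.
                ok = actual != expected
            elif operator == "Null":
                ok = (actual is None) == (expected == "true")
            else:
                raise ValueError(f"operator {operator} is not modelled")
            if not ok:
                return False
    return True


def denied_by(policy, action, request_headers):
    """Return the Sids of the Deny statements that match a request."""
    context = {}
    if "x-amz-server-side-encryption" in request_headers:
        context[SSE_KEY] = request_headers["x-amz-server-side-encryption"]
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and s["Action"] == action
            and _condition_matches(s.get("Condition", {}), context)]


def policy_json():
    """Serialise the policy as it would be attached to the bucket."""
    return json.dumps(POLICY, indent=2)
```

An upload that sends `x-amz-server-side-encryption: AES256` is still denied by this policy, because it requires SSE-KMS specifically.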

IAM Policies

Identity-based policies attached to IAM users, groups, or roles. Control what S3 actions a principal can perform. The effective permissions are the intersection of IAM policies and bucket policies (both must allow the action for it to succeed, unless there is an explicit deny).

S3 Access Points

Simplify managing access for shared datasets. Each access point has its own DNS name and access policy. Useful when multiple teams or applications need different access permissions to the same bucket. You can restrict access points to specific VPCs.

S3 Block Public Access

Account-level and bucket-level settings that override any policy or ACL that would grant public access. Four settings:

  1. Block new public ACLs
  2. Remove public access granted through ACLs
  3. Block new public bucket policies
  4. Block public and cross-account access through any public bucket policy

Best practice: Enable all four Block Public Access settings at the account level and only disable at the bucket level for buckets that genuinely need public access (like static website hosting).

Access Control Lists (ACLs)

A legacy access control mechanism. AWS now recommends using bucket policies and IAM policies instead. For new buckets, ACLs are disabled by default with the “Bucket owner enforced” setting. The exam may mention ACLs in the context of legacy configurations or migrating to modern access control.

Exam Tip: When a question asks about preventing any S3 bucket in an account from being publicly accessible, the answer is enabling S3 Block Public Access at the account level.

S3 Event Notifications

S3 can publish notifications when certain events occur in your bucket. Supported destinations:

  • SNS — Fan out notifications to multiple subscribers
  • SQS — Queue events for asynchronous processing
  • Lambda — Trigger serverless functions for real-time processing
  • EventBridge — Route events to multiple targets with filtering and transformation

Common event types: object creation, object deletion, object restore from Glacier, replication events.

Exam Scenario: An application needs to generate thumbnails automatically when images are uploaded to S3. The answer is an S3 event notification triggering a Lambda function on the s3:ObjectCreated:* event.

S3 Transfer Acceleration

S3 Transfer Acceleration uses CloudFront edge locations to accelerate uploads to S3 over long distances. Data is routed to the nearest edge location over the internet, then transferred to S3 over the optimized AWS backbone network.

Key points:

  • Must be enabled on the bucket
  • Uses a distinct endpoint: bucketname.s3-accelerate.amazonaws.com
  • Most effective for uploads over long geographic distances
  • Charges apply only when acceleration provides measurable improvement
  • Compatible with multipart upload

Exam Scenario: A global application needs to upload large files to a single S3 bucket in us-east-1. Users in Asia and Europe experience slow uploads. Transfer Acceleration is the correct solution.

Multipart Upload

Multipart upload allows you to upload a single object as a set of parts independently and in parallel.

  • Recommended for objects over 100 MB
  • Required for objects over 5 GB
  • Upload parts in parallel to improve throughput
  • Retry only failed parts instead of the entire upload
  • Parts can be uploaded in any order
  • Must complete or abort the multipart upload; incomplete uploads consume storage

Exam Tip: Always use lifecycle policies to clean up incomplete multipart uploads. They are a common source of unexpected S3 storage costs.

Presigned URLs

Presigned URLs grant temporary access to a specific S3 object without requiring AWS credentials or making the object public.

  • Can be generated for both uploads (PUT) and downloads (GET)
  • Include an expiration time (default 1 hour for AWS CLI, configurable up to 7 days)
  • The permissions of the presigned URL are based on the permissions of the identity that generated it
  • If the identity’s permissions are revoked, the presigned URL stops working

Exam Scenario: A web application needs to allow authenticated users to download files from a private S3 bucket without making the bucket public. The answer is generating presigned URLs server-side and returning them to the client.

S3 Select and Glacier Select

S3 Select allows you to retrieve a subset of data from an object using SQL expressions. Instead of downloading an entire CSV or JSON file and processing it client-side, you can filter server-side and retrieve only the rows and columns you need.

Benefits:

  • Up to 400% faster than downloading and filtering entire objects
  • Reduces data transfer costs by retrieving only needed data
  • Supports CSV, JSON, and Parquet formats
  • Works with GZIP and BZIP2 compressed files

For more complex analytics, consider Amazon Athena, which queries S3 data using standard SQL without loading it into a database.

Common S3 Exam Scenarios

Scenario 1: Cost-Effective Log Storage

Problem: Store application logs that are accessed frequently for 7 days, occasionally for 30 days, and must be retained for 1 year.

Solution: Store in S3 Standard. Lifecycle policy to transition to Standard-IA at 30 days, Glacier Flexible Retrieval at 90 days, and delete at 365 days.

Scenario 2: Secure Cross-Account Data Sharing

Problem: Two AWS accounts need to share data in an S3 bucket.

Solution: Use a bucket policy that grants access to the other account’s IAM role. The other account’s users assume the role to access the data. Alternatively, use S3 Access Points for more granular control.

Scenario 3: Static Website with Global Distribution

Problem: Host a static website with low latency worldwide.

Solution: Store website files in S3, configure static website hosting. Use CloudFront distribution with the S3 bucket as origin. Use Origin Access Control (OAC) to ensure users access content only through CloudFront.

Scenario 4: Compliance Data with Immutability

Problem: Financial records must be stored for 7 years and cannot be modified or deleted.

Solution: Use S3 Object Lock in Compliance mode with a 7-year retention period. Store in Glacier Deep Archive for cost optimization. Compliance mode prevents anyone, including the root account, from deleting objects before the retention period expires.

Scenario 5: High-Throughput Data Processing

Problem: Application reads thousands of objects per second from S3.

Solution: S3 automatically supports at least 3,500 PUT/COPY/POST/DELETE or 5,500 GET/HEAD requests per second per prefix. Distribute objects across multiple prefixes to scale beyond these limits. No pre-warming required.

Practice S3 Concepts with Realistic Questions

S3 is woven throughout the SAA-C03 exam, appearing in storage, security, cost optimization, and architecture design questions. The best way to solidify your knowledge is through scenario-based practice.

Sailor.sh’s SAA-C03 mock exams include detailed S3 scenarios that match the depth and complexity of the actual exam. Each question comes with comprehensive explanations covering why each answer choice is correct or incorrect, helping you understand S3 service interactions that frequently trip up candidates.

For additional preparation, review our exam tips and practice questions guide.

Frequently Asked Questions

How many S3 questions are on the SAA-C03 exam?

S3 appears directly or indirectly in approximately 15 to 25 percent of exam questions. Direct questions test S3 features like storage classes, encryption, and replication. Indirect questions use S3 as part of a larger architecture involving Lambda triggers, CloudFront distributions, or data analytics pipelines.

Do I need to memorize exact S3 pricing for the exam?

No. You need to understand the relative cost ordering (Standard is most expensive for storage, Glacier Deep Archive is cheapest) and that retrieval fees apply to IA and Glacier classes. The exam tests your ability to choose the right storage class based on access patterns, not calculate exact costs.

What is the most commonly tested S3 topic?

Storage class selection and lifecycle policies are the most frequently tested topics, as they directly relate to the cost optimization domain. Encryption (especially SSE-S3 vs SSE-KMS) and access control (bucket policies, Block Public Access) are also very common.

How does S3 Object Lock differ from versioning with MFA Delete?

Both protect against deletion, but they serve different purposes. MFA Delete requires multi-factor authentication to delete object versions, protecting against unauthorized deletion. S3 Object Lock prevents any deletion or overwrite for a defined retention period, even by the root account in Compliance mode. Object Lock is designed for regulatory compliance (WORM storage), while MFA Delete is a general security measure.

Can S3 replace EBS or EFS?

No. S3 is object storage accessed via HTTP APIs, suitable for files, backups, data lakes, and static content. EBS provides block storage for EC2 instances (like a hard drive). EFS provides shared file system storage accessible by multiple EC2 instances simultaneously. Each serves a different access pattern and use case.

What is the difference between S3 Transfer Acceleration and CloudFront?

Both use edge locations, but for different directions. Transfer Acceleration speeds up uploads to S3 from distant locations. CloudFront speeds up downloads (content delivery) to users worldwide. For upload-heavy applications, use Transfer Acceleration. For download-heavy content delivery, use CloudFront. They can be used together.
