Konfiguration von AWS's Amazon S3 für Speicher und Cloudfront für CDNs

Community-Wiki Systemadministratoren
,
1

The editing in draft mode is getting a bit wonky so I am publishing prematurely. Hopefully the wonkiness, love that word, will abate. For those up for reviewing and providing feedback, thanks in advance.

So you want to use AWS’s Amazon S3 for storage, Cloudfront for CDNs and ??? Hopefully this guide be helpful when configuring a need improvement here. Please let us know if something needs an adjustment, an improvement, or does not make sense.

Getting Started
Naming Strategy

AWS Configuration

Discourse Configuration

FAQ
Resources
To-Do

Getting Started

You will need:

  1. A self hosted Discourse instance with app.yml access
  2. AWS account
  3. ???

Naming Strategy

There are many places to make mistakes. Using a naming convention strategy that makes sense to you and perhaps others will help you with troubleshooting especially if you are configuring multiple Discourse instances.

  • IAM user: your-iam-user
  • Policy: s3-discourse-policy-your-iam-user
  • Backups bucket: yourdomain-subdomain-backups
  • Uploads bucket: yourdomain-subdomain-uploads
  • Distribution CDNs: cdn-yourdomain-subdomain and s3-yourdomain-subdomain-uploads

Optional: Configuration process bucket: a-origin-config-bucket

AWS Configuration

Use the default settings in the AWS configuration pages unless instructed to do otherwise.

S3 Names, names, names

  • Discourse instance domain: subdomain.yourdomain.tld (subdomain.yourdomain.tld including www.yourdomain.tld)
  • IAM user: yourdomain-subdomain (yourdomain-discourse, yourdomain-forum or Discourse in apex/root: yourdomain-tld-www )
  • Policy for IAM user: s3-discourse-policy-yourdomain-subdomain
  • Uploads bucket: yourdomain-subdomain-uploads Note: Don’t forget to set “Everyone (public access)” to “Read” in Bucket>Permissions: Access control list-(ACL) Access control list (ACL)-Grantee.
  • Backups bucket: yourdomain-subdomain-backups
  • Distribution CDNs: cdn-yourdomain-subdomain and s3-yourdomain-subdomain-uploads
  • Configuration process bucket: a-origin-config-bucket

You can see how this strategy works in a real world example:

IAM Users

  1. Go to IAM > Users > Select “Create user” https://us-east-1.console.aws.amazon.com/iam/home?region=us-east-1#/users/create
  2. IAM > Users > Create user > Specify user details > User details > User name > Enter name i.e. your-iam-user > Select “Next”
  3. IAM > Users > Create user > Set permissions > Permissions options > Select “Attach policies directly” > Select “Create policy” > Opens Create policy page (Alternatively the policy can be created first in Policies then selected when creating the user in “Permissions policies”.)
  4. IAM > Users > Create user > Set permissions > Permissions policies > Filter by Type dropdown selector > Select “Customer managed” > Select the newly created policy > Select “Next” > Select “Create user”
  5. IAM > Users > your-iam-user > Security credentials > Access keys > Select “Create access key”
  6. IAM > Users > your-iam-user > Create access key > Access key best practices & alternatives > Select “Other” > Select “Next”
  7. IAM > Users > your-iam-user > Create access key > Set description tag > Select “Create access key”
  8. IAM > Users > your-iam-user > Create access key > Retrieve access keys > Safely save Access key and Secret access key for use in Discourse app.yml > Select “Done”

Policies

  1. Modify s3-discourse-policy-your-iam-user.txt with your IAM user name and bucket names.
  2. Go to IAM > Policies > Create policy
  3. IAM > Policies > Create policy > Specify permissions > Policy editor > Select “JSON” in Policy editor > Copy policy from s3-discourse-policy-your-iam-user.txt and paste into JSON editor copying over existing JSON > Select “Next”
  4. IAM > Policies > Create policy > Review and create > Policy details > Policy name > Enter Policy name i.e. s3-discourse-policy-your-iam-user > Select “Next”
  5. Go to IAM Users : 4. IAM > Users > Create user to continue the create user process

Amazon S3 Buckets

Create and configure the backups bucket, uploads bucket, and the optional but useful configuration process bucket.

Create the backups bucket yourdomain-subdomain-backups

  1. Go to Amazon S3 Buckets > Select “Create bucket
  2. Amazon S3 > Buckets > Create bucket > General configuration > Confirm “General Purpose” selection
  3. Amazon S3 > Buckets > Create bucket > General configuration > Bucket name > Enter backups bucket name i.e. yourdomain-subdomain-backups
  4. Amazon S3 > Buckets > Create bucket > General configuration > Confirm “ACLs disabled (recommended)” selection
  5. Amazon S3 > Buckets > Create bucket > Block Public Access settings for this bucket > Deselect “Block all public access” then Select “Block public access to buckets and objects granted through new public bucket or access point policies” and “Block public and cross-account access to buckets and objects through any public bucket or access point policies”
  6. Amazon S3 > Buckets > Create bucket > Block Public Access settings for this bucket > Turning off block all public access might result in this bucket and the objects within becoming public > Select “I acknowledge that the current settings might result in this bucket and the objects within becoming public.”
  7. Amazon S3 > Buckets > Create bucket > Bucket Versioning > Bucket Versioning > Select “Enable” Info: Bucket Versioning is required for “Lifecycle rules”
  8. Amazon S3 > Buckets > Create bucket > Select “Create bucket”

Lifecycle rules configuration

Backup Retention Rule

  1. Amazon S3 > Buckets > Select newly created bucket i.e. yourdomain-subdomain-backups
  2. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Select “Create lifecycle rule”
  3. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Lifecycle rule name > Enter rule name i.e. backup retention
  4. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Choose a rule scope > Select “Apply to all objects in the bucket”
  5. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Choose a rule scope > Apply to all objects in the bucket > Select “I acknowledge that this rule will apply to all objects in the bucket.”
  6. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Lifecycle rule actions > Select “Transition noncurrent versions of objects between storage classes”, “Expire current versions of objects”, and “Permanently delete noncurrent versions of objects”
  7. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Lifecycle rule actions > Transitions are charged per request > Select “I acknowledge that this lifecycle rule will incur a transition cost per request.”
  8. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Transition noncurrent versions of objects between storage classes > Choose storage class transitions > Select “Glacier Instant Retrieval”
  9. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Transition noncurrent versions of objects between storage classes > Days after objects become noncurrent > Enter “1”
  10. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Expire current versions of objects > Days after object creation > Enter “7” or 15 or 30 or ??? See FAQ or discussion
  11. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Permanently delete noncurrent versions of objects > Days after objects become noncurrent > Enter “91”
  12. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Confirm “Review transition and expiration actions” is correct > Select “Create rule”

Cleanup Rule

  1. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Select “Create lifecycle rule”
  2. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Lifecycle rule name > Enter rule name cleanup
  3. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Choose a rule scope > Select “Apply to all objects in the bucket”
  4. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Choose a rule scope > Apply to all objects in the bucket > Select “I acknowledge that this rule will apply to all objects in the bucket.”
  5. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Lifecycle rule actions > Select “Permanently delete noncurrent versions of objects” and “Delete expired object delete markers or incomplete multipart uploads”
  6. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Permanently delete noncurrent versions of objects > Days after objects become noncurrent > Enter “92”
  7. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Permanently delete noncurrent versions of objects > Delete expired object delete markers or incomplete multipart uploads > Expired object delete markers > Select “Delete expired object delete markers”
  8. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Permanently delete noncurrent versions of objects > Delete expired object delete markers or incomplete multipart uploads > Incomplete multipart uploads > Select “Delete incomplete multipart uploads”
  9. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Permanently delete noncurrent versions of objects > Delete expired object delete markers or incomplete multipart uploads > Incomplete multipart uploads > Delete incomplete multipart uploads > Number of days > Enter “3” or ???
  10. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Confirm “Review transition and expiration actions” is correct > Select “Create rule”

Create the uploads bucket yourdomain-subdomain-uploads

  1. Go to Amazon S3 > Buckets > Select “Create bucket
  2. Amazon S3 > Buckets > Create bucket > General configuration > Confirm “General Purpose” selection
  3. Amazon S3 > Buckets > Create bucket > General configuration > Bucket name > Enter uploads bucket name i.e. yourdomain-subdomain-uploads
  4. Amazon S3 > Buckets > Create bucket > General configuration Select “ACLs enabled”
  5. Amazon S3 > Buckets > Create bucket > Block Public Access settings for this bucket > Deselect “Block all public access” then Select “Block public access to buckets and objects granted through new public bucket or access point policies” and “Block public and cross-account access to buckets and objects through any public bucket or access point policies”
  6. Amazon S3 > Buckets > Create bucket > Block Public Access settings for this bucket > Turning off block all public access might result in this bucket and the objects within becoming public > Select “I acknowledge that the current settings might result in this bucket and the objects within becoming public.”
  7. Amazon S3 > Buckets > Create bucket > Select “Create bucket”
  8. Amazon S3 > Buckets > Buckets screen > Select newly created bucket i.e. yourdomain-subdomain-uploads
    Return to do step 9 after creating Distribution #2
  9. Amazon S3 > Buckets > yourdomain-subdomain-uploads > Permissions > Bucket policy > Select Edit > Paste JSON from Create distribution #2 11. CloudFront > Distributions > Distribution ID > Edit origin > Origin access control > Select “Save changes”
  10. Amazon S3 > Buckets > yourdomain-subdomain-uploads > Permissions > Access control list (ACL) > Select Edit > Everyone (public access) > Select “Read” > When you grant access to the Everyone or Authenticated users group grantees, anyone in the world can access the objects in this bucket. Select “I understand the effects of these changes on my objects and buckets.” > Select “Save changes”

Create a configuration process bucket a-origin-config-bucket

Create a bucket to be used during Distribution #1 configuration process. Name and configuration are unimportant since the bucket is only used temporarily as an initial origin which will be deleted during the configuration process.

  1. Go to Amazon S3 > Buckets > Select “Create bucket
  2. Amazon S3 > Buckets > Create bucket > General configuration > Confirm “General Purpose” selection
  3. Amazon S3 > Buckets > Create bucket > General configuration > Bucket name > Enter uploads bucket name i.e. a-origin-config-bucket
  4. Toggle through the configuration pages and “Create bucket”

CloudFront Distributions

Create two AWS S3 Cloudfront distributions. One to serve website assets and the second to serve uploads bucket assets.

Create distribution #1

  Distribution #1
    DISCOURSE_CDN_URL
      Distribution name: cdn-yourdomain-subdomain
      Origin: subdomain.yourdomain.tld
      Distribution domain name (Cloudfront URL): AWS-assigned.cloudfront.net
      Alternate domain names: discourse-cdn.yourdomain.tld
  1. Go to CloudFront > Distributions > Select “Create
  2. CloudFront > Distributions > Create distribution > Choose a plan > Select “Pay as you go” > Select “Next”
  3. CloudFront > Distributions > Create distribution > Get started > Distribution options > Distribution name > Enter distribution name i.e. cdn-yourdomain-subdomain
  4. CloudFront > Distributions > Create distribution > Get started > Distribution options > Description - optional > Enter “cdn-yourdomain-subdomain” (Optional but helps with visibilty)
  5. CloudFront > Distributions > Create distribution > Get started > Distribution options > Distribution type > Confirm “Single website or app” selection > Select “Next”
  6. CloudFront > Distributions > Create distribution > Specify origin > Origin type > Confirm “Amazon S3” selection
  7. CloudFront > Distributions > Create distribution > Specify origin > Origin > S3 origin > Select “Browse S3” > Select the configuration process bucket “a-origin-config-bucket” > Select “Choose” > Select “Next”
  8. CloudFront > Distributions > Create distribution > Enable security > make your choices - for this guide > Select “Do not enable security protections” > Select “Next”
  9. CloudFront > Distributions > Create distribution > Review and create > Confirm "Review and create: is correct > Select “Create distribution” → Newly created distribution information page should open in CloudFront > Distributions > Distribution ID
  10. CloudFront > Distributions > Distribution ID > Origins > Select “Create origin” Info: The distribution requires the Discourse instance domain as the origin!
  11. CloudFront > Distributions > Distribution ID > Create origin > Settings > Origin domain > Enter discourse instance domain i.e. subdomain.yourdomain.tld > Select “Create origin”
  12. CloudFront > Distributions > Distribution ID > Behaviors > Select the lone behavior “Default (*)” > Select “Edit”
  13. CloudFront > Distributions > Distribution ID > Behaviors > Edit behavior > Settings > Origin and origin groups > Select the Custom origin “subdomain.yourdomain.tld” > Select “Save changes”
  14. CloudFront > Distributions > Distribution ID > Origins > Select the original origin “a-origin-config-bucket.s3.us-east-1.amazonaws.com” > Select “Delete” Info: The deployment must be complete, see CloudFront > Distributions > Distribution ID > Details > Last modified
    If using a branded CDN URL → Step 15
  15. CloudFront > Distributions > Distribution ID > Alternate domain names > Select “Add domain”
  16. CloudFront > Distributions > Distribution ID > Alternate domain names > Add domain > Configure domains > Domains > Domains to serve > Enter the DISCOURSE_CDN_URL i.e. discourse-cdn.yourdomain.tld > Select “Next”

Incomplete: Alternate domain names: discourse-cdn.yourdomain.tld

Create distribution #2

  Distribution #2
    DISCOURSE_S3_CDN_URL
      Distribution name: s3-yourdomain-subdomain-uploads
      Origin: yourdomain-subdomain-uploads
      Distribution domain name (Cloudfront URL: AWS-assigned.cloudfront.net
      Alternate domain names: s3-cdn.yourdomain.tld
  1. CloudFront > Distributions > Create distribution
  2. CloudFront > Distributions > Create distribution > Choose a plan > Select “Pay as you go” > Select “Next”
  3. CloudFront > Distributions > Create distribution > Get started > Distribution options > Distribution name > Enter distribution name i.e. s3-yourdomain-subdomain-uploads
  4. CloudFront > Distributions > Create distribution > Get started > Distribution options > Description - optional > Enter “s3-yourdomain-subdomain-uploads” (Optional but helps with visibilty)
  5. CloudFront > Distributions > Create distribution > Get started > Distribution options > Distribution type > Confirm “Single website or app” selection > Select “Next”
  6. CloudFront > Distributions > Create distribution > Specify origin > Origin type > Confirm “Amazon S3” selection
  7. CloudFront > Distributions > Create distribution > Specify origin > Origin > S3 origin > Select “Browse S3” > Select the uploads bucket “yourdomain-subdomain-uploads” > Select “Choose” > Select “Next”
  8. CloudFront > Distributions > Create distribution > Enable security > make your choices - for this guide > Select “Do not enable security protections” > Select “Next”
  9. CloudFront > Distributions > Create distribution > Review and create > Confirm "Review and create: is correct > Select “Create distribution” → Newly created distribution information page should open in CloudFront > Distributions > Distribution ID
  10. CloudFront > Distributions > Distribution ID > Origins > Select the origin > Select “Edit”
  11. CloudFront > Distributions > Distribution ID > Edit origin > Origin access control > ! You must allow access to CloudFront using this policy… > Select “Copy policy” > Go to Create the uploads bucket 9. Amazon S3 > Buckets > yourdomain-subdomain-uploads > Permissions > Bucket policy

Incomplete: Alternate domain names: s3-cdn.yourdomain.tld

Discourse Configuration

Current as of Discourse version: 2025.12.0-latest

Make these changes in Discourse Admin UI

Backups Settings /admin/backups/settings

  1. Maximum backups > Enter the number of backups to keep locally
  2. Backup with uploads > Select “Include uploads in scheduled backups. Disabling this will only backup the database.”

S3 Settings /admin/site_settings/category/all_results?filter=S3

  1. S3 use CDN URL for all uploads > Select “Use CDN URL for all the files uploaded to s3 instead of only for images.” (Discourse ships deselected)

Edit Config (app.yml) Unbranded URLs

Edit the app.yml making the changes below for branded URLs or unbranded Cloudfront URLs.

Discourse Unbranded URLs

Use this for unbranded Cloudfront distributions. Your DISCOURSE_S3_REGION might be different.
DISCOURSE_CDN_URL: https://amazonassigned.cloudfront.net

S3 storage config (unbranded)

## S3 storage config
DISCOURSE_USE_S3: true
DISCOURSE_S3_REGION:  us-east-1
DISCOURSE_S3_ACCESS_KEY_ID: key obfuscated
DISCOURSE_S3_SECRET_ACCESS_KEY: key obfuscated
DISCOURSE_S3_CDN_URL: https://amazonassigned.cloudfront.net
DISCOURSE_S3_BUCKET: your-bucket-name-uploads
DISCOURSE_S3_BACKUP_BUCKET: your-bucket-name-backups
DISCOURSE_BACKUP_LOCATION: s3

Discourse Branded URLs

DNS Configuration

If you prefer to use yourdomain.com based URLs for the CDNs you need to make some DNS changes and adjust your CDN URLs.

Tip: Don’t forget to add discourse-cdn.yourdomain.com and s3-cdn.yourdomain.com as a domain name in “Alternate domain names” for their respective Cloudfront distributions.

DNS config if you want to use domain branded Cloudfront distributions.

DISCOURSE_CDN_URL

Existing record:	A   discourseinstance.yourdomain.com   instance ip  Note: This is the existing Discourse install ip.
New record:		A   discourse-cdn-cloudfront.yourdomain.com   instance ip
New record: 		CNAME discourse-cdn.yourdomain.com  ->   amazonassigned.cloudfront.net

DISCOURSE_S3_CDN_URL

New record:		CNAME s3-cdn-cloudfront.yourdomain.com  ->   amazonassigned.cloudfront.net
New record: 	CNAME  s3-cdn.yourdomain.com  ->   s3-cdn-cloudfront.yourdomain.com

Edit Config (app.yml) Branded URLs

Once the DNS changes are complete you can edit your app.yml making the changes below.

Change DISCOURSE_CDN_URL and/or DISCOURSE_S3_CDN_URL if you are using domain CNAMES for the Cloudfront distribution (amazonassigned.cloudfront.net).

DISCOURSE_CDN_URL: https://discourse-cdn.yourdomain.com

S3 storage config (branded)

## S3 storage config
DISCOURSE_USE_S3: true
DISCOURSE_S3_REGION:  us-east-1
DISCOURSE_S3_ACCESS_KEY_ID: key obfuscated
DISCOURSE_S3_SECRET_ACCESS_KEY: key obfuscated
DISCOURSE_S3_CDN_URL: https://s3-cdn.yourdomain.com
DISCOURSE_S3_BUCKET: your-bucket-name-uploads
DISCOURSE_S3_BACKUP_BUCKET: your-bucket-name-backups
DISCOURSE_BACKUP_LOCATION: s3

Additional Config Edits (app.yml)

Regardless of which approach you use, branded or Cloudfront URLs, you will need the after_assets_precompile section below to ensure things stay updated during subsequent rebuilds.

  hooks:
    after_code:
      - exec:
          cd: $home/plugins
          cmd:
            - git clone https://github.com/discourse/docker_manager.git
            -you may have more plugins
    after_assets_precompile:
      - exec:
          cd: $home
          cmd:
            - sudo -E -u discourse bundle exec rake s3:upload_assets
            - sudo -E -u discourse bundle exec rake s3:expire_missing_assets

Rebuild your instance with ./launcher rebuild app

After ./launcher rebuild app completes successfully do these rakes.

./launcher enter app

rake posts:rebake
rake uploads:migrate_to_s3
rake posts:rebake_uncooked_posts

rake s3:upload_assets
rake s3:expire_missing_assets

If the rakes complete without errors then you are good to go.

On some sites the initial rebuild will fail with an error relating to s3:upload_assets. If this happens,

check “read” setting on uploads bucket. If correctly set then,

comment out or remove the after_assets_precompile section:

  after_assets_precompile:
      - exec:
          cd: $home
          cmd:
            - sudo -E -u discourse bundle exec rake s3:upload_assets
            - sudo -E -u discourse bundle exec rake s3:expire_missing_assets

and run ./launcher rebuild app again. Then run “rake s3:upload_assets” and “rake s3:expire_missing_assets”.

If both of the rakes complete without errors then re-add or uncomment the after_assets_precompile section, rebuild again and do the all the rakes listed above.

If either of the rakes give an error or the rebuild fails again you have something wrong in your app.yml and/or AWS S3 configs and/or DNS records. Happy hunting! :slight_smile:

FAQ

Getting Started FAQ

AWS FAQ

IAM User FAQ

S3 Buckets FAQ

  1. Why can’t I see the non-current backups in the backups bucket /Default folder?
  2. It has been many days since backups started disappearing from Backups /Default folder, where did they go?

S3 Distributions FAQ

Discourse Configuration FAQ

  1. Do I have to use app.yml if I only want to use S3 for backups?
  2. Why is using app.yml for using S3 the recommended approach?

Resources

To-Do

  1. Initial feedback based post publish edits
  2. Confirm approach in Cleanup rule
  3. Is there a more efficient way to replace a-origin-config-bucket with subdomain.yourdomain.tld in Create distribution #1 ??? Can selecting “Other” instead of “Amazon S3” as the Origin type in CloudFront > Distributions > Create distribution > Specify origin > Origin type work? Currently testing this approach again but still “no joy”.
  4. Better title
  5. Distribution #1 Need instructions Alternate domain names: discourse-cdn.yourdomain.tld
  6. Distribution #2 Need instructions Alternate domain names: s3-cdn.yourdomain.tld
  7. Create/find list of Discourse hosts
  8. Add screenshots
  9. Wrap initial round of edits
  10. Build FAQ
  11. Publish Discourse version here and in resource docs
  12. Update AWS_S3_Config.txt, s3-discourse-policy-your-iam-user.txt, AWS_S3_Config_Process.txt, Guide_AWS_S3_Config-sandbox.websystems360.txt, s3-discourse-policy-websystems360-sandbox.txt
Issues with AWS CDN and S3
2

OP-Antwort für Gedanken, Kommentare, Bearbeitungsinformationen, Prozess und???

Antwort des AWS Supports bezüglich: Bestätigung des Ansatzes in der Bereinigungsregel

Ich habe Ihre vorgeschlagene Konfiguration der Lebenszyklusregel überprüft und freue mich, Ihnen bestätigen zu können, dass Ihr Setup gut durchdacht ist und die AWS-Best Practices für die Verwaltung von Backup-Buckets befolgt.

========== Bewertung der Lebenszyklusregel ==========

Ihre Konfiguration ist ausgezeichnet und deckt die Schlüsselbereiche für die Backup-Bereinigung ab:

  • Bereinigung nicht aktueller Versionen (92 Tage): Dies ist eine sinnvolle Aufbewahrungsfrist, die Speicherkosten und Wiederherstellungsanforderungen in Einklang bringt. Die 92-tägige Aufbewahrung bietet ausreichend Zeit für die Backup-Validierung und verhindert gleichzeitig eine unbegrenzte Speicherkumulation.

  • Entfernung abgelaufener Löschmarkierungen: Korrekt konfiguriert, um verwaiste Löschmarkierungen automatisch zu bereinigen, was zur Optimierung der Speicherkosten und der Bucket-Leistung beiträgt.

  • Bereinigung unvollständiger Multipart-Uploads (3 Tage): Die Einstellung von 3 Tagen ist optimal – kurz genug, um Speicherverschwendung durch fehlgeschlagene Uploads zu verhindern, aber lang genug, um legitime große Backup-Vorgänge zu ermöglichen.

  • Anwendung des Geltungsbereichs: Die Anwendung auf „alle Objekte im Bucket“ ist für dedizierte Backup-Buckets angemessen, bei denen sich der gesamte Inhalt demselben Lebenszyklusmuster folgt.

Antwort des AWS Supports bezüglich: Lebenszykluskonfiguration von Backup-Buckets

Überprüfung der S3-Lebenszykluskonfiguration für Backup-Buckets

Ich habe Ihr vollständiges Setup der Lebenszykluskonfiguration analysiert und kann bestätigen, dass Ihre „Backup-Aufbewahrungs“-Regel gut strukturiert ist und den AWS-Best Practices für das Backup-Management folgt.

Wichtige Ergebnisse meiner Untersuchung:

  • Ihr Bucket verfügt über zwei sich ergänzende Lebenszyklusregeln, die effektiv zusammenarbeiten
  • Die Regel „Backup-Aufbewahrung“ verwaltet aktuelle und nicht aktuelle Versionen ordnungsgemäß mit entsprechenden Zeitplänen
  • Die Konfiguration beinhaltet kosteneffiziente Speicherübergänge für nicht aktuelle Versionen
  • Alle Regelkomponenten sind mit den entsprechenden Zeitparametern korrekt konfiguriert
  • Der Bucket ist in us-east-1 mit den entsprechenden Berechtigungen korrekt eingerichtet

Konfigurationsbewertung:

Ihre Regel „Backup-Aufbewahrung“ verwaltet Ihre Backup-Objekte effektiv während ihres gesamten Lebenszyklus:

  • Übergang nicht aktueller Versionen nach 1 Tag zu Glacier Instant Retrieval (Kostenoptimierung)
  • Ablauf aktueller Versionen nach 7 Tagen (angemessen für reguläre Backups)
  • Permanente Löschung nicht aktueller Versionen nach 91 Tagen (guter Aufbewahrungszeitraum)

Diese Regel ergänzt Ihre „Bereinigungs“-Regel, die Folgendes handhabt:

  • Entfernung abgelaufener Löschmarkierungen (verhindert verwaiste Markierungen)
  • Bereinigung unvollständiger Multipart-Uploads nach 3 Tagen (verhindert Speicherverschwendung)
  • Löschung nicht aktueller Versionen nach 92 Tagen (stellt eine vollständige Bereinigung sicher)

Beide Regeln gelten für alle Objekte im Bucket, was für dedizierte Speicher-Backups angemessen ist, bei denen sich der gesamte Inhalt demselben Lebenszyklusmuster folgt.

Der Ablauf aktueller Versionen nach 7 Tagen scheint für reguläre Backup-Szenarien angemessen zu sein, Sie können dies jedoch an Ihre spezifischen Aufbewahrungsanforderungen anpassen (15 oder 30 Tage, falls eine längere Aufbewahrung erforderlich ist).

Ihre Implementierung ist vollständig und folgt den AWS-Best Practices für das S3-Lebenszyklusmanagement.