Configuring AWS Amazon S3 for storage and Cloudfront for CDNs


The editing in draft mode is getting a bit wonky so I am publishing prematurely. Hopefully the wonkiness, love that word, will abate. For those up for reviewing and providing feedback, thanks in advance.

So you want to use AWS’s Amazon S3 for storage, Cloudfront for CDNs and ??? Hopefully this guide will be helpful when configuring them (this intro still needs improvement). Please let us know if something needs an adjustment, an improvement, or does not make sense.

Getting Started
Naming Strategy

AWS Configuration

Discourse Configuration

FAQ
Resources
To-Do

Getting Started

You will need:

  1. A self-hosted Discourse instance with app.yml access
  2. AWS account
  3. ???

Naming Strategy

There are many places to make mistakes. Using a naming convention strategy that makes sense to you and perhaps others will help you with troubleshooting, especially if you are configuring multiple Discourse instances.

  • IAM user: your-iam-user
  • Policy: s3-discourse-policy-your-iam-user
  • Backups bucket: yourdomain-subdomain-backups
  • Uploads bucket: yourdomain-subdomain-uploads
  • Distribution CDNs: cdn-yourdomain-subdomain and s3-yourdomain-subdomain-uploads

Optional: Configuration process bucket: a-origin-config-bucket

AWS Configuration

Use the default settings in the AWS configuration pages unless instructed to do otherwise.

S3 Names, names, names

  • Discourse instance domain: subdomain.yourdomain.tld (subdomain.yourdomain.tld, including www.yourdomain.tld)
  • IAM user: yourdomain-subdomain (yourdomain-discourse, yourdomain-forum or, for Discourse in the apex/root domain, yourdomain-tld-www)
  • Policy for IAM user: s3-discourse-policy-yourdomain-subdomain
  • Uploads bucket: yourdomain-subdomain-uploads Note: Don’t forget to set “Everyone (public access)” to “Read” in Bucket > Permissions > Access control list (ACL) > Grantee.
  • Backups bucket: yourdomain-subdomain-backups
  • Distribution CDNs: cdn-yourdomain-subdomain and s3-yourdomain-subdomain-uploads
  • Configuration process bucket: a-origin-config-bucket

You can see how this strategy works in a real-world example:

IAM Users

  1. Go to IAM > Users > Select “Create user” https://us-east-1.console.aws.amazon.com/iam/home?region=us-east-1#/users/create
  2. IAM > Users > Create user > Specify user details > User details > User name > Enter name e.g. your-iam-user > Select “Next”
  3. IAM > Users > Create user > Set permissions > Permissions options > Select “Attach policies directly” > Select “Create policy” > Opens Create policy page (Alternatively the policy can be created first in Policies then selected when creating the user in “Permissions policies”.)
  4. IAM > Users > Create user > Set permissions > Permissions policies > Filter by Type dropdown selector > Select “Customer managed” > Select the newly created policy > Select “Next” > Select “Create user”
  5. IAM > Users > your-iam-user > Security credentials > Access keys > Select “Create access key”
  6. IAM > Users > your-iam-user > Create access key > Access key best practices & alternatives > Select “Other” > Select “Next”
  7. IAM > Users > your-iam-user > Create access key > Set description tag > Select “Create access key”
  8. IAM > Users > your-iam-user > Create access key > Retrieve access keys > Safely save Access key and Secret access key for use in Discourse app.yml > Select “Done”

Policies

  1. Modify s3-discourse-policy-your-iam-user.txt with your IAM user name and bucket names.
  2. Go to IAM > Policies > Create policy
  3. IAM > Policies > Create policy > Specify permissions > Policy editor > Select “JSON” in Policy editor > Copy policy from s3-discourse-policy-your-iam-user.txt and paste into JSON editor copying over existing JSON > Select “Next”
  4. IAM > Policies > Create policy > Review and create > Policy details > Policy name > Enter Policy name e.g. s3-discourse-policy-your-iam-user > Select “Next”
  5. Return to IAM Users step 4 (IAM > Users > Create user > Set permissions) to continue the create user process

Amazon S3 Buckets

Create and configure the backups bucket, uploads bucket, and the optional but useful configuration process bucket.

Create the backups bucket yourdomain-subdomain-backups

  1. Go to Amazon S3 > Buckets > Select “Create bucket”
  2. Amazon S3 > Buckets > Create bucket > General configuration > Confirm “General Purpose” selection
  3. Amazon S3 > Buckets > Create bucket > General configuration > Bucket name > Enter backups bucket name e.g. yourdomain-subdomain-backups
  4. Amazon S3 > Buckets > Create bucket > General configuration > Confirm “ACLs disabled (recommended)” selection
  5. Amazon S3 > Buckets > Create bucket > Block Public Access settings for this bucket > Deselect “Block all public access” then Select “Block public access to buckets and objects granted through new public bucket or access point policies” and “Block public and cross-account access to buckets and objects through any public bucket or access point policies”
  6. Amazon S3 > Buckets > Create bucket > Block Public Access settings for this bucket > Turning off block all public access might result in this bucket and the objects within becoming public > Select “I acknowledge that the current settings might result in this bucket and the objects within becoming public.”
  7. Amazon S3 > Buckets > Create bucket > Bucket Versioning > Bucket Versioning > Select “Enable” Info: Bucket Versioning is required for “Lifecycle rules”
  8. Amazon S3 > Buckets > Create bucket > Select “Create bucket”

Lifecycle rules configuration

Backup Retention Rule

  1. Amazon S3 > Buckets > Select newly created bucket e.g. yourdomain-subdomain-backups
  2. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Select “Create lifecycle rule”
  3. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Lifecycle rule name > Enter rule name e.g. backup retention
  4. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Choose a rule scope > Select “Apply to all objects in the bucket”
  5. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Choose a rule scope > Apply to all objects in the bucket > Select “I acknowledge that this rule will apply to all objects in the bucket.”
  6. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Lifecycle rule actions > Select “Transition noncurrent versions of objects between storage classes”, “Expire current versions of objects”, and “Permanently delete noncurrent versions of objects”
  7. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Lifecycle rule actions > Transitions are charged per request > Select “I acknowledge that this lifecycle rule will incur a transition cost per request.”
  8. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Transition noncurrent versions of objects between storage classes > Choose storage class transitions > Select “Glacier Instant Retrieval”
  9. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Transition noncurrent versions of objects between storage classes > Days after objects become noncurrent > Enter “1”
  10. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Expire current versions of objects > Days after object creation > Enter “7” or 15 or 30 or ??? See FAQ or discussion
  11. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Permanently delete noncurrent versions of objects > Days after objects become noncurrent > Enter “91”
  12. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Confirm “Review transition and expiration actions” is correct > Select “Create rule”

Cleanup Rule

  1. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Select “Create lifecycle rule”
  2. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Lifecycle rule name > Enter rule name cleanup
  3. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Choose a rule scope > Select “Apply to all objects in the bucket”
  4. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Choose a rule scope > Apply to all objects in the bucket > Select “I acknowledge that this rule will apply to all objects in the bucket.”
  5. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Lifecycle rule actions > Select “Permanently delete noncurrent versions of objects” and “Delete expired object delete markers or incomplete multipart uploads”
  6. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Permanently delete noncurrent versions of objects > Days after objects become noncurrent > Enter “92”
  7. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Permanently delete noncurrent versions of objects > Delete expired object delete markers or incomplete multipart uploads > Expired object delete markers > Select “Delete expired object delete markers”
  8. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Permanently delete noncurrent versions of objects > Delete expired object delete markers or incomplete multipart uploads > Incomplete multipart uploads > Select “Delete incomplete multipart uploads”
  9. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Permanently delete noncurrent versions of objects > Delete expired object delete markers or incomplete multipart uploads > Incomplete multipart uploads > Delete incomplete multipart uploads > Number of days > Enter “3” or ???
  10. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Confirm “Review transition and expiration actions” is correct > Select “Create rule”
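To make the two rules above concrete, here is an added example (written for this guide, not the guide author’s or AWS’s code) that builds the “backup retention” and “cleanup” rules in the JSON shape S3’s PutBucketLifecycleConfiguration accepts and then walks one backup object through them. The bucket name is the guide’s placeholder and the day counts are the ones entered in the console steps; the timeline function is what answers the S3 Buckets FAQ questions about backups disappearing from the bucket’s default listing.

```python
"""Lifecycle rules for the Discourse backups bucket, as chosen in the console steps.

Example code added for this guide, not the guide author's own.  Builds the two
rules in the JSON shape s3:PutBucketLifecycleConfiguration accepts and walks one
backup object through them so the retention maths is visible.
"""
import json

BACKUPS_BUCKET = "yourdomain-subdomain-backups"  # placeholder from the guide's naming strategy

# Day counts exactly as entered in the console steps above.
EXPIRE_CURRENT_DAYS = 7         # "Expire current versions of objects"
TRANSITION_NONCURRENT_DAYS = 1  # "Transition noncurrent versions" -> Glacier Instant Retrieval
DELETE_NONCURRENT_DAYS = 91     # "Permanently delete noncurrent versions" (retention rule)
CLEANUP_NONCURRENT_DAYS = 92    # same action as configured in the cleanup rule
ABORT_MULTIPART_DAYS = 3        # "Delete incomplete multipart uploads"


def backup_retention_rule():
    """Rule 1: expire current backups, park old versions in Glacier IR, purge them later."""
    return {
        "ID": "backup retention",
        "Status": "Enabled",
        "Filter": {"Prefix": ""},  # "Apply to all objects in the bucket"
        "Expiration": {"Days": EXPIRE_CURRENT_DAYS},
        "NoncurrentVersionTransitions": [
            {"NoncurrentDays": TRANSITION_NONCURRENT_DAYS, "StorageClass": "GLACIER_IR"}
        ],
        "NoncurrentVersionExpiration": {"NoncurrentDays": DELETE_NONCURRENT_DAYS},
    }


def cleanup_rule():
    """Rule 2: drop orphaned delete markers and abandoned multipart uploads."""
    return {
        "ID": "cleanup",
        "Status": "Enabled",
        "Filter": {"Prefix": ""},
        "Expiration": {"ExpiredObjectDeleteMarker": True},
        "NoncurrentVersionExpiration": {"NoncurrentDays": CLEANUP_NONCURRENT_DAYS},
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": ABORT_MULTIPART_DAYS},
    }


def lifecycle_configuration():
    """Full document, ready for boto3 put_bucket_lifecycle_configuration(Bucket=..., LifecycleConfiguration=...)."""
    return {"Rules": [backup_retention_rule(), cleanup_rule()]}


def backup_timeline(upload_day=0):
    """Return the day on which each lifecycle event hits one backup in a versioned bucket.

    Expiring a *current* version in a versioned bucket does not delete bytes: S3 adds a
    delete marker and the old version becomes noncurrent.  The noncurrent clocks start
    from that moment, not from the upload.  So a backup vanishes from the console's
    default listing on day 7 but stays restorable (console: "Show versions") until the
    earlier of the two noncurrent-expiration rules removes it.  Once no versions remain
    the cleanup rule removes the now-expired delete marker on a later evaluation.
    """
    became_noncurrent = upload_day + EXPIRE_CURRENT_DAYS
    return {
        "uploaded": upload_day,
        "hidden_behind_delete_marker": became_noncurrent,
        "moved_to_glacier_ir": became_noncurrent + TRANSITION_NONCURRENT_DAYS,
        "permanently_deleted": became_noncurrent
        + min(DELETE_NONCURRENT_DAYS, CLEANUP_NONCURRENT_DAYS),
    }


if __name__ == "__main__":
    print(json.dumps(lifecycle_configuration(), indent=2))
    for event, day in backup_timeline().items():
        print(f"day {day:3d}: {event}")
```

Running it prints the configuration document followed by the timeline: with the values above a backup uploaded on day 0 is hidden on day 7, sits in Glacier Instant Retrieval from day 8, and is gone for good on day 98. Change the three constants to the 15 or 30 day variants discussed in the FAQ and the timeline updates with them.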

Create the uploads bucket yourdomain-subdomain-uploads

  1. Go to Amazon S3 > Buckets > Select “Create bucket”
  2. Amazon S3 > Buckets > Create bucket > General configuration > Confirm “General Purpose” selection
  3. Amazon S3 > Buckets > Create bucket > General configuration > Bucket name > Enter uploads bucket name e.g. yourdomain-subdomain-uploads
  4. Amazon S3 > Buckets > Create bucket > General configuration > Select “ACLs enabled”
  5. Amazon S3 > Buckets > Create bucket > Block Public Access settings for this bucket > Deselect “Block all public access” then Select “Block public access to buckets and objects granted through new public bucket or access point policies” and “Block public and cross-account access to buckets and objects through any public bucket or access point policies”
  6. Amazon S3 > Buckets > Create bucket > Block Public Access settings for this bucket > Turning off block all public access might result in this bucket and the objects within becoming public > Select “I acknowledge that the current settings might result in this bucket and the objects within becoming public.”
  7. Amazon S3 > Buckets > Create bucket > Select “Create bucket”
  8. Amazon S3 > Buckets > Buckets screen > Select newly created bucket e.g. yourdomain-subdomain-uploads
    Return to step 9 after creating Distribution #2
  9. Amazon S3 > Buckets > yourdomain-subdomain-uploads > Permissions > Bucket policy > Select Edit > Paste the JSON copied in Create distribution #2 step 11 (CloudFront > Distributions > Distribution ID > Edit origin > Origin access control) > Select “Save changes”
  10. Amazon S3 > Buckets > yourdomain-subdomain-uploads > Permissions > Access control list (ACL) > Select Edit > Everyone (public access) > Select “Read” > When you grant access to the Everyone or Authenticated users group grantees, anyone in the world can access the objects in this bucket. Select “I understand the effects of these changes on my objects and buckets.” > Select “Save changes”
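Two policy documents appear in this guide without being shown: the IAM user policy from the Policies section (the s3-discourse-policy-your-iam-user.txt file, which is not reproduced here) and the bucket policy that CloudFront’s “Copy policy” button hands you in step 9 above. The following added example (written for this guide, not Discourse’s or AWS’s code) builds an assumed version of each and runs a small least-privilege check over them. Both documents are assumptions: the IAM policy lists the S3 actions Discourse needs for uploads and backups, scoped to the two buckets; the bucket policy has the shape CloudFront produces for an origin access control, scoped to one distribution. The account id and distribution id are placeholders.

```python
"""Policy documents for the Discourse S3 setup, plus a least-privilege check.

Example code added for this guide, not the guide's s3-discourse-policy-your-iam-user.txt
and not Discourse's or AWS's code.  Both documents below are assumptions.
"""
import json

ACCOUNT_ID = "123456789012"          # placeholder
DISTRIBUTION_ID = "EDFDVBD6EXAMPLE"  # placeholder
UPLOADS_BUCKET = "yourdomain-subdomain-uploads"
BACKUPS_BUCKET = "yourdomain-subdomain-backups"

# Actions Discourse needs (assumed list): list, read, write and delete objects,
# set per-object ACLs on uploads, and abort stalled multipart uploads.
DISCOURSE_S3_ACTIONS = [
    "s3:ListBucket",
    "s3:ListBucketMultipartUploads",
    "s3:GetObject",
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:DeleteObject",
    "s3:AbortMultipartUpload",
    "s3:ListMultipartUploadParts",
]


def iam_user_policy(buckets=(UPLOADS_BUCKET, BACKUPS_BUCKET)):
    """Policy attached to the IAM user whose keys go into app.yml: bucket-scoped, no wildcards."""
    resources = []
    for bucket in buckets:
        resources += [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DiscourseBuckets",
            "Effect": "Allow",
            "Action": DISCOURSE_S3_ACTIONS,
            "Resource": resources,
        }],
    }


def oac_bucket_policy(bucket=UPLOADS_BUCKET, account_id=ACCOUNT_ID, distribution_id=DISTRIBUTION_ID):
    """Bucket policy for step 9: only this CloudFront distribution may read objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
            }},
        }],
    }


def least_privilege_problems(policy):
    """Return findings for wildcard actions/resources and unconditioned anonymous principals.

    An empty list means the document passes; it is a lint, not a full IAM evaluator.
    """
    problems = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                problems.append(f"statement {i}: wildcard action {action}")
        for resource in resources:
            if resource in ("*", "arn:aws:s3:::*"):
                problems.append(f"statement {i}: wildcard resource {resource}")
        principal = st.get("Principal")
        if principal in ("*", {"AWS": "*"}) and "Condition" not in st:
            problems.append(f"statement {i}: anonymous principal without a Condition")
    return problems


if __name__ == "__main__":
    for name, doc in (("IAM user policy", iam_user_policy()), ("OAC bucket policy", oac_bucket_policy())):
        print(f"# {name}\n{json.dumps(doc, indent=2)}")
        print("findings:", least_privilege_problems(doc) or "none")
```

Treat the guide’s own .txt file as the source of truth for the action list: if Discourse is expected to manage bucket settings itself (for example CORS rules), the corresponding bucket-level actions must be added to the IAM policy. The point of the check is the other direction: the user that holds long-lived keys in app.yml should be able to touch exactly these two buckets and nothing else in the account.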

Create a configuration process bucket a-origin-config-bucket

Create a bucket to be used during Distribution #1 configuration process. Name and configuration are unimportant since the bucket is only used temporarily as an initial origin which will be deleted during the configuration process.

  1. Go to Amazon S3 > Buckets > Select “Create bucket”
  2. Amazon S3 > Buckets > Create bucket > General configuration > Confirm “General Purpose” selection
  3. Amazon S3 > Buckets > Create bucket > General configuration > Bucket name > Enter the configuration process bucket name e.g. a-origin-config-bucket
  4. Toggle through the remaining configuration pages and select “Create bucket”

CloudFront Distributions

Create two CloudFront distributions: one to serve website assets and the second to serve uploads bucket assets.

Create distribution #1

  Distribution #1
    DISCOURSE_CDN_URL
      Distribution name: cdn-yourdomain-subdomain
      Origin: subdomain.yourdomain.tld
      Distribution domain name (Cloudfront URL): AWS-assigned.cloudfront.net
      Alternate domain names: discourse-cdn.yourdomain.tld
  1. Go to CloudFront > Distributions > Select “Create”
  2. CloudFront > Distributions > Create distribution > Choose a plan > Select “Pay as you go” > Select “Next”
  3. CloudFront > Distributions > Create distribution > Get started > Distribution options > Distribution name > Enter distribution name e.g. cdn-yourdomain-subdomain
  4. CloudFront > Distributions > Create distribution > Get started > Distribution options > Description - optional > Enter “cdn-yourdomain-subdomain” (Optional but helps with visibility)
  5. CloudFront > Distributions > Create distribution > Get started > Distribution options > Distribution type > Confirm “Single website or app” selection > Select “Next”
  6. CloudFront > Distributions > Create distribution > Specify origin > Origin type > Confirm “Amazon S3” selection
  7. CloudFront > Distributions > Create distribution > Specify origin > Origin > S3 origin > Select “Browse S3” > Select the configuration process bucket “a-origin-config-bucket” > Select “Choose” > Select “Next”
  8. CloudFront > Distributions > Create distribution > Enable security > make your choices - for this guide > Select “Do not enable security protections” > Select “Next”
  9. CloudFront > Distributions > Create distribution > Review and create > Confirm “Review and create” is correct > Select “Create distribution” → Newly created distribution information page should open in CloudFront > Distributions > Distribution ID
  10. CloudFront > Distributions > Distribution ID > Origins > Select “Create origin” Info: The distribution requires the Discourse instance domain as the origin!
  11. CloudFront > Distributions > Distribution ID > Create origin > Settings > Origin domain > Enter discourse instance domain e.g. subdomain.yourdomain.tld > Select “Create origin”
  12. CloudFront > Distributions > Distribution ID > Behaviors > Select the lone behavior “Default (*)” > Select “Edit”
  13. CloudFront > Distributions > Distribution ID > Behaviors > Edit behavior > Settings > Origin and origin groups > Select the Custom origin “subdomain.yourdomain.tld” > Select “Save changes”
  14. CloudFront > Distributions > Distribution ID > Origins > Select the original origin “a-origin-config-bucket.s3.us-east-1.amazonaws.com” > Select “Delete” Info: The deployment must be complete, see CloudFront > Distributions > Distribution ID > Details > Last modified
    If using a branded CDN URL → Step 15
  15. CloudFront > Distributions > Distribution ID > Alternate domain names > Select “Add domain”
  16. CloudFront > Distributions > Distribution ID > Alternate domain names > Add domain > Configure domains > Domains > Domains to serve > Enter the DISCOURSE_CDN_URL e.g. discourse-cdn.yourdomain.tld > Select “Next”

Incomplete: Alternate domain names: discourse-cdn.yourdomain.tld

Create distribution #2

  Distribution #2
    DISCOURSE_S3_CDN_URL
      Distribution name: s3-yourdomain-subdomain-uploads
      Origin: yourdomain-subdomain-uploads
      Distribution domain name (Cloudfront URL): AWS-assigned.cloudfront.net
      Alternate domain names: s3-cdn.yourdomain.tld
  1. Go to CloudFront > Distributions > Select “Create”
  2. CloudFront > Distributions > Create distribution > Choose a plan > Select “Pay as you go” > Select “Next”
  3. CloudFront > Distributions > Create distribution > Get started > Distribution options > Distribution name > Enter distribution name e.g. s3-yourdomain-subdomain-uploads
  4. CloudFront > Distributions > Create distribution > Get started > Distribution options > Description - optional > Enter “s3-yourdomain-subdomain-uploads” (Optional but helps with visibility)
  5. CloudFront > Distributions > Create distribution > Get started > Distribution options > Distribution type > Confirm “Single website or app” selection > Select “Next”
  6. CloudFront > Distributions > Create distribution > Specify origin > Origin type > Confirm “Amazon S3” selection
  7. CloudFront > Distributions > Create distribution > Specify origin > Origin > S3 origin > Select “Browse S3” > Select the uploads bucket “yourdomain-subdomain-uploads” > Select “Choose” > Select “Next”
  8. CloudFront > Distributions > Create distribution > Enable security > make your choices - for this guide > Select “Do not enable security protections” > Select “Next”
  9. CloudFront > Distributions > Create distribution > Review and create > Confirm “Review and create” is correct > Select “Create distribution” → Newly created distribution information page should open in CloudFront > Distributions > Distribution ID
  10. CloudFront > Distributions > Distribution ID > Origins > Select the origin > Select “Edit”
  11. CloudFront > Distributions > Distribution ID > Edit origin > Origin access control > ! You must allow access to CloudFront using this policy… > Select “Copy policy” > Go to Create the uploads bucket step 9 (Amazon S3 > Buckets > yourdomain-subdomain-uploads > Permissions > Bucket policy)

Incomplete: Alternate domain names: s3-cdn.yourdomain.tld

Discourse Configuration

Current as of Discourse version: 2025.12.0-latest

Make these changes in the Discourse Admin UI.

Backups Settings /admin/backups/settings

  1. Maximum backups > Enter the number of backups to keep locally
  2. Backup with uploads > Select “Include uploads in scheduled backups. Disabling this will only backup the database.”

S3 Settings /admin/site_settings/category/all_results?filter=S3

  1. S3 use CDN URL for all uploads > Select “Use CDN URL for all the files uploaded to s3 instead of only for images.” (Discourse ships deselected)

Edit Config (app.yml) Unbranded URLs

Edit the app.yml making the changes below for branded URLs or unbranded Cloudfront URLs.

Discourse Unbranded URLs

Use this for unbranded Cloudfront distributions. Your DISCOURSE_S3_REGION might be different.
DISCOURSE_CDN_URL: https://amazonassigned.cloudfront.net

S3 storage config (unbranded)

## S3 storage config
DISCOURSE_USE_S3: true
DISCOURSE_S3_REGION:  us-east-1
DISCOURSE_S3_ACCESS_KEY_ID: key obfuscated
DISCOURSE_S3_SECRET_ACCESS_KEY: key obfuscated
DISCOURSE_S3_CDN_URL: https://amazonassigned.cloudfront.net
DISCOURSE_S3_BUCKET: your-bucket-name-uploads
DISCOURSE_S3_BACKUP_BUCKET: your-bucket-name-backups
DISCOURSE_BACKUP_LOCATION: s3

Discourse Branded URLs

DNS Configuration

If you prefer to use yourdomain.com-based URLs for the CDNs, you need to make some DNS changes and adjust your CDN URLs.

Tip: Don’t forget to add discourse-cdn.yourdomain.com and s3-cdn.yourdomain.com as a domain name in “Alternate domain names” for their respective Cloudfront distributions.

DNS config if you want to use domain branded Cloudfront distributions.

DISCOURSE_CDN_URL

Existing record:  A      discourseinstance.yourdomain.com         instance ip   Note: This is the existing Discourse install ip.
New record:       A      discourse-cdn-cloudfront.yourdomain.com  instance ip
New record:       CNAME  discourse-cdn.yourdomain.com  ->  amazonassigned.cloudfront.net

DISCOURSE_S3_CDN_URL

New record:       CNAME  s3-cdn-cloudfront.yourdomain.com  ->  amazonassigned.cloudfront.net
New record:       CNAME  s3-cdn.yourdomain.com  ->  s3-cdn-cloudfront.yourdomain.com

Edit Config (app.yml) Branded URLs

Once the DNS changes are complete you can edit your app.yml making the changes below.

Change DISCOURSE_CDN_URL and/or DISCOURSE_S3_CDN_URL if you are using domain CNAMEs for the Cloudfront distribution (amazonassigned.cloudfront.net).

DISCOURSE_CDN_URL: https://discourse-cdn.yourdomain.com

S3 storage config (branded)

## S3 storage config
DISCOURSE_USE_S3: true
DISCOURSE_S3_REGION:  us-east-1
DISCOURSE_S3_ACCESS_KEY_ID: key obfuscated
DISCOURSE_S3_SECRET_ACCESS_KEY: key obfuscated
DISCOURSE_S3_CDN_URL: https://s3-cdn.yourdomain.com
DISCOURSE_S3_BUCKET: your-bucket-name-uploads
DISCOURSE_S3_BACKUP_BUCKET: your-bucket-name-backups
DISCOURSE_BACKUP_LOCATION: s3
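Most of the failures described later in this guide (rakes that error out, rebuilds that fail) trace back to a typo or a leftover placeholder in these DISCOURSE_* lines. The following added example (written for this guide, not Discourse’s own tooling) parses the lines in the form shown above, for either the unbranded or the branded variant, and reports the mistakes worth catching before ./launcher rebuild app: missing keys, placeholder access keys, identical bucket names, non-https CDN URLs, and, for the branded setup, a CDN URL that still points at the raw cloudfront.net hostname. The embedded config text is constructed from the guide’s placeholders; the key values in it are fake.

```python
"""Sanity-check the S3 block of a Discourse app.yml before rebuilding.

Example code added for this guide, not Discourse's own tooling.  Parses the
DISCOURSE_* lines as shown in the guide and reports common mistakes.
"""
from urllib.parse import urlparse

REQUIRED = (
    "DISCOURSE_USE_S3", "DISCOURSE_S3_REGION", "DISCOURSE_S3_ACCESS_KEY_ID",
    "DISCOURSE_S3_SECRET_ACCESS_KEY", "DISCOURSE_S3_CDN_URL", "DISCOURSE_S3_BUCKET",
    "DISCOURSE_S3_BACKUP_BUCKET", "DISCOURSE_BACKUP_LOCATION",
)

# Constructed sample in the guide's branded form; the key values are fake placeholders.
SAMPLE_BRANDED = """\
DISCOURSE_CDN_URL: https://discourse-cdn.yourdomain.com
## S3 storage config
DISCOURSE_USE_S3: true
DISCOURSE_S3_REGION:  us-east-1
DISCOURSE_S3_ACCESS_KEY_ID: AKIAEXAMPLEEXAMPLE
DISCOURSE_S3_SECRET_ACCESS_KEY: exampleSecretKeyNotReal0000000000
DISCOURSE_S3_CDN_URL: https://s3-cdn.yourdomain.com
DISCOURSE_S3_BUCKET: your-bucket-name-uploads
DISCOURSE_S3_BACKUP_BUCKET: your-bucket-name-backups
DISCOURSE_BACKUP_LOCATION: s3
"""


def parse_env_block(text):
    """Turn 'KEY: value' lines (comments and blanks skipped) into a dict."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")  # split on the first colon only; URLs keep theirs
        env[key.strip()] = value.strip()
    return env


def check_s3_config(env, branded=False):
    """Return a list of problems; empty means the block looks consistent."""
    problems = [f"{key} missing" for key in REQUIRED if not env.get(key)]
    if problems:
        return problems
    if env["DISCOURSE_USE_S3"].lower() != "true":
        problems.append("DISCOURSE_USE_S3 must be true")
    if env["DISCOURSE_BACKUP_LOCATION"] != "s3":
        problems.append("DISCOURSE_BACKUP_LOCATION must be s3")
    if env["DISCOURSE_S3_BUCKET"] == env["DISCOURSE_S3_BACKUP_BUCKET"]:
        problems.append("uploads and backups must be different buckets")
    for key in ("DISCOURSE_S3_ACCESS_KEY_ID", "DISCOURSE_S3_SECRET_ACCESS_KEY"):
        if " " in env[key]:  # real keys never contain spaces; "key obfuscated" does
            problems.append(f"{key} still holds placeholder text")
    for key in ("DISCOURSE_S3_CDN_URL", "DISCOURSE_CDN_URL"):
        url = env.get(key)
        if not url:
            continue  # DISCOURSE_CDN_URL is optional for an S3-only setup
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{key} must be an https:// URL with a host")
        elif parsed.path not in ("", "/"):
            problems.append(f"{key} must not carry a path")
        elif branded and parsed.netloc.endswith(".cloudfront.net"):
            problems.append(f"{key} still points at the raw CloudFront hostname; use the CNAME")
    return problems


if __name__ == "__main__":
    env = parse_env_block(SAMPLE_BRANDED)
    print(check_s3_config(env, branded=True) or "branded config looks consistent")
```

Paste the env lines from your own app.yml into SAMPLE_BRANDED (or read them from a file) and run it with branded=False for the unbranded setup; note that the unbranded block exactly as printed in the guide would be flagged for its “key obfuscated” placeholders, which is the intended behaviour.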

Additional Config Edits (app.yml)

Regardless of which approach you use, branded or Cloudfront URLs, you will need the after_assets_precompile section below to ensure things stay updated during subsequent rebuilds.

  hooks:
    after_code:
      - exec:
          cd: $home/plugins
          cmd:
            - git clone https://github.com/discourse/docker_manager.git
            # add any further plugins you use here
    after_assets_precompile:
      - exec:
          cd: $home
          cmd:
            - sudo -E -u discourse bundle exec rake s3:upload_assets
            - sudo -E -u discourse bundle exec rake s3:expire_missing_assets

Rebuild your instance with ./launcher rebuild app

After ./launcher rebuild app completes successfully do these rakes.

./launcher enter app

rake posts:rebake
rake uploads:migrate_to_s3
rake posts:rebake_uncooked_posts

rake s3:upload_assets
rake s3:expire_missing_assets

If the rakes complete without errors then you are good to go.

On some sites the initial rebuild will fail with an error relating to s3:upload_assets. If this happens, check the “Read” setting on the uploads bucket. If it is correctly set, comment out or remove the after_assets_precompile section:

    after_assets_precompile:
      - exec:
          cd: $home
          cmd:
            - sudo -E -u discourse bundle exec rake s3:upload_assets
            - sudo -E -u discourse bundle exec rake s3:expire_missing_assets

and run ./launcher rebuild app again. Then run “rake s3:upload_assets” and “rake s3:expire_missing_assets”.

If both of the rakes complete without errors then re-add or uncomment the after_assets_precompile section, rebuild again and do all the rakes listed above.

If either of the rakes gives an error or the rebuild fails again, you have something wrong in your app.yml and/or AWS S3 configs and/or DNS records. Happy hunting! 🙂

FAQ

Getting Started FAQ

AWS FAQ

IAM User FAQ

S3 Buckets FAQ

  1. Why can’t I see the non-current backups in the backups bucket /Default folder?
  2. It has been many days since backups started disappearing from the Backups /Default folder; where did they go?

S3 Distributions FAQ

Discourse Configuration FAQ

  1. Do I have to use app.yml if I only want to use S3 for backups?
  2. Why is using app.yml for using S3 the recommended approach?

Resources

To-Do

  1. Initial feedback based post publish edits
  2. Confirm approach in Cleanup rule
  3. Is there a more efficient way to replace a-origin-config-bucket with subdomain.yourdomain.tld in Create distribution #1 ??? Can selecting “Other” instead of “Amazon S3” as the Origin type in CloudFront > Distributions > Create distribution > Specify origin > Origin type work? Currently testing this approach again but still “no joy”.
  4. Better title
  5. Distribution #1 Need instructions Alternate domain names: discourse-cdn.yourdomain.tld
  6. Distribution #2 Need instructions Alternate domain names: s3-cdn.yourdomain.tld
  7. Create/find list of Discourse hosts
  8. Add screenshots
  9. Wrap initial round of edits
  10. Build FAQ
  11. Publish Discourse version here and in resource docs
  12. Update AWS_S3_Config.txt, s3-discourse-policy-your-iam-user.txt, AWS_S3_Config_Process.txt, Guide_AWS_S3_Config-sandbox.websystems360.txt, s3-discourse-policy-websystems360-sandbox.txt

OP’s reply for thoughts, comments, editing information, process and ???


AWS Support response on: Confirmation of the approach in the Cleanup rule

I have reviewed your proposed Lifecycle rule configuration and am pleased to confirm that your setup is well designed and follows AWS best practices for backup bucket management.

========== Lifecycle Rule Assessment ==========

Your configuration is excellent and addresses the key areas for backup cleanup:

• Noncurrent Version Cleanup (92 days): This is a sensible retention period that balances storage costs with recovery needs. The 92-day retention provides sufficient time for backup validation while preventing indefinite storage accumulation.

• Expired Delete Marker Removal: Correctly configured to automatically clean up orphaned delete markers, which helps optimize storage costs and bucket performance.

• Incomplete Multipart Upload Cleanup (3 days): The 3-day setting is ideal - short enough to avoid wasting storage on failed uploads, but long enough to accommodate legitimate large backup operations.

• Scope Application: Applying to “all objects in the bucket” is appropriate for dedicated backup buckets where all content follows the same lifecycle pattern.

AWS Support response on: Backup bucket lifecycle configuration

Review of the S3 Lifecycle Configuration for Backup Buckets

I have reviewed your complete lifecycle configuration and can confirm that your “backup retention” rule is well structured and follows AWS best practices for backup management.

Key findings from my investigation:

  • Your bucket has two complementary lifecycle rules that work together effectively
  • The “backup retention” rule correctly manages current and noncurrent versions with appropriate schedules
  • The configuration includes cost-effective storage transitions for noncurrent versions
  • All rule components are configured correctly with appropriate timing parameters
  • The bucket is correctly configured in us-east-1 with adequate permissions

Configuration Assessment:

Your “backup retention” rule effectively manages your backup objects throughout their lifecycle:

  • Transitions noncurrent versions to Glacier Instant Retrieval after 1 day (cost optimization)
  • Expires current versions after 7 days (appropriate for regular backups)
  • Permanently deletes noncurrent versions after 91 days (good retention period)

This rule complements your “cleanup” rule, which handles:

  • Removal of expired delete markers (prevents orphaned markers)
  • Cleanup of incomplete multipart uploads after 3 days (prevents wasted storage)
  • Deletion of noncurrent versions after 92 days (ensures complete cleanup)

Both rules apply to all objects in the bucket, which is appropriate for dedicated backup storage where all content follows the same lifecycle pattern.

The 7-day expiration for current versions seems appropriate for regular backup scenarios, but you can adjust this based on your specific retention requirements (15 or 30 days if longer retention is needed).

Your implementation is complete and follows AWS best practices for S3 lifecycle management.