s3

Verified·Scanned 2/18/2026

This skill documents best practices for S3-compatible object storage, access patterns, and lifecycle rules. It instructs to Generate server-side, never expose credentials to client, a purpose-aligned guidance on credential handling.

from clawhub.ai·v7f061fc·3.5 KB·0 installs
Scanned from 1.0.0 at 7f061fc · Transparency log ↗
$ vett add clawhub.ai/ivangdavila/s3

Public Access Control

  • Default deny public access—only open when explicitly needed (static hosting)
  • Bucket policy vs IAM: bucket policy for cross-account/public, IAM for same-account roles
  • Check both bucket-level AND account-level block settings—account can override bucket
  • For web assets, prefer CDN in front of bucket over direct public access

Presigned URLs

  • Set shortest expiration practical—minutes for immediate use, not days
  • URL is a bearer token—anyone with it has access; treat as secret
  • Specify HTTP method in signature—GET for download, PUT for upload
  • Include Content-Type for uploads—mismatch between signature and request causes 403
  • Generate server-side, never expose credentials to client

Lifecycle Rules

  • Transition to cheaper tiers for infrequent access—but check minimum storage duration penalties
  • Auto-delete for temp files, logs, old versions—prevents unbounded storage growth
  • Clean incomplete multipart uploads—accumulate invisibly; set abort rule (7 days typical)
  • Versioned buckets: separate rules for current vs noncurrent versions

Versioning Behavior

  • Enable before you need it—can't recover deleted objects without versioning
  • "Delete" creates delete marker—object hidden but versions remain; storage still consumed
  • Permanent deletion requires explicit version ID—without it, just adds marker
  • Noncurrent version expiration essential—otherwise old versions accumulate forever

Multipart Uploads

  • Required above 5GB, recommended above 100MB—single PUT has size limits
  • Incomplete uploads invisible in normal listings—consume storage silently
  • Abort incomplete uploads via lifecycle—or manually with list-multipart-uploads
  • Parallel part uploads for speed—parts can upload concurrently

CORS for Browser Access

  • Required for JavaScript direct upload/download—blocked without CORS headers
  • Specify exact origins—avoid wildcard * for authenticated requests
  • Expose headers that JavaScript needs to read—Content-Length, ETag, custom headers
  • AllowedMethods: GET for download, PUT for upload, DELETE if needed

Key Naming

  • Use prefixes like directories: users/123/avatar.jpg—but S3 is flat, not hierarchical
  • Avoid sequential prefixes for high throughput—2024-01-01/file1 can hotspot
  • Random prefix or hash for write-heavy buckets—distributes across partitions
  • No leading slash—/images/file.jpg creates empty-string prefix

Cost Awareness

  • Request volume matters—many small files more expensive than few large files
  • Egress typically costly—CDN reduces egress by caching at edge
  • Minimum storage duration varies by tier—early deletion still charged full period
  • Lifecycle transitions have per-object cost—millions of tiny files expensive to transition

Replication

  • Cross-region for disaster recovery, same-region for compliance copies
  • Versioning required on both source and destination
  • Only new objects replicate—existing objects need manual copy or batch operation
  • Delete markers not replicated by default—explicitly enable if needed

Provider Differences

  • AWS S3: full feature set, most tools assume AWS behavior
  • Cloudflare R2: no egress fees, subset of features
  • Backblaze B2: S3-compatible API, different pricing model
  • MinIO: self-hosted, full S3 API compatibility
  • Check presigned URL compatibility—some providers have quirks