AWS S3 Complete Guide 2026: Buckets, Boto3 and Production Patterns

⏱️5 min read · 1,010 words

Amazon S3 (Simple Storage Service) is the foundation of cloud storage. Every serious AWS workload uses S3 — from static websites and backups to data lakes and ML training datasets. This complete guide covers S3 from first bucket to production-grade architecture in 2026.

📋 Table of Contents

What is S3?
Creating Buckets and Uploading Files
Boto3 — Python SDK for S3
Static Website Hosting
Pre-signed URLs — Secure Temporary Access
S3 Storage Classes (Cost Optimization)
Lifecycle Policies — Automate Cost Savings
S3 Versioning and Replication
Security Best Practices

What is S3?

S3 is object storage: files (objects) stored in buckets, accessed via HTTP. Key concepts:

Bucket — container for objects, globally unique name
Object — file + metadata, up to 5TB each
Key — object’s full path within bucket (e.g., images/2026/photo.jpg)
Region — bucket lives in one AWS region
Durability — 99.999999999% (11 nines) — data is replicated across 3+ AZs

Creating Buckets and Uploading Files

# AWS CLI setup
pip install awscli
aws configure  # enter Access Key, Secret, region

# Create bucket
aws s3 mb s3://my-bucket-2026 --region us-east-1

# Upload file
aws s3 cp file.jpg s3://my-bucket-2026/images/file.jpg

# Upload directory
aws s3 sync ./dist s3://my-bucket-2026/website/ --delete

# List objects
aws s3 ls s3://my-bucket-2026/
aws s3 ls s3://my-bucket-2026/images/ --recursive

# Download
aws s3 cp s3://my-bucket-2026/data.csv ./data.csv

# Delete
aws s3 rm s3://my-bucket-2026/old-file.txt
aws s3 rm s3://my-bucket-2026/old-folder/ --recursive

Boto3 — Python SDK for S3

import boto3
from botocore.exceptions import ClientError
from pathlib import Path
import json

# Initialize client
s3 = boto3.client('s3', region_name='us-east-1')

# Or use resource (higher-level API)
s3_resource = boto3.resource('s3')
bucket = s3_resource.Bucket('my-bucket-2026')

# Create bucket
def create_bucket(bucket_name: str, region: str = 'us-east-1') -> bool:
    try:
        if region == 'us-east-1':
            s3.create_bucket(Bucket=bucket_name)
        else:
            s3.create_bucket(
                Bucket=bucket_name,
                CreateBucketConfiguration={'LocationConstraint': region}
            )
        return True
    except ClientError as e:
        print(f"Error: {e}")
        return False

# Upload file
def upload_file(file_path: str, bucket: str, key: str = None) -> bool:
    if key is None:
        key = Path(file_path).name
    try:
        s3.upload_file(file_path, bucket, key,
                       ExtraArgs={'ContentType': 'image/jpeg'})
        return True
    except ClientError as e:
        print(f"Upload failed: {e}")
        return False

# Upload from memory (no temp file needed)
def upload_bytes(data: bytes, bucket: str, key: str, content_type: str = 'application/octet-stream'):
    s3.put_object(Body=data, Bucket=bucket, Key=key, ContentType=content_type)

# Download
def download_file(bucket: str, key: str, dest_path: str):
    s3.download_file(bucket, key, dest_path)

def download_bytes(bucket: str, key: str) -> bytes:
    response = s3.get_object(Bucket=bucket, Key=key)
    return response['Body'].read()

# List objects
def list_objects(bucket: str, prefix: str = '') -> list[dict]:
    paginator = s3.get_paginator('list_objects_v2')
    objects = []
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
        objects.extend(page.get('Contents', []))
    return objects

# Delete
def delete_object(bucket: str, key: str):
    s3.delete_object(Bucket=bucket, Key=key)

Static Website Hosting

# Enable static hosting
aws s3 website s3://my-website-bucket/   --index-document index.html   --error-document 404.html

# Bucket policy for public access
cat > policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-website-bucket/*"
  }]
}
EOF

aws s3api put-bucket-policy   --bucket my-website-bucket   --policy file://policy.json

# Deploy website
aws s3 sync ./dist s3://my-website-bucket/   --delete   --cache-control "max-age=31536000"   --exclude "*.html"

# HTML files: no cache
aws s3 sync ./dist s3://my-website-bucket/   --exclude "*" --include "*.html"   --cache-control "no-cache"

# Website URL: http://my-website-bucket.s3-website-us-east-1.amazonaws.com

Pre-signed URLs — Secure Temporary Access

# Generate time-limited URLs for private objects

def get_presigned_url(bucket: str, key: str, expiry_seconds: int = 3600) -> str:
    url = s3.generate_presigned_url(
        'get_object',
        Params={'Bucket': bucket, 'Key': key},
        ExpiresIn=expiry_seconds
    )
    return url

# Upload pre-signed URL — let clients upload directly to S3
def get_presigned_upload_url(bucket: str, key: str, content_type: str, expiry: int = 300) -> dict:
    response = s3.generate_presigned_post(
        bucket,
        key,
        Fields={'Content-Type': content_type},
        Conditions=[
            {'Content-Type': content_type},
            ['content-length-range', 1, 10 * 1024 * 1024]  # max 10MB
        ],
        ExpiresIn=expiry
    )
    return response

# FastAPI endpoint returning upload URL
# @app.get('/upload-url')
# def get_upload_url(filename: str, content_type: str):
#     key = f'uploads/{uuid4()}/{filename}'
#     url_data = get_presigned_upload_url(BUCKET, key, content_type)
#     return {'url': url_data['url'], 'fields': url_data['fields'], 'key': key}

S3 Storage Classes (Cost Optimization)

Class	Use Case	Cost
Standard	Frequently accessed	$0.023/GB
Intelligent-Tiering	Unknown access patterns	Auto-optimize
Standard-IA	Infrequent access	$0.0125/GB
Glacier Instant	Archives, ms retrieval	$0.004/GB
Glacier Deep Archive	Compliance archives	$0.00099/GB

Lifecycle Policies — Automate Cost Savings

{
  "Rules": [{
    "ID": "archive-old-logs",
    "Status": "Enabled",
    "Filter": {"Prefix": "logs/"},
    "Transitions": [
      {"Days": 30, "StorageClass": "STANDARD_IA"},
      {"Days": 90, "StorageClass": "GLACIER"}
    ],
    "Expiration": {"Days": 365}
  }]
}

S3 Versioning and Replication

# Enable versioning
aws s3api put-bucket-versioning   --bucket my-bucket   --versioning-configuration Status=Enabled

# Cross-region replication (in AWS Console or CloudFormation)
# Requires versioning on both source and destination buckets

# List object versions
aws s3api list-object-versions --bucket my-bucket --prefix data.csv

Security Best Practices

Block public access by default — only open what you need
Use IAM roles for EC2/Lambda access — no hardcoded keys
Enable server-side encryption (SSE-S3 or SSE-KMS)
Enable CloudTrail — audit all S3 API calls
Use VPC endpoints for private access from EC2
Enable MFA delete for versioned buckets with critical data

S3 is infinitely scalable, costs pennies per GB, and integrates with every AWS service. Master the CLI and Boto3, use pre-signed URLs for user uploads, Lifecycle policies for cost optimization, and always block public access by default.

📚 You might also like

🔗 Share this article

X / Twitter Facebook WhatsApp LinkedIn Telegram