S3
Bucket creation (Terraform)
# Bucket definition only: versioning, encryption, public-access blocking and
# lifecycle are attached by the separate resources below (all keyed on
# aws_s3_bucket.artifacts.id). Bucket names are globally unique, so the name
# encodes org + purpose + environment.
# NOTE(review): no `lifecycle { prevent_destroy = true }` guard is set — consider
# one for a production bucket so a plan cannot remove it by accident.
resource "aws_s3_bucket" "artifacts" {
  bucket = "my-org-artifacts-production"
}
# Object versioning: overwrites and deletes keep the previous version, which is
# what makes the noncurrent_version_expiration rule in the lifecycle
# configuration below meaningful. Noncurrent versions are billed until that
# rule expires them.
resource "aws_s3_bucket_versioning" "artifacts" {
  bucket = aws_s3_bucket.artifacts.id
  versioning_configuration {
    status = "Enabled"
  }
}
# Default encryption for objects written without an explicit SSE header.
resource "aws_s3_bucket_server_side_encryption_configuration" "artifacts" {
  bucket = aws_s3_bucket.artifacts.id

  rule {
    # S3 Bucket Keys cut the number of KMS requests (and their cost) by
    # deriving per-object keys from a bucket-level data key.
    bucket_key_enabled = true

    # SSE-KMS. No kms_master_key_id is given, so the AWS-managed key (aws/s3)
    # is used; to control the key policy, rotation and cross-account access
    # yourself, reference a customer-managed key here.
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}
# Bucket-level Block Public Access. All four switches are on, so neither a
# public ACL nor a public bucket policy can expose objects, regardless of what
# a later policy or object upload asks for.
resource "aws_s3_bucket_public_access_block" "artifacts" {
  bucket = aws_s3_bucket.artifacts.id

  # ACL side: reject new public ACLs, and ignore any that already exist.
  ignore_public_acls = true
  block_public_acls  = true

  # Policy side: reject a public bucket policy, and limit an existing public
  # policy to the account's principals and AWS service principals.
  restrict_public_buckets = true
  block_public_policy     = true
}
Lifecycle rules
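# Storage tiering and expiry for build artifacts:
#   0-30 d  STANDARD, 30-90 d STANDARD_IA, 90-365 d GLACIER_IR, then deleted;
#   superseded (noncurrent) versions are deleted 90 days after being replaced.
resource "aws_s3_bucket_lifecycle_configuration" "artifacts" {
  bucket = aws_s3_bucket.artifacts.id

  # noncurrent_version_expiration is only meaningful on a versioned bucket,
  # so make sure versioning is applied before this configuration.
  depends_on = [aws_s3_bucket_versioning.artifacts]

  rule {
    id     = "expire-old-artifacts"
    status = "Enabled"

    # An empty filter applies the rule to every object in the bucket. Recent
    # provider versions warn when a rule has neither filter nor prefix.
    filter {}

    transition {
      days          = 30
      storage_class = "STANDARD_IA"
    }

    transition {
      days          = 90
      storage_class = "GLACIER_IR"
    }

    expiration {
      days = 365
    }

    noncurrent_version_expiration {
      noncurrent_days = 90
    }

    # Parts of multipart uploads that never completed (e.g. an interrupted
    # `aws s3 cp`/`sync`) are otherwise kept and billed indefinitely.
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}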
Bucket policy (IRSA access)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/s3-reader-production"
},
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": [
"arn:aws:s3:::my-org-artifacts-production",
"arn:aws:s3:::my-org-artifacts-production/*"
]
}
]
}
CLI quick reference
# List objects under a prefix (needs s3:ListBucket on the bucket, as granted in
# the bucket policy above).
aws s3 ls s3://my-bucket/prefix/
# Sync local → S3. --delete also removes objects under the destination prefix
# that no longer exist locally; add --dryrun to preview what would change first.
aws s3 sync ./dist s3://my-bucket/releases/v1.0/ --delete
# Copy a single object, choosing its storage class at upload time
# (--storage-class sets the tier; user metadata is set with --metadata).
aws s3 cp file.tar.gz s3://my-bucket/ --storage-class STANDARD_IA
# Presigned URL valid for 900 s (15 min). Anyone holding the URL can fetch the
# object until it expires, and it is signed with the caller's credentials, so it
# does not outlive temporary credentials.
aws s3 presign s3://my-bucket/artifact.tar.gz --expires-in 900