Amazon S3 on Outposts FAQs

General

Amazon S3 on Outposts delivers object storage to your on-premises AWS Outposts environment to meet local data processing and data residency needs. Using the S3 APIs and features available in AWS Regions today, S3 on Outposts makes it easy to store and retrieve data on your Outpost, as well as secure the data, control access, tag, and report on it. AWS Outposts is a fully managed service that extends AWS infrastructure, services, and tools to virtually any data center, co-location space, or on-premises facility for a truly consistent hybrid experience.

Using S3 on Outposts, you can store data on your Outpost to meet local data residency requirements, reduce costs by processing data generated on-premises before moving some or all to AWS Regions for long-term storage, or keep data close to on-premises applications. S3 on Outposts provides a new Amazon S3 storage class, named ‘OUTPOSTS’, which uses the S3 APIs, and is designed to durably and redundantly store data across multiple devices and servers on your Outposts. AWS DataSync, a service that makes it easy to move data to and from AWS Storage services, supports S3 on Outposts, so you can automate data transfer between your Outposts and AWS Regions, choosing what to transfer, when to transfer, and how much network bandwidth to use.

S3 on Outposts supports the full range of S3 object API actions (GetObject, PutObject, ListObjects, and DeleteObjects), bucket API actions (e.g. CreateBucket, ListBuckets, UpdateBucket, and DeleteBucket), and S3 features such as AWS Identity and Access Management (IAM), and S3 Access Points and policies to control access to objects and buckets, Amazon CloudWatch to monitor operational health, and AWS CloudTrail to track and report on bucket and object level activity.

To start using S3 on Outposts, you visit the AWS Outposts Management Console to order an Outposts configuration that includes your desired S3 storage capacity, or you can add S3 storage to an existing Outpost by working with your AWS account team. You then use the AWS console, S3 SDK, or CLI to create buckets and S3 Access Points on your Outposts. You can control access and monitor your S3 on Outposts using the same services that you use with Amazon S3 today, such as AWS Identity and Access Management (IAM), S3 Access Points and policies to control access to objects and buckets, Amazon CloudWatch to monitor operational health, and AWS CloudTrail to track and report on bucket-level activity.

S3 on Outposts enables you to run workloads that depend on data stored on your AWS Outposts using the same applications and familiar S3 programming model that you use in AWS Regions today. Using S3 on Outposts, you can store data on your Outpost to meet local data residency requirements, reduce costs by processing data generated on-premises before moving some or all to AWS Regions for long-term storage, or keep data close to on-premises applications.

S3 on Outposts is ideal for customers with data residency requirements or those in regulated industries that need to securely store and process customer data on-premises or in locations where there is no AWS Region. For on-premises applications that require high-throughput local processing, such as medical imaging in hospitals, autonomous vehicle data capture, and manufacturing processes, you can use S3 on Outposts to process and store data locally. For customers building or testing applications on-premises that may eventually move these applications to an AWS Region, you can now minimize the changes required to your application by staging and validating these applications on S3 on Outposts.

Yes. Data stored in S3 on Outposts stays on your Outposts by default. You may choose if and when to transfer any data to AWS Regions based on specific residency requirements. Certain data management and telemetry data, such as bucket names and metrics, may be stored in the AWS Region for reporting and management. We recommend you confirm with your compliance teams to ensure your particular requirements are met.

S3 on Outposts provides a new Amazon S3 storage class, named ‘OUTPOSTS’, which uses the S3 APIs, and is designed to durably and redundantly store data across multiple devices and servers on your Outposts. The ‘OUTPOSTS’ storage class is only available for objects stored in buckets on Outposts, and attempting to use this storage class with an S3 bucket in an AWS Region will result in an InvalidStorageClass error. Similarly, attempting to use other S3 storage classes with S3 on Outposts will result in this same error response.

S3 on Outposts supports the full range of Amazon S3 APIs, and features such as object and bucket-level encryption, S3 Lifecycle expiration actions, S3 Object Tagging, S3 Block Public Access, encryption using SSE-S3 and SSE-C, CloudTrail management and data events, and CloudWatch Events and Metrics. S3 on Outposts controls access to data using AWS Identity and Access Management (IAM).

Using the AWS Management Console, customers provision and manage their S3 storage, add, delete, and configure their buckets on Outposts. Additionally, customers can use AWS DataSync to copy objects between AWS Outposts and Amazon S3 in an AWS Region. Customers can configure one-time or periodic data transfers, and can control how much of the network bandwidth between the Outpost and AWS is used for transferring data.

S3 on Outposts is designed to durably and redundantly store data across multiple devices and servers on your Outpost. In the event of a device or server failure, S3 on Outposts will automatically balance storage across the remaining devices and servers to maintain durability. If there is a physical hardware failure, AWS will reach out to schedule a time to visit your site. As with any environment, the best practice is to create a backup copy of your data, and to put in place safeguards against malicious or accidental deletion. For S3 data, this includes secure access permissions, replication to AWS Regions where applicable, and a functioning, regularly tested backup.

You can add 26 TB, 48 TB, 96 TB, 240 TB, or 380 TB of S3 storage capacity to your Outposts (the 26 TB S3 option is only supported on Outposts with 11 TB EBS configured). You can create up to 100 buckets per AWS account on each Outpost. Object size limits are consistent with S3 in the AWS Region (5 TB object max, and 5 GB max per PUT).

Yes. Depending on your current Outpost configuration and storage capacity, you may be able to add S3 storage to an existing Outpost, or you may need to work with your AWS account team to add additional hardware to support S3 on Outposts.

If there is not enough space to store an object on your Outpost, the API will return an insufficient capacity exception (ICE). To avoid this, you can create CloudWatch alerts that notify you when storage utilization exceeds a threshold. You can then free up space by explicitly deleting data, using a lifecycle expiration policy, or copying data from your Outposts to an S3 bucket in an AWS Region using AWS DataSync. There is a 50 TB limit on bucket size, and you manage storage across all your S3 buckets on the Outpost as a whole.

Yes. By default, all data stored in S3 on Outposts is encrypted using server-side encryption with SSE-S3. You can optionally use server-side encryption with customer-provided encryption keys (SSE-C) by specifying an encryption key as part of your object API requests. Server-side encryption encrypts only the object data, not object metadata.

Yes. Provisioning S3 on your Outpost does not change or prevent access to S3 in AWS Regions. Applications can access the buckets in AWS Regions using their global bucketname endpoint or configured S3 Access Points via the Outposts Internet Gateway or the Direct Connect between your Outpost and AWS. Access to buckets in AWS Regions can be restricted to the VPC on the Outpost.

S3 on Outposts is available in all AWS Regions where Outposts is supported. For the current list, please visit the Outposts FAQs page.

S3 on Outposts pricing is based on the capacity options you select. Pricing details can be found on the Outposts pricing page.

Getting started

You can get started with S3 on Outposts by using the AWS Outposts Management Console. If you are a new Outposts customer, you can order S3 on Outposts by selecting an Outposts configuration that offers the amount of S3 storage that meets your use case needs. If you are an existing Outposts customer, you can add S3 to your existing Outpost or expand your existing S3 storage, depending on the Outposts configuration previously provisioned.

Once S3 storage is provisioned, use the AWS console or S3 SDK/CLI to create buckets and S3 Access Points on your Outposts. You can then use S3 APIs to store and retrieve objects from these buckets or use DataSync to transfer data between your Outpost and the region. You can manage your S3 storage on Outposts using the same services you use in-region today, such as AWS Identity and Access Management (IAM) and S3 Access Points to control access to objects and buckets, Amazon CloudWatch to monitor operational health, and AWS CloudTrail to track and report on bucket-level activity.

You first create a bucket on your Outpost using the Outposts Console or AWS SDK/CLI and then create an S3 Access Point that provides a customized path into that bucket. You can optionally set AWS Identity and Access Management (IAM) policies to control access to the data stored in your bucket.

Access to your S3 buckets stored on Outposts is controlled by AWS Identity and Access Management (IAM) policies. Customers can configure both bucket and access point policies using the S3 on Outposts IAM namespace, which provides granular access control for all S3 object and bucket API actions.

Requests made to S3 on Outposts are authenticated using AWS Identity and Access Management (IAM). Object API requests made to the local endpoint on the Outpost will be authenticated using the regional IAM service.

Requests made to S3 on Outposts control API in an AWS Region are authenticated using AWS Identity and Access Management (IAM) and authorized against the S3 on Outposts IAM namespace. Requests made to the object API endpoints on the Outpost will be authenticated using the IAM service in the home region of the Outpost and authorized against the S3 on Outposts IAM namespace. S3 Access Point policies configured on the Outpost access point will control authorization of object API requests in addition to IAM user policies.

S3 on Outposts supports both bucket and access point policies. S3 on Outposts policies use a different IAM actions namespace from S3 to provide you with distinct controls for data stored on your Outpost. S3 on Outposts does not support object-level ACLs and defaults to S3 Object Ownership, which ensures that the owner of a bucket cannot be prevented from accessing or deleting objects. S3 on Outposts buckets always have S3 Block Public Access enabled to ensure that objects never have public access.
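Because S3 on Outposts policies use their own IAM actions namespace, a statement copied from a Regional S3 policy does not apply to data on the Outpost. The following added example (not AWS code) lints a policy document for Allow statements whose actions or resource ARNs fall outside the s3-outposts namespace, or that grant every action in it. The account ID, Outpost ID, role names and access point name are constructed placeholders.

```python
# Constructed access point policy; account ID, Outpost ID and names are placeholders.
AP = "arn:aws:s3-outposts:us-west-2:111122223333:outpost/op-EXAMPLE/accesspoint/example-ap"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOk", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
         "Action": ["s3-outposts:GetObject"], "Resource": AP + "/object/*"},
        {"Sid": "WrongNamespace", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-writer"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-admin"},
         "Action": "s3-outposts:*", "Resource": AP},
    ],
}

NAMESPACE = "s3-outposts"


def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def lint_outposts_policy(policy):
    """Return (sid, finding) pairs for Allow statements that misuse the namespace."""
    findings = []
    for n, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{n}]")
        for action in _as_list(stmt.get("Action")):
            service, _, name = action.lower().partition(":")
            if action == "*" or (service == NAMESPACE and name == "*"):
                findings.append((sid, f"wildcard action {action!r}"))
            elif service != NAMESPACE:
                findings.append((sid, f"action {action!r} is not in {NAMESPACE}"))
        for resource in _as_list(stmt.get("Resource")):
            parts = resource.split(":", 5)  # arn:partition:service:region:account:id
            if len(parts) < 6 or parts[0] != "arn" or parts[2] != NAMESPACE:
                findings.append((sid, f"resource {resource!r} is not an {NAMESPACE} ARN"))
    return findings


if __name__ == "__main__":
    for sid, finding in lint_outposts_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```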

No, S3 on Outposts does not support using VPC endpoint policies.

Your applications use the S3 SDK or CLI to store and retrieve objects stored on Outposts using an S3 Access Point hosted on an endpoint in a VPC on your Outpost.

To track the operational health of your buckets on Outposts and configure billing and capacity management alerts, S3 on Outposts generates dedicated metrics and events in Amazon CloudWatch. You can also record an event history or detect unusual activity on your Outposts buckets by configuring S3 on Outposts to use AWS CloudTrail.

Yes, you can optionally configure an S3 on Outposts bucket to create access log records for all requests made against it. Alternatively, if you need to capture IAM/user identity information in your logs, you can configure AWS CloudTrail Data Events. These access log records can be used for audit purposes and contain details about the request, such as the request type, the resources specified in the request, and the time and date the request was processed.

S3 on Outposts automatically stores all data across multiple servers on your Outpost. Objects are not sent to, or stored in, an AWS Region unless explicitly transferred using DataSync or the CLI/SDK. Buckets are managed from the Outposts console or through control plane endpoints in an AWS Region, and management information such as CloudWatch metrics and CloudTrail logs is sent from the Outpost to that AWS Region.

Yes. S3 on Outposts doesn't force you to migrate or to store any of your data in the AWS cloud. Although we believe that most IT workloads can be more efficiently served in the AWS cloud, we also believe that the best way to earn your trust is to help you build and grow your business wherever your applications live. We hope that you'll benefit from S3 on Outposts whether you want to migrate to AWS tomorrow, next year, or have no cloud migration plans.

No, if the network connection to your Outpost is lost, you will not be able to access your objects. Requests to store and retrieve objects are authenticated using the regional IAM service, and as such if the Outpost has no connectivity to the home AWS Region you are not able to access your data.

Data transfer

You can use AWS DataSync to transfer data between buckets on the Outpost and buckets in an AWS Region.

AWS DataSync provides explicit control over the data transferred between Outposts and AWS Regions. With AWS DataSync support for S3 on Outposts, you can automate transferring data between your Outposts and AWS Regions, choosing what to transfer, when to transfer, and how much network bandwidth to use.