# Store and manage data with Lightsail object storage buckets
Use the Amazon Lightsail object storage service to store and retrieve objects, at any time, from anywhere on the internet. It is designed to make web-scale computing easier for developers, and is built using the Amazon Simple Storage Service (Amazon S3). Lightsail object storage gives you access to the same highly scalable, reliable, fast, inexpensive data storage infrastructure that Amazon uses to run its own global network of websites. The service aims to maximize benefits of scale and to pass those benefits on to you.
## Object storage concepts
The following concepts and terminology apply to Lightsail object storage.
**Buckets**
A bucket is a container for objects stored in the Lightsail object storage service. Every object is contained in a bucket, which has its own URL. For example, if the object named `media/sailbot.jpg` is stored in the `amzn-s3-demo-bucket` bucket in the US East (N. Virginia) Region (`us-east-1`), then it is addressable using a URL that is similar to `https://amzn-s3-demo-bucket.us-east-1.amazonaws.com/media/sailbot.jpg`.
You can create buckets in AWS Regions where Lightsail is available. For more information about which AWS Regions Lightsail is available in, see [Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/lightsail.html) in the *AWS General Reference*.
**Bucket storage plans**
A storage plan, referred to as a *bundle* in the AWS API, specifies the monthly cost, storage space, and data transfer quota for your bucket. You must choose a storage plan when you first create your bucket. You can change it later after your bucket is up and running.
You can change your bucket's plan only one time within your monthly AWS billing cycle. Change your bucket's plan if it's consistently going over its storage space or data transfer quota, or if your bucket's usage is consistently in the lower range of its storage space or data transfer quota. Because your bucket might experience unpredictable usage fluctuations, we strongly recommend that you change your bucket's plan only as a long-term strategy, instead of as a short-term, monthly cost-cutting measure. Choose a storage plan that will provide your bucket with ample an storage space and data transfer quotas for a long time to come.
**Objects**
Objects are the fundamental entities stored in buckets. A file that you upload to your bucket is referred to as an object while it is being stored. Objects consist of *data* and *metadata*. The *data* portion is opaque to the Lightsail object storage service. The *metadata* is a set of name-value pairs that describe the object. These include some default metadata (such as the last modified date), and standard HTTP metadata (such as Content-Type).
An object is uniquely identified within a bucket by a key name and a version ID.
**Object key names**
A key name is the unique identifier for an object in a bucket. Every object in a bucket has exactly one key. The combination of a bucket, key, and version ID uniquely identifies each object. So you can think of Lightsail object storage as a basic data map between "bucket \$1 key \$1 version" and the object itself. Every object in Lightsail object storage can be uniquely addressed through the combination of the web service endpoint, bucket name, key, and optionally, a version. For example, in the URL `https://amzn-s3-demo-bucket.us-east-1.amazonaws.com/media/sailbot.jpg`, `amzn-s3-demo-bucket` is the name of the bucket and `media/sailbot.jpg` is the object key name.
**Object versioning**
Versioning is a feature that allows you to keep multiple variants of an object in the same bucket. Enable versioning to preserve, retrieve, and restore every version of every object stored in your bucket. With versioning, you can recover more easily from both unintended user actions and application failures.
Versioning is disabled by default when you create a bucket. After you enable versioning, every version of every object that you store in your bucket is retained until you manually delete the stored version. For example, if you store the `media/sailbot.jpg` object, and later you store a larger file with the same object key name, then the original smaller object is retained as a *previous version*. The new, larger object becomes the *current version*. If you decide that you don't need the previous version of the object, you can delete it. All stored previous versions of an object are deleted when you delete the current version of the object.
Stored object versions consume your bucket's storage space in the same way as stored current versions of an object. After you enable versioning, you can suspend it to stop storing object versions. This also consumes less of your bucket's storage space when you upload new object versions. When you suspend versioning, stored object versions are retained, but new object versions that you upload while versioning is suspended are not retained.
**Bucket and object access**
By default, all object storage resources—buckets and objects—are private. This means only the bucket owner, the Lightsail account that created it, can access the bucket and its objects. The bucket owner can optionally grant access permissions to others. This can be done by setting all objects or individual objects to public, which makes them readable to anyone in the world. You can also grant full programmatic access by attaching Lightsail instances to your bucket, or by creating access keys for your bucket. Finally, you can grant other AWS accounts programmatic read-only access to your bucket.
**AWS Regions**
You can create Lightsail object storage buckets in all of the AWS Regions in which Lightsail is available. You might choose a Region to optimize latency, minimize costs, or address regulatory requirements. Objects stored in an AWS Region do not leave the Region unless you explicitly transfer them to another Region. For example, objects stored in the US West (Oregon) Region do not leave it.
## Manage buckets and objects
Lightsail object storage is intentionally built with a minimal feature set that focuses on simplicity and robustness. Following are some of the elements of managing buckets and objects:
+ **Create buckets** – Create a bucket that stores data. Buckets are the fundamental containers in the Lightsail object storage service. For more information, see [Create a bucket](amazon-lightsail-creating-buckets.md).
+ **Store data** – Upload files to your bucket using the Lightsail console, AWS Command Line Interface (AWS CLI), and AWS APIs. For more information about uploading files, see [Upload files to a bucket](amazon-lightsail-uploading-files-to-a-bucket.md).
+ **Download data** – Download your stored objects anytime you want. For more information, see [Download objects from a bucket](amazon-lightsail-downloading-bucket-objects.md).
+ **Grant access** – Grant or deny access to others (such as software or individuals), who want to upload data or download data that is in your bucket. Authentication mechanisms can help keep data secure from unauthorized access. For more information, see [Bucket permissions](amazon-lightsail-understanding-bucket-permissions.md).
+ **Manage versioning** – Enable versioning to retain every version of every object stored in your bucket. For more information, see [Enable and suspend object versioning in a bucket](amazon-lightsail-managing-bucket-object-versioning.md).
+ **Monitor usage** – Monitor the number of objects stored in your bucket, and the amount of storage space being used. For more information, see [View bucket metrics](amazon-lightsail-viewing-bucket-metrics.md).
+ **Change the storage plan** – Upsize your bucket if it's being over-utilized, or downsize it if it's being under-utilized. For more information, see [Change the plan of your bucket](amazon-lightsail-changing-bucket-plans.md).
+ **Connect your bucket** – Connect your Lightsail bucket to your WordPress website to store website images and attachments. You can also specify your bucket as the origin of a Lightsail content delivery network (CDN) distribution. This speeds up the delivery of objects in your bucket to your users around the world. For more information, see [Tutorial: Connect a bucket to your WordPress instance](amazon-lightsail-connecting-buckets-to-wordpress.md) and [Tutorial: Use a bucket with a content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md).
+ **Delete your bucket** – Delete your bucket if you are no longer using it. For more information, see [Delete a bucket](amazon-lightsail-deleting-buckets.md).
# Create a Lightsail bucket for object storage
Create a bucket in the Amazon Lightsail object storage service when you're ready to start uploading your files to the cloud. Every file that you upload to the Lightsail object storage service is stored in a Lightsail bucket. For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
## Create a bucket
Complete the following procedure to create a Lightsail bucket.
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose **Create bucket**.
1. Choose **Change AWS Region** to choose the Region in which to create your bucket.
We recommend that you create your bucket in the same AWS Region as the resources that you plan to use with your bucket. You cannot change the Region of your bucket after you create it.
1. Choose a storage plan for your bucket.
The storage plan specifies the monthly cost, storage space quota, and data transfer quota for your bucket.
You can change your bucket's plan only one time within your monthly AWS billing cycle. Change your bucket's plan if it's consistently going over its storage space or data transfer quota, or if your bucket's usage is consistently in the lower range of its storage space or data transfer quota. For more information see [Change the plan of your bucket](amazon-lightsail-changing-bucket-plans.md).
1. Enter a name for your bucket.
For more information about bucket names, see [Bucket naming rules in Amazon Lightsail](bucket-naming-rules-in-amazon-lightsail.md).
1. Choose **Create bucket**.
You are redirected to the management page of your new bucket. Continue to the Next steps section of this guide for additional documentation to use and manage your bucket.
## Manage buckets and objects
These are the general steps to manage your Lightsail object storage bucket:
1. Learn about objects and buckets in the Amazon Lightsail object storage service. For more information, see [Object storage in Amazon Lightsail](buckets-in-amazon-lightsail.md).
1. Learn about the names that you can give your buckets in Amazon Lightsail. For more information, see [Bucket naming rules in Amazon Lightsail](bucket-naming-rules-in-amazon-lightsail.md).
1. Get started with the Lightsail object storage service by creating a bucket. For more information, see [Creating buckets in Amazon Lightsail](#amazon-lightsail-creating-buckets).
1. Learn about security best practices for buckets and the access permissions that you can configure for your bucket. You can make all objects in your bucket public or private, or you can choose to make individual objects public. You can also grant access to your bucket by creating access keys, attaching instances to your bucket, and granting access to other AWS accounts. For more information, see [Security Best Practices for Amazon Lightsail object storage](amazon-lightsail-bucket-security-best-practices.md) and [Understanding bucket permissions in Amazon Lightsail](amazon-lightsail-understanding-bucket-permissions.md).
After learning about bucket access permissions, see the following guides to grant access to your bucket:
+ [Block public access for buckets in Amazon Lightsail](amazon-lightsail-block-public-access-for-buckets.md)
+ [Configuring bucket access permissions in Amazon Lightsail](amazon-lightsail-configuring-bucket-permissions.md)
+ [Configuring access permissions for individual objects in a bucket in Amazon Lightsail](amazon-lightsail-configuring-individual-object-access.md)
+ [Creating access keys for a bucket in Amazon Lightsail](amazon-lightsail-creating-bucket-access-keys.md)
+ [Configuring resource access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-resource-access.md)
+ [Configuring cross-account access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-cross-account-access.md)
1. Learn how to enable access logging for your bucket, and how to use access logs to audit the security of your bucket. For more information, see the following guides.
+ [Access logging for buckets in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-logs.md)
+ [Access log format for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-log-format.md)
+ [Enabling access logging for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-enabling-bucket-access-logs.md)
+ [Using access logs for a bucket in Amazon Lightsail to identify requests](amazon-lightsail-using-bucket-access-logs.md)
1. Create an IAM policy that grants a user the ability to manage a bucket in Lightsail. For more information, see [IAM policy to manage buckets in Amazon Lightsail](amazon-lightsail-bucket-management-policies.md).
1. Learn about the way that objects in your bucket are labeled and identified. For more information, see [Understanding object key names in Amazon Lightsail](understanding-bucket-object-key-names-in-amazon-lightsail.md).
1. Learn how to upload files and manage objects in your buckets. For more information, see the following guides.
+ [Uploading files to a bucket in Amazon Lightsail](amazon-lightsail-uploading-files-to-a-bucket.md)
+ [Uploading files to a bucket in Amazon Lightsail using multipart upload](amazon-lightsail-uploading-files-to-a-bucket-using-multipart-upload.md)
+ [Viewing objects in a bucket in Amazon Lightsail](amazon-lightsail-viewing-objects-in-a-bucket.md)
+ [Copying or moving objects in a bucket in Amazon Lightsail](amazon-lightsail-copying-moving-bucket-objects.md)
+ [Downloading objects from a bucket in Amazon Lightsail](amazon-lightsail-downloading-bucket-objects.md)
+ [Filtering objects in a bucket in Amazon Lightsail](amazon-lightsail-filtering-bucket-objects.md)
+ [Tagging objects in a bucket in Amazon Lightsail](amazon-lightsail-tagging-bucket-objects.md)
+ [Deleting objects in a bucket in Amazon Lightsail](amazon-lightsail-deleting-bucket-objects.md)
1. Enable object versioning to preserve, retrieve, and restore every version of every object stored in your bucket. For more information, see [Enabling and suspending object versioning in a bucket in Amazon Lightsail](amazon-lightsail-managing-bucket-object-versioning.md).
1. After enabling object versioning, you can restore previous versions of objects in your bucket. For more information, see [Restoring previous versions of objects in a bucket in Amazon Lightsail](amazon-lightsail-restoring-bucket-object-versions.md).
1. Monitor the utilization of your bucket. For more information, see [Viewing metrics for your bucket in Amazon Lightsail](amazon-lightsail-viewing-bucket-metrics.md).
1. Configure an alarm for bucket metrics to be notified when the utilization of your bucket crosses a threshold. For more information, see [Creating bucket metric alarms in Amazon Lightsail](amazon-lightsail-adding-bucket-metric-alarms.md).
1. Change the storage plan of your bucket if it's running low on storage and network transfer. For more information, see [Changing the plan of your bucket in Amazon Lightsail](amazon-lightsail-changing-bucket-plans.md).
1. Learn how to connect your bucket to other resources. For more information, see the following tutorials.
+ [Tutorial: Connecting a WordPress instance to an Amazon Lightsail bucket](amazon-lightsail-connecting-buckets-to-wordpress.md)
+ [Tutorial: Using an Amazon Lightsail bucket with a Lightsail content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md)
1. Delete your bucket if you're no longer using it. For more information, see [Deleting buckets in Amazon Lightsail](amazon-lightsail-deleting-buckets.md).
# Delete Lightsail object storage buckets
Delete your bucket in the Amazon Lightsail object storage service if you're no longer using it. When you delete your bucket, all objects in the bucket, including stored versions of objects and access keys, are permanently deleted.
For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
## Force deleting a bucket
Buckets that have one of the following conditions cannot be deleted unless you acknowledge the deletion:
+ The bucket is the origin of a distribution.
+ The bucket has instances attached to it.
+ The bucket has objects.
+ The bucket has access keys.
You must acknowledge the deletion to ensure that you don't disrupt an existing workflow that relies on the bucket. For example, a WordPress website that is storing media on the bucket or a distribution that is caching and serving objects in your bucket.
To acknowledge deletion of a bucket that has one of the preceding conditions, you must force delete the bucket. Before you delete the bucket, the Lightsail service prompts you about which of these conditions exist on it. If you use the Lightsail console to delete your bucket, you are presented with the option to force delete it. If you use the AWS CLI, you must specify the `--force-delete` flag when making a `delete-bucket` request. Both of these procedures are covered in the [Delete your bucket using the Lightsail console](#delete-bucket-using-lightsail-console) and [Delete your bucket using the AWS CLI](#delete-bucket-using-aws-cli) sections of this guide.
## Delete your bucket using the Lightsail console
Complete the following procedure to delete your bucket using the Lightsail console.
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket that you want to delete.
1. Choose the ellipsis (⋮) icon in the tab menu, then choose **Delete**.
1. Choose **Delete bucket**.
1. In the prompt that appears, confirm if your bucket meets any of the following conditions:
+ Contains an object
+ Has access keys
+ Is attached to an instance
+ Is the origin of a distribution
If it has any of those conditions, then you must choose to force delete the bucket.
1. Choose one of the following options:
+ Choose **Force delete** to delete your bucket even if it has any of the conditions listed in step 6 of this procedure.
+ Choose **Yes, delete** to delete your bucket when it doesn't have any of the conditions listed in step 6 of this procedure.
+ Choose **No, cancel** to cancel deletion.
## Delete your bucket using the AWS CLI
Complete the following procedure to delete your bucket using the AWS Command Line Interface (AWS CLI). You do this by using the `delete-bucket` command. For more information, see [delete-bucket](https://docs.aws.amazon.com/cli/latest/reference/lightsail/delete-bucket.html) in the *AWS CLI Command Reference*.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. In the command prompt or terminal window, enter one of the following commands:
+ Enter the following command to delete a bucket that doesn't have the conditions listed in the [Force deleting a bucket](#force-delete-bucket) section of this guide.
```
aws lightsail delete-bucket --bucket-name BucketName
```
+ Enter the following command to force delete a bucket that has the conditions listed in the [Force deleting a bucket](#force-delete-bucket) section of this guide.
```
aws lightsail delete-bucket --bucket-name BucketName --force-delete
```
In the commands, replace *BucketName* with the name of the bucket you want to delete.
Example:
```
aws lightsail delete-bucket --bucket-name amzn-s3-demo-bucket
```
You should see a result similar to the following example:
![\[Result of the delete bucket request\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-delete-bucket-cli.png)
## Manage buckets and objects
These are the general steps to manage your Lightsail object storage bucket:
1. Learn about objects and buckets in the Amazon Lightsail object storage service. For more information, see [Object storage in Amazon Lightsail](buckets-in-amazon-lightsail.md).
1. Learn about the names that you can give your buckets in Amazon Lightsail. For more information, see [Bucket naming rules in Amazon Lightsail](bucket-naming-rules-in-amazon-lightsail.md).
1. Get started with the Lightsail object storage service by creating a bucket. For more information, see [Creating buckets in Amazon Lightsail](amazon-lightsail-creating-buckets.md).
1. Learn about security best practices for buckets and the access permissions that you can configure for your bucket. You can make all objects in your bucket public or private, or you can choose to make individual objects public. You can also grant access to your bucket by creating access keys, attaching instances to your bucket, and granting access to other AWS accounts. For more information, see [Security Best Practices for Amazon Lightsail object storage](amazon-lightsail-bucket-security-best-practices.md) and [Understanding bucket permissions in Amazon Lightsail](amazon-lightsail-understanding-bucket-permissions.md).
After learning about bucket access permissions, see the following guides to grant access to your bucket:
+ [Block public access for buckets in Amazon Lightsail](amazon-lightsail-block-public-access-for-buckets.md)
+ [Configuring bucket access permissions in Amazon Lightsail](amazon-lightsail-configuring-bucket-permissions.md)
+ [Configuring access permissions for individual objects in a bucket in Amazon Lightsail](amazon-lightsail-configuring-individual-object-access.md)
+ [Creating access keys for a bucket in Amazon Lightsail](amazon-lightsail-creating-bucket-access-keys.md)
+ [Configuring resource access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-resource-access.md)
+ [Configuring cross-account access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-cross-account-access.md)
1. Learn how to enable access logging for your bucket, and how to use access logs to audit the security of your bucket. For more information, see the following guides.
+ [Access logging for buckets in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-logs.md)
+ [Access log format for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-log-format.md)
+ [Enabling access logging for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-enabling-bucket-access-logs.md)
+ [Using access logs for a bucket in Amazon Lightsail to identify requests](amazon-lightsail-using-bucket-access-logs.md)
1. Create an IAM policy that grants a user the ability to manage a bucket in Lightsail. For more information, see [IAM policy to manage buckets in Amazon Lightsail](amazon-lightsail-bucket-management-policies.md).
1. Learn about the way that objects in your bucket are labeled and identified. For more information, see [Understanding object key names in Amazon Lightsail](understanding-bucket-object-key-names-in-amazon-lightsail.md).
1. Learn how to upload files and manage objects in your buckets. For more information, see the following guides.
+ [Uploading files to a bucket in Amazon Lightsail](amazon-lightsail-uploading-files-to-a-bucket.md)
+ [Uploading files to a bucket in Amazon Lightsail using multipart upload](amazon-lightsail-uploading-files-to-a-bucket-using-multipart-upload.md)
+ [Viewing objects in a bucket in Amazon Lightsail](amazon-lightsail-viewing-objects-in-a-bucket.md)
+ [Copying or moving objects in a bucket in Amazon Lightsail](amazon-lightsail-copying-moving-bucket-objects.md)
+ [Downloading objects from a bucket in Amazon Lightsail](amazon-lightsail-downloading-bucket-objects.md)
+ [Filtering objects in a bucket in Amazon Lightsail](amazon-lightsail-filtering-bucket-objects.md)
+ [Tagging objects in a bucket in Amazon Lightsail](amazon-lightsail-tagging-bucket-objects.md)
+ [Deleting objects in a bucket in Amazon Lightsail](amazon-lightsail-deleting-bucket-objects.md)
1. Enable object versioning to preserve, retrieve, and restore every version of every object stored in your bucket. For more information, see [Enabling and suspending object versioning in a bucket in Amazon Lightsail](amazon-lightsail-managing-bucket-object-versioning.md).
1. After enabling object versioning, you can restore previous versions of objects in your bucket. For more information, see [Restoring previous versions of objects in a bucket in Amazon Lightsail](amazon-lightsail-restoring-bucket-object-versions.md).
1. Monitor the utilization of your bucket. For more information, see [Viewing metrics for your bucket in Amazon Lightsail](amazon-lightsail-viewing-bucket-metrics.md).
1. Configure an alarm for bucket metrics to be notified when the utilization of your bucket crosses a threshold. For more information, see [Creating bucket metric alarms in Amazon Lightsail](amazon-lightsail-adding-bucket-metric-alarms.md).
1. Change the storage plan of your bucket if it's running low on storage and network transfer. For more information, see [Changing the plan of your bucket in Amazon Lightsail](amazon-lightsail-changing-bucket-plans.md).
1. Learn how to connect your bucket to other resources. For more information, see the following tutorials.
+ [Tutorial: Connecting a WordPress instance to an Amazon Lightsail bucket](amazon-lightsail-connecting-buckets-to-wordpress.md)
+ [Tutorial: Using an Amazon Lightsail bucket with a Lightsail content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md)
1. Delete your bucket if you're no longer using it. For more information, see [Deleting buckets in Amazon Lightsail](#amazon-lightsail-deleting-buckets).
# Create Lightsail object storage bucket access keys
You can use access keys to create a set of credentials that grant full access to a bucket and its objects. Access keys consist of an access key ID and a secret access key as a set. The secret access key is visible only when you create it. When you configure access keys on your software or plugin, it can have full read and write access to a bucket using the AWS APIs, and AWS SDKs. You can also configure access keys on the AWS CLI.
**Important**
Although you can have two access keys per bucket, we recommend that you only create one bucket access key at a time. We also recommend that you periodically rotate your keys and take inventory of your existing keys. If your secret access key is copied, lost, or becomes compromised, you should delete your access key and create a new one. For more information on the best practices for rotating your bucket access keys, see [Rotate bucket access keys](amazon-lightsail-bucket-security-best-practices.md#bucket-security-best-practices-rotate-bucket-access-keys).
For more information about permission options, see [Bucket permissions](amazon-lightsail-understanding-bucket-permissions.md). For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
## Create access keys for a bucket
Complete the following procedure to create access keys for a bucket.
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket for which you want to configure access permissions.
1. Choose the **Permissions** tab.
The **Access keys** section of the page displays the existing access keys for the bucket, if any.
1. Choose **Create access key** to create a new access key for the bucket.
1. In the prompt that appears, choose **Yes, create** to confirm that you want to create a new access key. Otherwise, choose **No, cancel**.
1. In the success prompt that appears, make a note of the access key ID.
1. Choose **Show secret access key** to view the secret access key, and make a note of it. The secret access key will not be shown again.
**Important**
Store your access key ID and secret access key in a secure location. If it becomes compromised, you should delete it and create a new one. For more information, see [Delete access keys for a Lightsail object storage bucket](amazon-lightsail-deleting-bucket-access-keys.md).
1. Choose **Continue** to finish.
The new access key is listed in the **Access keys** section of the page. If your access key becomes compromised, or lost, delete it and create a new one.
**Note**
The **Last used** column displayed next to each access key identifies when the key was last used. A dash is displayed when the key has not been used. Expand the access key node to view the service and AWS Region where the key was last used.
# Delete access keys for a Lightsail object storage bucket
Access keys are a set of credentials that grant full access to a bucket and its objects. Access keys consist of an access key ID and a secret access key as a set. If your secret access key is copied, is lost, or becomes compromised, you should delete your access key.
## Delete access keys for a bucket
You can use the following procedure to delete a bucket access key.
**Warning**
After you delete an access key, it's gone forever and can't be restored. You can only replace it with a new access key.
**To delete an existing Lightsail object storage bucket access key**
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket for which you want to delete an access key.
1. Choose the **Permissions** tab.
1. Under **Access keys**, choose the remove icon for the access key that you want to delete.
![\[Displays how to delete an access key for a Lightsail object storage bucket.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-bucket-access-keys-delete.png)
1. Choose **Yes, delete** to proceed with deleting the access key.
Once the existing key is deleted, you can create a new access key and configure it for your software or plugin. For more information, see [Rotate bucket access keys](amazon-lightsail-bucket-security-best-practices.md#bucket-security-best-practices-rotate-bucket-access-keys).
# Restrict public access to Lightsail buckets and objects
Amazon Simple Storage Service (Amazon S3) is an object storage service on which customers can store and protect data. The Amazon Lightsail object storage service is built on Amazon S3 technology. Amazon S3 offers *account-level block public access*, which you can use to limit public access to all S3 buckets in an AWS account. Account-level block public access can make all S3 buckets in an AWS account private, regardless of existing individual bucket and object permissions.
When allowing or denying public access, Lightsail object storage buckets take into account the following:
+ Lightsail bucket access permissions. For more information see [Bucket permissions](amazon-lightsail-understanding-bucket-permissions.md).
+ Amazon S3 account-level block public access configurations, which override the Lightsail bucket access permissions.
If you turn on account-level **Block *all* public access** in Amazon S3, your public Lightsail buckets and objects become private and are no longer publicly accessible.
## Configuring block public access settings for your account
You can use the Amazon S3 console, AWS Command Line Interface (AWS CLI), AWS SDKs, and REST API to configure block public access settings. You can access the account-level block public access feature in the navigation pane of the Amazon S3 console as shown in the following example.
![\[Block public access navigation pane option in the Amazon S3 console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3-block-public-access-navigation-pane.png)
The Amazon S3 console offers settings to block all public access, block public access granted through new or any access control lists, and block public access to buckets and objects granted through new or any public bucket or access point policies.
![\[Block public access options in the Amazon S3 console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3-block-public-access-in-s3-console.png)
You can turn each setting **On** or **Off** in the Amazon S3 console. In the API, the corresponding setting is `TRUE` (On) or `FALSE` Off). The following sections describe each setting's effects on S3 buckets and Lightsail buckets.
**Note**
The following sections mention access control lists (ACLs). An ACL defines the users who own or have access to a bucket or individual objects. For more information, see [Access control list overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon S3 User Guide.*
+ **Block *all* public access** — Turn on this setting to block all public access to your S3 buckets, Lightsail buckets, and their corresponding objects. This setting incorporates all of the following settings. When you turn on this setting, only you (the bucket owner) and authorized users are allowed to access your buckets and their objects. You can only turn this setting on in the Amazon S3 console. It is not available in the AWS CLI, Amazon S3 API, or AWS SDKs.
+ **Block public access to buckets and objects granted through *new* access control lists (ACLs)** — Turn on this setting to block putting public ACLs on buckets and objects. This setting does not impact existing ACLs. Therefore, an object that already has a public ACL remains public. This setting also has no impact on objects that are public due to a bucket access permission being set to **All objects are public and read-only**. This setting is labeled as `BlockPublicAcls` in the Amazon S3 API.
**Note**
WordPress plugins that put media in Lightsail buckets, such as the Offload Media Light plugin, might stop working when this setting is turned on. This is because most WordPress plugins configure the public-read ACL on objects. WordPress plugins that toggle object ACLs might also stop working.
+ **Block public access to buckets and objects granted through *any* access control lists (ACLs)** — Turn on this setting to ignore public ACLs and block public access to buckets and objects. This setting allows public ACLs to be put on buckets and objects, but ignores them when granting access. For Lightsail buckets, setting a bucket's access permission to **All objects are public and read-only** or setting an individual object's permission to **Public (read-only)** is the equivalent of putting a public ACL on either. This setting is labeled as `IgnorePublicAcls` in the Amazon S3 API.
+ **Block public access to buckets and objects granted through *new* public bucket or access point policies** — Turn on this setting to block the **All objects are public and read-only** bucket access permission from being configured on your Lightsail buckets. This setting does not impact buckets that are already configured with the **All objects are public and read-only** bucket access permission. This setting is labeled as `BlockPublicPolicy` in the Amazon S3 API.
+ **Block public and cross-account access to buckets and objects through *any* public bucket or access point policies** — Turn on this setting to make all of your Lightsail buckets private. This makes all Lightsail buckets private, even if they are configured with the **All objects are public and read-only** bucket access permission. This setting is labeled as `RestrictPublicBuckets` in the Amazon S3 API.
**Important**
This setting also blocks cross-account access that is configured on a Lightsail bucket that is also configured with the **All objects are public and read-only** bucket access permission in Lightsail. To continue allowing cross-account access, make sure to configure the Lightsail bucket with the **All objects are private** bucket access permission in Lightsail before turning on the **Block public and cross-account access to buckets and objects through *any* public bucket or access point policies** setting in Amazon S3.
For more information about block public access and how to configure it, see the following resources in the *Amazon S3 User Guide*:
+ [Blocking public access to your Amazon S3 storage](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)
+ [Configuring block public access settings for your account](https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-account.html)
Use the Lightsail console, AWS CLI, AWS SDKs, and REST API to configure access permissions for your Lightsail buckets. For more information, see [Bucket permissions](amazon-lightsail-understanding-bucket-permissions.md).
**Note**
Lightsail uses a service-linked role to get the current account-level block public access configuration from Amazon S3 and apply it to Lightsail object storage resources. After configuring block public access in Amazon S3, wait at least one hour for it to take effect in Lightsail. For more information, see [Service-linked roles](amazon-lightsail-using-service-linked-roles.md).
## Manage buckets and objects
These are the general steps to manage your Lightsail object storage bucket:
1. Learn about objects and buckets in the Amazon Lightsail object storage service. For more information, see [Object storage in Amazon Lightsail](buckets-in-amazon-lightsail.md).
1. Learn about the names that you can give your buckets in Amazon Lightsail. For more information, see [Bucket naming rules in Amazon Lightsail](bucket-naming-rules-in-amazon-lightsail.md).
1. Get started with the Lightsail object storage service by creating a bucket. For more information, see [Creating buckets in Amazon Lightsail](amazon-lightsail-creating-buckets.md).
1. Learn about security best practices for buckets and the access permissions that you can configure for your bucket. You can make all objects in your bucket public or private, or you can choose to make individual objects public. You can also grant access to your bucket by creating access keys, attaching instances to your bucket, and granting access to other AWS accounts. For more information, see [Security Best Practices for Amazon Lightsail object storage](amazon-lightsail-bucket-security-best-practices.md) and [Understanding bucket permissions in Amazon Lightsail](amazon-lightsail-understanding-bucket-permissions.md).
After learning about bucket access permissions, see the following guides to grant access to your bucket:
+ [Block public access for buckets in Amazon Lightsail](#amazon-lightsail-block-public-access-for-buckets)
+ [Configuring bucket access permissions in Amazon Lightsail](amazon-lightsail-configuring-bucket-permissions.md)
+ [Configuring access permissions for individual objects in a bucket in Amazon Lightsail](amazon-lightsail-configuring-individual-object-access.md)
+ [Creating access keys for a bucket in Amazon Lightsail](amazon-lightsail-creating-bucket-access-keys.md)
+ [Configuring resource access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-resource-access.md)
+ [Configuring cross-account access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-cross-account-access.md)
1. Learn how to enable access logging for your bucket, and how to use access logs to audit the security of your bucket. For more information, see the following guides.
+ [Access logging for buckets in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-logs.md)
+ [Access log format for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-log-format.md)
+ [Enabling access logging for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-enabling-bucket-access-logs.md)
+ [Using access logs for a bucket in Amazon Lightsail to identify requests](amazon-lightsail-using-bucket-access-logs.md)
1. Create an IAM policy that grants a user the ability to manage a bucket in Lightsail. For more information, see [IAM policy to manage buckets in Amazon Lightsail](amazon-lightsail-bucket-management-policies.md).
1. Learn about the way that objects in your bucket are labeled and identified. For more information, see [Understanding object key names in Amazon Lightsail](understanding-bucket-object-key-names-in-amazon-lightsail.md).
1. Learn how to upload files and manage objects in your buckets. For more information, see the following guides.
+ [Uploading files to a bucket in Amazon Lightsail](amazon-lightsail-uploading-files-to-a-bucket.md)
+ [Uploading files to a bucket in Amazon Lightsail using multipart upload](amazon-lightsail-uploading-files-to-a-bucket-using-multipart-upload.md)
+ [Viewing objects in a bucket in Amazon Lightsail](amazon-lightsail-viewing-objects-in-a-bucket.md)
+ [Copying or moving objects in a bucket in Amazon Lightsail](amazon-lightsail-copying-moving-bucket-objects.md)
+ [Downloading objects from a bucket in Amazon Lightsail](amazon-lightsail-downloading-bucket-objects.md)
+ [Filtering objects in a bucket in Amazon Lightsail](amazon-lightsail-filtering-bucket-objects.md)
+ [Tagging objects in a bucket in Amazon Lightsail](amazon-lightsail-tagging-bucket-objects.md)
+ [Deleting objects in a bucket in Amazon Lightsail](amazon-lightsail-deleting-bucket-objects.md)
1. Enable object versioning to preserve, retrieve, and restore every version of every object stored in your bucket. For more information, see [Enabling and suspending object versioning in a bucket in Amazon Lightsail](amazon-lightsail-managing-bucket-object-versioning.md).
1. After enabling object versioning, you can restore previous versions of objects in your bucket. For more information, see [Restoring previous versions of objects in a bucket in Amazon Lightsail](amazon-lightsail-restoring-bucket-object-versions.md).
1. Monitor the utilization of your bucket. For more information, see [Viewing metrics for your bucket in Amazon Lightsail](amazon-lightsail-viewing-bucket-metrics.md).
1. Configure an alarm for bucket metrics to be notified when the utilization of your bucket crosses a threshold. For more information, see [Creating bucket metric alarms in Amazon Lightsail](amazon-lightsail-adding-bucket-metric-alarms.md).
1. Change the storage plan of your bucket if it's running low on storage and network transfer. For more information, see [Changing the plan of your bucket in Amazon Lightsail](amazon-lightsail-changing-bucket-plans.md).
1. Learn how to connect your bucket to other resources. For more information, see the following tutorials.
+ [Tutorial: Connecting a WordPress instance to an Amazon Lightsail bucket](amazon-lightsail-connecting-buckets-to-wordpress.md)
+ [Tutorial: Using an Amazon Lightsail bucket with a Lightsail content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md)
1. Delete your bucket if you're no longer using it. For more information, see [Deleting buckets in Amazon Lightsail](amazon-lightsail-deleting-buckets.md).
# Track object storage bucket requests with access logs
Access logging provides detailed records for the requests that are made to a bucket in the Amazon Lightsail object storage service. This information can include the request type, the resources that are specified in the request, and the time and date that the request was processed. Access logs are useful for many applications. For example, access log information can be useful in security and access audits. It can also help you learn about your customer base.
**Contents**
+ [What do I need to enable log delivery](#access-log-delivery)
+ [Log object key format](#log-object-key-format)
+ [How are logs delivered?](#how-are-logs-delivered)
+ [Best effort access log delivery](#best-effort-access-log-delivery)
+ [Bucket logging status changes take effect over time](#bucket-logging-status-changes)
## What do I need to enable log delivery?
Consider the following before enabling log delivery. For details, see [Enable bucket access logging](amazon-lightsail-enabling-bucket-access-logs.md).
1. **Identify the target bucket for the logs.** This bucket is where you want Lightsail to save the access logs as objects. Both the source and target buckets must be in the same AWS Region and owned by the same account.
You can have logs delivered to any bucket that you own that is in the same Region as the source bucket, including the source bucket itself. But for simpler log management, we recommend that you save access logs in a different bucket.
When your source bucket and target bucket are the same bucket, additional logs are created for the logs that are written to the bucket. This might not be ideal because it could result in a small increase in your storage consumption. In addition, the extra logs about logs might make it harder to find the log that you are looking for. If you choose to save access logs in the source bucket, we recommend that you specify a prefix for the log object keys so that the object names begin with a common string and the log objects are easier to identify. Key prefixes are also useful to distinguish between source buckets when multiple buckets log to the same target bucket.
1. **(Optional) Identify a prefix for the log object keys.** The prefix makes it simpler for you to locate the log objects. For example, if you specify the prefix value `logs/`, each log object that Lightsail creates begins with the `logs/` prefix in its key. The trailing slash `/` is required to denote the end of the prefix. Following is an example of a log object key with the `logs/` prefix:
```
logs/2021-11-31-21-32-16-E568B2907131C0C0
```
## Log object key format
Lightsail uses the following object key format for the log objects it uploads in the target bucket:
```
TargetPrefix/YYYY-mm-DD-HH-MM-SS-UniqueString
```
In the key, `YYYY`, `mm`, `DD`, `HH`, `MM`, and `SS` are the digits of the year, month, day, hour, minute, and seconds (respectively) when the log file was delivered. These dates and times are in Coordinated Universal Time (UTC).
A log file delivered at a specific time can contain records written at any point before that time. There is no way to know whether all log records for a certain time interval have been delivered or not.
The `UniqueString` component of the key is there to prevent overwriting of files. It has no meaning, and log processing software should ignore it.
## How are logs delivered?
Lightsail periodically collects access log records, consolidates the records in log files, and then uploads log files to your target bucket as log objects. If you enable logging on multiple source buckets that deliver to the same target bucket, the target bucket will have access logs for all those source buckets. However, each log object reports access log records for a specific source bucket.
## Best effort access log delivery
Access log records are delivered on a best effort basis. Most requests for a bucket that is properly configured for logging result in a delivered log record. Most log records are delivered within a few hours of the time that they are recorded, but they can be delivered more frequently.
The completeness and timeliness of access logging is not guaranteed. The log record for a particular request might be delivered long after the request was actually processed, or it might not be delivered at all. The purpose of access logs is to give you an idea of the nature of traffic against your bucket. It is rare to lose log records, but access logging is not meant to be a complete accounting of all requests.
## Bucket logging status changes take effect over time
Changes to the logging status of a bucket take time to actually affect the delivery of log files. For example, if you enable logging for a bucket, some requests made in the following hour might be logged, while others might not. If you change the target bucket for logging from bucket A to bucket B, some logs for the next hour might continue to be delivered to bucket A, while others might be delivered to the new target bucket B. In all cases, the new settings eventually take effect without any further action on your part.
**Topics**
+ [What do I need to enable log delivery?](#access-log-delivery)
+ [Log object key format](#log-object-key-format)
+ [How are logs delivered?](#how-are-logs-delivered)
+ [Best effort access log delivery](#best-effort-access-log-delivery)
+ [Bucket logging status changes take effect over time](#bucket-logging-status-changes)
+ [Access log format](amazon-lightsail-bucket-access-log-format.md)
+ [Manage access logs](amazon-lightsail-enabling-bucket-access-logs.md)
+ [Use access logs](amazon-lightsail-using-bucket-access-logs.md)
# Analyze object storage access with Lightsail bucket logs
Access logging provides detailed records for the requests that are made to a bucket in the Amazon Lightsail object storage service. You can use access logs for security and access audits, or learn about your customer base. This section describes the format and other details about access log files. For more information about logging basics, see [Bucket access logs](amazon-lightsail-bucket-access-logs.md).
Access log files consist of a sequence of newline-delimited log records. Each log record represents one request and consists of space-delimited fields.
The following is an example log consisting of five log records.
```
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be amzn-s3-demo-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 3E57427F3EXAMPLE REST.GET.VERSIONING - "GET /amzn-s3-demo-bucket?versioning HTTP/1.1" 200 - 113 - 7 - "-" "S3Console/0.4" - s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader amzn-s3-demo-bucket.s3.us-west-1.amazonaws.com TLSV1.1
```
```
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be amzn-s3-demo-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 891CE47D2EXAMPLE REST.GET.LOGGING_STATUS - "GET /amzn-s3-demo-bucket?logging HTTP/1.1" 200 - 242 - 11 - "-" "S3Console/0.4" - 9vKBE6vMhrNiWHZmb2L0mXOcqPGzQOI5XLnCtZNPxev+Hf+7tpT6sxDwDty4LHBUOZJG96N1234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader amzn-s3-demo-bucket.s3.us-west-1.amazonaws.com TLSV1.1
```
```
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be amzn-s3-demo-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be A1206F460EXAMPLE REST.GET.BUCKETPOLICY - "GET /amzn-s3-demo-bucket?policy HTTP/1.1" 404 NoSuchBucketPolicy 297 - 38 - "-" "S3Console/0.4" - BNaBsXZQQDbssi6xMBdBU2sLt+Yf5kZDmeBUP35sFoKa3sLLeMC78iwEIWxs99CRUrbS4n11234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader amzn-s3-demo-bucket.s3.us-west-1.amazonaws.com TLSV1.1
```
```
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be amzn-s3-demo-bucket [06/Feb/2019:00:01:00 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 7B4A0FABBEXAMPLE REST.GET.VERSIONING - "GET /amzn-s3-demo-bucket?versioning HTTP/1.1" 200 - 113 - 33 - "-" "S3Console/0.4" - Ke1bUcazaN1jWuUlPJaxF64cQVpUEhoZKEG/hmy/gijN/I1DeWqDfFvnpybfEseEME/u7ME1234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader amzn-s3-demo-bucket.s3.us-west-1.amazonaws.com TLSV1.1
```
```
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be amzn-s3-demo-bucket [06/Feb/2019:00:01:57 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be DD6CC733AEXAMPLE REST.PUT.OBJECT s3-dg.pdf "PUT /amzn-s3-demo-bucket/s3-dg.pdf HTTP/1.1" 200 - - 4406583 41754 28 "-" "S3Console/0.4" - 10S62Zv81kBW7BB6SX4XJ48o6kpcl6LPwEoizZQQxJd5qDSCTLX0TgS37kYUBKQW3+bPdrg1234= SigV4 ECDHE-RSA-AES128-SHA AuthHeader amzn-s3-demo-bucket.s3.us-west-1.amazonaws.com TLSV1.1
```
**Note**
Any log record field can be set to `–` (dash) to indicate that the data was unknown or unavailable, or that the field was not applicable to the request.
**Contents**
+ [Log record fields](#log-record-fields)
+ [Additional logging for copy operations](#additional-logging-for-copy-operations)
+ [Custom access log information](#custom-access-log-information)
+ [Programming considerations for extensible access log format](#programing-considerations)
## Log record fields
The following list describes the log record fields.
**Access Point ARN (Amazon Resource Name)**
The Amazon Resource Name (ARN) of the access point of the request. If access point ARN is malformed or not used, the field will contain a '-'. For more information on access points, see [Using access points](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-access-points.html). For more information on ARNs, see the topic on [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*.
Example entry
```
arn:aws:s3:us-east-1:123456789012:accesspoint/example-AP
```
**Bucket Owner**
The canonical user ID of the owner of the source bucket. The canonical user ID is another form of the AWS account ID. For more information about the canonical user ID, see [AWS account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html) in the *AWS General Reference*. For information about how to find the canonical user ID for your account, see [Finding the canonical user ID for your AWS account](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html#FindingCanonicalId).
Example entry
```
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be
```
**Bucket**
The name of the bucket that the request was processed against. If the system receives a malformed request and cannot determine the bucket, the request will not appear in any access log.
Example entry
```
amzn-s3-demo-bucket
```
**Time**
The time at which the request was received; these dates and times are in Coordinated Universal Time (UTC). The format, using *strftime()* terminology, is as follows: *[%d/%b/%Y:%H:%M:%S %z]*
Example entry
```
[06/Feb/2019:00:00:38 +0000]
```
**Remote IP**
The apparent internet address of the requester. Intermediate proxies and firewalls might obscure the actual address of the machine making the request.
Example entry
```
192.0.2.3
```
**Requester**
The canonical user ID of the requester, or a `-` for unauthenticated requests. If the requester was an IAM user, this field returns the requester's IAM user name along with the AWS root account that the IAM user belongs to. This identifier is the same one used for access control purposes.
Example entry
```
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be
```
**Request ID**
A string generated by Lightsail to uniquely identify each request.
Example entry
```
3E57427F33A59F07
```
**Operation**
The operation listed here is declared as `SOAP.operation`, `REST.HTTP_method.resource_type`, `WEBSITE.HTTP_method.resource_type`, or `BATCH.DELETE.OBJECT`.
Example entry
```
REST.PUT.OBJECT
```
**Key**
The "key" part of the request, URL encoded, or "-" if the operation does not take a key parameter.
Example entry
```
/photos/2019/08/puppy.jpg
```
**Request-URI**
The Request-URI part of the HTTP request message.
Example Entry
```
"GET /amzn-s3-demo-bucket/photos/2019/08/puppy.jpg?x-foo=bar HTTP/1.1"
```
**HTTP status**
The numeric HTTP status code of the response.
Example entry
```
200
```
**Error Code**
The Amazon S3 [Error code](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingRESTError.html#ErrorCode), or "-" if no error occurred.
Example entry
```
NoSuchBucket
```
**Bytes Sent**
The number of response bytes sent, excluding HTTP protocol overhead, or "-" if zero.
Example entry
```
2662992
```
**Object Size**
The total size of the object in question.
Example entry
```
3462992
```
**Total Time**
The number of milliseconds the request was in flight from the bucket's perspective. This value is measured from the time your request is received to the time that the last byte of the response is sent. Measurements made from the client's perspective might be longer due to network latency.
Example entry
```
70
```
**Turn-Around Time**
The number of milliseconds that Lightsail spent processing your request. This value is measured from the time the last byte of your request was received until the time the first byte of the response was sent.
Example entry
```
10
```
**Referer**
The value of the HTTP Referer header, if present. HTTP user-agents (for example, browsers) typically set this header to the URL of the linking or embedding page when making a request.
Example entry
```
"http://www.amazon.com/webservices"
```
**User-Agent**
The value of the HTTP User-Agent header.
Example entry
```
"curl/7.15.1"
```
**Version Id**
The version ID in the request, or `-` if the operation does not take a `versionId` parameter.
Example entry
```
3HL4kqtJvjVBH40Nrjfkd
```
**Host Id**
The x-amz-id-2 or Lightsail extended request ID.
Example entry
```
s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234=
```
**Signature Version**
The signature version, `SigV2` or `SigV4`, that was used to authenticate the request or a `-` for unauthenticated requests.
Example entry
```
SigV2
```
**Cipher Suite**
The Secure Sockets Layer (SSL) cipher that was negotiated for HTTPS request or a `-` for HTTP.
Example entry
```
ECDHE-RSA-AES128-GCM-SHA256
```
**Authentication Type**
The type of request authentication used, `AuthHeader` for authentication headers, `QueryString` for query string (pre-signed URL) or a `-` for unauthenticated requests.
Example entry
```
AuthHeader
```
**Host Header**
The endpoint used to connect to Lightsail.
Example entry
```
s3.us-west-2.amazonaws.com
```
**TLS version**
The Transport Layer Security (TLS) version negotiated by the client. The value is one of following: `TLSv1`, `TLSv1.1`, `TLSv1.2`; or `-` if TLS wasn't used.
Example entry
```
TLSv1.2
```
## Additional logging for copy operations
A copy operation involves a `GET` and a `PUT`. For that reason, we log two records when performing a copy operation. The previous section describes the fields related to the `PUT` part of the operation. The following list describes the fields in the record that relate to the `GET` part of the copy operation.
**Bucket Owner**
The canonical user ID of the bucket that stores the object being copied. The canonical user ID is another form of the AWS account ID. For more information about the canonical user ID, see [AWS account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html) in the *AWS General Reference*. For information about how to find the canonical user ID for your account, see [Finding the canonical user ID for your AWS account](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html#FindingCanonicalId).
Example entry
```
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be
```
**Bucket**
The name of the bucket that stores the object being copied.
Example entry
```
amzn-s3-demo-bucket
```
**Time**
The time at which the request was received; these dates and times are in Coordinated Universal time (UTC). The format, using `strftime()` terminology, is as follows: `[%d/%B/%Y:%H:%M:%S %z]`
Example entry
```
[06/Feb/2019:00:00:38 +0000]
```
**Remote IP**
The apparent internet address of the requester. Intermediate proxies and firewalls might obscure the actual address of the machine making the request.
Example entry
```
192.0.2.3
```
**Requester**
The canonical user ID of the requester, or a `-` for unauthenticated requests. If the requester was an IAM user, this field will return the requester's IAM user name along with the AWS root account that the IAM user belongs to. This identifier is the same one used for access control purposes.
Example entry
```
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be
```
**Request ID**
A string generated by Lightsail to uniquely identify each request.
Example entry
```
3E57427F33A59F07
```
**Operation**
The operation listed here is declared as `SOAP.operation`, `REST.HTTP_method.resource_type`, `WEBSITE.HTTP_method.resource_type`, or `BATCH.DELETE.OBJECT`.
Example entry
```
REST.COPY.OBJECT_GET
```
**Key**
The "key" of the object being copied or "-" if the operation does not take a key parameter.
Example entry
```
/photos/2019/08/puppy.jpg
```
**Request-URI**
The Request-URI part of the HTTP request message.
Example entry
```
"GET /amzn-s3-demo-bucket/photos/2019/08/puppy.jpg?x-foo=bar"
```
**HTTP status**
The numeric HTTP status code of the `GET` portion of the copy operation.
Example entry
```
200
```
**Error Code**
The Amazon S3 Error code, of the `GET` portion of the copy operation or `-` if no error occurred.
Example entry
```
NoSuchBucket
```
**Bytes Sent**
The number of response bytes sent, excluding HTTP protocol overhead, or "-" if zero.
Example entry
```
2662992
```
**Object Size**
The total size of the object in question.
Example entry
```
3462992
```
**Total Time**
The number of milliseconds the request was in flight from the bucket's perspective. This value is measured from the time your request is received to the time that the last byte of the response is sent. Measurements made from the client's perspective might be longer due to network latency.
Example entry
```
70
```
**Turn-Around Time**
The number of milliseconds that Lightsail spent processing your request. This value is measured from the time the last byte of your request was received until the time the first byte of the response was sent.
Example entry
```
10
```
**Referer**
The value of the HTTP Referer header, if present. HTTP user-agents (for example, browsers) typically set this header to the URL of the linking or embedding page when making a request.
Example entry
```
"http://www.amazon.com/webservices"
```
**User-Agent**
The value of the HTTP User-Agent header.
Example entry
```
"curl/7.15.1"
```
**Version Id**
The version ID of the object being copied or `-` if the `x-amz-copy-source` header didn’t specify a `versionId` parameter as part of the copy source.
Example entry
```
3HL4kqtJvjVBH40Nrjfkd
```
**Host Id**
The x-amz-id-2 or Lightsail extended request ID.
Example entry
```
s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234=
```
**Signature Version**
The signature version, `SigV2` or `SigV4`, that was used to authenticate the request or a `-` for unauthenticated requests.
Example entry
```
SigV2
```
**Cipher Suite**
The Secure Sockets Layer (SSL) cipher that was negotiated for HTTPS request or a `-` for HTTP.
Example entry
```
ECDHE-RSA-AES128-GCM-SHA256
```
**Authentication Type**
The type of request authentication used, `AuthHeader` for authentication headers, `QueryString` for query string (presigned URL) or a `-` for unauthenticated requests.
Example entry
```
AuthHeader
```
**Host Header**
The endpoint used to connect to Lightsail.
Example entry
```
s3.us-west-2.amazonaws.com
```
**TLS version**
The Transport Layer Security (TLS) version negotiated by the client. The value is one of following: `TLSv1`, `TLSv1.1`, `TLSv1.2`; or `-` if TLS wasn't used.
Example entry
```
TLSv1.2
```
## Custom access log information
You can include custom information to be stored in the access log record for a request. To do this, add a custom query-string parameter to the URL for the request. Lightsail ignores query-string parameters that begin with "x-", but includes those parameters in the access log record for the request, as part of the `Request-URI` field of the log record.
For example, a `GET` request for `"s3.amazonaws.com/amzn-s3-demo-bucket/photos/2019/08/puppy.jpg?x-user=johndoe"` works the same as the request for `"s3.amazonaws.com/amzn-s3-demo-bucket/photos/2019/08/puppy.jpg"`, except that the `"x-user=johndoe"` string is included in the `Request-URI` field for the associated log record. This functionality is available in the REST interface only.
## Programming considerations for extensible access log format
Occasionally we might extend the access log record format by adding new fields to the end of each line. Therefore, you should write any code that parses access logs to handle trailing fields that it might not understand.
# Enable bucket access logging in Lightsail
Access logging provides detailed records for the requests that are made to a bucket in the Amazon Lightsail object storage service. Access logs are useful for many applications. For example, access log information can be useful in security and access audits. It can also help you learn about your customer base.
By default, Lightsail doesn't collect access logs for your buckets. When you enable logging, Lightsail delivers access logs for a source bucket to a target bucket that you choose. Both the source and target buckets must be in the same AWS Region and owned by the same account.
An access log record contains details about the requests that are made to a bucket. This information can include the request type, the resources that are specified in the request, and the time and date that the request was processed. In this guide, we show you how to enable or disable access logging for your buckets by using the Lightsail API, the AWS Command Line Interface (AWS CLI), or AWS SDKs.
For more information about logging basics, see [Bucket access logs](amazon-lightsail-bucket-access-logs.md).
**Contents**
+ [Costs for access logging](#costs-for-access-logging)
+ [Enable access logging using the AWS CLI](#enabling-access-logging)
+ [Disable access logging using the AWS CLI](#disabling-access-logging)
## Costs for access logging
There is no extra charge for enabling access logging on a bucket. However, log files that the system delivers to a bucket will use up storage space. You can delete the log files at any time. We do not assess data transfer charges for log file delivery when the log bucket's data transfer is within its configured monthly allowance.
Your target bucket should not have access logging enabled. You can have logs delivered to any bucket that you own that is in the same Region as the source bucket, including the source bucket itself. However, for simpler log management, we recommend that you save access logs in a different bucket.
## Enable access logging using the AWS CLI
To enable access logging for your buckets, we recommend that you create a dedicated logging bucket in each AWS Region that you have buckets. Then have the access log delivered to that dedicated logging bucket.
Complete the following procedure to enable access logging using the AWS CLI.
**Note**
You must install the AWS CLI and configure it for Lightsail before continuing with this procedure. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window on your local computer.
1. Enter the following command to enable access logging.
```
aws lightsail update-bucket --bucket-name SourceBucketName --access-log-config "{\"enabled\": true, \"destination\": \"TargetBucketName\", \"prefix\": \"ObjectKeyNamePrefix/\"}"
```
In the command, replace the following example text with your own:
+ *SourceBucketName* - The name of the source bucket for which the access logs will be created.
+ *TargetBucketName* – The name of the target bucket where the access logs will be saved.
+ *ObjectKeyNamePrefix/* - The optional object key name prefix for the access logs. Note that the prefix must end with a forward slash (`/`).
**Example**
```
aws lightsail update-bucket --bucket-name amzn-s3-demo-bucket1 --access-log-config "{\"enabled\": true, \"destination\": \"amzn-s3-demo-bucket2\", \"prefix\": \"logs/amzn-s3-demo-bucket1/\"}"
```
In the example, *amzn-s3-demo-bucket1* is the source bucket for which access logs will be created, *amzn-s3-demo-bucket2* is the destination bucket where the access logs will be saved, and *logs/amzn-s3-demo-bucket1/* is the object key name prefix for the access logs.
You should see a result similar to the following example after running the command. The source bucket is updated, and the access logs should begin generating and being stored on the destination bucket.
![\[Access logging for a bucket enabled\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-enable-access-logging-for-a-bucket.png)
## Disabling access logging using the AWS CLI
Complete the following procedure to disable access logging using the AWS CLI.
**Note**
You must install the AWS CLI and configure it for Lightsail before continuing with this procedure. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window on your local computer.
1. Enter the following command to disable access logging.
```
aws lightsail update-bucket --bucket-name SourceBucketName --access-log-config "{\"enabled\": false}"
```
In the command, replace *SourceBucketName* with the name of the source bucket for which to disable access logging.
**Example**
```
aws lightsail update-bucket --bucket-name amzn-s3-demo-bucket --access-log-config "{\"enabled\": false}"
```
You should see a result similar to the following example after running the command.
![\[Access logging for a bucket disabled\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-disable-access-logging-for-a-bucket.png)
# Analyze bucket access logs with Amazon Athena in Lightsail
In this guide, we show you how to identify requests to a bucket using access logs. For more information, see [Bucket access logs](amazon-lightsail-bucket-access-logs.md).
**Contents**
+ [Query access logs for requests using Amazon Athena](#querying-access-logs-for-requests)
+ [Identify object access requests using Amazon S3 access logs](#identifying-object-access-requests)
## Query access logs for requests using Amazon Athena
You can use Amazon Athena to query and identify requests to a bucket in access logs.
Lightsail stores access logs as objects in a Lightsail bucket. It is often easier to use a tool that can analyze the logs. Athena supports analysis of objects and can be used to query access logs.
**Example**
The following example shows how you can query bucket server access logs in Amazon Athena.
**Note**
To specify a bucket location in an Athena query, you need to format the target bucket name and target prefix where your logs are delivered as an S3 URI, as follows: `s3://amzn-s3-demo-bucket1-logs/prefix/`
1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/).
1. In the **Query Editor**, run a command similar to the following.
```
create database bucket_access_logs_db
```
**Note**
It's a best practice to create the database in the same AWS Region as your S3 bucket.
1. In the **Query Editor**, run a command similar to the following to create a table schema in the database that you created in step 2. The `STRING` and `BIGINT` data type values are the access log properties. You can query these properties in Athena. For `LOCATION`, enter the bucket and prefix path as noted earlier.
```
CREATE EXTERNAL TABLE `s3_access_logs_db.amzn-s3-demo-bucket_logs`(
`bucketowner` STRING,
`bucket_name` STRING,
`requestdatetime` STRING,
`remoteip` STRING,
`requester` STRING,
`requestid` STRING,
`operation` STRING,
`key` STRING,
`request_uri` STRING,
`httpstatus` STRING,
`errorcode` STRING,
`bytessent` BIGINT,
`objectsize` BIGINT,
`totaltime` STRING,
`turnaroundtime` STRING,
`referrer` STRING,
`useragent` STRING,
`versionid` STRING,
`hostid` STRING,
`sigv` STRING,
`ciphersuite` STRING,
`authtype` STRING,
`endpoint` STRING,
`tlsversion` STRING)
ROW FORMAT SERDE
'org.apache.hadoop.hive.serde2.RegexSerDe'
WITH SERDEPROPERTIES (
'input.regex'='([^ ]*) ([^ ]*) \\[(.*?)\\] ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) (\"[^\"]*\"|-) (-|[0-9]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) (\"[^\"]*\"|-) ([^ ]*)(?: ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*))?.*$')
STORED AS INPUTFORMAT
'org.apache.hadoop.mapred.TextInputFormat'
OUTPUTFORMAT
'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION
's3://amzn-s3-demo-bucket1-logs/prefix/'
```
1. In the navigation pane, under **Database**, choose your database.
1. Under **Tables**, choose **Preview** table next to your table name.
In the **Results** pane, you should see data from the server access logs, such as `bucketowner`, `bucket`, `requestdatetime`, and so on. This means that you successfully created the Athena table. You can now query the bucket server access logs.
**Example — Show who deleted an object and when (timestamp, IP address, and IAM user)**
```
SELECT RequestDateTime, RemoteIP, Requester, Key
FROM s3_access_logs_db.amzn-s3-demo-bucket_logs
WHERE key = 'images/picture.jpg' AND operation like '%DELETE%';
```
**Example — Show all operations that were performed by an IAM user**
```
SELECT *
FROM s3_access_logs_db.amzn-s3-demo-bucket_logs
WHERE requester='arn:aws:iam::123456789123:user/user_name';
```
**Example — Show all operations that were performed on an object in a specific time period**
```
SELECT *
FROM s3_access_logs_db.amzn-s3-demo-bucket_logs
WHERE Key='prefix/images/picture.jpg'
AND parse_datetime(RequestDateTime,'dd/MMM/yyyy:HH:mm:ss Z')
BETWEEN parse_datetime('2017-02-18:07:00:00','yyyy-MM-dd:HH:mm:ss')
AND parse_datetime('2017-02-18:08:00:00','yyyy-MM-dd:HH:mm:ss');
```
**Example — Show how much data was transferred by a specific IP address in a specific time period**
```
SELECT SUM(bytessent) AS uploadTotal,
SUM(objectsize) AS downloadTotal,
SUM(bytessent + objectsize) AS Total
FROM s3_access_logs_db.amzn-s3-demo-bucket_logs
WHERE RemoteIP='1.2.3.4'
AND parse_datetime(RequestDateTime,'dd/MMM/yyyy:HH:mm:ss Z')
BETWEEN parse_datetime('2017-06-01','yyyy-MM-dd')
AND parse_datetime('2017-07-01','yyyy-MM-dd');
```
## Identify object access requests using Amazon S3 access logs
You can use queries on access logs to identify object access requests, for operations such as *GET*, *PUT*, and *DELETE*, and discover further information about those requests.
The following Amazon Athena query example shows how to get all `PUT` object requests for a bucket from the server access log.
**Example — Show all requesters that are sending PUT object requests in a certain period**
```
SELECT Bucket, Requester, RemoteIP, Key, HTTPStatus, ErrorCode, RequestDateTime
FROM s3_access_logs_db
WHERE Operation='REST.PUT.OBJECT' AND
parse_datetime(RequestDateTime,'dd/MMM/yyyy:HH:mm:ss Z')
BETWEEN parse_datetime('2019-07-01:00:42:42','yyyy-MM-dd:HH:mm:ss')
AND
parse_datetime('2019-07-02:00:42:42','yyyy-MM-dd:HH:mm:ss')
```
The following Amazon Athena query example shows how to get all GET object requests for Amazon S3 from the server access log.
**Example — Show all requesters that are sending GET object requests in a certain period**
```
SELECT Bucket, Requester, RemoteIP, Key, HTTPStatus, ErrorCode, RequestDateTime
FROM s3_access_logs_db
WHERE Operation='REST.GET.OBJECT' AND
parse_datetime(RequestDateTime,'dd/MMM/yyyy:HH:mm:ss Z')
BETWEEN parse_datetime('2019-07-01:00:42:42','yyyy-MM-dd:HH:mm:ss')
AND
parse_datetime('2019-07-02:00:42:42','yyyy-MM-dd:HH:mm:ss')
```
The following Amazon Athena query example shows how to get all anonymous requests to your S3 buckets from the server access log.
**Example — Show all anonymous requesters that are making requests to a bucket in a certain period**
```
SELECT Bucket, Requester, RemoteIP, Key, HTTPStatus, ErrorCode, RequestDateTime
FROM s3_access_logs_db.amzn-s3-demo-bucket_logs
WHERE Requester IS NULL AND
parse_datetime(RequestDateTime,'dd/MMM/yyyy:HH:mm:ss Z')
BETWEEN parse_datetime('2019-07-01:00:42:42','yyyy-MM-dd:HH:mm:ss')
AND
parse_datetime('2019-07-02:00:42:42','yyyy-MM-dd:HH:mm:ss')
```
**Note**
You can modify the date range to suit your needs.
These query examples might also be useful for security monitoring. You can review the results for `PutObject` or `GetObject` calls from unexpected or unauthorized IP addresses/requesters and for identifying any anonymous requests to your buckets.
This query only retrieves information from the time at which logging was enabled.
# Manage files and folders in Lightsail buckets
You can view all objects stored in your bucket in the Amazon Lightsail object storage service by using the Lightsail console. You can also use the AWS Command Line Interface (AWS CLI) and AWS SDKs to list object keys in your bucket. For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
## Filter objects using the Lightsail console
Complete the following procedure to view objects stored in a bucket using the Lightsail console.
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket for which you want to view objects.
1. The **Objects browser** pane in the **Objects tab** displays the objects and folders that are stored in your bucket.
![\[The object browser pane in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-bucket-object-browser-pane.png)
1. Browse to the location of the object for which you want to view properties.
1. Add a check mark next to the object for which you want to view properties.
1. The **Object properties** pane on the right side of the page displays information about the object.
![\[The object properties pane in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-bucket-object-properties-pane.png)
The information displayed includes:
1. Links to view and download the object.
1. Actions menu (⋮) to copy or delete the object. For more information about copying and deleting objects, see [Copy or move objects in a bucket in Amazon Lightsail](amazon-lightsail-copying-moving-bucket-objects.md) and [Delete bucket objects](amazon-lightsail-deleting-bucket-objects.md).
1. Object size, and last modified timestamp.
1. The access permission of the individual object, which could be private or public (read-only). For more information about object permissions, see [Bucket permissions](amazon-lightsail-understanding-bucket-permissions.md).
1. The metadata of the object. The content type (`ContentType`) key is the only metadata supported by the Lightsail object storage service at this time.
1. The object key value tags. For more information, see [Tag bucket objects](amazon-lightsail-tagging-bucket-objects.md).
1. The option to manage stored versions of the object. For more information, see [Enable and suspend object versioning in a bucket](amazon-lightsail-managing-bucket-object-versioning.md).
**Note**
When you select multiple objects, the **Object properties** pane displays only the total size of the selected objects.
## View objects using the AWS CLI
Complete the following procedure to list object keys in a bucket using the AWS Command Line Interface (AWS CLI). You do this by using the `list-objects-v2` command. For more information, see [list-objects-v2](https://docs.aws.amazon.com/cli/latest/reference/s3api/list-objects-v2.html) in the *AWS CLI Command Reference*.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS Command Line Interface to work with Amazon Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter one of the following commands.
+ Enter the following command to list all object keys in your bucket.
```
aws s3api list-objects-v2 --bucket BucketName --query "Contents[].{Key: Key, Size: Size}"
```
In the command, replace *BucketName* with the name of the bucket for which you want to list all objects.
+ Enter the following command to list objects that start with a specific object key name prefix.
```
aws s3api list-objects-v2 --bucket BucketName --prefix ObjectKeyNamePrefix --query "Contents[].{Key: Key, Size: Size}"
```
In the command, replace the following example text with your own:
+ *BucketName* - The name of the bucket for which you want to list all objects.
+ *ObjectKeyNamePrefix* - An object key name prefix to limit the response to keys that begin with the specified prefix.
**Note**
These commands use the `--query` parameter to filter the response of the `list-objects-v2` request to the key value and size of each object.
Examples:
Listing all object keys in a bucket:
```
aws s3api list-objects-v2 --bucket amzn-s3-demo-bucket --query "Contents[].{Key: Key, Size: Size}"
```
For the preceding command, you should see a result similar to the following example.
![\[Result of the AWS CLI list-objects-v2 command\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3api-list-objects-v2-result.png)
Listing object keys that start with the `archived/` object key name prefix:
```
aws s3api list-objects-v2 --bucket amzn-s3-demo-bucket --prefix archived/ --query "Contents[].{Key: Key, Size: Size}"
```
For the preceding command, you should see a result similar to the following example.
![\[Result of the AWS CLI list-objects-v2 command\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3api-list-objects-v2-prefix-result.png)
## Manage buckets and objects
These are the general steps to manage your Lightsail object storage bucket:
1. Learn about objects and buckets in the Amazon Lightsail object storage service. For more information, see [Object storage in Amazon Lightsail](buckets-in-amazon-lightsail.md).
1. Learn about the names that you can give your buckets in Amazon Lightsail. For more information, see [Bucket naming rules in Amazon Lightsail](bucket-naming-rules-in-amazon-lightsail.md).
1. Get started with the Lightsail object storage service by creating a bucket. For more information, see [Creating buckets in Amazon Lightsail](amazon-lightsail-creating-buckets.md).
1. Learn about security best practices for buckets and the access permissions that you can configure for your bucket. You can make all objects in your bucket public or private, or you can choose to make individual objects public. You can also grant access to your bucket by creating access keys, attaching instances to your bucket, and granting access to other AWS accounts. For more information, see [Security Best Practices for Amazon Lightsail object storage](amazon-lightsail-bucket-security-best-practices.md) and [Understanding bucket permissions in Amazon Lightsail](amazon-lightsail-understanding-bucket-permissions.md).
After learning about bucket access permissions, see the following guides to grant access to your bucket:
+ [Block public access for buckets in Amazon Lightsail](amazon-lightsail-block-public-access-for-buckets.md)
+ [Configuring bucket access permissions in Amazon Lightsail](amazon-lightsail-configuring-bucket-permissions.md)
+ [Configuring access permissions for individual objects in a bucket in Amazon Lightsail](amazon-lightsail-configuring-individual-object-access.md)
+ [Creating access keys for a bucket in Amazon Lightsail](amazon-lightsail-creating-bucket-access-keys.md)
+ [Configuring resource access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-resource-access.md)
+ [Configuring cross-account access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-cross-account-access.md)
1. Learn how to enable access logging for your bucket, and how to use access logs to audit the security of your bucket. For more information, see the following guides.
+ [Access logging for buckets in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-logs.md)
+ [Access log format for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-log-format.md)
+ [Enabling access logging for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-enabling-bucket-access-logs.md)
+ [Using access logs for a bucket in Amazon Lightsail to identify requests](amazon-lightsail-using-bucket-access-logs.md)
1. Create an IAM policy that grants a user the ability to manage a bucket in Lightsail. For more information, see [IAM policy to manage buckets in Amazon Lightsail](amazon-lightsail-bucket-management-policies.md).
1. Learn about the way that objects in your bucket are labeled and identified. For more information, see [Understanding object key names in Amazon Lightsail](understanding-bucket-object-key-names-in-amazon-lightsail.md).
1. Learn how to upload files and manage objects in your buckets. For more information, see the following guides.
+ [Uploading files to a bucket in Amazon Lightsail](amazon-lightsail-uploading-files-to-a-bucket.md)
+ [Uploading files to a bucket in Amazon Lightsail using multipart upload](amazon-lightsail-uploading-files-to-a-bucket-using-multipart-upload.md)
+ [Viewing objects in a bucket in Amazon Lightsail](#amazon-lightsail-viewing-objects-in-a-bucket)
+ [Copying or moving objects in a bucket in Amazon Lightsail](amazon-lightsail-copying-moving-bucket-objects.md)
+ [Downloading objects from a bucket in Amazon Lightsail](amazon-lightsail-downloading-bucket-objects.md)
+ [Filtering objects in a bucket in Amazon Lightsail](amazon-lightsail-filtering-bucket-objects.md)
+ [Tagging objects in a bucket in Amazon Lightsail](amazon-lightsail-tagging-bucket-objects.md)
+ [Deleting objects in a bucket in Amazon Lightsail](amazon-lightsail-deleting-bucket-objects.md)
1. Enable object versioning to preserve, retrieve, and restore every version of every object stored in your bucket. For more information, see [Enabling and suspending object versioning in a bucket in Amazon Lightsail](amazon-lightsail-managing-bucket-object-versioning.md).
1. After enabling object versioning, you can restore previous versions of objects in your bucket. For more information, see [Restoring previous versions of objects in a bucket in Amazon Lightsail](amazon-lightsail-restoring-bucket-object-versions.md).
1. Monitor the utilization of your bucket. For more information, see [Viewing metrics for your bucket in Amazon Lightsail](amazon-lightsail-viewing-bucket-metrics.md).
1. Configure an alarm for bucket metrics to be notified when the utilization of your bucket crosses a threshold. For more information, see [Creating bucket metric alarms in Amazon Lightsail](amazon-lightsail-adding-bucket-metric-alarms.md).
1. Change the storage plan of your bucket if it's running low on storage and network transfer. For more information, see [Changing the plan of your bucket in Amazon Lightsail](amazon-lightsail-changing-bucket-plans.md).
1. Learn how to connect your bucket to other resources. For more information, see the following tutorials.
+ [Tutorial: Connecting a WordPress instance to an Amazon Lightsail bucket](amazon-lightsail-connecting-buckets-to-wordpress.md)
+ [Tutorial: Using an Amazon Lightsail bucket with a Lightsail content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md)
1. Delete your bucket if you're no longer using it. For more information, see [Deleting buckets in Amazon Lightsail](amazon-lightsail-deleting-buckets.md).
**Topics**
+ [Filter objects using the Lightsail console](#view-objects-lightsail-console)
+ [View objects using the AWS CLI](#view-objects-aws-cli)
+ [Manage buckets and objects](#viewing-objects-managing-buckets-and-objects)
+ [Copy and move objects](amazon-lightsail-copying-moving-bucket-objects.md)
+ [Delete objects](amazon-lightsail-deleting-bucket-objects.md)
+ [Download objects](amazon-lightsail-downloading-bucket-objects.md)
+ [Filter objects](amazon-lightsail-filtering-bucket-objects.md)
+ [Manage object versioning](amazon-lightsail-managing-bucket-object-versioning.md)
+ [Restore object versions](amazon-lightsail-restoring-bucket-object-versions.md)
+ [Tag objects](amazon-lightsail-tagging-bucket-objects.md)
# Copy and move objects between Lightsail buckets
You can copy objects that are already stored in your bucket in the Amazon Lightsail object storage service. In this guide, we show you how to copy objects using the Lightsail console and using the AWS Command Line Interface (AWS CLI). Copy objects in your bucket to create duplicate copies of objects, rename objects, or move objects across Lightsail locations (for example, moving objects from one AWS Region to another one, in which Lightsail is available). You can copy objects across locations only using the AWS APIs, AWS SDKs, and AWS Command Line Interface (AWS CLI).
For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
## Restrictions for copying objects
You can create a copy of an object that is up to 2 GB in size by using the Lightsail console. You can create a copy of an object that is up to 5 GB in size with a single copy object action by using the AWS Command Line Interface (AWS CLI), AWS APIs, and AWS SDKs. To copy an object that is greater than 5 GB in size, you must use the multipart upload action of the AWS CLI, AWS APIs, and AWS SDKs. For more information, see [Upload files to a bucket using multipart upload](amazon-lightsail-uploading-files-to-a-bucket-using-multipart-upload.md).
## Copy objects using the Lightsail console
Complete the following procedure to copy an object stored in a bucket using the Lightsail console. To move an object in a bucket, you should copy it to the new location, and delete the original object.
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket for which you want to copy an object.
1. In the **Objects** tab, use the **Objects browser pane** to browse to the location of the object that you want to copy.
1. Add a check mark next to the object that you want to copy.
1. In the **Object information** pane, choose the actions (⋮) menu, and then choose **Copy to**.
1. In the **Select destination** pane that appears, browse to the location in the bucket where you want to copy the selected object. You can also create a new path by entering folder names into the **Destination path** text box.
1. Choose **Copy** to copy the object to the selected or specified destination. Otherwise, choose **No, cancel**.
A **Copy complete** message is displayed when the object is successfully copied. You should delete the original object if your intent was to move the object. For more information, see [Delete bucket objects](amazon-lightsail-deleting-bucket-objects.md).
## Copy objects using the AWS CLI
Complete the following procedure to copy objects in a bucket using the AWS Command Line Interface (AWS CLI). You do this by using the `copy-object` command. For more information, see [copy-object](https://docs.aws.amazon.com/cli/latest/reference/s3api/copy-object.html) in the *AWS CLI Command Reference*.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter the following command to copy an object in your bucket.
```
aws s3api copy-object --copy-source SourceBucketNameAndObjectKey --key DestinationObjectKey --bucket DestinationBucketName --acl bucket-owner-full-control
```
In the command, replace the following example text with your own:
+ *SourceBucketNameAndObjectKey* - The name of the bucket in which the source object currently exists, and the full object key of the object to be copied. For example, to copy the object `images/sailbot.jpg` from the bucket `amzn-s3-demo-bucket`, specify `amzn-s3-demo-bucket/images/sailbot.jpg`.
+ *DestinationObjectKey* - The full object key of the new object copy.
+ *DestinationBucket* - The name of the destination bucket.
Examples:
+ Copying an object in a bucket to the same bucket:
```
aws s3api copy-object --copy-source amzn-s3-demo-bucket1/images/sailbot.jpg --key media/sailbot.jpg --bucket amzn-s3-demo-bucket --acl bucket-owner-full-control
```
+ Copying an object from one bucket to another bucket:
```
aws s3api copy-object --copy-source amzn-s3-demo-bucket1/images/sailbot.jpg --key images/sailbot.jpg --bucket amzn-s3-demo-bucket2 --acl bucket-owner-full-control
```
You should see a result similar to the following example:
![\[Result of the AWS CLI copy-object command\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3api-copy-object-result.png)
## Manage buckets and objects
These are the general steps to manage your Lightsail object storage bucket:
1. Learn about objects and buckets in the Amazon Lightsail object storage service. For more information, see [Object storage in Amazon Lightsail](buckets-in-amazon-lightsail.md).
1. Learn about the names that you can give your buckets in Amazon Lightsail. For more information, see [Bucket naming rules in Amazon Lightsail](bucket-naming-rules-in-amazon-lightsail.md).
1. Get started with the Lightsail object storage service by creating a bucket. For more information, see [Creating buckets in Amazon Lightsail](amazon-lightsail-creating-buckets.md).
1. Learn about security best practices for buckets and the access permissions that you can configure for your bucket. You can make all objects in your bucket public or private, or you can choose to make individual objects public. You can also grant access to your bucket by creating access keys, attaching instances to your bucket, and granting access to other AWS accounts. For more information, see [Security Best Practices for Amazon Lightsail object storage](amazon-lightsail-bucket-security-best-practices.md) and [Understanding bucket permissions in Amazon Lightsail](amazon-lightsail-understanding-bucket-permissions.md).
After learning about bucket access permissions, see the following guides to grant access to your bucket:
+ [Block public access for buckets in Amazon Lightsail](amazon-lightsail-block-public-access-for-buckets.md)
+ [Configuring bucket access permissions in Amazon Lightsail](amazon-lightsail-configuring-bucket-permissions.md)
+ [Configuring access permissions for individual objects in a bucket in Amazon Lightsail](amazon-lightsail-configuring-individual-object-access.md)
+ [Creating access keys for a bucket in Amazon Lightsail](amazon-lightsail-creating-bucket-access-keys.md)
+ [Configuring resource access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-resource-access.md)
+ [Configuring cross-account access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-cross-account-access.md)
1. Learn how to enable access logging for your bucket, and how to use access logs to audit the security of your bucket. For more information, see the following guides.
+ [Access logging for buckets in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-logs.md)
+ [Access log format for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-log-format.md)
+ [Enabling access logging for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-enabling-bucket-access-logs.md)
+ [Using access logs for a bucket in Amazon Lightsail to identify requests](amazon-lightsail-using-bucket-access-logs.md)
1. Create an IAM policy that grants a user the ability to manage a bucket in Lightsail. For more information, see [IAM policy to manage buckets in Amazon Lightsail](amazon-lightsail-bucket-management-policies.md).
1. Learn about the way that objects in your bucket are labeled and identified. For more information, see [Understanding object key names in Amazon Lightsail](understanding-bucket-object-key-names-in-amazon-lightsail.md).
1. Learn how to upload files and manage objects in your buckets. For more information, see the following guides.
+ [Uploading files to a bucket in Amazon Lightsail](amazon-lightsail-uploading-files-to-a-bucket.md)
+ [Uploading files to a bucket in Amazon Lightsail using multipart upload](amazon-lightsail-uploading-files-to-a-bucket-using-multipart-upload.md)
+ [Viewing objects in a bucket in Amazon Lightsail](amazon-lightsail-viewing-objects-in-a-bucket.md)
+ [Copying or moving objects in a bucket in Amazon Lightsail](#amazon-lightsail-copying-moving-bucket-objects)
+ [Downloading objects from a bucket in Amazon Lightsail](amazon-lightsail-downloading-bucket-objects.md)
+ [Filtering objects in a bucket in Amazon Lightsail](amazon-lightsail-filtering-bucket-objects.md)
+ [Tagging objects in a bucket in Amazon Lightsail](amazon-lightsail-tagging-bucket-objects.md)
+ [Deleting objects in a bucket in Amazon Lightsail](amazon-lightsail-deleting-bucket-objects.md)
1. Enable object versioning to preserve, retrieve, and restore every version of every object stored in your bucket. For more information, see [Enabling and suspending object versioning in a bucket in Amazon Lightsail](amazon-lightsail-managing-bucket-object-versioning.md).
1. After enabling object versioning, you can restore previous versions of objects in your bucket. For more information, see [Restoring previous versions of objects in a bucket in Amazon Lightsail](amazon-lightsail-restoring-bucket-object-versions.md).
1. Monitor the utilization of your bucket. For more information, see [Viewing metrics for your bucket in Amazon Lightsail](amazon-lightsail-viewing-bucket-metrics.md).
1. Configure an alarm for bucket metrics to be notified when the utilization of your bucket crosses a threshold. For more information, see [Creating bucket metric alarms in Amazon Lightsail](amazon-lightsail-adding-bucket-metric-alarms.md).
1. Change the storage plan of your bucket if it's running low on storage and network transfer. For more information, see [Changing the plan of your bucket in Amazon Lightsail](amazon-lightsail-changing-bucket-plans.md).
1. Learn how to connect your bucket to other resources. For more information, see the following tutorials.
+ [Tutorial: Connecting a WordPress instance to an Amazon Lightsail bucket](amazon-lightsail-connecting-buckets-to-wordpress.md)
+ [Tutorial: Using an Amazon Lightsail bucket with a Lightsail content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md)
1. Delete your bucket if you're no longer using it. For more information, see [Deleting buckets in Amazon Lightsail](amazon-lightsail-deleting-buckets.md).
# Clear Lightsail bucket storage by deleting objects
You can delete objects from your bucket in the Amazon Lightsail object storage service. To free-up storage space, delete objects that you no longer need . For example, if you're collecting log files, it's a good idea to delete them when you don't need them anymore.
For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
**Contents**
+ [Delete objects from a version-enabled bucket](#deleting-objects-from-version-enabled-buckets)
+ [Delete objects using the Lightsail console](#deleting-objects-lightsail-console)
+ [Delete object versions using the Lightsail console](#deleting-object-versions-lightsail-console)
+ [Delete a single object or object version using the AWS CLI](#deleting-single-object-aws-cli)
+ [Delete multiple objects or object versions using the AWS CLI](#delete-objects-aws-cli)
## Delete objects from a version-enabled bucket
If versioning is enabled on your bucket, multiple versions of the same object can exist in it. You can delete any version of an object using the Lightsail console, AWS CLI, AWS APIs, or AWS SDKS. However, you should consider the following options.
**Delete objects and object versions using the Lightsail console**
When you delete the current version of an object in the **Objects browser pane** of the **Objects** tab in the Lightsail console, this also deletes all previous versions of the object. To delete a specific version of an object, you must do so from the **Manage versions** pane. If you use the **Manage versions** pane to delete the current version of an object, then the most recent previous version is restored as the current version. For more information, see [Delete object versions using the Lightsail console](#deleting-object-versions-lightsail-console) later in this guide.
**Delete objects and object versions using the Lightsail API, AWS CLI, or AWS SDKs**
To delete a single object and all of its stored versions, specify only the object's key in your delete request. To delete a specific version of an object, specify both the object key and also a version ID. For more information, see [Delete a single object or object version using the AWS CLI](#deleting-single-object-aws-cli) later in this guide.
## Delete objects using the Lightsail console
Complete the following procedure to delete an object, including its stored previous versions, using the Lightsail console. You can delete only one object at a time using the Lightsail console. Use the AWS CLI to delete multiple objects at once. For more information, see [Delete multiple objects or object versions using the AWS CLI](#delete-objects-aws-cli) later in this guide.
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket for which you want to delete objects.
1. Use the **Objects browser** pane in the **Objects** tab to browse to the location of the object that you want to delete.
1. Add a check mark next to the object that you want to delete.
1. In the **Object information** pane, choose the actions (⋮) menu, and then choose **Delete**.
1. In the confirmation pane that appears, confirm that you want to permanently delete the object by choosing **Yes, delete**.
If you delete the only object in the folder that you're in, this also deletes the folder. This happens because the folder is part of the object key name, and deleting the object also deletes the preceding folders when no other objects in the bucket share the same object prefix. For more information, see [Key names for object storage buckets](understanding-bucket-object-key-names-in-amazon-lightsail.md).
## Delete object versions using the Lightsail console
Complete the following procedure to delete stored versions of an object. This is only possible for version-enabled buckets. For more information, see [Enable and suspend object versioning in a bucket](amazon-lightsail-managing-bucket-object-versioning.md).
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket for which you want to delete objects.
1. Use the **Objects browser** pane to browse to the location of the object that you want to delete.
1. Add a check mark next to the object for which you want to delete stored previous versions.
1. Choose **Manage** in the **Versions** section of the **Object information** pane, and then choose Manage.
1. In the **Manage stored object versions** pane that appears, add a check mark next to the versions of the object that you want to delete.
You can also choose to delete the current version of an object.
1. Choose **Delete selected** to delete the selected versions.
If you delete:
+ The current version of an object - The most recent previous version of the object is restored as the current version.
+ The only version of an object - The object is deleted from the bucket. If the version you deleted is the only object in the current folder, then the folder is deleted also. This happens because the folder is part of the object key name, and deleting the object also deletes the preceding folders when no other objects in the bucket share the same object key prefix. For more information, see [Enable and suspend object versioning in a bucket](amazon-lightsail-managing-bucket-object-versioning.md).
## Delete a single object or object version using the AWS CLI
Complete the following procedure to delete a single object or object version in your bucket using the AWS Command Line Interface (AWS CLI). You do this by using the `delete-object` command. For more information, see [delete-object](https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-object.html) in the *AWS CLI Command Reference*.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS Command Line Interface to work with Amazon Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter the following command to delete an object or an object version in your bucket.
To delete an object:
```
aws s3api delete-object --bucket BucketName --key ObjectKey
```
To delete an object version:
**Note**
Deleting object versions is only possible for version-enabled buckets. For more information, see [Enable and suspend object versioning in a bucket](amazon-lightsail-managing-bucket-object-versioning.md).
```
aws s3api delete-object --bucket BucketName --key ObjectKey --version-id VersionID
```
In the command, replace the following example text with your own:
+ *BucketName* - The name of the bucket from which you want to delete an object.
+ *ObjectKey* - The full object key of the object you want to delete.
+ *VersionID* - The ID of the object version you want to delete.
Examples:
Deleting an object:
```
aws s3api delete-object --bucket amzn-s3-demo-bucket --key images/sailbot.jpg
```
Deleting an object version:
```
aws s3api delete-object --bucket amzn-s3-demo-bucket --key images/sailbot.jpg --version-id YF0YMBlUvexampleO07l2vJi9hRz4ujX
```
You should see a result similar to the following example:
![\[Result of the AWS CLI delete-object command\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3api-delete-object-version-result.png)
## Delete multiple objects or object versions using the AWS CLI
Complete the following procedure to delete multiple objects in your bucket using the AWS Command Line Interface (AWS CLI). You do this by using the `delete-objects` command. For more information, see [delete-objects](https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-objects.html) in the AWS CLI Command Reference.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS Command Line Interface to work with Amazon Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter the following command to delete multiple objects or multiple object versions in your bucket.
```
aws s3api delete-objects --bucket BucketName --delete file://LocalDirectory
```
In the command, replace the following example text with your own:
+ *BucketName* - The name of the bucket from which you want to delete multiple objects or multiple object versions.
+ *LocalDirectory* - The directory path on your computer of the .json document that specifies the objects or versions to delete. The .json document can be formatted as follows.
To delete objects, enter the following text in the .json file and replace *ObjectKey* with the object key of the objects you want to delete.
```
{
"Objects": [
{
"Key": "ObjectKey1"
},
{
"Key": "ObjectKey2"
}
],
"Quiet": false
}
```
To delete object versions, enter the following text in the .json file. Replace *ObjectKey* and *VersionID* with the object key and IDs of the object versions that you want to delete.
**Note**
Deleting object versions is only possible for version-enabled buckets. For more information, see [Enable and suspend object versioning in a bucket](amazon-lightsail-managing-bucket-object-versioning.md).
```
{
"Objects": [
{
"Key": "ObjectKey1",
"VersionId": "VersionID1"
},
{
"Key": "ObjectKey2",
"VersionId": "VersionID2"
}
],
"Quiet": false
}
```
Examples:
+ On a Linux or Unix computer:
```
aws s3api delete-objects --bucket amzn-s3-demo-bucket --delete file://home/user/Documents/delete-objects.json
```
+ On a Windows computer:
```
aws s3api delete-objects --bucket amzn-s3-demo-bucket --delete file://C:\Users\user\Documents\delete-objects.json
```
You should see a result similar to the following example:
![\[Result of the AWS CLI delete-objects command\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3api-delete-objects-version-result.png)
## Manage buckets and objects
These are the general steps to manage your Lightsail object storage bucket:
1. Learn about objects and buckets in the Amazon Lightsail object storage service. For more information, see [Object storage in Amazon Lightsail](buckets-in-amazon-lightsail.md).
1. Learn about the names that you can give your buckets in Amazon Lightsail. For more information, see [Bucket naming rules in Amazon Lightsail](bucket-naming-rules-in-amazon-lightsail.md).
1. Get started with the Lightsail object storage service by creating a bucket. For more information, see [Creating buckets in Amazon Lightsail](amazon-lightsail-creating-buckets.md).
1. Learn about security best practices for buckets and the access permissions that you can configure for your bucket. You can make all objects in your bucket public or private, or you can choose to make individual objects public. You can also grant access to your bucket by creating access keys, attaching instances to your bucket, and granting access to other AWS accounts. For more information, see [Security Best Practices for Amazon Lightsail object storage](amazon-lightsail-bucket-security-best-practices.md) and [Understanding bucket permissions in Amazon Lightsail](amazon-lightsail-understanding-bucket-permissions.md).
After learning about bucket access permissions, see the following guides to grant access to your bucket:
+ [Block public access for buckets in Amazon Lightsail](amazon-lightsail-block-public-access-for-buckets.md)
+ [Configuring bucket access permissions in Amazon Lightsail](amazon-lightsail-configuring-bucket-permissions.md)
+ [Configuring access permissions for individual objects in a bucket in Amazon Lightsail](amazon-lightsail-configuring-individual-object-access.md)
+ [Creating access keys for a bucket in Amazon Lightsail](amazon-lightsail-creating-bucket-access-keys.md)
+ [Configuring resource access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-resource-access.md)
+ [Configuring cross-account access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-cross-account-access.md)
1. Learn how to enable access logging for your bucket, and how to use access logs to audit the security of your bucket. For more information, see the following guides.
+ [Access logging for buckets in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-logs.md)
+ [Access log format for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-log-format.md)
+ [Enabling access logging for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-enabling-bucket-access-logs.md)
+ [Using access logs for a bucket in Amazon Lightsail to identify requests](amazon-lightsail-using-bucket-access-logs.md)
1. Create an IAM policy that grants a user the ability to manage a bucket in Lightsail. For more information, see [IAM policy to manage buckets in Amazon Lightsail](amazon-lightsail-bucket-management-policies.md).
1. Learn about the way that objects in your bucket are labeled and identified. For more information, see [Understanding object key names in Amazon Lightsail](understanding-bucket-object-key-names-in-amazon-lightsail.md).
1. Learn how to upload files and manage objects in your buckets. For more information, see the following guides.
+ [Uploading files to a bucket in Amazon Lightsail](amazon-lightsail-uploading-files-to-a-bucket.md)
+ [Uploading files to a bucket in Amazon Lightsail using multipart upload](amazon-lightsail-uploading-files-to-a-bucket-using-multipart-upload.md)
+ [Viewing objects in a bucket in Amazon Lightsail](amazon-lightsail-viewing-objects-in-a-bucket.md)
+ [Copying or moving objects in a bucket in Amazon Lightsail](amazon-lightsail-copying-moving-bucket-objects.md)
+ [Downloading objects from a bucket in Amazon Lightsail](amazon-lightsail-downloading-bucket-objects.md)
+ [Filtering objects in a bucket in Amazon Lightsail](amazon-lightsail-filtering-bucket-objects.md)
+ [Tagging objects in a bucket in Amazon Lightsail](amazon-lightsail-tagging-bucket-objects.md)
+ [Deleting objects in a bucket in Amazon Lightsail](#amazon-lightsail-deleting-bucket-objects)
1. Enable object versioning to preserve, retrieve, and restore every version of every object stored in your bucket. For more information, see [Enabling and suspending object versioning in a bucket in Amazon Lightsail](amazon-lightsail-managing-bucket-object-versioning.md).
1. After enabling object versioning, you can restore previous versions of objects in your bucket. For more information, see [Restoring previous versions of objects in a bucket in Amazon Lightsail](amazon-lightsail-restoring-bucket-object-versions.md).
1. Monitor the utilization of your bucket. For more information, see [Viewing metrics for your bucket in Amazon Lightsail](amazon-lightsail-viewing-bucket-metrics.md).
1. Configure an alarm for bucket metrics to be notified when the utilization of your bucket crosses a threshold. For more information, see [Creating bucket metric alarms in Amazon Lightsail](amazon-lightsail-adding-bucket-metric-alarms.md).
1. Change the storage plan of your bucket if it's running low on storage and network transfer. For more information, see [Changing the plan of your bucket in Amazon Lightsail](amazon-lightsail-changing-bucket-plans.md).
1. Learn how to connect your bucket to other resources. For more information, see the following tutorials.
+ [Tutorial: Connecting a WordPress instance to an Amazon Lightsail bucket](amazon-lightsail-connecting-buckets-to-wordpress.md)
+ [Tutorial: Using an Amazon Lightsail bucket with a Lightsail content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md)
1. Delete your bucket if you're no longer using it. For more information, see [Deleting buckets in Amazon Lightsail](amazon-lightsail-deleting-buckets.md).
# Download objects from a Lightsail bucket
You can download objects from buckets that you have access to or that are public (read-only) in the Amazon Lightsail object storage service. You can download a single object at a time using the Lightsail console. To download multiple objects in one request, use the AWS Command Line Interface (AWS CLI), AWS SDKs, or REST API. In this guide, we show you how to download objects using the Lightsail console and AWS CLI. For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
## Download objects using the Lightsail console
Complete the following procedure to download objects from a bucket using the Lightsail console.
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket from which you want to download a file.
1. In the **Objects** tab, use the **Objects browser pane** to browse to the location of the object that you want to download.
1. Add a check mark next to the object that you want to download.
1. In the **Object information** pane, choose the download icon.
![\[Download icon for an object in a bucket\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/bucket-object-download-icon.png)
Depending on the configuration of your browser, the file that you chose is either displayed on the page or is downloaded to your computer. If the file is displayed on the page, you can right-click it and choose **Save as** to save it to your computer.
## Download objects using the AWS CLI
Complete the following procedure to download objects from a bucket using the AWS Command Line Interface (AWS CLI). You do this by using the `get-object` command. For more information, see [get-object](https://docs.aws.amazon.com/cli/latest/reference/s3api/get-object.html) in the *AWS CLI Command Reference*.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS Command Line Interface to work with Amazon Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter the following command to download an object from your bucket.
```
aws s3api get-object --bucket BucketName --key ObjectKey LocalFilePath
```
In the command, replace the following example text with your own:
+ *BucketName* - The name of the bucket from which you want to download an object.
+ *ObjectKey* - The full object key of the object you want to download.
+ *LocalFilePath* - The full file path on your computer where you want to save the downloaded file.
Example:
```
aws s3api get-object --bucket amzn-s3-demo-bucket --key images/sailbot.jpg C:\Users\user\Pictures\sailbot.jpg
```
You should see a result similar to the following example:
![\[Result of the AWS CLI download-object command\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3api-download-object-result.png)
## Manage buckets and objects
These are the general steps to manage your Lightsail object storage bucket:
1. Learn about objects and buckets in the Amazon Lightsail object storage service. For more information, see [Object storage in Amazon Lightsail](buckets-in-amazon-lightsail.md).
1. Learn about the names that you can give your buckets in Amazon Lightsail. For more information, see [Bucket naming rules in Amazon Lightsail](bucket-naming-rules-in-amazon-lightsail.md).
1. Get started with the Lightsail object storage service by creating a bucket. For more information, see [Creating buckets in Amazon Lightsail](amazon-lightsail-creating-buckets.md).
1. Learn about security best practices for buckets and the access permissions that you can configure for your bucket. You can make all objects in your bucket public or private, or you can choose to make individual objects public. You can also grant access to your bucket by creating access keys, attaching instances to your bucket, and granting access to other AWS accounts. For more information, see [Security Best Practices for Amazon Lightsail object storage](amazon-lightsail-bucket-security-best-practices.md) and [Understanding bucket permissions in Amazon Lightsail](amazon-lightsail-understanding-bucket-permissions.md).
After learning about bucket access permissions, see the following guides to grant access to your bucket:
+ [Block public access for buckets in Amazon Lightsail](amazon-lightsail-block-public-access-for-buckets.md)
+ [Configuring bucket access permissions in Amazon Lightsail](amazon-lightsail-configuring-bucket-permissions.md)
+ [Configuring access permissions for individual objects in a bucket in Amazon Lightsail](amazon-lightsail-configuring-individual-object-access.md)
+ [Creating access keys for a bucket in Amazon Lightsail](amazon-lightsail-creating-bucket-access-keys.md)
+ [Configuring resource access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-resource-access.md)
+ [Configuring cross-account access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-cross-account-access.md)
1. Learn how to enable access logging for your bucket, and how to use access logs to audit the security of your bucket. For more information, see the following guides.
+ [Access logging for buckets in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-logs.md)
+ [Access log format for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-log-format.md)
+ [Enabling access logging for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-enabling-bucket-access-logs.md)
+ [Using access logs for a bucket in Amazon Lightsail to identify requests](amazon-lightsail-using-bucket-access-logs.md)
1. Create an IAM policy that grants a user the ability to manage a bucket in Lightsail. For more information, see [IAM policy to manage buckets in Amazon Lightsail](amazon-lightsail-bucket-management-policies.md).
1. Learn about the way that objects in your bucket are labeled and identified. For more information, see [Understanding object key names in Amazon Lightsail](understanding-bucket-object-key-names-in-amazon-lightsail.md).
1. Learn how to upload files and manage objects in your buckets. For more information, see the following guides.
+ [Uploading files to a bucket in Amazon Lightsail](amazon-lightsail-uploading-files-to-a-bucket.md)
+ [Uploading files to a bucket in Amazon Lightsail using multipart upload](amazon-lightsail-uploading-files-to-a-bucket-using-multipart-upload.md)
+ [Viewing objects in a bucket in Amazon Lightsail](amazon-lightsail-viewing-objects-in-a-bucket.md)
+ [Copying or moving objects in a bucket in Amazon Lightsail](amazon-lightsail-copying-moving-bucket-objects.md)
+ [Downloading objects from a bucket in Amazon Lightsail](#amazon-lightsail-downloading-bucket-objects)
+ [Filtering objects in a bucket in Amazon Lightsail](amazon-lightsail-filtering-bucket-objects.md)
+ [Tagging objects in a bucket in Amazon Lightsail](amazon-lightsail-tagging-bucket-objects.md)
+ [Deleting objects in a bucket in Amazon Lightsail](amazon-lightsail-deleting-bucket-objects.md)
1. Enable object versioning to preserve, retrieve, and restore every version of every object stored in your bucket. For more information, see [Enabling and suspending object versioning in a bucket in Amazon Lightsail](amazon-lightsail-managing-bucket-object-versioning.md).
1. After enabling object versioning, you can restore previous versions of objects in your bucket. For more information, see [Restoring previous versions of objects in a bucket in Amazon Lightsail](amazon-lightsail-restoring-bucket-object-versions.md).
1. Monitor the utilization of your bucket. For more information, see [Viewing metrics for your bucket in Amazon Lightsail](amazon-lightsail-viewing-bucket-metrics.md).
1. Configure an alarm for bucket metrics to be notified when the utilization of your bucket crosses a threshold. For more information, see [Creating bucket metric alarms in Amazon Lightsail](amazon-lightsail-adding-bucket-metric-alarms.md).
1. Change the storage plan of your bucket if it's running low on storage and network transfer. For more information, see [Changing the plan of your bucket in Amazon Lightsail](amazon-lightsail-changing-bucket-plans.md).
1. Learn how to connect your bucket to other resources. For more information, see the following tutorials.
+ [Tutorial: Connecting a WordPress instance to an Amazon Lightsail bucket](amazon-lightsail-connecting-buckets-to-wordpress.md)
+ [Tutorial: Using an Amazon Lightsail bucket with a Lightsail content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md)
1. Delete your bucket if you're no longer using it. For more information, see [Deleting buckets in Amazon Lightsail](amazon-lightsail-deleting-buckets.md).
# Filter objects in Lightsail buckets by name prefix
You can use filtering to find objects in your bucket in the Amazon Lightsail object storage service. In this guide, we show you how to filter objects using the Lightsail console, and the AWS Command Line Interface (AWS CLI). For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
## Filter objects using the Lightsail console
Complete the following procedure to filter objects in a bucket using the Lightsail console.
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket for which you want to find objects.
1. In the **Objects** tab, type an object prefix in the **Filter by name** text box.
The list of objects in the folder that you're currently viewing are filtered to match the text you enter. The following example shows that if you enter `sail`, the list of objects on the page are filtered to display only those that start with `sail`.
![\[Filtering bucket objects in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-filter-bucket-objects-using-console.png)
To filter the list of objects in a different folder, navigate to that folder. Then, enter the object prefix into the **Filter by name** text box there.
## Filter objects using the AWS CLI
Complete the following procedure to filter objects in a bucket using the AWS Command Line Interface (AWS CLI). You do this by using the `list-objects-v2` command. For more information, see [list-objects-v2](https://docs.aws.amazon.com/cli/latest/reference/s3api/list-objects-v2.html) in the *AWS CLI Command Reference*.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS Command Line Interface to work with Amazon Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter the following command to list objects that start with a specific object key name prefix.
```
aws s3api list-objects-v2 --bucket BucketName --prefix ObjectKeyNamePrefix --query "Contents[].{Key: Key, Size: Size}"
```
In the command, replace the following example text with your own:
+ *BucketName* - The name of the bucket for which you want to list all objects.
+ *ObjectKeyNamePrefix* - An object key name prefix to limit the response to keys that begin with the specified prefix.
**Note**
This command uses the `--query` parameter to filter the response of the `list-objects-v2` request to the key value and size of each object.
Example:
```
aws s3api list-objects-v2 --bucket amzn-s3-demo-bucket --prefix archived/ --query "Contents[].{Key: Key, Size: Size}"
```
You should see a result similar to the following example.
![\[Result of the AWS CLI list-objects-v2 command\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3api-list-objects-v2-prefix-result.png)
## Manage buckets and objects
These are the general steps to manage your Lightsail object storage bucket:
1. Learn about objects and buckets in the Amazon Lightsail object storage service. For more information, see [Object storage in Amazon Lightsail](buckets-in-amazon-lightsail.md).
1. Learn about the names that you can give your buckets in Amazon Lightsail. For more information, see [Bucket naming rules in Amazon Lightsail](bucket-naming-rules-in-amazon-lightsail.md).
1. Get started with the Lightsail object storage service by creating a bucket. For more information, see [Creating buckets in Amazon Lightsail](amazon-lightsail-creating-buckets.md).
1. Learn about security best practices for buckets and the access permissions that you can configure for your bucket. You can make all objects in your bucket public or private, or you can choose to make individual objects public. You can also grant access to your bucket by creating access keys, attaching instances to your bucket, and granting access to other AWS accounts. For more information, see [Security Best Practices for Amazon Lightsail object storage](amazon-lightsail-bucket-security-best-practices.md) and [Understanding bucket permissions in Amazon Lightsail](amazon-lightsail-understanding-bucket-permissions.md).
After learning about bucket access permissions, see the following guides to grant access to your bucket:
+ [Block public access for buckets in Amazon Lightsail](amazon-lightsail-block-public-access-for-buckets.md)
+ [Configuring bucket access permissions in Amazon Lightsail](amazon-lightsail-configuring-bucket-permissions.md)
+ [Configuring access permissions for individual objects in a bucket in Amazon Lightsail](amazon-lightsail-configuring-individual-object-access.md)
+ [Creating access keys for a bucket in Amazon Lightsail](amazon-lightsail-creating-bucket-access-keys.md)
+ [Configuring resource access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-resource-access.md)
+ [Configuring cross-account access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-cross-account-access.md)
1. Learn how to enable access logging for your bucket, and how to use access logs to audit the security of your bucket. For more information, see the following guides.
+ [Access logging for buckets in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-logs.md)
+ [Access log format for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-log-format.md)
+ [Enabling access logging for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-enabling-bucket-access-logs.md)
+ [Using access logs for a bucket in Amazon Lightsail to identify requests](amazon-lightsail-using-bucket-access-logs.md)
1. Create an IAM policy that grants a user the ability to manage a bucket in Lightsail. For more information, see [IAM policy to manage buckets in Amazon Lightsail](amazon-lightsail-bucket-management-policies.md).
1. Learn about the way that objects in your bucket are labeled and identified. For more information, see [Understanding object key names in Amazon Lightsail](understanding-bucket-object-key-names-in-amazon-lightsail.md).
1. Learn how to upload files and manage objects in your buckets. For more information, see the following guides.
+ [Uploading files to a bucket in Amazon Lightsail](amazon-lightsail-uploading-files-to-a-bucket.md)
+ [Uploading files to a bucket in Amazon Lightsail using multipart upload](amazon-lightsail-uploading-files-to-a-bucket-using-multipart-upload.md)
+ [Viewing objects in a bucket in Amazon Lightsail](amazon-lightsail-viewing-objects-in-a-bucket.md)
+ [Copying or moving objects in a bucket in Amazon Lightsail](amazon-lightsail-copying-moving-bucket-objects.md)
+ [Downloading objects from a bucket in Amazon Lightsail](amazon-lightsail-downloading-bucket-objects.md)
+ [Filtering objects in a bucket in Amazon Lightsail](#amazon-lightsail-filtering-bucket-objects)
+ [Tagging objects in a bucket in Amazon Lightsail](amazon-lightsail-tagging-bucket-objects.md)
+ [Deleting objects in a bucket in Amazon Lightsail](amazon-lightsail-deleting-bucket-objects.md)
1. Enable object versioning to preserve, retrieve, and restore every version of every object stored in your bucket. For more information, see [Enabling and suspending object versioning in a bucket in Amazon Lightsail](amazon-lightsail-managing-bucket-object-versioning.md).
1. After enabling object versioning, you can restore previous versions of objects in your bucket. For more information, see [Restoring previous versions of objects in a bucket in Amazon Lightsail](amazon-lightsail-restoring-bucket-object-versions.md).
1. Monitor the utilization of your bucket. For more information, see [Viewing metrics for your bucket in Amazon Lightsail](amazon-lightsail-viewing-bucket-metrics.md).
1. Configure an alarm for bucket metrics to be notified when the utilization of your bucket crosses a threshold. For more information, see [Creating bucket metric alarms in Amazon Lightsail](amazon-lightsail-adding-bucket-metric-alarms.md).
1. Change the storage plan of your bucket if it's running low on storage and network transfer. For more information, see [Changing the plan of your bucket in Amazon Lightsail](amazon-lightsail-changing-bucket-plans.md).
1. Learn how to connect your bucket to other resources. For more information, see the following tutorials.
+ [Tutorial: Connecting a WordPress instance to an Amazon Lightsail bucket](amazon-lightsail-connecting-buckets-to-wordpress.md)
+ [Tutorial: Using an Amazon Lightsail bucket with a Lightsail content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md)
1. Delete your bucket if you're no longer using it. For more information, see [Deleting buckets in Amazon Lightsail](amazon-lightsail-deleting-buckets.md).
# Enable and suspend object versioning in Lightsail
Versioning in Amazon Lightsail object storage service is a means of keeping multiple variants of an object in the same bucket. You can use the versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. With versioning, you can recover more easily from both unintended user actions and application failures. When you enable versioning for a bucket, if the Lightsail object storage service receives multiple write requests for the same object simultaneously, it stores all of those objects. Versioning is disabled by default on buckets in the Lightsail object storage service, so you must explicitly enable it. For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
**Important**
When you enable or suspend versioning on a bucket that has the **Individual objects can be made public (read-only)** access permission configured, the permission resets to **All objects are private**. If you want to continue having the option to make individual objects public, you must manually change the bucket access permission back to **Individual objects can be made public (read-only)**. For more information, see [Configure bucket access permissions](amazon-lightsail-configuring-bucket-permissions.md).
## Version disabled, enabled, and suspended buckets
Bucket versioning can be in one of three states in the Lightsail console:
+ Disabled (`NeverEnabled` in the API and SDKs)
+ Enabled (`Enabled` in the API and SDKs)
+ Suspended (`Suspended` in the API and SDKs)
After you enable versioning in a bucket, it cannot return to a disabled state. But you can suspend versioning. You enable and suspend versioning at the bucket level.
The versioning state applies to all (not some) of the objects in that bucket. When you enable versioning in a bucket, all new objects are versioned and given a unique version ID. Objects that already exist in the bucket when versioning is enabled are always versioned going forward. They are given a unique version ID when they are modified by future requests.
## Version IDs
If you enable versioning for a bucket, the Lightsail object storage service automatically generates a unique version ID for the object that is being stored. For example, in one bucket you can have two objects with the same key but different version IDs, such as `photo.gif` (version 111111) and `photo.gif` (version 121212).
![\[Bucket versioning enabled\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-bucket-versioning-versioning-enabled.png)
Version IDs cannot be edited. They are Unicode, UTF-8 encoded, URL-ready, opaque strings that are no more than 1,024 bytes long. The following is an example of a version ID:
```
3sL4kqtJlcpXroDTDmJ+rmSpXd3dIbrHY+MTRCxf3vjVBH40Nr8X8gdRQBpUMLUo
```
## Enable or suspend object versioning using the Lightsail console
Complete the following procedure to enable or suspend object versioning using the Lightsail console.
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket for which you want to enable or suspend versioning.
1. Choose the Versioning tab.
1. Complete one of the following actions depending on the current versioning state of your bucket:
+ If versioning is currently suspended or has not been enabled, choose the toggle under the **Object versioning** section of the page to enable versioning.
+ If versioning is currently enabled, choose the toggle under the **Object versioning** section of the page to suspend versioning.
## Enable or suspend object versioning using the AWS CLI
Complete the following procedure to enable or suspend object versioning using the AWS Command Line Interface (AWS CLI). You do this by using the `update-bucket` command. For more information, see [update-bucket](https://docs.aws.amazon.com/cli/latest/reference/lightsail/update-bucket.html) in the *AWS CLI Command Reference*.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter the following command to enable or suspend object versioning.
```
aws lightsail update-bucket --bucket-name BucketName --versioning VersioningState
```
In the command, replace the following example text with your own:
+ *BucketName* - The name of the bucket for which you want to enable object versioning.
+ *VersioningState* - One of the following:
+ `Enabled` - Enables object versioning.
+ `Suspended` - Suspends object versioning if it was previously enabled.
Example:
```
aws lightsail update-bucket --bucket-name amzn-s3-demo-bucket --versioning Enabled
```
You should see a result similar to the following example:
![\[Response to the update bucket request\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-update-bucket-objects-versioning-cli.png)
## Manage buckets and objects
These are the general steps to manage your Lightsail object storage bucket:
1. Learn about objects and buckets in the Amazon Lightsail object storage service. For more information, see [Object storage in Amazon Lightsail](buckets-in-amazon-lightsail.md).
1. Learn about the names that you can give your buckets in Amazon Lightsail. For more information, see [Bucket naming rules in Amazon Lightsail](bucket-naming-rules-in-amazon-lightsail.md).
1. Get started with the Lightsail object storage service by creating a bucket. For more information, see [Creating buckets in Amazon Lightsail](amazon-lightsail-creating-buckets.md).
1. Learn about security best practices for buckets and the access permissions that you can configure for your bucket. You can make all objects in your bucket public or private, or you can choose to make individual objects public. You can also grant access to your bucket by creating access keys, attaching instances to your bucket, and granting access to other AWS accounts. For more information, see [Security Best Practices for Amazon Lightsail object storage](amazon-lightsail-bucket-security-best-practices.md) and [Understanding bucket permissions in Amazon Lightsail](amazon-lightsail-understanding-bucket-permissions.md).
After learning about bucket access permissions, see the following guides to grant access to your bucket:
+ [Block public access for buckets in Amazon Lightsail](amazon-lightsail-block-public-access-for-buckets.md)
+ [Configuring bucket access permissions in Amazon Lightsail](amazon-lightsail-configuring-bucket-permissions.md)
+ [Configuring access permissions for individual objects in a bucket in Amazon Lightsail](amazon-lightsail-configuring-individual-object-access.md)
+ [Creating access keys for a bucket in Amazon Lightsail](amazon-lightsail-creating-bucket-access-keys.md)
+ [Configuring resource access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-resource-access.md)
+ [Configuring cross-account access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-cross-account-access.md)
1. Learn how to enable access logging for your bucket, and how to use access logs to audit the security of your bucket. For more information, see the following guides.
+ [Access logging for buckets in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-logs.md)
+ [Access log format for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-log-format.md)
+ [Enabling access logging for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-enabling-bucket-access-logs.md)
+ [Using access logs for a bucket in Amazon Lightsail to identify requests](amazon-lightsail-using-bucket-access-logs.md)
1. Create an IAM policy that grants a user the ability to manage a bucket in Lightsail. For more information, see [IAM policy to manage buckets in Amazon Lightsail](amazon-lightsail-bucket-management-policies.md).
1. Learn about the way that objects in your bucket are labeled and identified. For more information, see [Understanding object key names in Amazon Lightsail](understanding-bucket-object-key-names-in-amazon-lightsail.md).
1. Learn how to upload files and manage objects in your buckets. For more information, see the following guides.
+ [Uploading files to a bucket in Amazon Lightsail](amazon-lightsail-uploading-files-to-a-bucket.md)
+ [Uploading files to a bucket in Amazon Lightsail using multipart upload](amazon-lightsail-uploading-files-to-a-bucket-using-multipart-upload.md)
+ [Viewing objects in a bucket in Amazon Lightsail](amazon-lightsail-viewing-objects-in-a-bucket.md)
+ [Copying or moving objects in a bucket in Amazon Lightsail](amazon-lightsail-copying-moving-bucket-objects.md)
+ [Downloading objects from a bucket in Amazon Lightsail](amazon-lightsail-downloading-bucket-objects.md)
+ [Filtering objects in a bucket in Amazon Lightsail](amazon-lightsail-filtering-bucket-objects.md)
+ [Tagging objects in a bucket in Amazon Lightsail](amazon-lightsail-tagging-bucket-objects.md)
+ [Deleting objects in a bucket in Amazon Lightsail](amazon-lightsail-deleting-bucket-objects.md)
1. Enable object versioning to preserve, retrieve, and restore every version of every object stored in your bucket. For more information, see [Enabling and suspending object versioning in a bucket in Amazon Lightsail](#amazon-lightsail-managing-bucket-object-versioning).
1. After enabling object versioning, you can restore previous versions of objects in your bucket. For more information, see [Restoring previous versions of objects in a bucket in Amazon Lightsail](amazon-lightsail-restoring-bucket-object-versions.md).
1. Monitor the utilization of your bucket. For more information, see [Viewing metrics for your bucket in Amazon Lightsail](amazon-lightsail-viewing-bucket-metrics.md).
1. Configure an alarm for bucket metrics to be notified when the utilization of your bucket crosses a threshold. For more information, see [Creating bucket metric alarms in Amazon Lightsail](amazon-lightsail-adding-bucket-metric-alarms.md).
1. Change the storage plan of your bucket if it's running low on storage and network transfer. For more information, see [Changing the plan of your bucket in Amazon Lightsail](amazon-lightsail-changing-bucket-plans.md).
1. Learn how to connect your bucket to other resources. For more information, see the following tutorials.
+ [Tutorial: Connecting a WordPress instance to an Amazon Lightsail bucket](amazon-lightsail-connecting-buckets-to-wordpress.md)
+ [Tutorial: Using an Amazon Lightsail bucket with a Lightsail content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md)
1. Delete your bucket if you're no longer using it. For more information, see [Deleting buckets in Amazon Lightsail](amazon-lightsail-deleting-buckets.md).
# Recover previous object versions in Lightsail buckets
If your bucket in the Amazon Lightsail object storage service is version-enabled, then you can restore previous versions of an object. Restore a previous version of an object recover from unintended user actions or application failures.
You can restore a previous version of an object using the Lightsail console. You can also use the AWS Command Line Interface (AWS CLI) and AWS SDKs restore a previous version of an object. To do this, copy a specific version of the object into the same bucket, and use the same object key name. This replaces the current version with the previous version, making the previous version the current version. For more information about versioning, see [Enable and suspend bucket object versioning](amazon-lightsail-managing-bucket-object-versioning.md). For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
## Restore a previous version of an object using the Lightsail console
Complete the following procedure to restore a previous version of an object using the Lightsail console.
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket for which you want to restore a previous version of an object.
1. Use the **Objects browser** pane in the **Objects** tab to browse to the location of the object.
1. Add a check mark next to the object for which you want to restore a previous version.
1. Choose **Manage** under the Versions section of the **Object information** pane.
1. Choose **Restore**.
1. In the **Restore object** from a stored version pane that appears, choose the version of the object that you want to restore.
1. Choose **Continue**.
1. In the confirmation prompt that appears, choose **Yes, restore** to restore the object version. Otherwise, choose **No, cancel**.
## Restore a previous version of an object using the AWS CLI
Complete the following procedure to restore a previous version of an object the AWS Command Line Interface (AWS CLI). You do this by using the `copy-object` command. You must copy the previous version of the object into the same bucket, using the same object key. For more information, see [copy-object](https://docs.aws.amazon.com/cli/latest/reference/s3api/copy-object.html) in the *AWS CLI Command Reference*.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS Command Line Interface to work with Amazon Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter the following command to restore a previous version of an object.
```
aws s3api copy-object --copy-source "BucketName/ObjectKey?versionId=VersionId" --key ObjectKey --bucket BucketName
```
In the command, replace the following example text with your own:
+ *BucketName* - The name of the bucket for which you want to restore a previous version of an object. You must specify the same bucket name for the `--copy-source` and `--bucket` parameters.
+ *ObjectKey* - The name of the object to restore. You must specify the same object key name for the `--copy-source` and `--key` parameters.
+ *VersionId* - The ID of the previous object version that you want to restore to the current version. Use the `list-object-versions` command to get a list of version IDs for objects in your bucket.
Example:
```
aws s3api copy-object --copy-source "amzn-s3-demo-bucket/sailbot.jpg?versionId=GQWEexample87Mdl8Q_DKdVTiVMi_VyU" –key sailbot.jpg --bucket amzn-s3-demo-bucket
```
You should see a result similar to the following example:
![\[Result of the AWS CLI copy-object-version command\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3api-copy-object-version-result.png)
## Manage buckets and objects
These are the general steps to manage your Lightsail object storage bucket:
1. Learn about objects and buckets in the Amazon Lightsail object storage service. For more information, see [Object storage in Amazon Lightsail](buckets-in-amazon-lightsail.md).
1. Learn about the names that you can give your buckets in Amazon Lightsail. For more information, see [Bucket naming rules in Amazon Lightsail](bucket-naming-rules-in-amazon-lightsail.md).
1. Get started with the Lightsail object storage service by creating a bucket. For more information, see [Creating buckets in Amazon Lightsail](amazon-lightsail-creating-buckets.md).
1. Learn about security best practices for buckets and the access permissions that you can configure for your bucket. You can make all objects in your bucket public or private, or you can choose to make individual objects public. You can also grant access to your bucket by creating access keys, attaching instances to your bucket, and granting access to other AWS accounts. For more information, see [Security Best Practices for Amazon Lightsail object storage](amazon-lightsail-bucket-security-best-practices.md) and [Understanding bucket permissions in Amazon Lightsail](amazon-lightsail-understanding-bucket-permissions.md).
After learning about bucket access permissions, see the following guides to grant access to your bucket:
+ [Block public access for buckets in Amazon Lightsail](amazon-lightsail-block-public-access-for-buckets.md)
+ [Configuring bucket access permissions in Amazon Lightsail](amazon-lightsail-configuring-bucket-permissions.md)
+ [Configuring access permissions for individual objects in a bucket in Amazon Lightsail](amazon-lightsail-configuring-individual-object-access.md)
+ [Creating access keys for a bucket in Amazon Lightsail](amazon-lightsail-creating-bucket-access-keys.md)
+ [Configuring resource access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-resource-access.md)
+ [Configuring cross-account access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-cross-account-access.md)
1. Learn how to enable access logging for your bucket, and how to use access logs to audit the security of your bucket. For more information, see the following guides.
+ [Access logging for buckets in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-logs.md)
+ [Access log format for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-log-format.md)
+ [Enabling access logging for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-enabling-bucket-access-logs.md)
+ [Using access logs for a bucket in Amazon Lightsail to identify requests](amazon-lightsail-using-bucket-access-logs.md)
1. Create an IAM policy that grants a user the ability to manage a bucket in Lightsail. For more information, see [IAM policy to manage buckets in Amazon Lightsail](amazon-lightsail-bucket-management-policies.md).
1. Learn about the way that objects in your bucket are labeled and identified. For more information, see [Understanding object key names in Amazon Lightsail](understanding-bucket-object-key-names-in-amazon-lightsail.md).
1. Learn how to upload files and manage objects in your buckets. For more information, see the following guides.
+ [Uploading files to a bucket in Amazon Lightsail](amazon-lightsail-uploading-files-to-a-bucket.md)
+ [Uploading files to a bucket in Amazon Lightsail using multipart upload](amazon-lightsail-uploading-files-to-a-bucket-using-multipart-upload.md)
+ [Viewing objects in a bucket in Amazon Lightsail](amazon-lightsail-viewing-objects-in-a-bucket.md)
+ [Copying or moving objects in a bucket in Amazon Lightsail](amazon-lightsail-copying-moving-bucket-objects.md)
+ [Downloading objects from a bucket in Amazon Lightsail](amazon-lightsail-downloading-bucket-objects.md)
+ [Filtering objects in a bucket in Amazon Lightsail](amazon-lightsail-filtering-bucket-objects.md)
+ [Tagging objects in a bucket in Amazon Lightsail](amazon-lightsail-tagging-bucket-objects.md)
+ [Deleting objects in a bucket in Amazon Lightsail](amazon-lightsail-deleting-bucket-objects.md)
1. Enable object versioning to preserve, retrieve, and restore every version of every object stored in your bucket. For more information, see [Enabling and suspending object versioning in a bucket in Amazon Lightsail](amazon-lightsail-managing-bucket-object-versioning.md).
1. After enabling object versioning, you can restore previous versions of objects in your bucket. For more information, see [Restoring previous versions of objects in a bucket in Amazon Lightsail](#amazon-lightsail-restoring-bucket-object-versions).
1. Monitor the utilization of your bucket. For more information, see [Viewing metrics for your bucket in Amazon Lightsail](amazon-lightsail-viewing-bucket-metrics.md).
1. Configure an alarm for bucket metrics to be notified when the utilization of your bucket crosses a threshold. For more information, see [Creating bucket metric alarms in Amazon Lightsail](amazon-lightsail-adding-bucket-metric-alarms.md).
1. Change the storage plan of your bucket if it's running low on storage and network transfer. For more information, see [Changing the plan of your bucket in Amazon Lightsail](amazon-lightsail-changing-bucket-plans.md).
1. Learn how to connect your bucket to other resources. For more information, see the following tutorials.
+ [Tutorial: Connecting a WordPress instance to an Amazon Lightsail bucket](amazon-lightsail-connecting-buckets-to-wordpress.md)
+ [Tutorial: Using an Amazon Lightsail bucket with a Lightsail content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md)
1. Delete your bucket if you're no longer using it. For more information, see [Deleting buckets in Amazon Lightsail](amazon-lightsail-deleting-buckets.md).
# Tag objects in Lightsail buckets
Tag objects in your bucket to categorize them by purpose, owner, environment, or other criteria. Tags can be added to objects when you upload them, or after they are uploaded. For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
## Add and delete tags for objects using the Lightsail console
Complete the following procedure to add or delete tags from objects in a bucket using the Lightsail console.
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket for which you want to tag objects.
1. Use the **Objects browser** pane in the **Objects** tab to browse to the location of the object.
1. Add a check mark next to the object for which you want to add or delete a tag.
1. In the object information pane, choose one of the following options under the **Object tags** section:
+ **Add** or **Edit** (if tags have already been added). Enter a key into the Key text box, and a value into the **Value** text box. Then, choose **Save** to add the tag. Otherwise, choose **Cancel**.
+ **Edit**, and then choose the **X** next to the key-value tag that you want to delete. Choose **Save** when you're done to delete the tag, or choose **Cancel** to not delete it.
## Add and delete tags for objects using the AWS CLI
Complete the following procedure to add tags to objects or delete tags from objects using the AWS Command Line Interface (AWS CLI). You do this by using the `put-object-tagging` and `delete-object-tagging` commands. For more information, see [put-object-tagging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-object-tagging.html) and [delete-object-tagging](https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-object-tagging.html) in the *AWS CLI Command Reference*.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter one of the following commands:
+ To add a tag to an object:
```
aws s3api put-object-tagging --bucket BucketName --key ObjectKey --tagging "{\"TagSet\":[{ \"Key\": \"KeyTag\", \"Value\": \"ValueTag\" }]}"
```
In the command, replace the following example text with your own:
+ *BucketName* - The name of the bucket that contains the object you want to tag.
+ *ObjectKey* - The full object key of the object you want to tag.
+ *KeyTag* - The key value of your tag.
+ *ValueTag* - The value of your tag.
+ To add a tag to an object:
```
aws s3api put-object-tagging --bucket BucketName --key ObjectKey --tagging "{\"TagSet\":[{ \"Key\": \"KeyTag1\", \"Value\": \"ValueTag1\" }, { \"Key\": \"KeyTag2\", \"Value\": \"ValueTag2\" }]}"
```
In the command, replace the following example text with your own:
+ *BucketName* - The name of the bucket that contains the object you want to tag.
+ *ObjectKey* - The full object key of the object you want to tag.
+ *KeyTag1* - The key value of your first tag.
+ *ValueTag1* - The value of your first tag.
+ *KeyTag2* - The key value of your second tag.
+ *ValueTag2* - The value of your second tag.
+ To delete all tags from an object:
```
aws s3api delete-object-tagging --bucket BucketName --key ObjectKey
```
In the command, replace the following example text with your own:
+ *BucketName* - The name of the bucket that contains the object for which you want to delete all tags.
+ *ObjectKey* - The full object key of the object you want to tag.
Example:
```
aws s3api delete-object --bucket amzn-s3-demo-bucket --key nptLmg6jqDo.jpg --tagging "{\"TagSet\":[{ \"Key\": \"Importance\", \"Value\": \"High\" }]}"
```
You should see a result similar to the following example:
![\[Result of the AWS CLI put-object-tagging command\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3api-put-object-tagging-result.png)
## Manage buckets and objects
These are the general steps to manage your Lightsail object storage bucket:
1. Learn about objects and buckets in the Amazon Lightsail object storage service. For more information, see [Object storage in Amazon Lightsail](buckets-in-amazon-lightsail.md).
1. Learn about the names that you can give your buckets in Amazon Lightsail. For more information, see [Bucket naming rules in Amazon Lightsail](bucket-naming-rules-in-amazon-lightsail.md).
1. Get started with the Lightsail object storage service by creating a bucket. For more information, see [Creating buckets in Amazon Lightsail](amazon-lightsail-creating-buckets.md).
1. Learn about security best practices for buckets and the access permissions that you can configure for your bucket. You can make all objects in your bucket public or private, or you can choose to make individual objects public. You can also grant access to your bucket by creating access keys, attaching instances to your bucket, and granting access to other AWS accounts. For more information, see [Security Best Practices for Amazon Lightsail object storage](amazon-lightsail-bucket-security-best-practices.md) and [Understanding bucket permissions in Amazon Lightsail](amazon-lightsail-understanding-bucket-permissions.md).
After learning about bucket access permissions, see the following guides to grant access to your bucket:
+ [Block public access for buckets in Amazon Lightsail](amazon-lightsail-block-public-access-for-buckets.md)
+ [Configuring bucket access permissions in Amazon Lightsail](amazon-lightsail-configuring-bucket-permissions.md)
+ [Configuring access permissions for individual objects in a bucket in Amazon Lightsail](amazon-lightsail-configuring-individual-object-access.md)
+ [Creating access keys for a bucket in Amazon Lightsail](amazon-lightsail-creating-bucket-access-keys.md)
+ [Configuring resource access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-resource-access.md)
+ [Configuring cross-account access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-cross-account-access.md)
1. Learn how to enable access logging for your bucket, and how to use access logs to audit the security of your bucket. For more information, see the following guides.
+ [Access logging for buckets in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-logs.md)
+ [Access log format for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-log-format.md)
+ [Enabling access logging for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-enabling-bucket-access-logs.md)
+ [Using access logs for a bucket in Amazon Lightsail to identify requests](amazon-lightsail-using-bucket-access-logs.md)
1. Create an IAM policy that grants a user the ability to manage a bucket in Lightsail. For more information, see [IAM policy to manage buckets in Amazon Lightsail](amazon-lightsail-bucket-management-policies.md).
1. Learn about the way that objects in your bucket are labeled and identified. For more information, see [Understanding object key names in Amazon Lightsail](understanding-bucket-object-key-names-in-amazon-lightsail.md).
1. Learn how to upload files and manage objects in your buckets. For more information, see the following guides.
+ [Uploading files to a bucket in Amazon Lightsail](amazon-lightsail-uploading-files-to-a-bucket.md)
+ [Uploading files to a bucket in Amazon Lightsail using multipart upload](amazon-lightsail-uploading-files-to-a-bucket-using-multipart-upload.md)
+ [Viewing objects in a bucket in Amazon Lightsail](amazon-lightsail-viewing-objects-in-a-bucket.md)
+ [Copying or moving objects in a bucket in Amazon Lightsail](amazon-lightsail-copying-moving-bucket-objects.md)
+ [Downloading objects from a bucket in Amazon Lightsail](amazon-lightsail-downloading-bucket-objects.md)
+ [Filtering objects in a bucket in Amazon Lightsail](amazon-lightsail-filtering-bucket-objects.md)
+ [Tagging objects in a bucket in Amazon Lightsail](#amazon-lightsail-tagging-bucket-objects)
+ [Deleting objects in a bucket in Amazon Lightsail](amazon-lightsail-deleting-bucket-objects.md)
1. Enable object versioning to preserve, retrieve, and restore every version of every object stored in your bucket. For more information, see [Enabling and suspending object versioning in a bucket in Amazon Lightsail](amazon-lightsail-managing-bucket-object-versioning.md).
1. After enabling object versioning, you can restore previous versions of objects in your bucket. For more information, see [Restoring previous versions of objects in a bucket in Amazon Lightsail](amazon-lightsail-restoring-bucket-object-versions.md).
1. Monitor the utilization of your bucket. For more information, see [Viewing metrics for your bucket in Amazon Lightsail](amazon-lightsail-viewing-bucket-metrics.md).
1. Configure an alarm for bucket metrics to be notified when the utilization of your bucket crosses a threshold. For more information, see [Creating bucket metric alarms in Amazon Lightsail](amazon-lightsail-adding-bucket-metric-alarms.md).
1. Change the storage plan of your bucket if it's running low on storage and network transfer. For more information, see [Changing the plan of your bucket in Amazon Lightsail](amazon-lightsail-changing-bucket-plans.md).
1. Learn how to connect your bucket to other resources. For more information, see the following tutorials.
+ [Tutorial: Connecting a WordPress instance to an Amazon Lightsail bucket](amazon-lightsail-connecting-buckets-to-wordpress.md)
+ [Tutorial: Using an Amazon Lightsail bucket with a Lightsail content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md)
1. Delete your bucket if you're no longer using it. For more information, see [Deleting buckets in Amazon Lightsail](amazon-lightsail-deleting-buckets.md).
# Control access to Lightsail buckets for instances
Attach an Amazon Lightsail instance to a Lightsail bucket to give it full programmatic access to the bucket and its objects. When you attach instances to buckets, you don't have to manage credentials like access keys. The instances and buckets that you attach must be in the same AWS Region. You cannot attach instances to buckets that are in a different Region.
Resource access is ideal if you're configuring software or a plugin on your instance to upload files directly to your bucket. For example, if you want to configure a WordPress instance to store media files on a bucket. For more information, see [Tutorial: Connect a bucket to your WordPress instance](amazon-lightsail-connecting-buckets-to-wordpress.md#amazon-lightsail-connecting-buckets-to-wordpress.title).
For more information about permission options, see [Bucket permissions](amazon-lightsail-understanding-bucket-permissions.md). For more information about security best practices, see [Security Best Practices for object storage](amazon-lightsail-bucket-security-best-practices.md). For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
## Configure resource access for a bucket
Complete the following procedure to configure resource access for a bucket.
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket for which you want to configure resource access.
1. Choose the **Permissions** tab.
The **Resource access** section of the page displays the instances currently attached to the bucket, if any.
1. Choose **Attach instance** to attach an instance to the bucket.
1. In the **Select an instance** dropdown menu, select the instance that you want to attach to the bucket.
**Note**
You can attach instances that are in a running or stopped state only. Additionally, you can attach only instances that are in the same AWS Region as the bucket.
1. Choose **Attach** to attach the instance. Otherwise, choose **Cancel**.
The instance has full access to the bucket and its objects after it's attached. You can configure software or a plugin on your instance to programmatically upload and access files on your bucket. For example, if you want to configure a WordPress instance to store media files on a bucket. For more information, see [Tutorial: Connect a bucket to your WordPress instance](amazon-lightsail-connecting-buckets-to-wordpress.md).
# Adjust Lightsail bucket storage plan for usage fluctuations
In the Amazon Lightsail object storage service, a bucket's storage plan specifies its monthly cost, storage space quota, and data transfer quota. You can update your bucket's storage plan only one time within a monthly AWS billing cycle. When you change your bucket's storage plan, the storage space and network transfer quotas are reset. However, the excess storage space and data transfer charges you might have incurred from using the previous storage plan are not covered.
Update your bucket's storage plan if it's consistently going over its storage space or data transfer quota, or if your bucket's usage is consistently in the lower range of these quotas. Because your bucket might experience unpredictable usage fluctuations, we strongly recommend that you update your bucket's storage plan only as a long-term strategy, instead of as a short-term, monthly cost-cutting measure. Choose a storage plan that will provide your bucket with an ample storage space and data transfer quota for a long time to come.
For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
## Change your bucket's storage plan using the Lightsail console
Complete the following procedure to change your bucket's storage plan using the Lightsail console.
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket for which you want to change the plan.
1. Choose the **Metrics** tab in the bucket management page.
1. Choose **Change storage plan**.
1. In the confirmation prompt that appears, choose **Yes, change** to continue to change your bucket storage plan. Otherwise, choose **No, cancel**.
1. Choose the plan that you want to use, and then choose **Select plan**.
1. In the confirmation prompt that appears, choose **Yes, apply** to apply the change to your bucket, or choose **No, go back** to not apply it.
## Change your bucket's storage plan using the AWS CLI
Complete the following procedure to change the plan of your bucket using the AWS Command Line Interface (AWS CLI). You do this by using the `update-bucket-bundle` command. Note that a bucket storage plan is referred to as a bucket bundle in the API. For more information, see [update-bucket-bundle](https://docs.aws.amazon.com/cli/latest/reference/lightsail/update-bucket-bundle.html) in the *AWS CLI Command Reference*.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter the following command to change the plan of your bucket.
```
aws lightsail update-bucket-bundle --bucket-name BucketName --bundle-id BundleID
```
In the command, replace the following example text with your own:
+ *BucketName* - The name of the bucket for which you want to update the storage plan.
+ *BundleID* - The ID of the new bucket bundle you want to apply to the bucket. Use the `get-bucket-bundles` command to see a list of available bucket bundles and their IDs. For more information, see [get-bucket-bundles](https://docs.aws.amazon.com/cli/latest/reference/lightsail/get-bucket-bundle.html) in the *AWS CLI Command Reference*.
Example:
```
aws lightsail update-bucket-bundle --bucket-name amzn-s3-demo-bucket --bundle-id medium_1_0
```
You should see a result similar to the following example:
![\[Result of the update bucket bundle request\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-update-bucket-bundle-cli.png)
# Manage Lightsail bucket access permissions for enhanced security
Use bucket access permissions to control public (unauthenticated) read-only access to objects in a bucket. You can make a bucket private or public (read-only). You can also make a bucket private, while having the option to make individual objects public (read-only).
**Important**
When you make a bucket public (read-only), you make all objects in the bucket readable by anyone on the internet through the bucket's URL (for example, `https://amzn-s3-demo-bucket.us-east-1.amazonaws.com/media/sailbot.jpg`). Don't make a bucket public (read-only) if you don't want anyone on the internet to have access to your objects.
For more information about permission options, see [Bucket permissions](amazon-lightsail-understanding-bucket-permissions.md). For more information about security best practices, see [Security Best Practices for object storage](amazon-lightsail-bucket-security-best-practices.md). For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
**Important**
Lightsail object storage resources take into account both Lightsail bucket access permissions and Amazon S3 account-level block public access configurations when allowing or denying public access. For more information, see [Block public access for buckets](amazon-lightsail-block-public-access-for-buckets.md).
## Configure bucket access permissions
Complete the following procedure to configure access permissions for a bucket.
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket for which you want to configure access permissions.
1. Choose the **Permissions** tab.
The **Bucket access permissions** section of the page displays the currently configured access permission for the bucket.
1. Choose **Change permission** to change the bucket access permissions.
1. Choose one of the following options:
+ **All objects are private** – All objects in the bucket are readable only by you or anyone you give access to.
+ **Individual objects can be made public (read-only)** – Objects in the bucket are readable only by you or anyone you give access to, unless you specify an individual object to be public (read-only). For more information about individual object access permissions, see [Configure access permissions for individual objects in a bucket](amazon-lightsail-configuring-individual-object-access.md).
We recommend that you select the **Individual objects can be made public (read-only)** option only if you have a specific need to do so, such as making only some of the objects in your bucket public while keeping all other objects private. For example, some WordPress plugins require that your bucket allows individual objects to be made public. For more information, see [Tutorial: Connect a bucket to your WordPress instance](amazon-lightsail-connecting-buckets-to-wordpress.md) and [Tutorial: Use a bucket with a content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md).
+ **All objects are public (read-only)** – All objects in the bucket are readable by anyone on the internet.
**Important**
When you make a bucket public (read-only), you make all objects in the bucket readable by anyone on the internet through the bucket's URL (for example, `https://amzn-s3-demo-bucket.us-east-1.amazonaws.com/media/sailbot.jpg`). Don't make a bucket public (read-only) if you don't want anyone on the internet to have access to your objects.
1. Choose **Save** to save the change. Otherwise, choose **Cancel**.
The following changes are implemented depending on which bucket access permission you change to:
+ **All objects are private** - All objects in the bucket become private even if they were previously configured with a **Public (read-only)** individual object access permission.
+ **Individual objects can be made public (read-only)** - Objects that were previously configured with a **Public (read-only)** individual object access permission become public. You can now configure individual object access permissions for objects.
+ **All objects are public (read-only)** - All objects in the bucket become public (read-only) even if they were previously configured with a **Private** individual object access permission.
For more information about individual object access permissions, see [Configure access permissions for individual objects in a bucket](amazon-lightsail-configuring-individual-object-access.md).
# Grant read-only access to Lightsail buckets across AWS accounts
Use cross-account access to grant read-only access to all objects in a bucket for other AWS accounts and their users. Cross-account access is ideal if you want to share objects with another AWS account. When you grant cross-account access to another AWS account, users in that account have read-only access to objects in a bucket through the URL of the bucket and objects (for example, `https://amzn-s3-demo-bucket.us-east-1.amazonaws.com/media/sailbot.jpg`). You can give bucket access to a maximum of 10 AWS accounts.
For more information about permission options, see [Bucket permissions](amazon-lightsail-understanding-bucket-permissions.md). For more information about security best practices, see [Security Best Practices for object storage](amazon-lightsail-bucket-security-best-practices.md). For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
## Configure cross-account access for a bucket
Complete the following procedure to configure cross-account access for a bucket.
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket for which you want to configure cross-account access.
1. Choose the **Permissions** tab.
The **Cross-account access** section of the page displays the AWS account IDs that are currently configured to access the bucket, if any.
1. Choose **Add cross-account access** to grant access to the bucket for another AWS account.
1. Enter the ID of the AWS account for which you want to grant access in the **Account ID** text box.
1. Choose **Save** to grant access. Otherwise, choose **Cancel**.
The AWS account ID you added is listed in the **Cross-account access** section of the page. To remove cross-account access for an AWS account, choose the delete (trash can) icon next to the AWS account ID that you want to remove.
# Grant public access to individual bucket objects in Amazon Lightsail
Use individual object access permissions to control public (unauthenticated) read-only access to individual objects in a bucket. You can make individual objects in a bucket private or public (read-only).
**Important**
Individual object access permissions can be configured only when the access permission of a bucket is set to **Individual objects can be made public (read-only)**. For more information about bucket permission options, see [Bucket permissions](amazon-lightsail-understanding-bucket-permissions.md). For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
We recommend that you configure individual object access permissions only if you have a specific need to do so, such as making only some of the objects in your bucket public while keeping all other objects private. For example, some WordPress plugins require that your bucket allows individual objects to be made public. For more information, see [Tutorial: Connect a bucket to your WordPress instance](amazon-lightsail-connecting-buckets-to-wordpress.md) and [Tutorial: Use a bucket with a content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md).
For more information about permission options, see [Bucket permissions](amazon-lightsail-understanding-bucket-permissions.md). For more information about security best practices, see [Security Best Practices for object storage](amazon-lightsail-bucket-security-best-practices.md). For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
## Configure individual object access permissions
Complete the following procedure to configure access permissions for an individual object in a bucket. For an example IAM policy that grants a user the ability to manage a bucket in Lightsail, see , [IAM policy to manage buckets](amazon-lightsail-bucket-management-policies.md).
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket for which you want to configure access permissions for an individual object.
1. Choose the **Objects** tab.
1. Add a check mark next to the object for which you want to configure an access permission.
The object information pane displays the current access permissions for the object.
1. Choose **Edit** in the **Permissions** section of the object information pane to change the access permission for the object.
**Note**
If the edit option is not available, then the access permission of your bucket does not allow for individual object access permissions to be configured. To configure individual object access permissions, the bucket access permission must be set to **Individual objects can be made public (read-only)**. For more information, see [Configure bucket access permissions](amazon-lightsail-configuring-bucket-permissions.md).
1. Choose one of the following options in the **Select a permission** dropdown menu:
+ **Private** – The object is readable only by you or anyone you give access to.
+ **Public (read-only)** – The object is readable by anyone in the world.
1. Choose **Save** to save the change. Otherwise, choose **Cancel**.
The **Bucket access permission** setting of the bucket has the following effects on individual object access permissions:
+ If you change the bucket access permission to **All objects are private**, all objects in the bucket become private even if they were configured with a **Public (read-only)** individual object access permission. However, individual object access permissions that were configured are retained. For example, if you change the bucket access permission back to **Individual objects can be made public (read-only)**, all objects with a **Public (read-only)** individual access permission become publicly readable again.
+ If you change the bucket access permission to **All objects are public (read-only)**, all objects in the bucket become public (read-only), even if they were configured with a **Private** individual object access permission.
For more information about bucket access permissions, see [Configure bucket access permissions](amazon-lightsail-configuring-bucket-permissions.md).
# Upload files to a Lightsail bucket with multipart upload
With multipart upload, you can upload a single file to your bucket as a set of parts. Each part is a contiguous portion of the file's data. You can upload these file parts independently and in any order. If transmission of any part fails, you can retransmit that part without affecting other parts. After all parts of your file are uploaded, Amazon S3 assembles these parts and creates the object in your bucket in Amazon Lightsail. In general, when your object size reaches 100 MB, you should consider using multipart uploads instead of uploading the object in a single operation. For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
Using multipart upload provides the following advantages:
+ Improved throughput - You can upload parts in parallel to improve throughput.
+ Quick recovery from any network issues - Smaller part size minimizes the impact of restarting a failed upload due to a network error.
+ Upload over time - You can upload file parts over time. After you initiate a multipart upload, you have 24 hours to complete the multipart upload.
+ Begin an upload before you know the final file size - You can upload a file as you are creating it.
We recommend that you use multipart upload in the following ways:
+ If you're uploading large files over a stable high-bandwidth network, multipart upload maximizes the use of your available bandwidth by uploading file parts in parallel for multi-threaded performance.
+ If you're uploading over a spotty network, use multipart upload to increase resiliency to network errors by avoiding upload restarts. When using multipart upload, you retry uploads only for the interrupted parts. There's no need to start over or upload the entire file again.
**Contents**
+ [Multipart upload process](#mutipart-upload-process)
+ [Concurrent multipart upload operations](#concurrent-multipart-upload-operations)
+ [Multipart upload retention](#multipart-upload-retention)
+ [Amazon Simple Storage Service multipart upload limits](#multipart-upload-limits)
+ [Split the file to upload](#split-the-file-to-upload)
+ [Initiate a multipart upload using the AWS CLI](#initiate-multipart-upload)
+ [Upload a part using the AWS CLI](#upload-a-part)
+ [List parts of a multipart upload using the AWS CLI](#list-parts-of-multipart-upload)
+ [Create a multipart upload .json file](#create-multipart-upload-json-file)
+ [Complete a multipart upload using the AWS CLI](#complete-multipart-upload)
+ [List multipart uploads for a bucket using the AWS CLI](#list-multipart-uploads)
+ [Stop a multipart upload using the AWS CLI](#stop-multipart-uploads)
## Multipart upload process
Multipart upload is a three-step process that uses Amazon S3 actions to upload files to your bucket in Lightsail:
1. You initiate the multipart upload using the [CreateMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html) action.
1. You upload the file parts using the [UploadPart](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html) action.
1. You complete the multipart upload using the [CompleteMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html) action.
**Note**
You can stop a multipart upload after you've initiated it by using the [AbortMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html) action.
When the multipart upload request completes, Amazon Simple Storage Service constructs the object from the uploaded parts. Then you can access the object in the same way that you would access any other object in your bucket.
You can list all of your in-progress multipart uploads or get a list of the parts that you have uploaded for a specific multipart upload. Each of these operations is explained in this section.
**Multipart upload initiation**
When you send a request to initiate a multipart upload, Amazon Simple Storage Service returns a response with an upload ID. This is a unique identifier for your multipart upload. You must include the upload ID whenever you upload parts, list the parts, complete an upload, or stop an upload. If you want to provide any metadata describing the object being uploaded, you must specify the metadata in the request to initiate multipart upload.
**Parts upload**
When uploading a part, in addition to the upload ID, you must specify a part number. You can choose any part number between 1 and 10,000. A part number uniquely identifies a part and its position in the object you are uploading. The part number that you choose doesn’t need to be in a consecutive sequence (for example, it can be 1, 5, and 14). If you upload a new part using the same part number as a previously uploaded part, the previously uploaded part is overwritten.
Whenever you upload a part, Amazon Simple Storage Service returns an ETag header in its response. For each part upload, you must record the part number and the ETag value. You must include these values in the subsequent request to complete the multipart upload.
**Note**
All uploaded parts of a multipart upload are stored on your bucket. They consume your bucket's storage space until you complete the upload, stop the upload, or the upload times-out. For more information, see [Multipart upload retention](#multipart-upload-retention) later in this guide.
**Multipart upload completion**
When you complete a multipart upload, Amazon Simple Storage Service creates an object by concatenating the parts in ascending order based on the part number. If any object metadata was provided in the initiate multipart upload request, Amazon Simple Storage Service associates that metadata with the object. After a successful complete request, the parts no longer exist.
Your complete multipart upload request must include the upload ID and a list of both part numbers and corresponding ETag values. The Amazon Simple Storage Service response includes an ETag that uniquely identifies the combined object data. This ETag is not necessarily an MD5 hash of the object data.
You can optionally stop the multipart upload. After stopping a multipart upload, you cannot upload any part using that upload ID again. All storage from any part of the canceled multipart upload is then freed. If any part uploads were in-progress, they can still succeed or fail even after you stop. To free all storage consumed by all parts, you must stop a multipart upload only after all part uploads have completed.
**Multipart upload listings**
You can list the parts of a specific multipart upload or all in-progress multipart uploads. The list parts operation returns the parts information that you have uploaded for a specific multipart upload. For each list parts request, Amazon Simple Storage Service returns the parts information for the specified multipart upload, up to a maximum of 1,000 parts. If there are more than 1,000 parts in the multipart upload, you must send a series of list part requests to retrieve all the parts. Note that the returned list of parts doesn't include parts that are still in the process of uploading. Using the list multipart uploads operation, you can obtain a list of multipart uploads in progress.
An in-progress multipart upload is an upload that you have initiated, but have not yet completed or stopped. Each request returns at most 1,000 multipart uploads. If there are more than 1,000 multipart uploads in progress, you must send additional requests to retrieve the remaining multipart uploads. Only use the returned listing for verification. Do not use the result of this listing when sending a complete multipart upload request. Instead, maintain your own list of the part numbers you specified when uploading parts and the corresponding ETag values that Amazon Simple Storage Service returns.
## Concurrent multipart upload operations
In a distributed development environment, it is possible for your application to initiate several updates on the same object at the same time. Your application might initiate several multipart uploads using the same object key. For each of these uploads, your application can then upload parts and send a complete upload request to Amazon Simple Storage Service to create the object. When the buckets have versioning enabled, completing a multipart upload always creates a new version. For buckets that don't have versioning enabled, other request might take precedence, such as requests that are received after a multipart upload is initiated and before it's complete.
**Note**
It is possible for other requests to take precedence, such as requests that are received after you initiate a multipart upload and before it is complete. For example, another operation might delete a key after you initiate a multipart upload with that key, and before the multipart upload is complete. If this occurs, the complete multipart upload response might indicate a successful object creation without you ever seeing the object.
## Multipart upload retention
All uploaded parts of a multipart upload are stored on your bucket. They consume your bucket's storage space until you complete the upload, stop the upload, or the upload times out. A multipart upload times out, and the multipart upload is deleted, after 24 hours from when it was created. When you stop a multipart upload, or it times out, all uploaded parts are deleted and the storage space they used to consume on your bucket is freed.
## Amazon Simple Storage Service multipart upload limits
The following table provides multipart upload core specifications.
+ Maximum object size: 50 TB
+ Maximum number of parts per upload: 10,000
+ Part numbers: 1-10,000 (inclusive)
+ Part size: 5 MB (minimum) - 5 GB (maximum). There is no size limit on the last part of your multipart upload.
+ Maximum number of parts returned for a list parts request: 1,000
+ Maximum number of multipart uploads returned in a list multipart uploads request: 1,000
## Split the file to upload
Use the `split` command on the Linux or Unix operating system to split a file into multiple parts that you then upload to your bucket. There are similar free-ware applications that you can use on the Windows operating system to split a file. After you split the file into multiple parts, continue to the [Initiate a multipart upload](#initiate-multipart-upload) section of this guide.
## Initiate a multipart upload using the AWS CLI
Complete the following procedure to initiate a multipart upload using the AWS Command Line Interface (AWS CLI). You do this by using the `create-multipart-upload` command. For more information, see [create-multipart-upload](https://docs.aws.amazon.com/cli/latest/reference/s3api/create-multipart-upload.html) in the *AWS CLI Command Reference*.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter the following command to create a multipart upload for your bucket.
```
aws s3api create-multipart-upload --bucket BucketName --key ObjectKey --acl bucket-owner-full-control
```
In the command, replace the following example text with your own:
+ *BucketName* - The name of the bucket for which you want to create a multipart upload.
+ *ObjectKey* - The object key to use for the file that you will upload.
Example:
```
aws s3api create-multipart-upload --bucket amzn-s3-demo-bucket --key sailbot.mp4 --acl bucket-owner-full-control
```
You should see a result similar to the following example. The response includes an `UploadID`, which you must specify in subsequent commands to upload parts, and to complete the multipart upload for this object.
![\[Result of the create-multipart-upload command\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3api-create-multipart-upload-result.png)
After you have the `UploadID` for your multipart upload, continue to the following [Upload a part using the AWS CLI](#upload-a-part) section of this guide and start uploading parts.
## Upload a part using the AWS CLI
Complete the following procedure to upload a part of a multipart upload using the AWS Command Line Interface (AWS CLI). You do this by using the `upload-part` command. For more information, see [upload-part](https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part.html) in the *AWS CLI Command Reference*.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter the following command to upload a part to your bucket.
```
aws s3api upload-part --bucket BucketName --key ObjectKey --part-number Number --body FilePart --upload-id "UploadID" --acl bucket-owner-full-control
```
In the command, replace the following example text with your own:
+ *BucketName* - The name of the bucket for which you want to create a multipart upload.
+ *ObjectKey* - The object key to use for the file that you will upload.
+ *Number* - The part number of the part you are uploading. A part number uniquely identifies a part and its position in the object you are uploading. Make sure to incrementally increase the `--part-number` parameter with each part that you upload. To do so, number them in the order in which Amazon Simple Storage Service should assemble the object when you complete the multipart upload.
+ *FilePart* - The part file to upload from your computer.
+ *UploadID* - The upload ID of the multipart upload that you created earlier in this guide.
Example:
```
aws s3api upload-part --bucket amzn-s3-demo-bucket --key sailbot.mp4 --part-number 1 --body sailbot.mp4.001 --upload-id "R4QU.mO.exampleiHWiLOeNw7JtXX7OotRhTLsXXCzF21CZdYlfj5lfjtiMnpzVw2WPj.exampleBTmL_N_.42.DlHYOTsITFsX.tO3XOUTTAHiCxY5VR8jWRGdkVkUG" --acl bucket-owner-full-control
```
You should see a result similar to the following example. Repeat the `upload-part` command for each part you upload. The response for each of your upload part requests will include an `ETag` value for the part that you uploaded. Record the `ETag` values for each of the parts that you upload. You will need all of the `ETag` values to complete the multipart upload, which is covered later in this guide.
![\[Result of the upload-part command\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3api-upload-part-result.png)
## List parts of a multipart upload using the AWS CLI
Complete the following procedure to list parts of a multipart upload using the AWS Command Line Interface (AWS CLI). You do this by using the `list-parts` command. For more information, see [list-parts](https://docs.aws.amazon.com/cli/latest/reference/s3api/list-parts.html) in the *AWS CLI Command Reference*.
Complete this procedure to get the `ETag` values for all of the uploaded parts in a multipart upload. You will need these values to complete the multipart upload later in this guide. However, if you recorded all of the `ETag` values from the response of your part uploads, then you can skip this procedure and continue to the [Create a multipart upload .json](#create-multipart-upload-json-file) file section of this guide.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter the following command to list the parts of a multipart upload on your bucket.
```
aws s3api list-parts --bucket BucketName --key ObjectKey --upload-id "UploadID"
```
In the command, replace the following example text with your own:
+ *BucketName* - The name of the bucket for which you want to list the parts of a multipart upload.
+ *ObjectKey* - The object key of the multipart upload.
+ *UploadID* - The upload ID of the multipart upload that you created earlier in this guide.
Example:
```
aws s3api list-parts --bucket amzn-s3-demo-bucket --key sailbot.mp4 --upload-id "R4QU.mO.exampleiHWiLOeNw7JtXX7OotRhTLsXXCzF21CZdYlfj5lfjtiMnpzVw2WPj.exampleBTmL_N_.42.DlHYOTsITFsX.tO3XOUTTAHiCxY5VR8jWRGdkVkUG"
```
You should see a result similar to the following example. The response lists all of the part numbers and `ETag` values for the parts that you uploaded in the multipart upload. Copy these values to your clipboard, and continue to the [Create a multipart upload .json](#create-multipart-upload-json-file) section of this guide.
![\[Result of the list-parts command\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3api-list-parts-result.png)
## Create a multipart upload .json file
Complete the following procedure to create a multipart upload .json file that defines all of the parts you uploaded and their `ETag` values. This is required later in this guide to complete the multipart upload.
1. Open a text editor, and paste the response from the `list-parts` command that you requested in the previous section of this guide.
The result should look like the following example.
![\[Multipart upload JSON file number 1\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-multipart-upload-json-file-1.png)
1. Reformat the text file as shown in the following example:
![\[Multipart upload JSON file number 2\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-multipart-upload-json-file-2.png)
1. Save the text file to your computer as `mpstructure.json`, and continue to the [Complete a multipart upload using the AWS CLI](#complete-multipart-upload) section of this guide.
## Complete a multipart upload using the AWS CLI
Complete the following procedure to complete a multipart upload using the AWS Command Line Interface (AWS CLI). You do this by using the `complete-multipart-upload` command. For more information, see [complete-multipart-upload](https://docs.aws.amazon.com/cli/latest/reference/s3api/complete-multipart-upload.html) in the *AWS CLI Command Reference*.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter the following command to upload a part to your bucket.
```
aws s3api complete-multipart-upload --multipart-upload file://JSONFileName --bucket BucketName --key ObjectKey --upload-id "UploadID" --acl bucket-owner-full-control
```
In the command, replace the following example text with your own:
+ *JSONFileName* - The name of the .json file that you created earlier in this guide (for example, `mpstructure.json`).
+ *BucketName* - The name of the bucket for which you want to complete a multipart upload.
+ *ObjectKey* - The object key of the multipart upload.
+ *UploadID* - The upload ID of the multipart upload that you created earlier in this guide.
```
aws s3api complete-multipart-upload --multipart-upload file://mpstructure.json --bucket amzn-s3-demo-bucket --key sailbot.mp4 --upload-id "R4QU.mO.exampleiHWiLOeNw7JtXX7OotRhTLsXXCzF21CZdYlfj5lfjtiMnpzVw2WPj.exampleBTmL_N_.42.DlHYOTsITFsX.tO3XOUTTAHiCxY5VR8jWRGdkVkUG" --acl bucket-owner-full-control
```
You should see a response similar to the following example. This confirms that the multipart upload is completed. The object is now assembled and available in the bucket.
![\[Result of the complete-multipart-upload command\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3api-complete-multipart-upload-result.png)
## List multipart uploads for a bucket using the AWS CLI
Complete the following procedure to list all multipart uploads for a bucket using the AWS Command Line Interface (AWS CLI). You do this by using the `list-multipart-uploads` command. For more information, see [list-multipart-uploads](https://docs.aws.amazon.com/cli/latest/reference/s3api/list-multipart-uploads.html) in the *AWS CLI Command Reference*.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter the following command to upload a part to your bucket.
```
aws s3api list-multipart-uploads --bucket BucketName
```
In the command, replace *BucketName* with the name of the bucket for which you want to list all multipart uploads.
Example:
```
aws s3api list-multipart-uploads --bucket amzn-s3-demo-bucket
```
You should see a response similar to the following example.
![\[Result of the list-multipart-uploads command\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3api-list-multipart-uploads-result.png)
## Stop a multipart upload using the AWS CLI
Complete the following procedure to stop a multipart upload using the AWS Command Line Interface (AWS CLI). You do this if you started a multipart upload but no longer want to continue it. You do this by using the `abort-multipart-upload` command. For more information, see [abort-multipart-upload](https://docs.aws.amazon.com/cli/latest/reference/s3api/abort-multipart-upload.html) in the *AWS CLI Command Reference*.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter the following command to upload a part to your bucket.
```
aws s3api abort-multipart-upload --bucket BucketName --key ObjectKey --upload-id "UploadID" --acl bucket-owner-full-control
```
In the command, replace the following example text with your own:
+ *BucketName* - The name of the bucket for which you want to stop a multipart upload.
+ *ObjectKey* - The object key of the multipart upload.
+ *UploadID* - The upload ID of the multipart upload that you want to stop.
Example:
```
aws s3api abort-multipart-upload --bucket amzn-s3-demo-bucket --key sailbot.mp4 --upload-id "R4QU.mO.exampleiHWiLOeNw7JtXX7OotRhTLsXXCzF21CZdYlfj5lfjtiMnpzVw2WPj.exampleBTmL_N_.42.DlHYOTsITFsX.tO3XOUTTAHiCxY5VR8jWRGdkVkUG" --acl bucket-owner-full-control
```
This command does not return a response. You can run a `list-multipart-uploads` command to confirm that the multipart upload was stopped.
# Follow bucket naming requirements for Lightsail object storage
When you create a bucket in the Amazon Lightsail object storage service, you must give it a name. The name of the bucket is part of the URL that your customers will use when accessing objects that are stored in the bucket. For example, if you name your bucket `amzn-s3-demo-bucket` in the `us-east-1` AWS Region, the URL for your bucket is `amzn-s3-demo-bucket.s3.us-east-1.amazonaws.com`. You cannot change the name of your bucket after you create it. Keep in mind that your customers are able to see the bucket name that you specify. For more information about the Lightsail object storage service, see [Object storage](buckets-in-amazon-lightsail.md). For more information about creating buckets, see [Create a bucket](amazon-lightsail-creating-buckets.md).
Bucket names must be DNS-compliant. Because of this, the following rules apply for naming buckets in Lightsail:
+ Bucket names must be between 3 and 54 characters long.
+ Bucket names can consist only of lowercase letters, numbers, and hyphens (-).
+ Bucket names must begin and end with a letter or number.
+ Hyphens (-) can separate words, but cannot be specified consecutively. For example, `doc-example-bucket` is allowed but `doc--example--bucket` isn't.
+ Bucket names must be unique within the `aws` (Standard Regions) partition, including buckets in Amazon Simple Storage Service (Amazon S3).
+ Bucket names must not start with the prefix `amzn-s3-demo-`.
+ Bucket names must not start with the prefix `sthree-`.
+ Bucket names must not start with the prefix `sthree-configurator`.
+ Bucket names must not end with the suffix `-s3alias`.
## Example bucket names
The following example bucket names are valid and follow the recommended naming guidelines:
+ `docexamplebucket1`
+ `log-delivery-march-2020`
+ `my-hosted-content`
The following example bucket names are not allowed:
+ `doc.example.bucket` (contains periods)
+ `doc--example--bucket` (contains two consecutive hyphens)
+ `doc-example-bucket-` (ends with a hyphen)
# Key names for Lightsail object storage buckets
Files that you upload to your bucket are stored as objects in the Amazon Lightsail object storage service. An object key (or key name) uniquely identifies an object stored in a bucket. This guide explains the concept of key names and key name prefixes that make up the folder structure of buckets viewed through the Lightsail console. For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
## Key names
The Lightsail object storage service data model uses a flat structure instead of a hierarchical structure like you would see in a file system. There is no hierarchy of folders and subfolders. However, you can infer logical hierarchy using key name prefixes and delimiters. The Lightsail console uses the key name prefixes to display your objects in a folder structure.
Suppose that your bucket has four objects with the following object keys:
+ `Development/Projects.xls`
+ `Finance/statement1.pdf`
+ `Private/taxdocument.pdf`
+ `to-dos.doc`
The Lightsail console uses the key name prefixes (`Development/`, `Finance/`, and `Private/`) and the delimiter (`/`) to present a folder structure. The `to-dos.doc` key name does not have a prefix, so its object appears directly at the root level of your bucket. If you browse to the `Development/` folder in the Lightsail console, you see the `Projects.xls` object. In the `Finance/` folder, you see the `statement1.pdf` object, and in the `Private/` folder, you see the `taxdocument.pdf` object.
The Lightsail console allows for folder creation by creating a zero-byte object with the key name prefix and delimiter value as the key name. These folder objects don't appear in the console. However, they behave like any other objects. You can view and manipulate them using the Amazon S3 API, AWS Command Line Interface (AWS CLI), or AWS SDKs.
## Object key naming guidelines
You can use any UTF-8 character in an object key name. However, using certain characters in key names can cause problems with some applications and protocols. The following guidelines help you maximize compliance with DNS, web-safe characters, XML parsers, and other APIs.
### Safe characters
The following character sets are generally safe for use in key names.
+ Alphanumeric characters
+ 0-9
+ a-z
+ A-Z
+ Special characters
+ Forward slash (`/`)
+ Exclamation point (`!`)
+ Hyphen (`-`)
+ Underscore (`_`)
+ Period (`.`)
+ Asterisk (`*`)
+ Single quote (`'`)
+ Open parenthesis (`(`)
+ Close parenthesis (`)`)
The following are examples of valid object key names:
+ `4my-organization`
+ `my.great_photos-2014/jan/myvacation.jpg`
+ `videos/2014/birthday/video1.wmv`
**Important**
If an object key name ends with a single period (.), or two periods (..), you can’t download the object using the Lightsail console. To download an object with a key name ending with one or two periods, you must use the Amazon S3 API, AWS CLI, and AWS SDKs. For more information, see [Download bucket objects](amazon-lightsail-downloading-bucket-objects.md).
### Characters that might require special handling
The following characters in a key name might require additional code handling and likely need to be URL encoded or referenced as HEX. Some of these are non-printable characters that your browser might not handle, which also requires special handling:
+ Ampersand ("`&`")
+ Dollar ("`$`")
+ ASCII character ranges 00–1F hex (0–31 decimal) and 7F (127 decimal)
+ 'At' symbol ("`@`")
+ Equals ("`=`")
+ Semicolon ("`;`")
+ Colon ("`:`")
+ Plus ("`+`")
+ Space – Significant sequences of spaces might be lost in some uses (especially multiple spaces)
+ Comma ("`,`")
+ Question mark ("`?`")
### Characters to avoid
Avoid the following characters in a key name because of significant special handling for consistency across all applications.
+ Backslash ("`\`")
+ Left curly brace ("`{`")
+ Non-printable ASCII characters (128–255 decimal characters)
+ Caret ("`^`")
+ Right curly brace ("`}`")
+ Percent character ("`%`")
+ Grave accent / back tick ("```")
+ Right square bracket ("`]`")
+ Quotation marks
+ 'Greater than' symbol ("`>`")
+ Left square bracket ("`[`")
+ Tilde ("`~`")
+ 'Less than' symbol ("`<`")
+ 'Pound' character ("`#`")
+ Vertical bar / pipe ("`|`")
## XML related object key constraints
As specified by the [XML standard on end-of-line handling](https://www.w3.org/TR/REC-xml/#sec-line-ends), all XML text is normalized so that single carriage returns (ASCII code 13) and carriage returns immediately followed by a line feed (ASCII code 10) are replaced by a single line feed character. To ensure the correct parsing of object keys in XML requests, carriage returns and [other special characters must be replaced with their equivalent XML entity code](https://www.w3.org/TR/xml/#syntax) when they are inserted within XML tags. The following is a list of such special characters and their equivalent entity codes:
+ `'` as `'`
+ `”` as `"`
+ `&` as `&`
+ `<` as `<`
+ `<` as `>`
+ `\r` as `
` or `
`
+ `\n` as `
` or `
`
The following example illustrates the use of an XML entity code as a substitution for a carriage return. This `DeleteObjects` request deletes an object with the key parameter `/some/prefix/objectwith\rcarriagereturn` (where the \$1r is the carriage return).
```
```
# Secure Lightsail object storage buckets
Amazon Lightsail object storage provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.
**Contents**
+ [Preventative security best practices](#bucket-security-best-practices-preventative-practices)
+ [Implement least privilege access](#bucket-security-best-practices-least-privilege-access)
+ [Verify that your Lightsail buckets are not publicly accessible](#bucket-security-best-practices-verify-bucket-permissions)
+ [Enable block public access in Amazon S3](#bucket-security-best-practices-block-public-access)
+ [Attach instances to buckets to grant full programmatic access](#bucket-security-best-practices-attach-instances)
+ [Rotate bucket access keys](#bucket-security-best-practices-rotate-bucket-access-keys)
+ [Use cross-account access to give other AWS accounts access to objects in your bucket](#bucket-security-best-practices-cross-account-access)
+ [Encryption of data](#bucket-security-best-practices-data-encryption)
+ [Enable versioning](#bucket-security-best-practices-enable-versioning)
+ [Monitoring and auditing best practices](#bucket-security-best-practices-monitoring-auditing)
+ [Enable access logging and perform periodic security and access audits](#bucket-security-best-practices-enable-access-logging)
+ [Identify, tag, and audit your Lightsail buckets](#bucket-security-best-practices-identify-tag)
+ [Implement monitoring using AWS monitoring tools](#bucket-security-best-practices-monitoring-tools)
+ [Use AWS CloudTrail](#bucket-security-best-practices-cloudtrail)
+ [Monitor AWS security advisories](#bucket-security-best-practices-security-advisories)
## Preventative security best practices
The following best practices can help prevent security incidents with Lightsail buckets.
### Implement least privilege access
When granting permissions, you decide who is getting what permissions to which Lightsail resources. You enable specific actions that you want to allow on those resources. Therefore, you should grant only the permissions that are required to perform a task. Implementing least privilege access is fundamental in reducing security risk and the impact that could result from errors or malicious intent.
For more information about creating an IAM policy to manage buckets, see [IAM policy to manage buckets](amazon-lightsail-bucket-management-policies.md). For more information about the Amazon S3 actions supported by Lightsail buckets, see [Actions for object storage](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_Amazon_S3.html) in the *Amazon Lightsail API reference*.
### Verify that your Lightsail buckets are not publicly accessible
Buckets and objects are private by default. Keep your bucket private by having the bucket access permission set to **All objects are private**. For the majority of use-cases, you don't need to make your bucket or individual objects public. For more information, see [Configure access permissions for individual objects in a bucket](amazon-lightsail-configuring-individual-object-access.md).
![\[Bucket access permissions in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-bucket-access-permission-all-objects-private.png)
However, if you are using your bucket to host media for your website or application, under certain scenarios, you might need to make your bucket or individual objects public. You can configure one of the following options to make your bucket or individual objects public:
+ If only some of the objects in a bucket need to be public (read-only) to anyone on the internet, then change the bucket access permission to **Individual objects can be made public and read-only**, and change only the objects that need to be public to **Public (read-only)**. This option keeps the bucket private, but gives you the option to make individual objects public. Don't make an individual object public if it contains sensitive or confidential information that you don't want to be publicly accessible. If you make individual objects public, you should periodically validate the public accessibility of each individual object.
![\[Bucket access permissions in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-bucket-access-permission-individual-objects-public.png)
+ If all objects in the bucket need to be public (read-only) to anyone on the internet, then change the bucket access permission to **All objects are public and read-only**. Don't use this option if any of your objects in the bucket contain sensitive or confidential information.
![\[Bucket access permissions in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-bucket-access-permission-all-objects-public.png)
+ If you previously changed a bucket to be public, or changed individual objects to be public, you can quickly change the bucket and all its objects to be private by changing the bucket access permission to **All objects are private**.
![\[Bucket access permissions in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-bucket-access-permission-all-objects-private.png)
### Enable block public access in Amazon S3
Lightsail object storage resources take into account both Lightsail bucket access permissions and Amazon S3 account-level block public access configurations when allowing or denying public access. With Amazon S3 account-level block public access, account administrators and bucket owners can centrally limit public access to their Amazon S3 and Lightsail buckets. Block public access can make all Amazon S3 and Lightsail buckets private regardless of how the resources are created, and regardless of the individual bucket and object permissions that might have been configured. For more information, see [Block public access for buckets](amazon-lightsail-block-public-access-for-buckets.md).
### Attach instances to buckets to grant full programmatic access
Attaching an instance to a Lightsail object storage bucket is the most secure way to provide access to the bucket. The **Resource access** functionality, which is how you attach an instance to a bucket, grants the instance full programmatic access to the bucket. With this method, you don't have to store bucket credentials directly in the instance or application, and you don't have to periodically rotate the credentials. For example, some WordPress plugins can access a bucket that the instance has access to. For more information, see [Configure resource access for a bucket](amazon-lightsail-configuring-bucket-resource-access.md) and [Tutorial: Connect a bucket to your WordPress instance](amazon-lightsail-connecting-buckets-to-wordpress.md).
![\[Bucket resource access in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-bucket-resource-access-attached.png)
However, if the application is not on a Lightsail instance, then you can create and configure bucket access keys. Bucket access keys are long term credentials that are not automatically rotated. For more information, see [Create Lightsail object storage bucket access keys](amazon-lightsail-creating-bucket-access-keys.md).
![\[Bucket access keys in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-bucket-access-keys.png)
### Rotate bucket access keys
You can have a maximum of two access keys per bucket. Although you can have two different access keys at the same time, we recommend that you only create one access key at a time for your bucket outside of key rotation times. This approach ensures that you can create a new bucket access key at any time without the possibility of it being in use. For example, creating the second access key for rotation is helpful if your existing secret access key is copied, lost, or becomes compromised, and you need to rotate your existing access key.
If you use an access key with your bucket, you should periodically rotate your keys and take inventory of the existing keys. Confirm the date an access key was last used, and the AWS Region in which it was used, correspond with your expectations of how the key should be used. The date an access key was last used is displayed in the Lightsail console in the **Access keys** section of the **Permissions** tab of a bucket's management page. Delete access keys that are not being used.
To rotate an access key, you should create a new access key, configure it on your software and test it, and then delete the previously used access key. After you delete an access key, it's gone forever and can't be restored. You can only replace it with a new access key. For more information, see [Create Lightsail object storage bucket access keys](amazon-lightsail-creating-bucket-access-keys.md) and [Delete access keys for a Lightsail object storage bucket](amazon-lightsail-deleting-bucket-access-keys.md).
### Use cross-account access to give other AWS accounts access to objects in your bucket
You can use cross-account access to make objects in a bucket accessible to a specific individual who has an AWS account without making the bucket and its objects public. If you've configured cross account access, make sure that the account IDs listed are the correct accounts that you want to give access to objects in your bucket. For more information, see [Configure cross-account access for a bucket](amazon-lightsail-configuring-bucket-cross-account-access.md).
![\[Bucket cross-account access in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-bucket-cross-account-access.png)
### Encryption of data
Lightsail performs server-side encryption with Amazon managed keys and encryption of data in transit by enforcing HTTPS (TLS). Server-side encryption helps reduce risk to your data by encrypting the data with a key that is stored in a separate service. In addition, encryption of data in transit helps prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks.
### Enable versioning
Versioning is a means of keeping multiple variants of an object in the same bucket. You can use versioning to preserve, retrieve, and restore every version of every object stored in your Lightsail bucket. With versioning, you can easily recover from both unintended user actions and application failures. For more information, see [Enable and suspend bucket object versioning](amazon-lightsail-managing-bucket-object-versioning.md).
## Monitoring and auditing best practices
The following best practices can help detect potential security weaknesses and incidents for Lightsail buckets.
### Enable access logging and perform periodic security and access audits
Access logging provides detailed records for the requests that are made to a bucket. This information can include the request type (`GET`, `PUT`), the resources that are specified in the request, and the time and date that the request was processed. Enable access logging for a bucket, and periodically perform a security and access audit to identify the entities that are accessing your bucket. By default, Lightsail doesn't collect access logs for your buckets. You must manually enable access logging. For more information, see [Bucket access logs](amazon-lightsail-enabling-bucket-access-logs.md) and [Enable bucket access logging](amazon-lightsail-enabling-bucket-access-logs.md).
### Identify, tag, and audit your Lightsail buckets
Identification of your IT assets is a crucial aspect of governance and security. You need to have visibility of all your Lightsail buckets to assess their security posture and take action on potential areas of weakness.
Use tagging to identify security-sensitive or audit-sensitive resources, then use those tags when you need to search for these resources. For more information, see [Tags](amazon-lightsail-tags.md).
### Implement monitoring using AWS monitoring tools
Monitoring is an important part of maintaining the reliability, security, availability, and performance of Lightsail buckets and other resources. You can monitor and create notification alarms for the **Bucket size** (`BucketSizeBytes`) and `Number of objects` (**NumberOfObjects**) bucket metrics in Lightsail. For example, you might want to be notified when the size of your bucket increases or decreases to a specific size, or when the number of objects in your bucket goes up to or down to a specific number. For more information, see [Create bucket metric alarms](amazon-lightsail-adding-bucket-metric-alarms.md).
### Use AWS CloudTrail
AWS CloudTrail provides a record of actions taken by a user, a role, or an AWS service in Lightsail. You can use information collected by CloudTrail to determine the request that was made to Lightsail, the IP address from which the request was made, who made the request, when it was made, and additional details. For example, you can identify CloudTrail entries for actions that impact data access, in particular `CreateBucketAccessKey`, `GetBucketAccessKeys`, `DeleteBucketAccessKey`, `SetResourceAccessForBucket`, and `UpdateBucket`. When you set up your AWS account, CloudTrail is enabled by default. You can view recent events in the CloudTrail console. To create an ongoing record of activity and events for your Lightsail buckets, you can create a trail in the CloudTrail console. For more information, see [Logging Data Events for Trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) in the *AWS CloudTrail User Guide*.
### Monitor AWS security advisories
Actively monitor the primary email address registered to AWS account. AWS will contact you, using this email address, about emerging security issues that might affect you.
AWS operational issues with broad impact are posted on the [AWS Service Health Dashboard](https://status.aws.amazon.com/). Operational issues are also posted to individual accounts via the Personal Health Dashboard. For more information, see the [AWS Health Documentation](https://docs.aws.amazon.com/health/).
# Control access to Lightsail buckets and objects
By default, all Amazon Lightsail object storage resources—buckets and objects—are private. This means that only the bucket owner, the Lightsail account that created it, can access the bucket and its objects. The bucket owner can optionally grant access to others. You can grant access to a bucket and its objects in the following ways:
+ **Read-only access** – The following options control read-only access to a bucket and its objects through the bucket's URL (for example, `https://amzn-s3-demo-bucket.us-east-1.amazonaws.com/media/sailbot.jpg`).
+ **Bucket access permissions** – Use bucket access permissions to grant access to all objects in a bucket for anyone on the internet. For more information, see [Bucket access permissions](#bucket-access-permissions) later in this guide.
+ **Individual object access permissions** – Use individual object access permissions to grant access to an individual object in a bucket for anyone on the internet. For more information, see [Individual object access permissions](#individual-bucket-object-access-permissions) later in this guide.
+ **Cross-account access** – Use cross-account access to grant access to all objects in a bucket for other AWS accounts. For more information, see [Cross-account access](#cross-account-access) later in this guide.
+ **Read and write access** – The following options control full read and write access to a bucket and its objects. Use these options with the AWS Command Line Interface (AWS CLI), AWS APIs, and AWS SDKs.
+ **Access keys** – Use access keys to grant access to applications or plugins. For more information, see [Access keys](#bucket-access-keys) later in this guide.
+ **Resource access** – Use resource access to grant access to a Lightsail instance. For more information, see [Resource access](#bucket-resource-access) later in this guide.
+ **Amazon Simple Storage Service block public access** – Use the Amazon Simple Storage Service (Amazon S3) account-level block public access feature to centrally limit public access to buckets in Amazon S3 and in Lightsail. Block public access can make all Amazon S3 and Lightsail buckets private regardless of the individual bucket and object permissions that might have been configured. For more information, see [Amazon S3 block public access](#s3-block-public-access) later in this guide.
For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md). For more information about security best practices, see [Security Best Practices for object storage](amazon-lightsail-bucket-security-best-practices.md).
## Bucket access permissions
Use bucket access permissions to control public (unauthenticated) read-only access to objects in a bucket. You can choose one of the following options when configuring bucket access permissions:
+ **All objects are private** – All objects in the bucket are readable only by you or anyone you give access to. This option does not allow for individual objects to be made public (read-only).
+ **Individual objects can be made public (read-only)** – Objects in the bucket are readable only by you or anyone you give access to, unless you specify an individual object as public (read-only). This option allows for individual objects to be made public (read-only). For more information, see [Individual object access permissions](#individual-bucket-object-access-permissions) later in this guide.
+ **All objects are public (read-only)** – All objects in the bucket are readable by anyone on the internet. All objects in the bucket become readable by anyone on the internet through the URL of the bucket (for example, `https://amzn-s3-demo-bucket.us-east-1.amazonaws.com/media/sailbot.jpg`) when you choose this option.
For more information about configuring bucket access permissions, see [Configure bucket access permissions](amazon-lightsail-configuring-bucket-permissions.md).
## Individual object access permissions
Use individual object access permissions to control public (unauthenticated) read-only access to individual objects in a bucket. Individual object access permissions can be configured only when the [Bucket access permissions](#bucket-access-permissions) of a bucket allow for individual objects to be made public (read-only). You can choose one of the following options when configuring access permissions for an individual object:
+ **Private** – The object is readable only by you or anyone you give access to.
+ **Public (read-only)** – The object is readable by anyone on the internet. The individual object becomes readable by anyone on the internet through the URL of the bucket (for example, `https://amzn-s3-demo-bucket.us-east-1.amazonaws.com/media/sailbot.jpg`).
For more information about configuring individual object access permissions, see [Configure access permissions for individual objects in a bucket](amazon-lightsail-configuring-individual-object-access.md).
## Cross-account access
Use cross-account access to grant authenticated read-only access to all objects in a bucket for other AWS accounts and their users. Cross-account access is ideal if you want to share objects with another AWS account. When you grant cross-account access to another AWS account, users in that account have read-only access to objects in a bucket through the URL of the bucket (for example, `https://amzn-s3-demo-bucket.us-east-1.amazonaws.com/media/sailbot.jpg`). You can give access to a maximum of 10 AWS accounts.
For more information about configuring cross-account access, see [Configure cross-account access for a bucket](amazon-lightsail-configuring-bucket-cross-account-access.md).
## Access keys
Use access keys to create a set of credentials that grant full read and write access to a bucket and its objects. Access keys consist of an access key ID and a secret access key as a set. You can have a maximum of two access keys per bucket. You can configure access keys on your application so that it can access your bucket and its objects using the AWS APIs, and AWS SDKs. You can also configure access keys on the AWS CLI.
For more information about creating access keys, see [Create access keys for a bucket](amazon-lightsail-creating-bucket-access-keys.md).
## Resource access
Use resource access to grant full read and write access to a bucket and its objects for Lightsail instances. With resource access, you don't have to manage credentials like access keys. To grant access to an instance, attach the instance to a bucket in the same AWS Region. To deny access, detach the instance from the bucket. Resource access is ideal if you're configuring an application on your instance to programmatically upload and access files on your bucket. One such use-case is to configure a WordPress instance to store media files on a bucket. For more information, see [Tutorial: Connect a bucket to your WordPress instance](amazon-lightsail-connecting-buckets-to-wordpress.md) and [Tutorial: Use a bucket with a content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md).
For more information about configuring resource access, see [Configure resource access for a bucket](amazon-lightsail-configuring-bucket-resource-access.md).
## Amazon S3 block public access
Use the Amazon S3 block public access feature to centrally limit public access to buckets in Amazon S3 and in Lightsail. Block public access can make all Amazon S3 and Lightsail buckets private regardless of the individual bucket and object permissions that might have been configured. You can use the Amazon S3 console, AWS CLI, AWS SDKs, and REST API to configure block public access settings for all buckets in your account, including those in the Lightsail object storage service. For more information, see [Block public access for buckets](amazon-lightsail-block-public-access-for-buckets.md).
# Upload files to an Lightsail object storage bucket
When you upload a file to your bucket in the Amazon Lightsail object storage service, it is stored as an object. Objects consist of the file data and metadata that describe the object. You can have any number of objects in a bucket.
You can upload any file type—images, backups, data, movies—into a bucket. The maximum file size that you can upload by using the Lightsail console is 2 GB. To upload a larger file, use the Lightsail API, AWS Command Line Interface (AWS CLI), or AWS SDKs.
Lightsail offers the following options depending on the size of the file you want to upload:
+ **Upload an object up to 2 GB in size using the Lightsail Console** — With the Lightsail console, you can upload a single object up to 2 GB in size. For more information, see [Upload files to a bucket using the Lightsail console](#uploading-files-to-a-bucket-lightsail-console) later in this guide.
+ **Upload an object up to 5 GB in size with a single operation using the AWS SDKs, REST API, or AWS CLI** — With a single PUT operation, you can upload a single object up to 5 GB in size. For more information, see [Upload files to a bucket using the AWS CLI](#uploading-files-to-a-bucket-aws-cli) later in this guide.
+ **Upload an object in parts using the AWS SDKs, REST API, or AWS CLI** — Using the multipart upload API, you can upload a single large object, of 5 MB to 50 TB in size. The multipart upload API is designed to improve the upload experience for larger objects. You can upload an object in parts. These object parts can be uploaded independently, in any order, and in parallel. For more information, see [Upload files to a bucket using multipart upload](amazon-lightsail-uploading-files-to-a-bucket-using-multipart-upload.md).
For more information about buckets, see [Object storage](buckets-in-amazon-lightsail.md).
## Object key names and versioning
When you upload a file using the Lightsail console, the file name is used as the object key name. An object key (or key name) uniquely identifies an object stored in a bucket. The folder that the file is uploaded into, if any, is used as the key name prefix. For example, if you upload a file named `sailbot.jpg` to a folder in your bucket named `images`, the full object key name and prefix will be `images/sailbot.jpg`. However, the object is displayed in the console as `sailbot.jpg` in the `images` folder. For more information about object key names, see [Key names for object storage buckets](understanding-bucket-object-key-names-in-amazon-lightsail.md).
When you upload a directory using the Lightsail console, all of the files and subfolders in the directory are uploaded to the bucket. Lightsail then assigns an object key name that is a combination of each of the uploaded file names and the folder name. For example, if you upload a folder named `images` that contains two files, `sample1.jpg` and `sample2.jpg`, Lightsail uploads the files and then assigns the corresponding key names, `images/sample1.jpg` and `images/sample2.jpg`. The objects are displayed in the console as `sample1.jpg` and `sample2.jpg` in the `images` folder.
If you upload a file with a key name that already exists, and your bucket *does not have versioning enabled*, the new uploaded object replaces the previous object. However, if your bucket *has versioning enabled*, Lightsail creates a new version of the object instead of replacing the existing object. For more information, see [Enable and suspend bucket object versioning](amazon-lightsail-managing-bucket-object-versioning.md).
## Upload files to a bucket using the Lightsail console
Complete the following procedure to upload files and directories using the Lightsail console.
1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).
1. In the left navigation pane, choose **Storage**.
1. Choose the name of the bucket that you want to upload files and folders into.
1. In the **Objects** tab, perform one of the following actions:
+ Drag and drop files and folders to the **Objects** page.
+ Choose **Upload**, and choose **File** to upload an individual file, or **Directory** to upload a folder and all of its contents.
**Note**
You can also create a folder in by choosing **Create new folder**. You can then browse into the new folder and upload files to it.
An **Upload successful** message is displayed when the upload completes.
## Upload files to a bucket using the AWS CLI
Complete the following procedure to upload files and folders to a bucket using the AWS Command Line Interface (AWS CLI). You do this by using the `put-object` command. For more information, see [put-object](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-object.html) in the *AWS CLI Command Reference*.
**Note**
You must install the AWS CLI and configure it for Lightsail and Amazon S3 before continuing with this procedure. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
1. Open a Command Prompt or Terminal window.
1. Enter the following command to upload a file to your bucket.
```
aws s3api put-object --bucket BucketName --key ObjectKey --body LocalDirectory --acl bucket-owner-full-control
```
In the command, replace the following example text with your own:
+ *BucketName* with the name of the bucket to which you want to upload the file.
+ *ObjectKey* with the full object key of the object in your bucket.
+ *LocalDirectory* with the local directory folder path on your computer of the file to upload.
Example:
+ On a Linux or Unix computer:
```
aws s3api put-object --bucket amzn-s3-demo-bucket --key images/sailbot.jpg --body home/user/Pictures/sailbot.jpg --acl bucket-owner-full-control
```
+ On a Windows computer:
```
aws s3api put-object --bucket amzn-s3-demo-bucket --key images/sailbot.jpg --body "C:\Users\user\Pictures\sailbot.jpg" --acl bucket-owner-full-control
```
You should see a result similar to the following example:
![\[Result of the AWS CLI put-object command\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-s3api-put-object-result.png)
## Configure the AWS CLI for IPv6-only requests
Amazon S3 supports bucket access over IPv6. You make requests with Amazon S3 API calls over IPv6 by using dual-stack endpoints. This section provides examples of how to make requests to a dual-stack endpoint, over IPv6. For more information, see [Using Amazon S3 dual-stack endpoints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html) in the *Amazon S3 User Guide*. For instructions on setting up the AWS CLI, see [Configuring the AWS Command Line Interface to work with Amazon Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).
**Important**
The client and the network accessing the bucket must be enabled to use IPv6. For more information, see [IPv6 reachability](amazon-lightsail-ipv6-reachability.md).
There are two ways to make S3 requests from an IPv6-only instance. You can configure the AWS CLI to direct all Amazon S3 requests to the dual-stack endpoint for the specified AWS Region. Or, if you want to use a dual-stack endpoint for specified AWS CLI commands only (not all commands), you can add the S3 dual-stack endpoint to every command.
Configure the AWS CLI
Set the configuration value `use_dualstack_endpoint` to `true` in a profile in your AWS Config file to direct all Amazon S3 requests made by the Amazon S3 and s3api AWS CLI commands to the dual-stack endpoint for the specified Region. You specify the Region in the AWS CLI config file, or in a command using the --region option.
Enter the following commands to configure the AWS CLI.
```
aws configure set default.s3.use_dualstack_endpoint true
```
```
aws configure set default.s3.addressing_style virtual
```
Add the dual-stack endpoint to a specific command
You can use the dual-stack endpoint per command by setting the `--endpoint-url` parameter to `https://s3.dualstack.aws-region.amazonaws.com` or `http://s3.dualstack.aws-region.amazonaws.com` for any s3 or s3api command. In the example below, replace *bucketname* and *aws-region* with the name of your bucket and your AWS Region.
```
aws s3api list-objects --bucket bucketname --endpoint-url https://s3.dualstack.aws-region.amazonaws.com
```
## Managing buckets and objects in Lightsail
These are the general steps to manage your Lightsail object storage bucket:
1. Learn about objects and buckets in the Amazon Lightsail object storage service. For more information, see [Object storage in Amazon Lightsail](buckets-in-amazon-lightsail.md).
1. Learn about the names that you can give your buckets in Amazon Lightsail. For more information, see [Bucket naming rules in Amazon Lightsail](bucket-naming-rules-in-amazon-lightsail.md).
1. Get started with the Lightsail object storage service by creating a bucket. For more information, see [Creating buckets in Amazon Lightsail](amazon-lightsail-creating-buckets.md).
1. Learn about security best practices for buckets and the access permissions that you can configure for your bucket. You can make all objects in your bucket public or private, or you can choose to make individual objects public. You can also grant access to your bucket by creating access keys, attaching instances to your bucket, and granting access to other AWS accounts. For more information, see [Security Best Practices for Amazon Lightsail object storage](amazon-lightsail-bucket-security-best-practices.md) and [Understanding bucket permissions in Amazon Lightsail](amazon-lightsail-understanding-bucket-permissions.md).
After learning about bucket access permissions, see the following guides to grant access to your bucket:
+ [Block public access for buckets in Amazon Lightsail](amazon-lightsail-block-public-access-for-buckets.md)
+ [Configuring bucket access permissions in Amazon Lightsail](amazon-lightsail-configuring-bucket-permissions.md)
+ [Configuring access permissions for individual objects in a bucket in Amazon Lightsail](amazon-lightsail-configuring-individual-object-access.md)
+ [Creating access keys for a bucket in Amazon Lightsail](amazon-lightsail-creating-bucket-access-keys.md)
+ [Configuring resource access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-resource-access.md)
+ [Configuring cross-account access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-cross-account-access.md)
1. Learn how to enable access logging for your bucket, and how to use access logs to audit the security of your bucket. For more information, see the following guides.
+ [Access logging for buckets in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-logs.md)
+ [Access log format for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-log-format.md)
+ [Enabling access logging for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-enabling-bucket-access-logs.md)
+ [Using access logs for a bucket in Amazon Lightsail to identify requests](amazon-lightsail-using-bucket-access-logs.md)
1. Create an IAM policy that grants a user the ability to manage a bucket in Lightsail. For more information, see [IAM policy to manage buckets in Amazon Lightsail](amazon-lightsail-bucket-management-policies.md).
1. Learn about the way that objects in your bucket are labeled and identified. For more information, see [Understanding object key names in Amazon Lightsail](understanding-bucket-object-key-names-in-amazon-lightsail.md).
1. Learn how to upload files and manage objects in your buckets. For more information, see the following guides.
+ [Uploading files to a bucket in Amazon Lightsail](#amazon-lightsail-uploading-files-to-a-bucket)
+ [Uploading files to a bucket in Amazon Lightsail using multipart upload](amazon-lightsail-uploading-files-to-a-bucket-using-multipart-upload.md)
+ [Viewing objects in a bucket in Amazon Lightsail](amazon-lightsail-viewing-objects-in-a-bucket.md)
+ [Copying or moving objects in a bucket in Amazon Lightsail](amazon-lightsail-copying-moving-bucket-objects.md)
+ [Downloading objects from a bucket in Amazon Lightsail](amazon-lightsail-downloading-bucket-objects.md)
+ [Filtering objects in a bucket in Amazon Lightsail](amazon-lightsail-filtering-bucket-objects.md)
+ [Tagging objects in a bucket in Amazon Lightsail](amazon-lightsail-tagging-bucket-objects.md)
+ [Deleting objects in a bucket in Amazon Lightsail](amazon-lightsail-deleting-bucket-objects.md)
1. Enable object versioning to preserve, retrieve, and restore every version of every object stored in your bucket. For more information, see [Enabling and suspending object versioning in a bucket in Amazon Lightsail](amazon-lightsail-managing-bucket-object-versioning.md).
1. After enabling object versioning, you can restore previous versions of objects in your bucket. For more information, see [Restoring previous versions of objects in a bucket in Amazon Lightsail](amazon-lightsail-restoring-bucket-object-versions.md).
1. Monitor the utilization of your bucket. For more information, see [Viewing metrics for your bucket in Amazon Lightsail](amazon-lightsail-viewing-bucket-metrics.md).
1. Configure an alarm for bucket metrics to be notified when the utilization of your bucket crosses a threshold. For more information, see [Creating bucket metric alarms in Amazon Lightsail](amazon-lightsail-adding-bucket-metric-alarms.md).
1. Change the storage plan of your bucket if it's running low on storage and network transfer. For more information, see [Changing the plan of your bucket in Amazon Lightsail](amazon-lightsail-changing-bucket-plans.md).
1. Learn how to connect your bucket to other resources. For more information, see the following tutorials.
+ [Tutorial: Connecting a WordPress instance to an Amazon Lightsail bucket](amazon-lightsail-connecting-buckets-to-wordpress.md)
+ [Tutorial: Using an Amazon Lightsail bucket with a Lightsail content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md)
1. Delete your bucket if you're no longer using it. For more information, see [Deleting buckets in Amazon Lightsail](amazon-lightsail-deleting-buckets.md).
# Cross-origin resource sharing (CORS) in Lightsail
Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. With CORS support, you can build rich client-side web applications with Lightsail object storage and selectively allow cross-origin access to your bucket resources. For more information about CORS, see [What is CORS?](https://aws.amazon.com/what-is/cross-origin-resource-sharing/).
This section shows you how to configure CORS for your Lightsail buckets using the AWS Command Line Interface (AWS CLI). To configure your bucket to allow cross-origin requests, you add a CORS configuration to the bucket using a JSON document that defines rules identifying the origins you will allow to access your bucket, the operations (HTTP methods) supported for each origin, and other operation-specific information.
**Topics**
+ [CORS use cases](#cors-use-cases)
+ [How Lightsail evaluates CORS configurations](cors-how-evaluation-works.md)
+ [Configure CORS using the AWS CLI](cors-configuration-cli.md)
+ [Troubleshooting CORS](cors-troubleshooting.md)
## CORS use cases
The following example scenario details how you might need to configure CORS with Lightsail buckets.
**Scenario: Web font hosting**
Suppose you want to host web fonts from your Lightsail bucket. Browsers require a CORS check (also called a preflight check) for loading web fonts. You would configure the bucket hosting the web font to allow any origin to make these requests.
# How Lightsail evaluates CORS configurations
When Lightsail object storage receives a preflight request from a browser, it evaluates the CORS configuration for the bucket and uses the first CORS rule that matches the incoming browser request to enable a cross-origin request. For a rule to match, the following conditions must be met:
+ The `Origin` header in the request must match an origin in the `AllowedOrigins` element.
+ The HTTP method specified in the `Access-Control-Request-Method` header must match a method in the `AllowedMethods` element.
+ The headers listed in the `Access-Control-Request-Headers` header must match headers in the `AllowedHeaders` element.
**Note**
Bucket permissions continue to apply when you enable CORS on your bucket. CORS configuration only determines whether the browser allows the cross-origin request to proceed. For more information, see [Control access to Lightsail buckets and objects](amazon-lightsail-understanding-bucket-permissions.md).
## Elements of a CORS configuration
A CORS configuration is a JSON document that contains an array of CORS rules. Each rule defines which origins are allowed to access the bucket, which HTTP methods are permitted, and other configuration options.
The following elements can be included in a CORS rule:
**allowedOrigins**
Specifies the origins that are allowed to access the bucket. You can use wildcards (\$1) to allow all origins, or specify specific domains like `https://example.com`.
**allowedMethods**
Specifies the HTTP methods that are allowed for the specified origins. Valid values include GET, PUT, POST, DELETE, and HEAD.
**allowedHeaders**
Specifies which headers are allowed in a preflight OPTIONS request through the Access-Control-Request-Headers header.
**exposeHeaders**
Specifies which headers in the response can be accessed by the client application.
**id**
A unique identifier for the CORS rule.
**maxAgeSeconds**
Specifies the amount of time in seconds that the browser can cache the response for a preflight request.
For more information about these parameters, see [BucketCorsRule](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_BucketCorsRule.html) in the *Amazon Lightsail API Reference*.
# Configure CORS using the AWS CLI
You can configure CORS for your Lightsail bucket using the AWS CLI with the `--cors` parameter. This parameter accepts a JSON file that contains your CORS configuration. For more information about the elements of a CORS configuration, see [Elements of a CORS configuration](cors-how-evaluation-works.md#cors-configuration-elements).
**Topics**
+ [Apply a CORS configuration](#cors-configuration-apply)
+ [Example CORS configurations](#cors-configuration-examples)
+ [Remove CORS configurations](#cors-remove-configuration)
## Apply a CORS configuration
The following procedure shows how a CORS configuration can be applied to a bucket by specifying a JSON file. For more example configurations, see [Example CORS configurations](#cors-configuration-examples).
**To configure CORS for a bucket using the AWS CLI**
1. Create a JSON file containing your CORS configuration. For example, create a file named `cors-config.json` with the following content:
```
{
"CORSRules": [
{
"AllowedOrigins": ["https://example.com"],
"AllowedMethods": ["GET", "PUT", "POST"],
"AllowedHeaders": ["*"],
"MaxAgeSeconds": 3000
}
]
}
```
1. Use the AWS CLI to apply the CORS configuration to your bucket:
```
aws lightsail update-bucket --bucket-name amzn-s3-demo-bucket --cors file://cors-config.json
```
1. Verify the CORS configuration was applied successfully:
```
aws lightsail get-buckets --bucket-name amzn-s3-demo-bucket --include-cors
```
**Note**
Replace *amzn-s3-demo-bucket* with the name of your Lightsail bucket.
## Example CORS configurations
The following examples show common CORS configurations for different use cases.
**Example 1: Allow all origins and methods**
This configuration allows all origins to access your bucket using any HTTP method:
```
{
"CORSRules": [
{
"AllowedOrigins": ["*"],
"AllowedMethods": ["GET", "PUT", "POST", "DELETE", "HEAD"],
"AllowedHeaders": ["*"],
"MaxAgeSeconds": 3000
}
]
}
```
**Example 2: Restrict to specific domain**
This configuration allows only requests from `https://mywebsite.com`:
```
{
"CORSRules": [
{
"AllowedOrigins": ["https://mywebsite.com"],
"AllowedMethods": ["GET", "PUT"],
"AllowedHeaders": ["Authorization", "Content-Type"],
"ExposeHeaders": ["ETag"],
"MaxAgeSeconds": 3600
}
]
}
```
**Example 3: Multiple rules for different origins**
This configuration defines different rules for different origins:
```
{
"CORSRules": [
{
"AllowedOrigins": ["https://mywebsite.com"],
"AllowedMethods": ["GET", "PUT", "POST"],
"AllowedHeaders": ["*"],
"MaxAgeSeconds": 3600
},
{
"AllowedOrigins": ["https://cdn.mywebsite.com"],
"AllowedMethods": ["GET"],
"AllowedHeaders": ["Authorization"],
"MaxAgeSeconds": 86400
}
]
}
```
## Remove CORS configurations
To remove the CORS configuration from your bucket, use the following AWS CLI command:
```
aws lightsail update-bucket --bucket-name amzn-s3-demo-bucket --cors '{"rules":[]}'
```
**Note**
Replace *amzn-s3-demo-bucket* with the name of your Lightsail bucket.
After removing the CORS configuration, cross-origin requests to your bucket will be blocked by browsers.
# Troubleshooting CORS
If you're experiencing issues with CORS, check the following:
+ **Verify CORS configuration** – Ensure your CORS configuration is properly formatted JSON and includes the necessary rules for your use case.
+ **Check origin matching** – The origin in your request must exactly match an entry in the `AllowedOrigins` list. Protocol (http/https), subdomain, and port must match exactly.
+ **Verify HTTP methods** – Ensure the HTTP method you're using is listed in the `AllowedMethods` for the matching rule.
+ **Check browser developer tools** – Use your browser's developer tools to inspect the preflight OPTIONS request and response to identify any CORS-related errors.
+ **Validate bucket permissions** – Ensure your bucket has the appropriate permissions configured in addition to CORS. CORS only controls browser-based cross-origin access, not bucket-level permissions.
If you need to remove the CORS configuration from your bucket while you troubleshoot, see [Remove CORS configurations](cors-configuration-cli.md#cors-remove-configuration).