S3Guard: Operational Issues

There are various issues and limitations that you must consider when working with S3Guard.

Now that S3 is consistent, there is no need for S3Guard. Disabling S3Guard and using S3 Raw avoids these issues.

S3Guard Security Aspects

The DynamoDB table needs to be writeable by all users/services using S3Guard. If a single DynamoDB table is used to store metadata about multiple buckets, then clients with access to the table will be able to read the metadata about objects in any bucket to which their read access is restricted using AWS permissions.

The standard S3 Bucket and Object Access permissions do not provide any restriction on accessing the S3Guard index data. As this is only the Hadoop file status data of object name, type, size and timestamp, the actual object data and any tags attached to the object are still protected by AWS permissions. However, directory and filenames will be visible.

Limitations of S3Guard

If external applications, including the AWS CLI, change the S3 store, DynamoDB and S3 will become inconsistent. Although the DynamoDB table can be updated with the S3 state, disabling S3Guard avoids this situation.