Amazon S3 Inventory - Amazon Simple Storage Service

Amazon S3 Inventory

Important

Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance. The automatic encryption status for S3 bucket default encryption configuration and for new object uploads is available in AWS CloudTrail logs, S3 Inventory, S3 Storage Lens, the Amazon S3 console, and as an additional Amazon S3 API response header in the AWS Command Line Interface and AWS SDKs. For more information, see Default encryption FAQ.

You can use Amazon S3 Inventory to help manage your storage. For example, you can use it to audit and report on the replication and encryption status of your objects for business, compliance, and regulatory needs. You can also simplify and speed up business workflows and big data jobs by using Amazon S3 Inventory, which provides a scheduled alternative to the Amazon S3 synchronous List API operations. Amazon S3 Inventory does not use the List API operations to audit your objects and does not affect the request rate of your bucket.

Amazon S3 Inventory provides comma-separated values (CSV), Apache optimized row columnar (ORC) or Apache Parquet output files that list your objects and their corresponding metadata on a daily or weekly basis for an S3 bucket or objects with a shared prefix (that is, objects that have names that begin with a common string). If you set up a weekly inventory, a report is generated every Sunday (UTC time zone) after the initial report. For information about Amazon S3 Inventory pricing, see Amazon S3 pricing.

You can configure multiple inventory lists for a bucket. When you're configuring an inventory list, you can specify the following:

  • What object metadata to include in the inventory

  • Whether to list all object versions or only current versions

  • Where to store the inventory list file output

  • Whether to generate the inventory on a daily or weekly basis

  • Whether to encrypt the inventory list file

You can query Amazon S3 Inventory with standard SQL queries by using Amazon Athena, Amazon Redshift Spectrum, and other tools, such as Presto, Apache Hive, and Apache Spark. For more information about using Athena to query your inventory files, see Querying Amazon S3 Inventory with Amazon Athena.

Source and destination buckets

The bucket that the inventory lists objects for is called the source bucket. The bucket where the inventory list file is stored is called the destination bucket.

Source bucket

The inventory lists the objects that are stored in the source bucket. You can get an inventory list for an entire bucket, or you can filter the list by object key name prefix.

The source bucket:

  • Contains the objects that are listed in the inventory

  • Contains the configuration for the inventory

Destination bucket

Amazon S3 Inventory list files are written to the destination bucket. To group all the inventory list files in a common location in the destination bucket, you can specify a destination prefix in the inventory configuration.

The destination bucket:

  • Contains the inventory file lists.

  • Contains the manifest files that list all the inventory list files that are stored in the destination bucket. For more information, see Inventory manifest.

  • Must have a bucket policy to give Amazon S3 permission to verify ownership of the bucket and permission to write files to the bucket.

  • Must be in the same AWS Region as the source bucket.

  • Can be the same as the source bucket.

  • Can be owned by a different AWS account than the account that owns the source bucket.

Amazon S3 Inventory list

An inventory list file contains a list of the objects in the source bucket and metadata for each object. An inventory list file is stored in the destination bucket with one of the following formats:

  • As a CSV file compressed with GZIP

  • As an Apache optimized row columnar (ORC) file compressed with ZLIB

  • As an Apache Parquet file compressed with Snappy

Note

Objects in Amazon S3 Inventory reports aren't guaranteed to be sorted in any order.

An inventory list file contains a list of the objects in the source bucket and metadata for each listed object:

  • Bucket name – The name of the bucket that the inventory is for.

  • Key name – The object key name (or key) that uniquely identifies the object in the bucket. When you're using the CSV file format, the key name is URL-encoded and must be decoded before you can use it.

  • Version ID – The object version ID. When you enable versioning on a bucket, Amazon S3 assigns a version number to objects that are added to the bucket. For more information, see Using versioning in S3 buckets. (This field is not included if the list is configured only for the current version of the objects.)

  • IsLatest – Set to True if the object is the current version of the object. (This field is not included if the list is configured only for the current version of the objects.)

  • Delete marker – Set to True if the object is a delete marker. For more information, see Using versioning in S3 buckets. (This field is automatically added to your report if you've configured the report to include all versions of your objects).

  • Size – The object size in bytes, not including the size of incomplete multipart uploads, object metadata, and delete markers.

  • Last modified date – The object creation date or the last modified date, whichever is the latest.

  • ETag – The entity tag (ETag) is a hash of the object. The ETag reflects changes only to the contents of an object, not to its metadata. The ETag can be an MD5 digest of the object data. Whether it is depends on how the object was created and how it is encrypted.

  • Storage class – The storage class that's used for storing the object. Set to STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, or SNOW. For more information, see Using Amazon S3 storage classes.

  • Multipart upload flag – Set to True if the object was uploaded as a multipart upload. For more information, see Uploading and copying objects using multipart upload.

  • Replication status – Set to PENDING, COMPLETED, FAILED, or REPLICA. For more information, see Getting replication status information.

  • Encryption status – The server-side encryption status, depending on what kind of encryption key is used—an Amazon S3 managed (SSE-S3) key, an AWS Key Management Service (AWS KMS) key (SSE-KMS), or a customer-provided key (SSE-C). Set to SSE-S3, SSE-C, SSE-KMS, or NOT-SSE. A status of NOT-SSE means that the object is not encrypted with server-side encryption. For more information, see Protecting data with encryption.

  • S3 Object Lock retain until date – The date until which the locked object cannot be deleted. For more information, see Using S3 Object Lock.

  • S3 Object Lock retention mode – Set to Governance or Compliance for objects that are locked. For more information, see Using S3 Object Lock.

  • S3 Object Lock legal hold status – Set to On if a legal hold has been applied to an object. Otherwise, it is set to Off. For more information, see Using S3 Object Lock.

  • S3 Intelligent-Tiering access tier – Access tier (frequent or infrequent) of the object if it is stored in the S3 Intelligent-Tiering storage class. Set to FREQUENT, INFREQUENT, ARCHIVE_INSTANT_ACCESS, ARCHIVE, or DEEP_ARCHIVE. For more information, see Storage class for automatically optimizing data with changing or unknown access patterns.

  • S3 Bucket Key status – Set to ENABLED or DISABLED. Indicates whether the object uses an S3 Bucket Key for SSE-KMS. For more information, see Using Amazon S3 Bucket Keys.

  • Checksum algorithm – Indicates the algorithm that's used to create the checksum for the object.

  • Object access control list – An access control list (ACL) for each object that defines which AWS accounts or groups are granted access to this object and the type of access that is granted. The Object ACL field is defined in JSON format. An S3 Inventory report includes ACLs that are associated with objects in your source bucket, even when ACLs are disabled for the bucket. For more information, see Working with the Object ACL field and Access control list (ACL) overview.

    Note

    The Object ACL field is defined in JSON format. An inventory report displays the value for the Object ACL field as a base64-encoded string.

    For example, suppose that you have the following Object ACL field in JSON format:

    { "version": "2022-11-10", "status": "AVAILABLE", "grants": [{ "canonicalId": "example-canonical-user-ID", "type": "CanonicalUser", "permission": "READ" }] }

    The Object ACL field is encoded and shown as the following base64-encoded string:

    eyJ2ZXJzaW9uIjoiMjAyMi0xMS0xMCIsInN0YXR1cyI6IkFWQUlMQUJMRSIsImdyYW50cyI6W3siY2Fub25pY2FsSWQiOiJleGFtcGxlLWNhbm9uaWNhbC11c2VyLUlEIiwidHlwZSI6IkNhbm9uaWNhbFVzZXIiLCJwZXJtaXNzaW9uIjoiUkVBRCJ9XX0=

    To get the decoded value in JSON for the Object ACL field, you can query this field in Amazon Athena. For query examples, see Querying Amazon S3 Inventory with Amazon Athena.

  • Object owner – The owner of the object.

Note

When an object reaches the end of its lifetime based on its lifecycle configuration, Amazon S3 queues the object for removal and removes it asynchronously. Therefore, there might be a delay between the expiration date and the date when Amazon S3 removes an object. The inventory report includes the objects that have expired but haven't been removed yet. For more information about expiration actions in S3 Lifecycle, see Expiring objects.

We recommend that you create a lifecycle policy that deletes old inventory lists. For more information, see Managing your storage lifecycle.

The s3:PutInventoryConfiguration permission allows a user to both select all the metadata fields that are listed earlier for each object when configuring an inventory list and to specify the destination bucket to store the inventory. A user with read access to objects in the destination bucket can access all object metadata fields that are available in the inventory list. To restrict access to an inventory report, see Grant permissions for S3 Inventory and S3 analytics.

Inventory consistency

All of your objects might not appear in each inventory list. The inventory list provides eventual consistency for PUT requests (of both new objects and overwrites) and for DELETE requests. Each inventory list for a bucket is a snapshot of bucket items. These lists are eventually consistent (that is, a list might not include recently added or deleted objects).

To validate the state of an object before you take action on the object, we recommend that you perform a HeadObject REST API request to retrieve metadata for the object, or to check the object's properties in the Amazon S3 console. You can also check object metadata with the AWS CLI or the AWS SDKS. For more information, see HeadObject in the Amazon Simple Storage Service API Reference.

For more information about working with Amazon S3 Inventory, see the following topics.