Bucket

Progress checklist

• Exports set
• Bucket created
• Versioning enabled
• Encryption confirmed (SSE-S3 or SSE-KMS)
• lambda/ prefix seeded (lambda/hello.txt)

Overview

S3FILES S3FILES
Amazon S3 Files — a service that exposes an S3 bucket as a shared NFS file system. Supports EC2, EKS, ECS (Fargate), and Lambda. Uses the CLI namespace `aws s3files` and mount type `-t s3files`. Read APIs are `list-*` and `get-*` (for example `list-file-systems`, `get-file-system`), not `describe-*`. requires VERSIONING VERSIONING
S3 Versioning — keeps multiple versions of each object in a bucket. S3 Files requires versioning to be enabled on the linked bucket for synchronisation to work. to synchronise changes between the file system and the bucket. It also supports only SSE SSE
Server-Side Encryption — encryption of data at rest in S3. S3 Files supports SSE-S3 (AWS-managed keys) and SSE-KMS (customer-managed keys). SSE-C is not supported. — specifically SSE-S3 or SSE-KMS. Set both before creating the file system.

1. Set environment variables. Required

   Use these exports throughout the Lambda walkthrough. Replace values to match your environment.

   export AWS_REGION=ap-southeast-6
   export BUCKET=my-s3-files-bucket        # ← replace with your real bucket name
   export BUCKET_ARN=arn:aws:s3:::${BUCKET}
   export ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
   echo "Account: $ACCOUNT_ID  Region: $AWS_REGION  Bucket: $BUCKET"

   Caution

   S3 bucket names are globally unique across all AWS accounts. If my-s3-files-bucket is already taken, create-bucket in the next step will fail with BucketAlreadyExists. Choose a name that is unique — for example prefix it with your account ID: $ACCOUNT_ID-s3files-bucket.

2. Create the bucket. Required

   aws s3api create-bucket \
     --bucket $BUCKET \
     --region $AWS_REGION \
     --create-bucket-configuration LocationConstraint=$AWS_REGION

   Note

   If your region is us-east-1, omit --create-bucket-configuration — that region does not accept a LocationConstraint.

3. Enable versioning. Required

   S3 Files will fail to create a file system if versioning is not enabled.

   aws s3api put-bucket-versioning \
     --bucket $BUCKET \
     --versioning-configuration Status=Enabled

   Verify:

   aws s3api get-bucket-versioning --bucket $BUCKET

   Expected output:

   {
     "Status": "Enabled"
   }

4. Confirm encryption. Required

   New buckets default to SSE-S3 (AES-256). Verify:

   aws s3api get-bucket-encryption --bucket $BUCKET

   The rule type must be aws:kms (SSE-KMS) or AES256 (SSE-S3). If the command returns a ServerSideEncryptionConfigurationNotFoundError, apply SSE-S3 explicitly:

   aws s3api put-bucket-encryption \
     --bucket $BUCKET \
     --server-side-encryption-configuration '{
       "Rules": [{
         "ApplyServerSideEncryptionByDefault": {
           "SSEAlgorithm": "AES256"
         }
       }]
     }'

   Caution

   SSE-C (customer-provided keys) and DSSE-KMS are not supported by S3 Files. Using an unsupported encryption type will cause file system creation to fail.

5. Seed the lambda/ prefix. Required

   The Lambda access point is configured with root directory Path=/lambda. The function can only see objects under that prefix. Seed a fixture file so the mount is not empty on first invocation.

   printf 'Hello from S3 Files Lambda walkthrough\n' \
     | aws s3 cp - "s3://$BUCKET/lambda/hello.txt" --region "$AWS_REGION"

   Confirm the upload:

   aws s3 ls "s3://$BUCKET/lambda/" --region "$AWS_REGION"

   You should see lambda/hello.txt.

   Note

   Lambda mounts an access point whose root directory is Path=/lambda, so function reads and writes land under the lambda/ key prefix in the bucket. Objects outside lambda/ are not visible through the mount.

Next step

Continue to File System to create the file system IAM role and the S3 Files file system.