S3
Last updated: Apr 24, 2026
Rationale
AWS S3 (Cloud Object Storage) is the service we use for storing files in the cloud.
The main reasons why we chose it over other alternatives are:
- It is SaaS oriented, meaning that in order to start storing data, we only need to create a bucket. We do not have to worry about storage space, infrastructure scalability, data availability, data persistence, among many other infrastructure-related concerns.
- It complies with several certifications from ISO and CSA. Many of these certifications are focused on ensuring that the entity follows best practices regarding secure cloud-based environments and information security.
- Resources can be written as code using Terraform.
- It can be fronted by Amazon CloudFront with Origin Access Control, which cryptographically restricts object access to a specific distribution. Combined with Cloudflare at the edge, this is our pattern for serving static sites publicly — see Public hosting.
- It supports presigned URLs that can be used to create signed download links accessible only by the holder of the generated key, with configurable expiration. This feature greatly reduces the chance of data leaks.
- It supports versioning, allowing us to keep a complete history of all stored objects.
- It supports storage lifecycle, allowing us to declare policies for expiring files and moving them to different storage classes.
- It can be programmatically accessed using the AWS CLI and language-specific libraries like Python's Boto3, allowing us to connect our applications to it.
- It can be used by Terraform as a backend to store its state.
- It supports AES256 server-side encryption with bucket-level defaults.
- It supports bucket policies, which we use to enforce TLS-only access and to restrict object reads to the CloudFront distributions that front them, avoiding CDN bypassing.
- It supports Storage Lens, an analytics module for visualizing insights and trends and optimizing usage.
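The two bucket-policy controls listed above (TLS-only access, and object reads restricted to the CloudFront distribution through Origin Access Control) can be checked mechanically. The following Python audit is an added example, not taken from the infrastructure code this page describes; the bucket name, account ID, distribution ID and function names are constructed placeholders.

```python
import json

# Constructed policy: bucket name, account id and distribution id are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "AllowCloudFrontOAC", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"AWS:SourceArn":
         "arn:aws:cloudfront::111122223333:distribution/EXAMPLEID"}}},
]})

def _listify(value):
    return value if isinstance(value, list) else [value]

def _condition(stmt, operator, key):
    """Values for a condition key; IAM condition key names are case-insensitive."""
    for name, value in stmt.get("Condition", {}).get(operator, {}).items():
        if name.lower() == key.lower():
            return [str(v) for v in _listify(value)]
    return []

def audit_bucket_policy(policy_json):
    """Return findings for the two controls; an empty list means both hold."""
    statements = _listify(json.loads(policy_json).get("Statement", []))
    findings = []
    tls_deny = any(
        s.get("Effect") == "Deny" and s.get("Principal") in ("*", {"AWS": "*"})
        and any(a.lower() in ("*", "s3:*") for a in _listify(s.get("Action", [])))
        and [v.lower() for v in _condition(s, "Bool", "aws:SecureTransport")] == ["false"]
        for s in statements)
    if not tls_deny:
        findings.append("missing Deny on aws:SecureTransport=false")
    for s in statements:
        actions = [a.lower() for a in _listify(s.get("Action", []))]
        if s.get("Effect") != "Allow" or not any(
                a in ("*", "s3:*", "s3:getobject") for a in actions):
            continue
        sid, principal = s.get("Sid", "<no Sid>"), s.get("Principal")
        # Conservative: a wildcard principal is flagged even if conditions narrow it.
        if principal in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: object reads open to any principal")
        elif principal == {"Service": "cloudfront.amazonaws.com"}:
            arns = (_condition(s, "StringEquals", "AWS:SourceArn")
                    + _condition(s, "ArnEquals", "AWS:SourceArn"))
            if not arns or any("*" in a for a in arns):
                findings.append(f"{sid}: CloudFront read not pinned to one distribution")
    return findings
```

In practice the input would be the policy returned by Boto3's `get_bucket_policy` or the rendered Terraform policy document, so the check can run in CI before a change is applied.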
Alternatives
Below are the alternatives we evaluated before choosing AWS S3, ordered from most to least interesting based on our specific needs.
Google Cloud Storage
Google Cloud Storage is the object storage service on Google Cloud.
- It did not exist at the time we migrated to the cloud.
- It would require supporting another cloud provider, fragmenting knowledge and tooling across platforms.
- It does not provide first-class integration with AWS-native primitives we rely on for public hosting (CloudFront OAC, IAM roles, Lambda event sources).
Google Cloud Storage was last reviewed on Apr 23, 2026.
Azure Blob Storage
Azure Blob Storage is the object storage service on Microsoft Azure.
- It did not exist at the time we migrated to the cloud.
- It would require supporting another cloud provider, fragmenting knowledge and tooling across platforms.
- It does not integrate with the AWS ecosystem where the rest of our infrastructure lives.
Azure Blob Storage was last reviewed on Apr 23, 2026.
Usage
We use AWS S3 for:
- Serving static assets for public sites (see Public hosting).
- Creating signed download URLs in the platform.
- Storing platform resources, evidence, reports, and analytics.
- Storing Sorts training data.
- Storing Skims data.
- Storing GitLab CI cache.
- Storing Terraform state.
We do not use AWS S3 for storing multimedia for our sites, like images and videos. We use Cloudinary instead.