
Create a Private S3 Bucket, Upload a File, and Understand IAM + Visibility

Your first safe AWS lab: create a private S3 bucket, upload a file, read an IAM policy, and understand CloudTrail vs CloudWatch visibility.

20 min
Introductory
AWS Free Tier

All services used in this lesson are covered by the AWS Free Tier.

AWS Services Used

  • S3: 5 GB free for 12 months
  • CloudTrail: Event History always free

Before you start

Amazon S3 stores data as objects inside buckets. To store data, you first create a bucket, choose a bucket name, and choose a Region. When you upload a file, it becomes an object with file data plus metadata.

Note

This is intentionally a safe lab. We keep everything private. New S3 buckets block public access by default, and Object Ownership is set to Bucket owner enforced, which disables ACLs. We are learning storage, privacy defaults, and access boundaries first.


What you are building

  • One private S3 bucket
  • One uploaded test file
  • One simple IAM policy example for that bucket
  • One visibility checklist so you know what AWS shows you right away vs what requires extra setup

S3 Private Bucket Lab
01. Choose a Region

Buckets are created in a specific Region and stay there.

02. Create a general purpose bucket

Buckets are the container for objects — you need one before uploading anything.

03. Leave Block Public Access on

This keeps the bucket private by default and prevents accidental public exposure.

04. Leave Object Ownership at Bucket owner enforced

This disables ACLs and simplifies ownership — all objects are owned by the bucket owner.

05. Upload one test file

Uploading a file creates your first S3 object — the file data plus metadata.

06. Verify the bucket is still private

Confirms that safe defaults held and nothing accidentally became public.

07. Read the narrow IAM policy for this bucket

Seeing least-privilege in action: only list, get, and put — no delete.

08. Review the visibility and observability notes

Knowing what CloudTrail and CloudWatch do (and don't) show for S3 avoids false alarms.
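The lesson's own sample policy is not reproduced on this page, so here is an added example (not the lesson's code) of a narrow policy written to the description in Step 7: list, get and put on one bucket, no delete. The bucket name is a placeholder. Alongside it are two small checks a practitioner would run: one that reads the policy and reports anything broader than intended (wildcards, delete actions, resources outside the bucket), and one that confirms all four Block Public Access settings from Steps 3 and 6 are enabled. The checks work on policy and configuration documents as plain data, so they run offline without an AWS account.

```python
"""Least-privilege S3 policy and Block Public Access checks.

Added example, not the lesson's own code. NARROW_POLICY is written to match
the lesson's description of Step 7 (ListBucket, GetObject, PutObject; no
delete). BUCKET is a placeholder name, not a real bucket.
"""
import json

BUCKET = "example-lab-bucket"  # placeholder
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

# Two statements: ListBucket applies to the bucket ARN itself, while
# GetObject/PutObject apply to objects inside it (the "/*" resource).
NARROW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOnlyThisBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": BUCKET_ARN,
        },
        {
            "Sid": "ReadWriteObjectsNoDelete",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"{BUCKET_ARN}/*",
        },
    ],
}

# The four settings the console groups under "Block Public Access". All four
# are on for a new bucket, which is what Step 6 verifies.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)

EXPECTED_ACTIONS = {"s3:ListBucket", "s3:GetObject", "s3:PutObject"}


def _as_list(value):
    """IAM allows Action and Resource to be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def allowed_actions(policy: dict) -> set:
    """Every action granted by an Allow statement."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def audit_policy(policy: dict, bucket: str) -> list:
    """Findings that make the policy broader than the lesson intends.

    An empty list means: only list/get/put, every resource inside `bucket`,
    no wildcard actions. Deny statements are skipped because they can only
    narrow access, never widen it.
    """
    findings = []
    prefix = f"arn:aws:s3:::{bucket}"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in sorted(_as_list(stmt.get("Action", []))):
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif "Delete" in action:
                findings.append(f"delete permission: {action}")
            elif action not in EXPECTED_ACTIONS:
                findings.append(f"unexpected action: {action}")
        for res in _as_list(stmt.get("Resource", [])):
            if res != prefix and not res.startswith(prefix + "/"):
                findings.append(f"resource not limited to bucket: {res}")
    return findings


def public_access_fully_blocked(config: dict) -> bool:
    """True only when all four Block Public Access settings are enabled."""
    return all(config.get(key) is True for key in PUBLIC_ACCESS_BLOCK_KEYS)


if __name__ == "__main__":
    print(json.dumps(NARROW_POLICY, indent=2))
    print("findings:", audit_policy(NARROW_POLICY, BUCKET))
    # Constructed configuration mirroring the default for a new bucket.
    default_block = {key: True for key in PUBLIC_ACCESS_BLOCK_KEYS}
    print("fully blocked:", public_access_fully_blocked(default_block))
```

The audit deliberately treats `s3:*` and any `Delete*` action as findings rather than silently allowing them, because those are exactly the permissions the lesson's policy leaves out. Feed it a real policy document (the JSON the console shows) and an empty result means the policy matches the least-privilege shape described in Step 7.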


Micro-activity: Policy reading

Look at the sample IAM policy from Step 7 and answer:

Practice

Which action in the policy lets you see the bucket contents list?


Summary

You created an S3 bucket, kept it private using S3 safe defaults, and uploaded your first object. New buckets default to blocked public access and bucket-owner-enforced object ownership, which is exactly what you want.

You also learned an important observability distinction: CloudTrail Event history is on by default for 90 days of management events, but S3 uploads and downloads are object-level data events, which require additional CloudTrail configuration to log.

CloudWatch visibility for S3 exists, but request-level metrics are opt-in and billed, so they are better treated as an optional add-on for later lessons.
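To make the management-event versus data-event distinction concrete, here is an added example (not part of the lesson) that sorts S3 activity the way CloudTrail Event history does. The records are constructed to mimic the shape of CloudTrail log entries; `eventName`, `eventSource`, `eventCategory`, `managementEvent` and `readOnly` are real record fields, but the values here are invented. The report shows which of the lab's own actions you would find in Event history with no extra setup and which (the upload and any download) would be missing until a trail logs S3 data events. A second function picks out the management calls that change who can reach a bucket, since those do appear by default and are the ones worth reviewing after a lab.

```python
"""Which S3 calls show up in CloudTrail Event history by default?

Added example, not the lesson's own code. SAMPLE_EVENTS is constructed to
mimic CloudTrail record fields; the values are invented. Event history shows
management events for 90 days. Object-level calls such as PutObject and
GetObject are data events and are only logged when a trail has S3 data
events enabled.
"""

# S3 management calls that change the bucket's privacy posture. These are
# management events, so Event history shows them without extra setup.
POSTURE_CHANGING_CALLS = {
    "PutBucketAcl",
    "PutBucketPolicy",
    "DeleteBucketPolicy",
    "PutPublicAccessBlock",
    "DeletePublicAccessBlock",
    "PutBucketOwnershipControls",
}

# Constructed records, in the order the lab would produce them.
SAMPLE_EVENTS = [
    {"eventName": "CreateBucket", "eventSource": "s3.amazonaws.com",
     "eventCategory": "Management", "managementEvent": True, "readOnly": False},
    {"eventName": "PutPublicAccessBlock", "eventSource": "s3.amazonaws.com",
     "eventCategory": "Management", "managementEvent": True, "readOnly": False},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "eventCategory": "Data", "managementEvent": False, "readOnly": False},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "eventCategory": "Data", "managementEvent": False, "readOnly": True},
    {"eventName": "DeleteBucket", "eventSource": "s3.amazonaws.com",
     "eventCategory": "Management", "managementEvent": True, "readOnly": False},
]


def is_management_event(event: dict) -> bool:
    """CloudTrail marks management events with managementEvent/eventCategory."""
    return (event.get("managementEvent") is True
            or event.get("eventCategory") == "Management")


def visibility_report(events, data_events_enabled: bool = False) -> dict:
    """Split event names into those visible in Event history and those not
    logged at all. Data events become visible only when a trail logs them."""
    report = {"visible": [], "not_logged": []}
    for event in events:
        if is_management_event(event) or data_events_enabled:
            report["visible"].append(event["eventName"])
        else:
            report["not_logged"].append(event["eventName"])
    return report


def privacy_posture_changes(events) -> list:
    """S3 management calls that can widen or narrow who reaches the bucket."""
    return [
        event["eventName"]
        for event in events
        if event.get("eventSource") == "s3.amazonaws.com"
        and event["eventName"] in POSTURE_CHANGING_CALLS
    ]


if __name__ == "__main__":
    print("default Event history:", visibility_report(SAMPLE_EVENTS))
    print("with S3 data events:  ", visibility_report(SAMPLE_EVENTS, True))
    print("posture changes:      ", privacy_posture_changes(SAMPLE_EVENTS))
```

The practical lesson is the `not_logged` list: with only the default Event history, the upload from Step 5 leaves no CloudTrail record, so "no PutObject in Event history" is not evidence that nothing was uploaded. Bucket-level changes such as `PutPublicAccessBlock`, on the other hand, are always there to review.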


Quiz

Knowledge Check

What is the safest default choice for a first S3 learning bucket?