How S3 Achieves 11 Nines (99.999999999%) - The Inner Workings of Object Storage Durability
This article explains the internal architecture behind S3's claimed 99.999999999% durability through three mechanisms: data distribution, integrity verification, and automatic repair, with concrete numbers illustrating what 11 nines actually means.
What Does 11 Nines Actually Mean in Concrete Terms
99.999999999% is a number that is hard to grasp intuitively. To put it in perspective: if you store 10 million objects in S3, you would statistically lose one object every 10,000 years. Alternatively, if all 8 billion people on Earth each stored one object in S3, fewer than one object would be lost over 100 years. It is important to note that this figure represents "durability," not "availability." Availability is the percentage of time the service is accessible, and S3 Standard's availability is 99.99% (roughly 52 minutes of downtime per year). Durability is the probability that data will not be lost, guaranteeing that once an object is stored, it will not physically disappear. In other words, there may be brief moments when S3 is temporarily inaccessible, but the data itself is virtually never lost. Without understanding this distinction, some people mistakenly assume their data has been deleted during an S3 outage.
Data Distribution - Redundancy Across at Least Three AZs
The first pillar of S3's durability is the physical distribution of data. When you upload an object to S3 Standard, AWS replicates the data across a minimum of three Availability Zones (AZs) within the same region. By the time a 200 OK is returned for a PUT request, data has been written to at least two AZs. Replication to the third AZ happens asynchronously but typically completes within seconds. Each AZ consists of independent data center clusters separated by tens of kilometers or more, with fully independent power systems, cooling systems, and network connections. This means that even if one AZ is completely destroyed by a natural disaster or major outage, the data remains in the other two AZs, so the object is not lost. The probability of two AZs being simultaneously and completely destroyed is extremely low, and this forms the physical foundation of 11 nines durability. S3 One Zone-IA is an exception: it stores data in a single AZ only, so while durability remains at 99.999999999%, it is vulnerable to the complete physical destruction of that AZ.
Integrity Verification - Monitoring Every Bit at All Times
Distributing data across multiple AZs alone is not enough to achieve 11 nines. Countermeasures against "silent data corruption," where data degrades quietly due to disk aging, cosmic ray-induced bit flips, or firmware bugs, are essential. S3 calculates an MD5 checksum when storing an object and retains it as metadata. Since 2021, users can also specify additional checksum algorithms (CRC32, CRC32C, SHA-1, SHA-256). S3 periodically recalculates checksums for all objects in the background and compares them against the stored values. This process, called "scrubbing," detects bit-level corruption early. At re:Invent 2023, AWS disclosed that S3 performs billions of checksum verifications per day. Any detected corruption is automatically repaired from healthy copies stored in other AZs. This cycle of detection and repair prevents data degradation before it becomes a problem.
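The checksums named above, in the encodings S3 actually stores them in, plus a toy version of the scrub-and-repair cycle, as an added example (not code from the article or from AWS). CRC-32C is implemented in pure Python because the standard library only provides CRC-32; the per-AZ replica dictionary and the sample object body are constructed for illustration, and the scrubber is a simplified model of the behaviour described, not S3's internal implementation.

```python
import base64
import hashlib
import zlib

# Table-driven CRC-32C (Castagnoli, reflected polynomial 0x82F63B78). The standard
# library ships CRC-32 only (zlib.crc32), so CRC-32C is implemented here.
_CRC32C_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0x82F63B78 if _c & 1 else _c >> 1
    _CRC32C_TABLE.append(_c)


def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = _CRC32C_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def s3_checksums(data: bytes) -> dict:
    """Compute every checksum the article lists, in the encoding S3 uses:
    ETag is the hex MD5 of a single-part upload; the x-amz-checksum-* headers
    carry base64 of the big-endian 4-byte CRC or of the raw SHA digest."""
    return {
        "ETag": hashlib.md5(data).hexdigest(),
        "x-amz-checksum-crc32": base64.b64encode(zlib.crc32(data).to_bytes(4, "big")).decode(),
        "x-amz-checksum-crc32c": base64.b64encode(crc32c(data).to_bytes(4, "big")).decode(),
        "x-amz-checksum-sha1": base64.b64encode(hashlib.sha1(data).digest()).decode(),
        "x-amz-checksum-sha256": base64.b64encode(hashlib.sha256(data).digest()).decode(),
    }


def multipart_etag(data: bytes, part_size: int) -> str:
    """ETag of a multipart upload: MD5 over the concatenated binary MD5s of the
    parts, suffixed with "-<part count>". A single-part upload keeps the plain MD5.
    Useful for checking a local file against the ETag S3 reports."""
    parts = [data[i:i + part_size] for i in range(0, len(data), part_size)]
    if len(parts) <= 1:
        return hashlib.md5(data).hexdigest()
    combined = hashlib.md5(b"".join(hashlib.md5(p).digest() for p in parts))
    return f"{combined.hexdigest()}-{len(parts)}"


def scrub(replicas: dict, expected_sha256: str) -> dict:
    """Toy scrubbing pass over per-AZ copies of one object: recompute each copy's
    SHA-256, compare with the checksum stored at PUT time, and overwrite any
    mismatching copy with a healthy one. Mutates `replicas` in place and returns
    {az: "ok" | "repaired" | "unrecoverable"}."""
    status = {}
    healthy = None
    for az, blob in replicas.items():
        intact = s3_checksums(blob)["x-amz-checksum-sha256"] == expected_sha256
        status[az] = "ok" if intact else "corrupt"
        if intact and healthy is None:
            healthy = blob
    for az in list(status):
        if status[az] == "corrupt":
            if healthy is None:
                status[az] = "unrecoverable"  # every copy disagrees with the stored checksum
            else:
                replicas[az] = healthy
                status[az] = "repaired"
    return status


if __name__ == "__main__":
    obj = b"example object body"  # constructed sample data
    stored = s3_checksums(obj)
    # Simulate a single bit flip in one AZ's copy, then run the scrubber.
    copies = {"az-a": obj, "az-b": bytes([obj[0] ^ 0x01]) + obj[1:], "az-c": obj}
    print(stored)
    print(scrub(copies, stored["x-amz-checksum-sha256"]))
```

Note that S3 returns the ETag wrapped in double quotes, and that the multipart ETag is only reproducible if you know the part size used for the upload; the checksum headers, by contrast, cover the whole object regardless of how it was uploaded, which is why they are the better choice for end-to-end integrity checks.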
Automatic Repair - Recovery Without Human Intervention
S3's automatic repair mechanism operates in stages against disk failures, server failures, and AZ-level failures. When an individual disk fails, S3 detects it immediately and re-replicates the data fragments from that disk to other healthy disks. AWS data centers experience large numbers of disk failures every day, and this automatic repair runs 24/7 without human intervention. The same process applies to server-level failures. What matters is the speed of repair. Between the time a failure occurs and re-replication completes, redundancy is temporarily reduced. To minimize this "vulnerability window," S3 runs repair processing as a top-priority background task. AWS does not publish specific repair times, but the design is optimized to prevent prolonged periods of reduced redundancy. Additionally, S3 uses erasure coding, splitting data into multiple fragments for storage. Even if some fragments are lost, the original data can be fully reconstructed from the remaining fragments. This approach achieves higher durability than simple triple replication while using less storage capacity.
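The erasure-coding idea in the last paragraph, shown with the simplest possible code: k data fragments plus one XOR parity fragment, from which any single lost fragment can be rebuilt. This is an added illustration, not S3's scheme (AWS does not publish its fragment counts or code), and the sample data is constructed; the overhead helper makes the storage comparison against triple replication concrete.

```python
def encode_xor(data: bytes, k: int) -> list:
    """Split `data` into k equal data fragments (zero-padded) plus one parity
    fragment that is the bytewise XOR of the k data fragments. Returns k+1 fragments,
    the kind of thing that would be spread over independent disks or AZs."""
    frag_len = -(-len(data) // k)  # ceiling division
    padded = data.ljust(frag_len * k, b"\0")
    frags = [padded[i * frag_len:(i + 1) * frag_len] for i in range(k)]
    parity = bytearray(frag_len)
    for frag in frags:
        for i, b in enumerate(frag):
            parity[i] ^= b
    return frags + [bytes(parity)]


def decode_xor(frags: list, k: int, length: int) -> bytes:
    """Rebuild the original `length` bytes from k+1 fragments where at most one
    entry is None (lost). The XOR of the surviving k fragments equals the missing
    one, whether it was a data or the parity fragment."""
    frags = list(frags)
    missing = [i for i, f in enumerate(frags) if f is None]
    if len(missing) > 1:
        raise ValueError(f"{len(missing)} fragments lost; single parity can rebuild only one")
    if missing:
        survivors = [f for f in frags if f is not None]
        rebuilt = bytearray(len(survivors[0]))
        for frag in survivors:
            for i, b in enumerate(frag):
                rebuilt[i] ^= b
        frags[missing[0]] = bytes(rebuilt)
    return b"".join(frags[:k])[:length]


def storage_overhead(k: int, m: int) -> float:
    """Raw bytes stored per byte of user data for k data + m parity fragments.
    Triple replication is the k=1, m=2 case and costs 3.0."""
    return (k + m) / k


if __name__ == "__main__":
    payload = b"constructed sample object"  # constructed sample data
    frags = encode_xor(payload, 4)
    frags[1] = None  # simulate losing the disk that held fragment 1
    print(decode_xor(frags, 4, len(payload)))
    print("overhead, 4+1 XOR:", storage_overhead(4, 1), "vs triple replication:", storage_overhead(1, 2))
```

The single-parity code tolerates one loss at 1.25x storage, where triple replication tolerates two losses at 3x; production object stores use Reed-Solomon style codes with several parity fragments so that they tolerate multiple simultaneous losses while keeping the overhead well below 3x. The repair speed point in the text applies here too: while a fragment is missing, the code is one failure away from data loss, so rebuilding it promptly is what keeps the durability figure intact.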
Scenarios Where Data Can Still Be Lost Despite 11 Nines
S3's durability is extremely high, but the risk of data loss is not zero. The 11 nines guarantee covers data loss caused by physical failures on the AWS side. User-side operational errors are not covered. The most common cause of data loss is accidental DELETE operations. If you delete an object without versioning enabled, it is immediately and permanently deleted. Even with versioning enabled, a DELETE specifying a version ID is a permanent deletion. To address this, S3 Object Lock (WORM: Write Once Read Many) can make it physically impossible to delete or overwrite objects during a specified period. Enabling MFA Delete requires MFA authentication for delete operations. Another often-overlooked risk is the loss of encryption keys. Objects encrypted with SSE-C (customer-provided keys) become unreadable if the key is lost. The data still exists on S3, but it cannot be decrypted. Using SSE-KMS and setting a waiting period (7 to 30 days) for KMS key deletion mitigates this risk.
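A small model of the DELETE outcomes described above, added here as an illustration (it is not the S3 API and not AWS code): an unversioned bucket loses the object on a plain DELETE, a versioned bucket only inserts a delete marker, a DELETE that names a version ID removes that version for good, Object Lock retention refuses the versioned DELETE until the retain-until date passes, and MFA Delete refuses it without an MFA code. Version IDs, the logical day clock and the sample keys are all constructed.

```python
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass
class Version:
    version_id: str
    body: Optional[bytes]   # None marks a delete marker
    retain_until: int = 0   # Object Lock retain-until, in days on the bucket's logical clock


class Bucket:
    """Simplified model of S3 versioning, delete markers, Object Lock retention
    and MFA Delete. It reproduces only the outcomes the text describes."""

    def __init__(self, versioning=False, mfa_delete=False):
        self.versioning = versioning
        self.mfa_delete = mfa_delete
        self.objects = {}               # key -> list of Version, oldest first
        self._ids = itertools.count(1)  # constructed version-id generator
        self.today = 0                  # logical clock, in days

    def put(self, key, body, retain_days=0):
        versions = self.objects.setdefault(key, [])
        if not self.versioning:
            versions.clear()            # an unversioned bucket keeps only the newest copy
        vid = f"v{next(self._ids)}" if self.versioning else "null"
        versions.append(Version(vid, body, self.today + retain_days))
        return vid

    def get(self, key, version_id=None):
        versions = self.objects.get(key, [])
        if version_id is None:
            # The current version is whatever was written last; a delete marker hides the key.
            if not versions or versions[-1].body is None:
                raise KeyError("NoSuchKey")
            return versions[-1].body
        for v in versions:
            if v.version_id == version_id:
                if v.body is None:
                    raise KeyError("MethodNotAllowed: version is a delete marker")
                return v.body
        raise KeyError("NoSuchVersion")

    def delete(self, key, version_id=None, mfa=False):
        versions = self.objects.get(key, [])
        if version_id is None:
            if self.versioning:
                # Versioned bucket: a plain DELETE only inserts a delete marker.
                versions.append(Version(f"v{next(self._ids)}", None))
                return "delete-marker"
            versions.clear()            # unversioned: the object is gone for good
            return "permanently-deleted"
        if self.mfa_delete and not mfa:
            raise PermissionError("AccessDenied: MFA Delete requires an MFA code")
        for v in versions:
            if v.version_id == version_id:
                if v.retain_until > self.today:
                    raise PermissionError("AccessDenied: Object Lock retention in effect")
                versions.remove(v)      # removing a delete marker makes the object current again
                return "permanently-deleted"
        return "no-such-version"


if __name__ == "__main__":
    b = Bucket(versioning=True)
    vid = b.put("report.csv", b"q1 figures")
    print(b.delete("report.csv"))               # delete-marker: recoverable
    print(b.delete("report.csv", vid))          # permanently-deleted: not recoverable
```

The recovery path for an accidental plain DELETE in a versioned bucket is to delete the delete marker itself (a versioned DELETE naming the marker's ID), which the model reproduces; the irreversible step is always the DELETE that names a real version ID, which is exactly the operation Object Lock and MFA Delete guard.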