Amazon S3 Security Flashcards
What are the 4 types of keys to encrypt objects in S3?
Server-side with customer-provided keys (SSE-C): you send the key with each request and S3 discards it after use
Server-side with Amazon S3 managed keys (SSE-S3)
Server-side with AWS KMS keys (SSE-KMS)
Client-side: the client holds the keys and encrypts before upload
Which S3 object encryption type can be audited with CloudTrail?
SSE-KMS: every upload and download calls KMS (GenerateDataKey / Decrypt) and CloudTrail records each call, so you can see which principal used which key and when. SSE-S3 key usage is not visible in CloudTrail.
What does client-side encryption mean?
The client encrypts the data itself before sending it to S3 and decrypts it after downloading, so AWS never sees the plaintext.
The client must manage the keys itself; S3 only ever stores ciphertext, so losing the keys means losing the data.
What is the default option for S3 object encryption at rest?
SSE-S3, server-side encryption with Amazon S3 managed keys, applied automatically to every new object since January 2023
What is used for S3 encryption in-flight?
TLS, by using the HTTPS endpoints (still commonly called SSL/TLS); plain HTTP can be rejected with the aws:SecureTransport condition in the bucket policy
Is it possible to force encryption for new objects put into an S3 bucket?
Yes - a bucket policy can deny s3:PutObject requests that lack the x-amz-server-side-encryption header or that name the wrong algorithm, e.g. to require SSE-KMS rather than the default SSE-S3. A Deny statement overrides any Allow, so it holds even for principals that otherwise have write access.
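The bucket policy described above, as an added example that is not part of the original flashcards: a Python function that builds the policy document (two Deny statements for the encryption header, one for non-TLS transport) and a small local model of how those Deny conditions apply to a PutObject request. The bucket name and the choice of SSE-KMS as the required algorithm are assumptions; the evaluator is a model of the three condition operators used here, not the IAM policy engine.

```python
"""Bucket policy that refuses unencrypted and non-TLS uploads, plus a local
model of its Deny statements.  Added example, not from the original flashcards;
the bucket name and the required algorithm (SSE-KMS) are assumptions."""
import json
from typing import Optional

BUCKET = "example-bucket"   # assumption: substitute your own bucket name


def encryption_enforcing_policy(bucket: str, required_algorithm: str = "aws:kms") -> dict:
    """Return a bucket policy with three Deny statements.

    1. PutObject whose x-amz-server-side-encryption header names a different
       algorithm than required (use "AES256" to require SSE-S3 instead).
    2. PutObject with no x-amz-server-side-encryption header at all.  The Null
       statement catches the missing-header case explicitly, so the outcome does
       not depend on how StringNotEquals treats an absent key.
    3. Any request not made over TLS (aws:SecureTransport is false).
    Deny always beats Allow in IAM evaluation, so these hold regardless of what
    other bucket or identity policies grant.
    """
    arn_objects = f"arn:aws:s3:::{bucket}/*"
    arn_bucket = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyWrongEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn_objects,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": required_algorithm}},
            },
            {
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn_objects,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn_bucket, arn_objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def policy_json(bucket: str) -> str:
    """The document as you would pass it to put-bucket-policy."""
    return json.dumps(encryption_enforcing_policy(bucket), indent=2)


def put_is_denied(policy: dict, sse_header: Optional[str], over_tls: bool) -> Optional[str]:
    """Local model of the Deny statements for one PutObject request.

    Returns the Sid of the first Deny whose condition matches, or None when no
    Deny applies.  Only StringNotEquals, Null and Bool are modelled, which is
    all this policy uses; a missing key never matches StringNotEquals here.
    """
    context = {
        "s3:x-amz-server-side-encryption": sse_header,
        "aws:SecureTransport": "true" if over_tls else "false",
    }
    for stmt in policy["Statement"]:
        if stmt["Action"] not in ("s3:PutObject", "s3:*"):
            continue
        [(operator, conds)] = stmt["Condition"].items()   # one operator per statement
        matched = False
        for key, want in conds.items():
            have = context.get(key)
            if operator == "StringNotEquals":
                matched = have is not None and have != want
            elif operator == "Null":
                matched = (have is None) == (want == "true")
            elif operator == "Bool":
                matched = have == want
        if matched:
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    print(policy_json(BUCKET))
    print(put_is_denied(encryption_enforcing_policy(BUCKET), None, True))
```

The model is useful for reasoning about which uploads get refused before you push the policy: a PUT with no header is caught by the Null statement, a PUT asking for AES256 by the StringNotEquals statement, and a PUT over HTTP by the transport statement even when the header is correct.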
What does CORS stand for?
Cross Origin Resource Sharing
What is a cross origin request?
When a web page served from one origin (scheme + host + port) requests a resource from a different origin, e.g. a page on https://example.com fetching from https://anothersite.com
Why are CORS headers important?
Browsers block a page from reading the response to a cross origin request unless the responding server explicitly allows that origin through CORS headers (Access-Control-Allow-Origin and related headers). To let a page on another origin load assets from a bucket, add a CORS rule to the bucket listing the allowed origins, methods and headers. CORS is a browser-side protection for the user, not access control: tools such as curl ignore it, so bucket and object permissions must still be correct.
What is one way to prevent a user from accidentally deleting significant swathes of data without providing a second factor?
MFA delete (requires versioning to be enabled on the bucket)
For what two actions can MFA be forced through MFA delete?
Permanent deletion of an object version
Suspend versioning on the bucket
What level of account permissions can enable or disable MFA delete?
Only the root user of the bucket-owning account, and only through the CLI, API or SDK (not the console)
How would you store the logs of access to your S3 buckets?
Enable server access logging and store the logs in a separate bucket in the same region (the target bucket's policy must allow the logging.s3.amazonaws.com service principal to write to it). DO NOT log to the bucket being logged: every log write is itself an access that gets logged, so the bucket fills up in a loop. Lock the log bucket down, since access logs reveal who read what.
What is a pre-signed URL? Which service does this apply to?
A URL generated with the S3 console, CLI or SDK that carries a signature (SigV4 query parameters) and an expiry. Whoever holds it can perform the one signed operation (e.g. GET a specific object) with the permissions of the IAM principal that signed it, without their own AWS credentials, until it expires (at most 7 days when signed with IAM user credentials). It cannot be revoked early except by invalidating the signing credentials or removing the signer's permission, so treat the URL as a bearer token.
For S3.
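To make the "signature plus expiry" point concrete, here is an added example (not from the original flashcards, and not the SDK's own code) that reimplements SigV4 query-string presigning for a GET with only the standard library, then reads the expiry back out of the resulting URL. The bucket, key, region and timestamp are assumptions, and the credentials are the placeholder pair used throughout the AWS documentation, not real keys; in practice you would call the SDK's generate_presigned_url rather than hand-roll this.

```python
"""SigV4 query-string presigning for an S3 GET, written out by hand.
Added example; bucket, key, region, timestamp and the placeholder credentials
(the AWS documentation example pair) are assumptions."""
import datetime
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                      # placeholder from AWS docs
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # placeholder from AWS docs
EXAMPLE_NOW = datetime.datetime(2024, 1, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str = "s3") -> bytes:
    """Derive the per-day signing key: HMAC chain over date, region, service."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def presign_get(bucket: str, key: str, access_key: str, secret_key: str,
                region: str, expires: int, now: datetime.datetime) -> str:
    """Return a presigned GET URL valid for `expires` seconds from `now` (aware UTC)."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{date}/{region}/s3/aws4_request"
    # Everything that identifies the grant (who, when, how long) goes into the
    # query string and is covered by the signature, so none of it can be edited.
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    canonical_uri = quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_query,
        f"host:{host}\n",          # canonical headers, each terminated by \n
        "host",                    # signed headers
        "UNSIGNED-PAYLOAD",        # presigned GETs do not hash a body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def presign_example() -> str:
    """One hour of access to a single object, signed at EXAMPLE_NOW (assumed names)."""
    return presign_get("example-bucket", "reports/q1.pdf", ACCESS_KEY, SECRET_KEY,
                       "us-east-1", 3600, EXAMPLE_NOW)


def seconds_until_expiry(url: str, now: datetime.datetime) -> int:
    """Read X-Amz-Date and X-Amz-Expires back out of a presigned URL; negative = expired."""
    q = parse_qs(urlparse(url).query)
    signed_at = datetime.datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=datetime.timezone.utc)
    expires_at = signed_at + datetime.timedelta(seconds=int(q["X-Amz-Expires"][0]))
    return int((expires_at - now).total_seconds())


if __name__ == "__main__":
    url = presign_example()
    print(url)
    print("seconds left:", seconds_until_expiry(url, EXAMPLE_NOW))
```

Two things follow from the construction: the expiry is inside the signed query string, so a holder cannot extend it without invalidating the signature, and nothing in the URL names the object's permissions; S3 authorizes the request as the signer at redemption time, which is why removing the signer's access is the only early revocation.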
What is Glacier Vault Lock?
A lock on an S3 Glacier vault's access policy that enforces write once, read many (WORM): you initiate the lock, have 24 hours to test and complete it, and once completed the policy cannot be changed or deleted by anyone, so archives can be read but never altered or deleted before the retention it specifies ends.
What are the 2 retention modes for S3 object lock?
Compliance and governance
What S3 object lock retention mode allows admins but not any other user to change/delete things?
Governance: only principals holding the s3:BypassGovernanceRetention permission (and who send the x-amz-bypass-governance-retention:true header) can shorten retention or delete the version
What S3 object lock retention mode allows not even the root user to change/delete things?
Compliance: no principal, not even the root user, can delete the version or shorten its retention until the period expires
What is S3 legal hold?
A flag on an object version that protects it indefinitely until the hold is explicitly removed; it is independent of any retention period or mode set on the version (setting and removing it needs the s3:PutObjectLegalHold permission)
What is a retention period for S3?
How long an object version is protected (set per version or as a bucket default); it can be extended but not shortened, except in governance mode by a principal allowed to bypass governance retention
What is an S3 access point? Why is it useful?
A named network endpoint attached to a bucket with its own access policy. Instead of one large bucket policy, you create one access point per group of users or application, scoped to the prefixes it needs, and grant access to that access point; access points can also be restricted to a VPC.
E.g. create a finance access point whose policy only allows the finance/* prefix and grant the finance team access to that access point rather than to the bucket
What is S3 Object Lambda?
Lets a Lambda function transform an object on the fly as a caller retrieves it through GetObject, without changing the stored object.
It needs a standard S3 access point (the supporting access point) plus an Object Lambda access point that points at the function; callers use the Object Lambda access point's ARN instead of the bucket name.
Could be used, for example, to redact personal data before the object is returned to the caller
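The redaction case, as an added example that is not part of the original flashcards: a Lambda handler in the shape Object Lambda invokes, which fetches the original object from the presigned inputS3Url in the event, redacts it, and hands the result back with WriteGetObjectResponse. The redaction patterns and the sample document are constructed for illustration; the boto3 import sits inside the handler so the redact() function can be exercised without the SDK or network access.

```python
"""S3 Object Lambda handler that redacts personal data on the way out.
Added example; the patterns and SAMPLE_DOCUMENT are constructed, and the boto3
call only runs inside Lambda where the SDK and the output route are available."""
import re
import urllib.request

EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # US social security number shape

# Constructed sample of the kind of object the transform would be applied to.
SAMPLE_DOCUMENT = "Customer: alice@example.com, reference 123-45-6789, balance 42.00\n"


def redact(text: str) -> str:
    """Replace e-mail addresses and SSN-shaped numbers with fixed markers."""
    text = EMAIL.sub("[email redacted]", text)
    return SSN.sub("[ssn redacted]", text)


def handler(event, context):
    """Entry point invoked by S3 Object Lambda for each GetObject.

    event["getObjectContext"] carries:
      inputS3Url  - presigned URL for the original object, valid for this call only
      outputRoute - routing token identifying the waiting GetObject caller
      outputToken - opaque token that must be echoed back with the response
    event["userRequest"] holds the caller's URL and headers if you need them.
    """
    ctx = event["getObjectContext"]
    with urllib.request.urlopen(ctx["inputS3Url"]) as resp:   # fetch original via supporting access point
        original = resp.read().decode("utf-8")

    import boto3  # imported here so redact() is usable without the SDK installed
    s3 = boto3.client("s3")
    # The transformed bytes go back through WriteGetObjectResponse, not to the caller directly.
    s3.write_get_object_response(
        Body=redact(original).encode("utf-8"),
        RequestRoute=ctx["outputRoute"],
        RequestToken=ctx["outputToken"],
    )
    return {"status_code": 200}


if __name__ == "__main__":
    print(redact(SAMPLE_DOCUMENT), end="")
```

Because the stored object is untouched, a caller who can reach the supporting access point or the bucket directly still sees the unredacted data; the point of the design is that callers are granted the Object Lambda access point only, and the function's execution role is what holds the read permission on the underlying object.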