Amazon S3 Security

Question 1

What are the 4 methods to encrypt objects in S3?

Answer 1

Server-side, customer managed keys
Server-side, AWS managed keys
Server-side, KMS managed keys
Client-side, customer managed keys

Question 2

Which S3 object encryption type can be audited with CloudTrail?

Answer 2

SSE-KMS, logs each time the key is used

Question 3

What does client-side encryption mean?

Answer 3

The client encrypts the data themself before sending it to S3, and decrypts once it is out of S3. This means AWS never sees the data unencrypted.
The client must manage the keys themself.

Question 4

What is the default option for S3 object encryption at rest?

Answer 4

SSE-S3, or server side encryption with Amazon S3 managed keys

Question 5

What is used for S3 encryption in-flight?

Answer 5

SSL/TLS with HTTPS

Question 6

Is it possible to force encryption for new objects put into an S3 bucket?

Answer 6

Yes - you can refuse any API call to PUT an object that doesn’t have encryption headers

Question 7

What does CORS stand for?

Answer 7

Cross Origin Resource Sharing

Question 8

What is a cross origin request?

Answer 8

When a web page from one domain (origin) makes a request for resources from a different domain, e.g. example.com requests resources from anothersite.com

Question 9

Why are CORS headers important?

Answer 9

Cross origin requests are typically denied for security reasons unless explicitly allowed through CORS headers. If a user wants to share resources across domains, they need to change the CORS headers accordingly.

Question 10

What is one way to prevent a user from accidentally deleting significant swathes of data without verifying their identity?

Answer 10

MFA delete

Question 11

What two actions can be enabled to force MFA with MFA delete?

Answer 11

Permanent deletion of an object version
Suspend versioning on the bucket

Question 12

What level of account permissions can enable or disable MFA delete?

Answer 12

Only the root account

Question 13

How would you store the logs of access to your S3 buckets?

Answer 13

Store the logs in a separate S3 bucket in the same region. DO NOT store the logs in the same bucket as the one you are logging access to otherwise it will cause an infinite loop (the bucket is accessed in order to put the logs in, which gets logged, etc.)

Question 14

What is a pre-signed URL? Which service does this apply to?

Answer 14

A URL that you can generate using the S3 console, SLI or SDK that expires after a certain period of time and gives users access permissions equivalent to those of the user that granted the URL.
For S3.

Question 15

What is Glacier Vault Lock?

Answer 15

Write the object once, can be read many times but cannot ever be changed or deleted.

Question 16

What are the 2 retention modes for S3 object lock?

Answer 16

Compliance and governance

Question 17

What S3 object lock retention mode allows admins but not any other user to change/delete things?

Answer 17

Governance

Question 18

What S3 object lock retention mode allows not even the root user to change/delete things?

Answer 18

Compliance

Question 19

What is S3 legal hold?

Answer 19

An object is protected indefinitely, independent from previous retention periods or modes it was on before.

Question 20

What is a retention period for S3?

Answer 20

How long the object is protected for, can be extended

Question 21

What is an S3 access point? Why is it useful?

Answer 21

Simplifies giving segments of users access to specific parts (prefixes) of an S3 bucket by breaking down the access segments of the bucket.
E.g. make a preset access point which has all finance data within and then make a policy which allows/denies people to that access point

Question 22

What is S3 Object Lambda?

Answer 22

Allows the user to modify an object with a lambda function before it is retrieved by a caller.
We need an S3 access point for the lambda function and S3 Object Lambda access point.
Could be used, for example, to redact objects before the are sent out