Amazon S3 Secutity

Question 1

4 methods used to encrypt objects in S3 buckets?

Answer 1

1. SSE-S3
2. SSE-KMS
3. SSE-C
4. Client Side

Question 2

How does “Server-Side Encryption with Amazon S3-Managed Keys” work?

Answer 2

SSE-S3 is enabled by default.

Encrypts S3 objects using keys handled. Managed and owned by AWS

Question 3

How does “Server-Side Encryption with KMS Keys stored in AWS KMS” work?

Answer 3

SSE-KMS leverages AWS Key Management Service(AWSKMS) to manage encryption keys

Question 4

How does Server-Side Encryption with Customer-Provided Keys work?

Answer 4

SSE-C is for when you want to manage your own encryption keys

Question 5

What is DSSE-KMS ?

Answer 5

double encryption based on KMS

Question 6

Features:
- Encryption using keys handled, managed, and owned by AWS
- Object is encrypted server-side
- Encryption type is AES-256
- Must set header “x-amz-server-side-encryption”: “AES256”
- Enabled by default for new buckets & new objects

Answer 6

Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)

Question 7

Features:
- Encryption using keys handled and managed by AWS KMS (Key Management Service)
- KMS advantages: user control + audit key usage using CloudTrail
- Object is encrypted server side
- Must set header “x-amz-server-side-encryption”: “aws:kms”

Answer 7

Server-Side Encryption with KMS Keys stored in AWS KMS (SSE-KMS)

Question 8

Features:
- Server-Side Encryption using keys fully managed by the customer outside of AWS
- Amazon S3 does NOT store the encryption key you provide
- HTTPS must be used
- Encryption key must provided in HTTP headers, for every HTTP request made

Answer 8

Server-Side Encryption with Customer-Provided Keys (SSE-C)

Question 9

What are these?
- If you use SSE-KMS, you may be impacted by the KMS limits
- When you upload, it calls the GenerateDataKey KMS API
- When you download, it calls the Decrypt KMS API
- Count towards the KMS quota per second (5500, 10000, 30000 req/s based on region)
- You can request a quota increase using the Service Quotas Console

Answer 9

SSE-KMS Limitations

Question 10

Features:
- Use client libraries such as Amazon S3 Client-Side Encryption Library
- Clients must encrypt data themselves before sending to Amazon S3
- Clients must decrypt data themselves when retrieving from Amazon S3
- Customer fully manages the keys and encryption cycle

Answer 10

Client-Side Encryption

Question 11

What is SSL/TLS

Answer 11

Encryption in flight

Question 12

Which two endpoints does Amazon S3 exposes?

Answer 12

1. HTTP Endpoint – non encrypted
2. HTTPS Endpoint – encryption in flight

Question 13

Which protocol is recommended?

Answer 13

HTTPS

Question 14

Which encryption service has a mandatory protocol of HTTPS?

Answer 14

SSE-C

Question 16

What kind of encryption is automatically applied to new objects stored in S3 bucket?

Answer 16

SSE-S3

Question 17

How can you refuse any API call to PUT an S3 object without encryption headers (SSE-KMS or SSE-C)

Answer 17

You can “force encryption” using a bucket policy

Question 18

What is Web Browser based mechanism to allow requests to other origins while visiting the main origin

Answer 18

Cross-Origin Resource Sharing (CORS)

Question 19

What should be done if a client makes a cross-origin request on our S3 bucket?

Answer 19

Enable the correct CORS headers

Question 20

What does MFA (Multi-Factor Authentication) do?

Answer 20

force users to generate a code on a device (usually a mobile phone or hardware) before doing important operations on S3

Question 21

What two things will require MFA?

Answer 21

1. Permanently delete an object version
2. Suspend Versioning on the bucket

Question 22

What two things won’t require MFA?

Answer 22

1. Enable Versioning
2. List deleted versions

Question 23

What must be enable to use MFA Delete?

Answer 23

Versioning must be enabled on the bucket

Question 24

Who can enable/disable MFA Delete?

Answer 24

Only the bucket owner (root account)

Question 25

Where can you log any request made to S3?

Answer 25

S3 bucket

Question 26

The target logging bucket must be?

Answer 26

In the same AWS region

Question 27

How can pre-signed URLs be generated?

Answer 27

S3 Console, AWS CLI or SDK

Question 28

Users given a …… inherit the…….. of the user that generated the URL for GET / PUT.

Answer 28

pre-signed URL, permissions

Question 29

What do Access Points simplify?

Answer 29

Security management for S3 Buckets

Question 30

Two parts of an Access Point?

Answer 30

1. its own DNS name (Internet Origin or VPC Origin)
2. an access point policy (similar to bucket policy) – manage security at scale

Question 31

We can define the access point to be……. only from within the…….

Answer 31

accessible, VPC

Question 32

How can you access the Access Point(Gateway or Interface Endpoint)

Answer 32

Create a VPC Endpoint

Question 33

The VPC Endpoint Policy must …… to the target….. and……….

Answer 33

allow access, bucket, Access Point

Question 34

How can you change the object before it is
retrieved by the caller application?

Answer 34

AWS Lambda Function

Question 35

• Use Cases:
• Redacting personally identifiable
  information for analytics or non-
  production environments.
• Converting across data formats, such
  as converting XML to JSON.
• Resizing and watermarking images on
  the fly using caller-specific details, such
  as the user who requested the object.

Answer 35

Only one S3 bucket is needed, on
top of which we create S3 Access
Point and S3 Object Lambda Access
Points.