AWS - S3 Flashcards
What is the blast radius of an S3 bucket?
A Region. S3 is regionally resilient.
S3 bucket naming restrictions?
- Name has to be globally unique (across all regions and all AWS accounts)
- Names are between 3 and 63 lowercase characters with no underscores
- Have to start with a lowercase letter or number
- Can’t be formatted like an IP address (1.1.1.1)
Max number of buckets per account?
Soft limit of 100 buckets per account. You can make support requests to get this increased up to the hard limit of 1000.
Max individual object size in a bucket?
Objects can be from 0 to 5TB each
How does S3 versioning work?
- Configured at the bucket level.
- Once enabled, you can never disable it.
- However, you can suspend it, then unsuspend it (back to Enabled).
- Objects have a version ID. When versioning is off, the ID always equals null.
- AWS keeps track of the Latest Version / Current Version.
- When you delete, AWS just hides the object and adds a Delete marker.
- You can delete the Delete Marker to un-delete the object.
- You are charged storage for all versions.
Can you hard-delete an object in a bucket that has versioning turned on?
You can hard-delete a specific object version by specifying its version ID. If you delete the latest version, the previous one becomes the current version.
How does the S3 Multi-Part Upload feature work?
- Breaks an object up into chunks and uploads chunks in parallel.
- Data has to be >= 100MB to use multipart upload
- Max of 10,000 upload parts
- 5MB to 5GB per part
- Each individual part can be re-uploaded independently
How does S3 Accelerated Transfer work?
- You turn it on per bucket
- When turned on, your public internet-connected device gets connected to the nearest Edge Location for the upload
- AWS then transfers the file from this edge location through the AWS global network to the AWS destination region (rather than over the public internet).
What’s the alternative?
- By default, ISPs route traffic between points based on what is relatively fast but also economical for them.
Restrictions for turning on Accelerated Transfer on a bucket?
- The bucket name cannot contain periods.
- The bucket name has to be DNS compatible.
What is S3 SSE-C?
Server-Side Encryption with Customer-Provided Keys
- You send the raw data + a key to S3.
- S3 encrypts it and stores the encrypted data plus a hash of the data.
- S3 discards the key; it doesn’t store it.
- To decrypt, you send the key again.
What is SSE-S3?
SSE-S3: Server-Side Encryption with Amazon S3-Managed Keys
- Uses AES-256.
- S3 generates a key for just this one object.
- After encrypting the object, S3 uses its root key to encrypt that one unique key, then discards the unencrypted copy.
- The encrypted data and encrypted key are stored.
Pros and Cons of S3 SSE-S3?
Pros:
- Lowest overhead method.
Cons:
- May not meet regulatory compliance for you.
- You can’t separate permissions (no role separation): a full S3 admin would have access to decrypt the data.
What is S3 SSE-KMS?
Server-Side Encryption with KMS keys stored in AWS KMS
- AWS generates and uses a default key in KMS to encrypt the DEK.
- However, you can create your own KMS key.
- And you can use CloudTrail to see any activity.
What is S3 Client-Side Encryption?
- Data is encrypted within the client before any transfer happens.
- Guarantees that there is no possible way AWS could ever see or interact with the unencrypted data.
- You have more responsibility: you are responsible for encrypting properly, and you also have to take care of the decryption.
What is S3 Server-Side Encryption and what are the 3 options?
- S3 does the encryption for you prior to storing the object.
Options:
1. SSE-C
2. SSE-S3
3. SSE-KMS