AWS S3 Flashcards

1
Q

What are the storage classes available in AWS?

A

S3 standard

S3 standard Infrequent Access

S3 One Zone Infrequent Access

S3 Intelligent tiering

S3 Glacier Instant Retrieval

S3 Glacier Flexible Retrieval (formerly Glacier)

Glacier Deep Archive

2
Q

What type of storage is S3?

A

Object storage

3
Q

What is the availability of S3?

A

4 x 9s

4
Q

What is the durability of S3?

A

11 X 9s

5
Q

How many availability zones is S3 data replicated to?

A

3 AZ

6
Q

What is the min size of data you can put in S3?

A

1 byte

7
Q

What is the max size of data you can place in S3?

A

5 TB

8
Q

Is encryption at the object level or the bucket level?

A

Encryption is enabled and applied at the bucket

9
Q

If one tenant has a bucket called ‘dog’ can you have a bucket called ‘dog’?

A

No, buckets have to be unique within a region.

10
Q

What are the two types of encryption available to S3?

A

Server side and Client side.

11
Q

What is the encryption used on server side encryption for S3?

A

AES-256

12
Q

Who holds the master key for S3 encryption?

A

AWS, in KMS

13
Q

Are all objects encrypted using the same master key? (are the keys changed over time)

A

Yes, but it depends on the encryption used. Server-Side Encryption Options in S3:

1. SSE-S3 (Server-Side Encryption with Amazon S3-Managed Keys)

Encryption keys are managed by AWS.

Objects are encrypted with a unique key per object, and then that key is encrypted with a master key that’s rotated regularly.

You don’t manage the master key.

✅ All done automatically by AWS.

2. SSE-KMS (Server-Side Encryption with AWS Key Management Service)

Uses AWS KMS customer master keys (CMKs).

You can choose to:

Use the same CMK for all objects, or

Use different CMKs per object (if you configure that).

Each object still gets a unique data encryption key (DEK), which is encrypted with the CMK.

✅ You control the CMK (rotation, policies, etc.)

3. SSE-C (Server-Side Encryption with Customer-Provided Keys)

You provide the encryption key per request.

AWS doesn’t store the key; it only uses it temporarily to encrypt/decrypt.

Not common in most setups due to management overhead.

14
Q

The master key is used in the process of encrypting an object; is this the only key?

A

No, there is a per-object key.

15
Q

Is the per object key encrypted?

A

Yes, it is encrypted by the master key.

16
Q

Is the object data encrypted at rest?

A

Yes

17
Q

Where is the per object encryption stored?

A

In a hidden S3 bucket.

18
Q

Are there other options available to encrypt an object?

A

Client side encryption using the SDK.

19
Q

If you put data in a single region is that data/objects replicated to other regions?

A

No, data stays within a region.

20
Q

Can you copy data and objects to other regions?

A

???

21
Q

How would you make an HTML page available to people on the internet?

A

Use static web hosting.

22
Q

How can you delete an object after a week (a period of time)?

A

Use life cycle policies.

23
Q

Can life cycle policies be applied to just one object within a bucket?

A

Yes using the prefix parameter.

24
Q

How would you apply life cycle policies to an entire bucket?

A

Use the ‘Apply to Entire Bucket’ parameter.

25
Q

If you do not need S3 data available on demand, how can you lower the cost of storage?

A

Use AWS Glacier.

26
Q

How can you move data into Glacier storage?

A

Use life cycle policies.

27
Q

How can we ensure that when an object is updated or deleted we keep the old data?

A

Use S3 versioning.

28
Q

Can versioning and life cycle policies be used at the same time?

A

Yes, versioning and lifecycle policies in AWS S3 can absolutely be used at the same time — and in fact, they often are used together to manage object storage more efficiently.

✅ Versioning
When enabled, every version of an object is retained.

Even if a file is deleted or overwritten, previous versions remain.

✅ Lifecycle Policies
Let you automate actions like transitioning objects to cheaper storage (e.g., Glacier) or expiring/deleting them.

Lifecycle policies can target specific versions, such as:

Noncurrent versions (older versions of objects)

Current versions (if you want to expire/delete objects after a time)

29
Q

Can versioning be removed easily?

A

❌ Can S3 Versioning Be Removed?
No — once versioning is enabled on an S3 bucket, it cannot be completely removed.

However, you can:

✅ Suspend Versioning
This stops creating new versions of objects.

Existing versions remain intact.

Any new uploads overwrite the existing object and do not create new versions.

30
Q

What is the minimum number of copies of an S3 object kept across availability zones within a region?

A

3

31
Q

What is WORM architecture?

A

Write once, read many times.

32
Q

Is S3 a WORM architecture?

A

Yes.

33
Q

What is eventual consistency?

A

When an object is updated in S3 by many users across the availability zones, the object that is written last will be the one that all other copies become.

34
Q

When you write an object to S3, will all availability zones have a consistent copy of the object?

A

Yes, new objects are synced across all availability zones before you get an ack back to say the write was OK.

35
Q

Is there any region that does not support read after write?

A

No, all regions support read after write.

36
Q

Do you get a sync write across all availability zones during an update?

A

Yes — when you write or update an object in S3, you get a synchronous write across multiple Availability Zones (AZs) before the operation is acknowledged as successful.

37
Q

When you delete an object, are all objects updated before you get an ack to say the operation was successful?

A

Yes, when you delete an object in S3, the deletion is completed across all relevant Availability Zones (AZs) before you receive an HTTP 204 (No Content) success response.

38
Q

What is Read After Write in S3?

A

Data is available to read in all availability zones after an ack is returned.

39
Q

Is data replicated across regions?

A

No, data is not replicated across regions.

40
Q

What stops your data having bitrot (bitrot is where your data at rest gets corrupted)?

A

AWS checks objects on a regular basis to make sure their checksum is correct.

41
Q

When bitrot is detected what will AWS do about it?

A

AWS will restore the corrupt data using the redundant copies.

42
Q

Will all incoming object requests be sent to the same availability zone?

A

No, requests are load balanced across all availability zones.

46
Q

For S3 what is the max UTF-8 name size of a bucket?

A

Min length: 3 characters
Max length: 63 characters
Encoding: UTF-8
Character set: lowercase letters (a-z), numbers (0-9), dots (.), and hyphens (-)
Must start/end with: letter or number
No uppercase letters, underscores, special characters (e.g., @, !, #), or IP-style names like 192.168.5.4

47
Q

S3 will partition based on key prefix (name); why is it important not to name objects sequentially?

A

Sequential naming of objects means that the objects are clustered together and not spread out over the entire S3 cluster.

48
Q

Do you need to manage the server side encryption?

A

No, it is automatically taken care of by AWS.

49
Q

What are the access control methods available for AWS S3?

A
  1. IAM Policies: Used to grant permissions to IAM users, groups, or roles at the AWS account level. IAM policies define what actions (e.g., s3:GetObject) a principal can perform on specific resources (arn:aws:s3:::my-bucket/*).
  2. S3 Bucket Policies: A type of resource-based policy attached directly to a bucket. Used to define access permissions for specific AWS accounts or conditions (e.g., IP address, VPC). Example use: Allow public read-only access to objects.
  3. S3 Access Control Lists (ACLs): A legacy method for granting access at the object or bucket level. Grants permissions to AWS accounts or predefined groups (like “Everyone”). Limited functionality and not recommended for new designs.
  4. Presigned URLs: A way to grant temporary access to objects for users without AWS credentials. Generated by a user with permissions and includes an expiration. Used for secure uploads/downloads.
  5. AWS Identity and Access Management (IAM) Roles: Used to delegate access to users or services. For example, an EC2 instance with a role can access S3 without embedding credentials.
  6. AWS Organizations SCPs (Service Control Policies): Used to set permission guardrails for all accounts in an AWS Organization. SCPs limit maximum available permissions, including S3 access.
  7. S3 Object Ownership & ACLs (Bucket Owner Enforced): A newer access model where ACLs are disabled and bucket owners automatically own all uploaded objects. Improves security and consistency.
  8. VPC Endpoint Policies: Controls access to S3 from a VPC using an S3 Gateway or Interface Endpoint. Can restrict which buckets or actions are allowed when accessing S3 from a VPC.
  9. AWS Resource Access Manager (RAM): Enables you to share S3 resources (like S3 Access Points) across AWS accounts in an Organization, using fine-grained control.
  10. S3 Access Points: Provide custom access policies for specific use cases, users, or applications. Each Access Point has its own policy, name, and can restrict access by VPC or path.
  11. AWS KMS (Key Policies for SSE-KMS): If S3 uses SSE-KMS encryption, access to the S3 object also depends on the KMS key policy. You must grant decrypt access via KMS.
  12. CloudFront Signed URLs / Cookies: If S3 is used behind CloudFront, you can use signed URLs or cookies for content delivery with time-limited access, similar to presigned URLs but at the CDN layer.

50
Q

How could you store some extra data, like the object date or user name, with the object?

A

Use metadata.

51
Q

How can you get visibility into the incoming S3 requests for your objects?

A

1) Access Logs: when turned on, these save each request and response. Access logs can be saved to an S3 bucket. Log contents include:
* Request time
* Requester (IAM user or role)
* Operation (GET, PUT, DELETE, etc.)
* Bucket and object key
* Response status
* Error code (if any)
* User agent

2) Use CloudTrail:
* Who made the request (IAM identity)
* Source IP
* Event time
* API used (e.g., GetObject, PutObject)
* Bucket and object details

52
Q

Where are S3 logs kept?

A

You define a bucket for the logs.

53
Q

Are S3 logs automatically deleted?

A

No, you have to take care of this yourself; you can set up a life cycle policy to delete the objects.

54
Q

Why is glacier called write once read never?

A

This is because once you write data, it takes some time to retrieve that data when needed.

55
Q

With Glacier, how long does it take to retrieve data to S3?

A

2 - 6hrs

56
Q

What is the cost of glacier storage?

A

1c per GB.

57
Q

What is the cost of S3 storage?

A

8.5c per GB.

58
Q

What is the cost of RRS?

A

6.8c per GB.

59
Q

If an object in S3 has a life cycle policy to delete the object after 30 days and the object moves to Glacier, what will Glacier do after the 30 days?

A

Glacier will observe the S3 policy and delete the object after 30 days.

60
Q

When an object is retrieved from Glacier, where is it put: (a) S3 or (b) RRS?

A

(b) RRS

61
Q

What AWS functionality is used to move S3 data from one storage class to another?

A

Life cycle policies

62
Q

Can I remove versioning from bucket once applied?

A

No, but you can disable it.

63
Q

What is the max upload in a single PUT?

A

5GB

64
Q

I need to upload a single file that is 500GB in size, what is my best option for uploading the file?

A

Ensure you are using multipart upload

65
Q

When files are larger than 100MB what is the recommended option for upload?

A

Multi-part upload

66
Q

For PUT (new objects), can I read it and will it be consistent?

A

Yes, for S3 you have read after write consistency.

67
Q

For HEAD and GET

A

Eventual

68
Q

For PUT and DELETES, what is the consistency model?

A

Eventual

69
Q

Updates to a single key are?

A

Atomic, only one person can update the object at a time.

70
Q

Where is my object stored?

A

In a minimum of 3 AZs in a single region.

71
Q

Is encryption automatically enabled?

A

No

72
Q

I need to transition objects to Glacier from S3, do I have to manually copy?

A

No, you can set up a life cycle policy and have objects transitioned to Glacier. You get an option for previous or new objects.

73
Q

When I am uploading objects to S3, I would like to have the objects move directly to Glacier. Do I have to set up a life cycle policy to move objects to Glacier?

A

No there is an option in the upload API to select the storage class.

74
Q

I need to log access to my S3 bucket, can I use CloudWatch for this?

A

A better option is to enable the server access logs by pointing at a bucket where the logs will be stored.

75
Q

I am storing data on S3 and I want it to be secure, what should I consider?

A
  • Security for transport in and out of S3: HTTPS
  • Encryption at rest: SSE
  • Access, who has access to the data: IAM
76
Q

I am using the API to send an object to S3, I want this object to be encrypted using SSE, what is the header I send?

A

x-amz-server-side-encryption

77
Q

What is the consistency model for S3?

A
  • PUTs for new objects are strongly consistent (you can read after write)
  • PUT (Updates) and Deletes are eventually consistent.

78
Q

I have an object in S3 called Keith, I update it with a PUT and then call GET, am I guaranteed to get the object's latest version?

A

No, updates on the existing object are eventually consistent.

79
Q

What are the access methods available to restrict or grant permissions on objects and buckets in S3?

A
  • IAM
  • ACL
  • Bucket and User policies

80
Q

In S3 I have to ensure objects are not deleted for 4 years due to regulatory requirements, how can I achieve this?

A

S3 has an object lock feature that enables you to lock the objects put in a bucket for a period of time.

81
Q

I provide files to my customers but I do not want to pay for the cost when my customers access the files. What is my best option for solving this?

A

Use the Requester Pays feature of S3.

82
Q

When I have version control enabled on S3 bucket and I delete an object, what will happen?

A

The object will not be deleted but will assume a version ID

83
Q

I need to create a pre-shared key to enable users to upload data to S3, what do I need to be able to do to ensure the user I give the key to can upload the data?

A

Ensure I have upload permissions in the bucket

84
Q

There is a server on-prem that wants to connect to S3 in the most efficient way possible, minimizing latency and not using the internet; the on-prem site is using Direct Connect?

A

Create a public endpoint to connect to S3.

85
Q

When working with S3, can I use IAM policies to give web users access to the bucket?

A

No, IAM policies are used only in the context of IAM users and Roles. To give internet users access to a bucket or object in the bucket, you have to use a bucket policy, this will enable you to give access to Internet-based users.

86
Q

I want to ensure that only a certain IP can access a bucket, how can I do this?

A

Set up a bucket policy to allow access to the bucket but with a condition of “IpAddress”.

87
Q

I want to access an S3 bucket from another account, the account ID is 12345678, how can I do this?

A

Create a bucket policy, in the bucket policy set the principal to the account name that needs to access the bucket.

"Principal": {"AWS": "arn:aws:iam::12345678:root"}

88
Q

What is the difference between arn:aws:s3:::keith-bucket and arn:aws:s3:::keith-bucket/*?

A

The first one refers to the bucket; the second one refers to the content of the bucket.

89
Q

When you create a bucket or an object, by default what ACLs are granted?

A

The owner is granted full permissions.

90
Q

For S3 ACLs, what are the access domains?

A

Root user gets full permissions (list objects, write objects, read bucket permissions, write bucket permissions).

Access to other accounts

Public access

S3 log

91
Q

What is x-amz-acl?

A

It is the header sent when you upload an object to set the ACL to private, public-read, bucket-owner-read, bucket-owner-full-control.

92
Q

Do ACLs give you control over the object in a bucket?

A

Yes but only for predefined groups, accounts and public.

93
Q

What is a pre-signed URL?

A

A presigned URL can be used to give someone time-limited access to download or upload a file to a bucket.

94
Q

I have a web application that enables users to download a ZIP file after they pay a fee. I want to ensure that only this user can download the file, and only for a time-limited period like 24 hrs. What option do I have?

A

I can have my application create a signed URL that the user can use to download a file, the signed URL is time limited for the required 24hrs.

95
Q

I have a requirement to provide a user with a secure upload for a file they have, what are my S3 options?

A

Create a signed URL, this way the user can only upload the required file, the user will not have full access to the bucket or other files in the bucket. The signed URL expires after 24 hrs.

96
Q

Can I use signed URLs with S3?

A

No, a signed URL is a CloudFront function; S3 uses signed URLs to secure and time-limit the upload and download of files.

97
Q

Where can I use S3 storage?

A
  • Static content (S3 Standard)
  • Static website (S3 Standard)
  • The origin for CloudFront (S3 Standard)
  • Archive (Glacier)
  • Backup
  • Storage GW
98
Q

If I have a bucket called Keith and a directory called Cathy and an object in the Cathy directory, what will the S3 key look like?

A

It will be s3://keith/Cathy/object name. The reason for this is S3 has a flat file structure, no directories, just a key that is made up by joining the object/prefix/bucket name together.

99
Q

If I add ?torrent on the end of an Amazon S3 bucket URL, what am I doing?

A

I am requesting the file using torrent.

100
Q

Can I use IPv6 with S3?

A

Yes but not for torrent or for static website hosting.

101
Q

I want to use static web site hosting with IPv6, how can I configure this with S3?

A

You can't, as S3 static web site hosting does not support IPv6.

102
Q

What are S3 events?

A

They are a set of events that occur in S3 that can call external services like:

  • SNS
  • SQS
  • Lambda functions

103
Q

What sort of events can be generated by S3?

A
  • PUT
  • POST
  • COPY
  • Multi-part upload complete
  • All objects created
  • Object lost
  • Permanently deleted
  • All object delete events
  • Restore from Glacier

104
Q

How can I calculate the cost of putting 10TB of object data in S3?

A

S3 is free to ingest data.

105
Q

Do I pay for data out to the internet from S3?

A

Yes (approx 0.09 pm GB)

107
Q

Do I pay for data out to Direct Connect from S3?

108
Q

With S3 what do I pay for?

A
  • Storage GB per month, this depends on the tier of storage
  • Transfer of data out
  • Transfer of data between regions
  • Transfer of data over Direct Connect or VPN
  • API calls like PUTs/GETs, etc.
109
Q

I have a requirement to replicate data from one bucket in us-east-1 to eu-west-1, what is my best option?

A

You can use S3 replication to replicate the data.

110
Q

I have 20TB of CSV files and I need to query the data, the files are stored in S3, how can I query the data?

111
Q

I need to get a list of every object in my 20TB S3 bucket, what is my best option, call the API or something else?

A

Use the S3 bucket inventory process, this will run and create an ORC (Apache optimized row columnar) set of files, you can use Athena to query this data.

112
Q

How can I monitor the S3 as part of my global monitoring solution?

A

You can use CloudWatch to monitor bucket metrics.

113
Q

What are the public access settings?

A

They enable you to stop people making the bucket public by accident.

114
Q

What is first-byte latency and how does it apply to S3 storage tiers?

A

For S3 Standard, IA, Zone IA and Intelligent tier, first-byte latency is in milliseconds. Glacier and Glacier Deep Archive have a much larger latency to first byte.

115
Q

What is the durability of all the storage classes?

116
Q

For all S3 storage classes, how many zones is data stored in?

A

3, except for Zone IA, which is 1.

117
Q

What storage tier should you use for hot backup?

118
Q

For Glacier deep archive, what is the minimum number of days an object must be kept for?

A

180-day minimum

119
Q

For Glacier deep archive, is the retrieval time the same or shorter than Glacier?

A

It is longer

120
Q

How long will it take to get an object from Glacier Archive Storage?

A

Several hours

121
Q

For both Glacier and Glacier deep archive, what is the min storage charge?

122
Q

I am a hospital and I currently store 100TB of x-ray images on S3, I want to improve on my cost of storage, how can I do this? X-rays are looked at frequently for the first 90 days and then maybe once a year and after a year just if the patient comes back.

A

Set up a lifecycle policy to move to Standard IA after 90 days. Set up a lifecycle policy to move to Glacier after a year.

123
Q

What is the minimum time I can store an object for in Standard IA

A

90 days; if you delete before this period you are charged.

124
Q

What is the minimum storage charge for an object in Standard IA?

125
Q

What is the minimum storage charge for an object in Zone IA?

126
Q

What is the availability of Standard IA?

127
Q

What is the availability of ZoneIA?

128
Q

What is the availability of Standard ?

129
Q

I am storing data that is reproducible for analysis, what storage class is best to store it on for cost?

A

Zone IA, if the data fails or the zone is not available, you can recreate the data and process it at another time; for this reason, Zone IA is a good choice.

130
Q

For Glacier, how fast can I retrieve my storage and is there a cost?

A

You can retrieve storage in from minutes to hours, and the cost is low to high.

131
Q

What is Intelligent-Tiering?

A

This is a tier of storage that will monitor your objects and if they are not used will move the objects to the Standard IA tier, if the object becomes used again, it will be moved back to Standard tier.

132
Q

I need to delete my objects after 60days, how can I do this?

A

Lifecycle policies.

133
Q

Is object versioning on the bucket or object level?

A

It is applied at the bucket level.

134
Q

When I have object versioning enabled and I upload a new object with the same key, what happens?

A

Both versions of the file will exist and each has a unique ID

135
Q

When bucket versioning is enabled and I retrieve an object, what will happen?

A

You will get the most current version as you did not give a version ID.

136
Q

When I have bucket versioning enabled, can I have two different versions of an object in different tiers of storage?

137
Q

I have bucket versioning enabled, I delete an object, what happens?

A

You get a delete marker.

138
Q

I have an object that is deleted and I want to retrieve it, how can I do this?

A

You delete the delete marker and the bucket will reappear.

139
Q

I have a bucket with object versioning enabled, I want to get a previous version, how can I do this?

A

Specify a version ID.

140
Q

When I delete an object in a bucket with versioning enabled, what will happen?

A

You get a delete marker and the object is still present, you can delete the delete marker to get the object back or you can request the object or any of its versions by ID.

141
Q

Is it possible to delete a version of an object that is in a bucket with version control enabled?

A

Yes, just specify the version ID of the object.

142
Q

I want to set up cross-region replication, what do I need to do?

A

Enable version control.

143
Q

I have a requirement from my organization that legal documents are retained for 3 years, after which they must be deleted, how can I do this?

A

This can be done by using object locking and setting the period for 3 years.

144
Q

If object locking is enabled can you use regional replication?

145
Q

When you create a bucket who has access?

A

By default the resource owner (an account created) has access but no one else.

146
Q

What types of access control exist for S3?

A
  • You have IAM, this is where the bucket owner's account is trusted by the bucket, with this you can use AWS IAM to grant users, roles or other accounts access to the bucket.
  • You also have bucket policies, this is where you can give users, accounts or even anonymous users access to the bucket, bucket policies can even use a condition like tags on buckets or the caller IP.
  • Access control lists (ACLs): can be used to grant access to users in another account. You can also grant anonymous users access.
147
Q

When I generate a pre-signed URL and a user uses the pre-signed URL to access the object, whose ID is the pre-signed URL accessing the object under?

A

Under the ID of the user who created the pre-signed URL.

148
Q

If I do not have access to an S3 bucket and I generate a pre-signed URL, will the users of the pre-signed URL have access to the objects?

A

No, the creator of the pre-signed URL must have access to the object as it is this user's access key from STS that is being used to access the object.

149
Q

I have just enabled cross-region replication, I go to my other bucket in the other region and none of the objects are present, why?

A

Because cross-region replication is not retrospective.

150
Q

I have objects that are encrypted by client-side encryption, can I use cross-region replication?

A

No, you can only use unencrypted objects or server-side encrypted objects.

151
Q

Can I use cross-region replication to another account?

152
Q

We are storing our data on Amazon Simple Storage Service (S3). Our org's security policy mandates that data is encrypted at rest. What options do I have?

A
  • Server-side encryption (AWS managed keys)
  • Server-side encryption (Client managed keys)
  • Client-side encryption
153
Q

Is it possible to have different encryption keys for different versions of the same object?

A

Yes as each object is encrypted using different keys. The reason for this is each key is encrypted using the selected key and this can be different from object to object.

154
Q

When uploading an object to S3, how can I get S3 to encrypt using SSE?

A

You should send the encryption key and x-amz-server-side-encryption-customer-key-AES-256, x-amz-server-side-encryption in each API call.

155
Q

I have set up two buckets in us-east-1 and I want to replicate from one bucket to another, can I use cross-region replication?

A

No, the destination bucket has to be in a different region, it can even be in a different region in a separate account.

156
Q

I am going to use cross-region replication between two buckets, I am using customer-managed keys, what is my configuration?

A

You can use customer-managed keys, you can only use unencrypted or AWS-managed keys.

157
Q

When I create a cross-region replication, what is required by the S3 service for both the source and destination buckets?

A

S3 needs permissions and this is done in a role with two actions, one action allowing S3 to access the source, one action allowing S3 to access the destination.

158
Q

I need the ability to provide my global customers with access to static content in my S3 bucket in us-east-1. I am concerned about latency for a customer in Asia; should I replicate using regional replication to another bucket for the Asian customer, or are there other options?

A

You could use S3 as an origin endpoint and use CloudFront to distribute your static files to global regions, reducing the latency for your customers.

159
Q

I require backup for my on-prem files. These files are accessed once every 6 months as part of our disaster recovery, and quick access to the data is not needed. What S3 storage tier should I use?

A
  • Not S3 Standard, because it is the highest priced of the tiers and is also a hot tier.
  • Not S3 Standard IA, as this is hot storage; you could use it, but you are paying a premium for it being hot.
  • Not S3 One Zone IA, as it is hot also.
  • Glacier is a good option as it offers the ability to retrieve the data when needed and offers a lower price; as we are OK with retrieving data in hours, Glacier is a good choice.
160
Q

I require backup for my on-prem files. These files are accessed once every 12 months as part of our disaster recovery, and access to the data needs to be quick, in minutes. What S3 storage tier should I use?

A

Glacier, as it offers the ability to retrieve data in minutes, and because it is only accessed once a year the cost of retrieval is less than a year of storage and retrieval cost of other storage tiers.

161
Q

I am backing up files and the software requires immediate access to the data when needed, what S3 storage tier should I use?

A

One Zone IA offers 11x9 but it is in a single zone (risk); Standard IA offers 11x9 and is lower priced than S3 Standard.

162
Q

What are the options I have to encrypt object data in s3?

A

Server-side encryption with AWS keys

Server-side encryption with customer-provided keys

Customer encrypted data (where customer encrypts the data before it is sent to AWS S3)

163
Q

I want to use a customer-provided key and I am calling the API, what do I need to pass in the API call?

A

You need to pass the x-amz-server-side-encryption-customer-key

164
Q

What is the difference between SSE-s3 (S3 managed keys) and SSE-KMS (KMS managed keys)?

A

With SSE-S3, keys are managed by S3, S3 encrypts the object with a key and stores it with the object.

With SSE-KMS, S3 asks KMS for a key and KMS returns both plaintext and encrypted keys under the CMK; the plaintext key is used to encrypt the object and is then discarded, and the encrypted keys are stored with the object.

165
Q

I want to ensure that only uploads to a bucket will be encrypted and use AES256, how can I do this?

A

Bucket policy, you can create a policy with two statements, one for checking the header x-amz-server-side-encryption for AES256 and one for checking x-amz-server-side-encryption true.

166
Q

I have to upload 1TB of data to S3. I have a VPN and a Direct Connect as a primary, and I am also using endpoints in my VPC to connect with S3. How can I get the shortest time to upload the data when using the CLI?

A

Use multipart upload, as it enables parallel upload of separate chunks of the data.

167
Q

I have a bucket in us-east-1 and I get uploads all the time from Asia, I want to improve the upload time, how can I do this?

A

You can enable transfer acceleration on the bucket; this gives you new CloudFront endpoints to upload to, and CloudFront will send the data over the AWS network. Transfer Accelerator does not require you to set up CloudFront, but you get to take advantage of it.

168
Q

I have a customer in Asia that is migrating its on-prem application to the us-east-1 region on AWS. We have a short window to transfer the 1TB of files to S3 in us-east-1. How can I ensure the transfer happens as quickly as possible?

A

You can use multi-part upload and transfer accelerator.

169
Q

I need a shared file system, how can I set this up on S3?

A

You can, s3 is an object store, you could use EFS or FSx depending on the requirement for SMB(FSx) or NFS(EFS)

170
Q

I want to have s3 SSE encrypt my data when I make an API call, what is the header I need to set in the API call?

A

x-amz-server-side-encryption

171
Q

If I have a file in s3 and version is turned off, what will the version id be?

A

Null as the version id only starts when the versioning is turned on

172
Q

I have an s3 bucket with version disabled,

  • I upload file 1
  • I turn on version
  • I upload file 2 and 3
  • I upload file 2 again

What will be the state of the versions on the files?

A
  • File 1: null as it was created before a version was enabled
  • File 2: has two versions as it was uploaded and changed after a version was enabled
  • File 3: has one version as it was uploaded once after a version was turned on
173
Q

What is the maximum size of a single put?

174
Q

If I am uploading a file to S3, what is the best practice?

A

Use multi-part upload, where each part is 100MB.

175
Q

What is the latency of the S3 standard?

A

Milliseconds

176
Q

What is the minimum storage length of the S3 standard?

177
Q

What is S3 standard infrequent accessed storage?

A

Infrequently accessed data that requires rapid access

178
Q

Minimum storage duration: 30 days

179
Q

Do you pay a fee to retrieve S3 standard?

180
Q

Explain AWS Multifactor Auth for S3?

A

AWS Multi-Factor Authentication (MFA) for S3 adds an extra layer of protection for sensitive S3 operations. It’s not about using MFA to sign in to AWS (which is also essential), but specifically to protect specific S3 actions, like deleting objects in versioned buckets.

MFA-Delete protects against:
  • Deleting an object version
  • Permanently deleting the delete marker in a versioned bucket

🔁 Use Case
You have a critical S3 bucket with versioning enabled, and you want to prevent accidental or malicious deletions, even by someone with access credentials. Enabling MFA-Delete means that even if someone has full S3 permissions, they still need physical access to the MFA device to delete data.

181
Q

I have S3 buckets in separate regions and want to make the data available in my local region, how would I do this?

A

You can set up cross-region replication between the two buckets.

182
Q

When to use S3 Glacier Deep Archive?

A

Use case: Long-term archival, rarely accessed data (e.g., compliance)

Durability: 11 9s

Availability: 99.99%

Features: Cheapest class, retrieval time in hours

183
Q

When to use Glacier Flexible Retrieval (formerly Glacier)?

A

Use case: Archive data that can tolerate minutes or hours of retrieval time

Durability: 11 9s

Availability: 99.99%

Features: Lower cost, retrieval options (Expedited, Standard, Bulk)

184
Q

When to use S3 Glacier Instant Retrieval?

A

Use case: Archive data with milliseconds access

Durability: 11 9s

Availability: 99.9%

Features: Cheapest archive class with fast access

185
Q

Can objects be encrypted when making an AWS S3 static website publicly available?

A

No, objects cannot be encrypted using KMS.

186
Q

When using AWS S3 as a static website, can users other than the bucket owner own the objects in the bucket?

A

Yes, users other than the bucket owner can own objects in an S3 bucket, but there are important considerations depending on how the objects are uploaded and the bucket settings.

Here’s how it works in the context of using S3 as a static website:
✅ 1. Default Behavior: Object Ownership Depends on Uploader

By default, the AWS account that uploads an object owns it, even if it’s uploading to someone else’s bucket.

This means a user uploading a file to your bucket (e.g., via a form or API) will own that object unless this is changed.

🔒 2. Bucket Owner Enforced (Recommended Setting)

To ensure the bucket owner always owns all objects, AWS provides a setting called:

Object Ownership: Bucket owner enforced

When this is enabled:

    ACLs (Access Control Lists) are disabled

    The bucket owner automatically owns all new objects, regardless of who uploads them.

    This is ideal for static websites where you want consistent access control.

⚠️ Without This Setting

If you don’t enforce bucket ownership:

Uploaded objects may be owned by other AWS accounts or IAM users.

The bucket owner may not have full control over those objects unless:

    The uploader grants permission via ACLs (e.g., bucket-owner-full-control)

    Or you write logic to enforce this manually.
187
Q

An Amazon Simple Storage Service (Amazon S3) bucket has been configured to host a static website. While using the S3 static website endpoint, the testing team has complained that they are receiving access denied error for this website.

What are the key points to consider while configuring an S3 bucket as a static website? (Select two)

  1. Objects can’t be encrypted by AWS Key Management Service (AWS KMS)
  2. Amazon S3 static website endpoint needs to support both publicly and privately accessible content
  3. The AWS account that owns the bucket must also own the object
  4. Objects in the bucket must be publicly accessible. S3 bucket policy must allow access to the s3:GetObject and
  5. Amazon S3 Block Public Access must be disabled at the bucket level even though it is already disabled at the account level
A

Objects can’t be encrypted by AWS Key Management Service (AWS KMS)

The AWS account that owns the bucket must also own the object