Chp 12: Amazon S3 Introduction Flashcards
What is the purpose of an Amazon S3 bucket?
Amazon S3 is an object (file) storage service that stores data as objects within buckets. An object is a file and any metadata that describes the file. A bucket is a container for objects.
What is the naming convention for s3 buckets?
S3 buckets must have a globally unique name
S3 buckets are defined at what level?
region
Are there directories within buckets?
no
What is the content of the S3 bucket body?
object values
Do objects have a key?
yes
Is versioning an option for S3 buckets?
yes it is
How is versioning enabled?
at the bucket level
what happens when versioning is suspended?
previous versions are NOT deleted
What are the methods of encryption in S3?
- SSE-S3
- SSE-KMS
- SSE-C
- Client side encryption
What is SSE-S3?
- encrypts S3 objects using keys handled and managed by AWS
- object is encrypted server-side
- AES-256 encryption type
- header must be set
What is SSE-KMS?
- leverages AWS key management (KMS)
- advantages: user control and audit trail
- object is encrypted server-side
- must set header
What is SSE-C?
- when you want to manage your own encryption keys
- S3 does not store the encryption key you provide
- HTTPS must be used
- the encryption key must be provided in HTTP headers for every HTTP request made
What is client-side encryption?
- uses a client library such as the Amazon S3 Encryption Client
- client must encrypt data themselves before sending to S3
- client must decrypt data themselves when retrieving from S3
- customer fully manages the keys and the encryption cycle
What is mandated for SSE-C?
HTTPS
Encryption in flight is also known as?
SSL/TLS
User-based S3 security
IAM policies
Resource-based S3 security
- bucket policies
- object ACL
- bucket ACL
When can an IAM principal access an S3 object?
- the user's IAM permissions allow it
- the resource policy allows it
- AND there are no explicit deny statements
When to use S3 bucket policies?
- grant public access to the bucket
- force objects to be encrypted at upload
- grant access to another account
S3 bucket policies are in what format?
JSON
Block public access to buckets and objects granted through:
- new ACLs
- any ACLs
- new public bucket or access point policies
- can be set at the account level
S3 networking supports…
VPC endpoints
Where can S3 access logs be stored?
in other S3 buckets
Where can S3 API calls be stored?
AWS CloudTrail
S3 user security
- MFA delete
- pre-signed URLs
If you get a 403 error with an S3 website, what is most likely the problem?
make sure the bucket policy allows public reads
What does CORS stand for?
Cross-Origin Resource Sharing
What do we need to do if a client makes a CORS request to our S3 bucket?
we need to enable the CORS header