Chp 12: Amazon S3 Introduction Flashcards

1
Q

What is the purpose of an Amazon S3 bucket?

A

Amazon S3 is an object (file) storage service that stores data as objects within buckets. An object is a file and any metadata that describes the file. A bucket is a container for objects.

2
Q

What is the naming convention for S3 buckets?

A

S3 buckets must have a globally unique name

3
Q

S3 buckets are defined at what level?

A

region

4
Q

Are there directories within buckets?

A

no

5
Q

What is the content of the S3 bucket body?

A

object values

6
Q

Do objects have a key?

A

yes

7
Q

Is versioning an option for S3 buckets?

A

yes it is

8
Q

How is versioning enabled?

A

at the bucket level

9
Q

What happens when versioning is suspended?

A

previous versions are NOT deleted

10
Q

What are the methods of encryption in S3?

A
  1. SSE-S3
  2. SSE-KMS
  3. SSE-C
  4. Client-side encryption
11
Q

What is SSE-S3?

A
  • encrypts S3 objects using keys handled and managed by AWS
  • object is encrypted server-side
  • AES-256 encryption
  • header must be set
12
Q

What is SSE-KMS?

A
  • leverages AWS key management (KMS)
  • advantages: user control and audit trail
  • object is encrypted server-side
  • header must be set
13
Q

What is SSE-C?

A
  • when you want to manage your own encryption keys
  • S3 does not store the encryption key you provide
  • HTTPS must be used
  • the encryption key must be provided in HTTP headers, for every HTTP request made
14
Q

What is client-side encryption?

A
  • uses a client library such as the Amazon S3 Encryption Client
  • the client must encrypt the data itself before sending it to S3
  • the client must decrypt the data itself when retrieving it from S3
  • the customer fully manages the keys and the encryption cycle
15
Q

What is mandated for SSE-C?

A

HTTPS

16
Q

Encryption in flight is known as?

A

SSL/TLS

17
Q

User-based S3 security

A

IAM policies

18
Q

Resource-based S3 security

A
  • bucket policies
  • object ACLs
  • bucket ACLs
19
Q

When can an IAM principal access an S3 object?

A
  • the user's IAM permissions allow it
  • the resource policy allows it
  • AND there is no explicit deny statement
20
Q

When to use S3 bucket policies?

A
  • grant public access to the bucket
  • force objects to be encrypted at upload
  • grant access to another account
21
Q

S3 bucket policies are in what format?

A

JSON

22
Q

Block public access to buckets and objects granted through...

A
  • new ACLs
  • any ACLs
  • new public bucket or access point policies
  • can be set at the account level
23
Q

S3 networking supports…

A

VPC endpoints

24
Q

Where can S3 access logs be stored?

A

in other S3 buckets

25
Q

Where can S3 API calls be stored?

A

AWS CloudTrail

26
Q

S3 user security

A
  • MFA Delete
  • pre-signed URLs

27
Q

If you get a 403 error with an S3 website, what is most likely the problem?

A

make sure the bucket policy allows public reads

28
Q

What does CORS stand for?

A

Cross-Origin Resource Sharing

29
Q

What do we need to do if a client makes a CORS request to our S3 bucket?

A

we need to enable the CORS header