S3 Flashcards
What is Amazon S3?
What level are buckets defined at?
What is the naming convention for an S3 bucket?
Infinitely scalable storage that allows people to store objects (files) in buckets (directories)
The regional level
Must have a globally unique name
No uppercase
No underscore
3-63 characters long
Not an IP
Must start with a lowercase letter or number
What is a key?
How is a key composed?
A key is the full path after the bucket name. Ex: s3://my-bucket/my_folder/my_file.txt
my-bucket is the bucket name
my_folder is the prefix
my_file.txt is the object name
What are object values?
What is the max object size?
What must you use if uploading a file larger than 5GB?
What is metadata?
What are tags?
What is a Version ID?
The content of the object body
5,000 GB (5 TB)
Use multi-part upload
A list of text/value pairs that can be used to add additional info on the object
Unicode key/value pairs, up to 10, useful for security and lifecycle
Allows you to version your objects if enabled
At what level is versioning enabled in S3?
What happens if you overwrite the same key with versioning enabled?
Why is versioning a best practice?
What will happen to any file that is not versioned prior to enabling versioning?
What happens to previous versions if versioning is suspended?
At the bucket level
The version of the file will be incremented
Because it protects against unintended deletes (you have the ability to restore a version.)
Easy roll back to previous version.
It will have version null.
Nothing.
What happens when you delete a versioned file?
How can you see a deleted file?
How can you undelete a versioned file?
What happens if you delete a version?
A delete marker is added.
Go to the list versions section in your bucket.
Delete the delete marker.
It will permanently delete that version of the file.
What are the 4 methods of encrypting objects in S3?
SSE-S3 - Encrypts S3 objects using keys handled & managed by AWS
SSE-KMS - Leverage AWS Key management service to manage encryption keys
SSE-C - When you want to manage your own encryption keys
Client side encryption
What is SSE-S3?
Where is the object encrypted?
What type of encryption is used?
What must you set on the request when sending files to be encrypted with SSE-S3?
Encrypts S3 objects using keys handled & managed by AWS
Server side
AES-256 encryption.
Set the x-amz-server-side-encryption header to AES256
What is SSE-KMS?
What are the advantages of this method?
Where is the object encrypted?
What must you set on the request when sending files to be encrypted with SSE-KMS?
SSE-KMS - Leverage AWS Key management service to manage encryption keys
Give you control over who has access to what keys and also provides an audit trail
Obj
AES-256 encryption.
Set the x-amz-server-side-encryption header to aws:kms
What is SSE-C?
If AWS does not store the encryption keys for SSE-C, how can the data be encrypted server side?
Which HTTP protocol is required in this case?
Server side encryption using keys fully managed by the client outside of AWS.
For SSE-C, the client must send the encryption keys in the header of every request. Because this sensitive key is being sent in the request, HTTPS is required.
What is client side encryption?
What tools can be used for encryption in this scenario?
When the client encrypts the files before sending them to S3.
In this scenario, the client is responsible for key management and encryption/decryption. S3 has no knowledge of the keys.
Amazon S3 Encryption Client.
What do user based IAM policies do?
What is a bucket policy?
What is an Object Access Control List?
What is a bucket control list?
Which rule takes priority allow or deny?
They specify which API calls should be allowed for a specific user, set from the IAM console
They're bucket-wide rules set from the S3 console that allow cross-account access
You set the access rules at the object level
You set the access level at the bucket level
Deny! So if a user matches both an allow and a deny, they will be denied.
What does an S3 bucket policy consist of?
Sid - ID
Effect - (Allow or Deny)
Principal - Which account or user is being granted access
Action - Permission. Ex: GetObject
Resource - Buckets and objects that this policy applies to
What are some uses for S3 bucket policies?
How can you block public access and cross account access to a bucket?
Granting public access to the bucket
Forcing objects to be encrypted at upload
Granting access to another account (Cross account)
Through public bucket or access point policies.
What type of security does S3 offer at the network level?
What type of Logging and Audit support does S3 offer?
What additional security can be required in versioned buckets to delete objects?
How can you give a user access to an object for a limited amount of time?
It supports VPC Endpoints
Access logs can be stored in a bucket and API calls can be logged in AWS CloudTrail.
MFA
Through a pre-signed URL
At what levels can you block public access to your objects?
At the bucket level or at the account level. This can also be done at the object level via an ACL.