S3 Flashcards

1
Q

What is Amazon S3?

What level are buckets defined at?

What is the naming convention for an S3 bucket?

A

Virtually unlimited, highly durable object storage: you store objects (files) in buckets (top-level containers, loosely analogous to directories)

The regional level: a bucket is created in one AWS Region, but its name must be unique across all AWS accounts

Must have a globally unique name
No uppercase letters
No underscores
3-63 characters long
Must not be formatted as an IP address (e.g. 192.168.5.4)
Must start with a lowercase letter or number
2
Q

What is a key?

How is a key composed?

A
A key is the full path after the bucket name. S3 has no real directories: the "folders" are just the part of the key before the last "/" (the prefix).
Ex s3://my-bucket/my_folder/my_file.txt
my-bucket is the bucket name
my_folder/my_file.txt is the key
my_folder/ is the prefix
my_file.txt is the object name
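As an added example (not part of the original flashcards), the naming rules from card 1 and the key breakdown from card 2 encoded in Python: a validator for bucket names and a parser that splits an s3:// URI into bucket, key, prefix and object name. Only the rules listed on the cards are enforced; the regex and error texts are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Bucket naming rules from the card above, encoded as a validator. Only the rules listed on
# the page are enforced; real S3 has a few more (e.g. reserved "xn--" and "-s3alias" patterns).
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def validate_bucket_name(name: str) -> List[str]:
    """Return the list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("must be 3-63 characters long")
    if name != name.lower():
        problems.append("no uppercase letters")
    if "_" in name:
        problems.append("no underscores")
    if not re.match(r"[a-z0-9]", name):
        problems.append("must start with a lowercase letter or number")
    try:
        ipaddress.ip_address(name)          # succeeds only if the whole name parses as an IP
        problems.append("must not be formatted as an IP address")
    except ValueError:
        pass
    if not problems and not _BUCKET_RE.match(name):
        problems.append("only lowercase letters, digits, dots and hyphens; must end with a letter or digit")
    return problems


@dataclass(frozen=True)
class S3Object:
    bucket: str
    key: str      # the full path after the bucket name, e.g. "my_folder/my_file.txt"
    prefix: str   # everything up to and including the last "/", "" when the key has none
    name: str     # the final path component, e.g. "my_file.txt"


def parse_s3_uri(uri: str) -> S3Object:
    """Split an s3://bucket/key URI into bucket, key, prefix and object name, validating the bucket."""
    if not uri.startswith("s3://"):
        raise ValueError(f"not an s3:// URI: {uri!r}")
    bucket, _, key = uri[len("s3://"):].partition("/")
    problems = validate_bucket_name(bucket)
    if problems:
        raise ValueError(f"invalid bucket name {bucket!r}: {'; '.join(problems)}")
    if not key:
        raise ValueError("URI names a bucket but no object key")
    # There are no real directories in S3: the "folder" is just the key up to its last "/"
    prefix, sep, name = key.rpartition("/")
    return S3Object(bucket=bucket, key=key, prefix=prefix + sep, name=name)
```

Note that the validator reports every violated rule rather than stopping at the first one, which is what you want when checking names generated by infrastructure code.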
3
Q

What are object values?

What is the max object size?

What must you use if uploading a file larger than 5GB?

What is metadata?

What are tags?

What is a Version ID?

A

The content of the object body (the bytes you upload)

5 TB (5,000 GB) per object

Multipart upload (a single PUT is limited to 5 GB; multipart is recommended for anything above 100 MB)

A set of text key/value pairs that carry additional information about the object: system metadata such as Content-Type, plus user-defined metadata set at upload time

Unicode key/value pairs, up to 10 per object, useful for security (access conditions on tags) and lifecycle rules

An identifier for one specific version of the object, assigned only when versioning is enabled on the bucket

4
Q

At what level is versioning enabled in S3?

What happens if you overwrite the same key with versioning enabled?

Why is versioning a best practice?

What will happen to any file that is not versioned prior to enabling versioning?

What happens to previous versions if versioning is suspended?

A

At the bucket level

The object is not replaced: a new version with a new version ID is written and the previous version is retained

Because it protects against unintended deletes (you can restore a previous version) and makes rolling back to an earlier version easy

Objects that existed before versioning was enabled keep version ID null

Nothing: previous versions are retained. New writes to a key get version ID null (overwriting any existing null version), and the old versions stay listable

5
Q

What happens when you delete a versioned file?

How can you see a deleted file?

How can you undelete a versioned file?

What happens if you delete a version?

A

A delete marker is added as the current version. A normal GET returns 404 and the object disappears from a plain listing, but all its versions remain

Go to the list versions (show versions) view in your bucket, or call ListObjectVersions

Delete the delete marker itself (a delete that specifies the marker's version ID); the previous version becomes current again

Specifying a version ID on delete permanently removes that version; it cannot be recovered
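The behaviours in cards 4 and 5 (new version on overwrite, null version IDs, delete markers, undelete, permanent versioned delete, suspension) are easy to get wrong from memory, so here is a small in-memory model of them in Python. This is an added example, not AWS code: version IDs are sequential strings for readability where real S3 issues opaque IDs, and the method names are this model's own, not the S3 API.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed in-memory model of S3 versioning semantics (added example, not AWS code).


@dataclass
class Version:
    version_id: str            # "null" for objects written while versioning is off or suspended
    body: Optional[bytes]      # None for a delete marker
    is_delete_marker: bool = False


class VersionedBucket:
    def __init__(self) -> None:
        self.versioning = "Disabled"   # Disabled -> Enabled <-> Suspended; never back to Disabled
        self._versions: Dict[str, List[Version]] = {}   # key -> versions, oldest first
        self._ids = itertools.count(1)

    def enable_versioning(self) -> None:
        self.versioning = "Enabled"

    def suspend_versioning(self) -> None:
        self.versioning = "Suspended"

    def _drop_null(self, versions: List[Version]) -> None:
        # Writes in the Disabled/Suspended state replace whatever currently has version ID "null"
        versions[:] = [v for v in versions if v.version_id != "null"]

    def put(self, key: str, body: bytes) -> str:
        """Enabled: append a new version and keep the old ones. Otherwise: overwrite the null version."""
        versions = self._versions.setdefault(key, [])
        if self.versioning == "Enabled":
            vid = f"v{next(self._ids)}"
        else:
            vid = "null"
            self._drop_null(versions)
        versions.append(Version(vid, body))
        return vid

    def exists(self, key: str) -> bool:
        """What a plain GET/HEAD sees: nothing if the current version is a delete marker."""
        versions = self._versions.get(key, [])
        return bool(versions) and not versions[-1].is_delete_marker

    def get(self, key: str, version_id: Optional[str] = None) -> bytes:
        versions = self._versions.get(key, [])
        if version_id is None:
            if not self.exists(key):
                raise KeyError(f"{key}: 404 NoSuchKey")
            return versions[-1].body
        for v in versions:
            if v.version_id == version_id:
                if v.is_delete_marker:
                    raise KeyError(f"{key}: 405 MethodNotAllowed (delete marker)")
                return v.body
        raise KeyError(f"{key}: 404 NoSuchVersion")

    def delete(self, key: str, version_id: Optional[str] = None) -> Optional[str]:
        """Simple delete inserts a delete marker; a delete with a version ID removes that version for good."""
        versions = self._versions.setdefault(key, [])
        if version_id is None:
            if self.versioning == "Disabled":
                versions.clear()               # no versioning: the object is simply gone
                return None
            if self.versioning == "Enabled":
                vid = f"v{next(self._ids)}"
            else:
                vid = "null"
                self._drop_null(versions)
            versions.append(Version(vid, None, is_delete_marker=True))
            return vid
        # Permanent: removes that version (or the delete marker, which "undeletes" the object)
        versions[:] = [v for v in versions if v.version_id != version_id]
        return version_id

    def list_versions(self, key: str) -> List[Tuple[str, bool]]:
        """Newest first, like ListObjectVersions: (version_id, is_delete_marker)."""
        return [(v.version_id, v.is_delete_marker) for v in reversed(self._versions.get(key, []))]
```

The point to notice is the asymmetry: a delete without a version ID is reversible (remove the marker), a delete with a version ID is not, which is why MFA Delete and least-privilege on s3:DeleteObjectVersion matter.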

6
Q

What are the 4 methods of encrypting objects in S3?

A

SSE-S3 - Server-side encryption with keys handled and managed by AWS (AES-256)
SSE-KMS - Server-side encryption with keys managed in AWS Key Management Service
SSE-C - Server-side encryption with customer-provided keys that AWS does not store
Client-side encryption - The client encrypts before upload and manages the keys itself

7
Q

What is SSE-S3?

Where is the object encrypted?

What type of encryption is used?

What must you set on the request when sending files to be encrypted with SSE-S3?

A

Encrypts S3 objects using keys handled & managed by AWS

Server side

AES-256 encryption.

The x-amz-server-side-encryption header set to AES256 (the header value has no hyphen). Since January 2023 new objects are encrypted with SSE-S3 by default, so the header only makes the choice explicit.

8
Q

What is SSE-KMS?

What are the advantages of this method?

Where is the object encrypted?

What must you set on the request when sending files to be encrypted with SSE-KMS?

A

SSE-KMS - Leverages AWS Key Management Service to manage the encryption keys

Gives you control over who can use which keys (KMS key policies, separate from S3 permissions) and an audit trail of every key use in CloudTrail

Server side

AES-256 encryption

The x-amz-server-side-encryption header set to aws:kms (optionally x-amz-server-side-encryption-aws-kms-key-id to pick a specific key)

9
Q

What is SSE-C?

If AWS does not store the encryption keys for SSE-C, how can the data be encrypted server side?

Which HTTP protocol is required in this case?

A

Server-side encryption using keys fully managed by the customer outside of AWS. S3 does not store the key.

The client sends the key in the request headers (x-amz-server-side-encryption-customer-key, with its algorithm and MD5) on every PUT and GET. S3 uses it to encrypt or decrypt the object and then discards it, so the same key must be supplied again to read the object. Because the key travels in the request, HTTPS is required.

10
Q

What is client side encryption?

What tools can be used for encryption in this scenario?

A

When the client encrypts the files before sending them to S3.

In this scenario, the client is responsible for key management and encryption/decryption. S3 has no knowledge of the keys.

Amazon S3 Encryption Client.

11
Q

What do user based IAM policies do?

What is a bucket policy?

What is an Object Access Control List?

What is a bucket Access Control List?

Which rule takes priority allow or deny?

A

They specify which S3 API calls an IAM identity (user, group or role) may make. They are attached to the identity in IAM, not to the bucket

Bucket-wide rules attached to the bucket itself (a resource-based policy, managed from the S3 console). They can grant cross-account access and public access

Access rules set on an individual object (legacy mechanism; ACLs are disabled by default on new buckets)

Access rules set on the bucket itself (also legacy)

Deny. An explicit deny always overrides an allow: a user who matches both an allow and a deny is denied

12
Q

What does an S3 bucket policy consist of?

A

Sid - Statement ID (optional label)
Effect - Allow or Deny
Principal - Which account, user or role the statement applies to
Action - The permission, e.g. s3:GetObject
Resource - The buckets and objects (ARNs) the statement applies to
Condition - Optional extra requirements, e.g. that the request used TLS or set an encryption header

13
Q

What are some uses for S3 bucket policies?

How can you block public access and cross account access to a bucket?

A

Granting public access to the bucket
Forcing objects to be encrypted at upload (deny PutObject unless the encryption header is set)
Granting access to another account (cross-account access)

Through S3 Block Public Access: its "restrict public buckets" setting blocks public and cross-account access to buckets and objects that is granted through any public bucket or access point policy
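Cards 11 to 13 describe the policy elements and the "deny wins" rule, and cards 7 to 9 the encryption headers a policy can check. To tie them together, here is an added Python example (not AWS code): a bucket policy in the usual JSON shape that forces SSE-KMS at upload and refuses plaintext HTTP, plus a small evaluator for just the subset of policy syntax used here. The account ID, role name and bucket name are made up for illustration; real IAM evaluation also considers identity policies, SCPs, permission boundaries and many more condition operators than the three modelled.

```python
import fnmatch
from typing import Any, Dict, List, Union

ROLE = "arn:aws:iam::111122223333:role/Analysts"   # assumed principal for the example
BUCKET_ARN = "arn:aws:s3:::example-bucket"          # assumed bucket for the example

# Bucket policy in the shape the cards describe. The two Deny statements on PutObject are the
# AWS-documented pattern for forcing encryption: one catches a wrong header value, the Null one
# catches a missing header.
BUCKET_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAnalystsReadWrite", "Effect": "Allow",
         "Principal": {"AWS": ROLE},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": BUCKET_ARN + "/*"},
        {"Sid": "DenyWrongEncryption", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def _principal_matches(principal: Any, caller_arn: str) -> bool:
    if principal == "*":
        return True
    arns = principal.get("AWS", []) if isinstance(principal, dict) else []
    return any(p == "*" or p == caller_arn for p in _as_list(arns))


def _condition_matches(condition: Dict[str, Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    """Every operator/key pair in the Condition block must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Null":
                # "true" matches when the key is absent from the request, "false" when present
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
                continue
            if actual is None:
                # This evaluator treats any other operator as not matching when the key is absent,
                # so a missing header is caught by the separate Null statement above.
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "StringNotEquals":
                ok = actual not in _as_list(expected)
            elif operator == "Bool":
                ok = actual.lower() == str(expected).lower()
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def _statement_applies(stmt: Dict[str, Any], req: Dict[str, Any]) -> bool:
    action = req["action"].lower()                      # action names are case-insensitive
    return (
        _principal_matches(stmt.get("Principal", {}), req["principal"])
        and any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(req["resource"], p) for p in _as_list(stmt["Resource"]))
        and _condition_matches(stmt.get("Condition", {}), req.get("context", {}))
    )


def evaluate(policy: Dict[str, Any], req: Dict[str, Any]) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny'. A matching Deny wins over any Allow."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, req):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision
```

A request is a dict with the caller's ARN, the action, the object ARN and a context carrying the condition keys (the encryption header value and aws:SecureTransport). Run a PUT with the header set to AES256 through evaluate() and it is denied even though the role is allowed to write: that is the "deny wins" rule from card 11 doing the enforcement from card 13.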

14
Q

What type of security does S3 offer at the network level?

What type of Logging and Audit support does S3 offer?

What additional security can be required in versioned buckets to delete objects?

How can you give a user access to an object for a limited amount of time?

A

It supports VPC endpoints, so traffic from a VPC reaches S3 without traversing the public internet; endpoint and bucket policies can then restrict access to that endpoint

S3 server access logs can be delivered to another bucket, and API calls are recorded in AWS CloudTrail

MFA Delete: MFA is required to permanently delete an object version or to change the bucket's versioning state

Through a pre-signed URL, which carries the signer's permissions and an expiry time; anyone holding the URL can use it until it expires

15
Q

At what levels can you block public access to your objects?

A

At the account level (applies to every bucket in the account) or at the bucket level, via S3 Block Public Access. Individual objects can also be kept private through their ACL, but Block Public Access is the setting that overrides any public policy or ACL.

16
Q

What are the 3 things you must configure for a public static website?

What should you check if you get a 403 when trying to access your static website?

A

After enabling static website hosting on your bucket, you must configure an index document (index.html), an error document (error.html) and a bucket policy granting public read access.

Make sure the bucket policy allows public reads (s3:GetObject for everyone) and that Block Public Access is not overriding it.

17
Q

What is CORS and how do you define a CORS policy on an S3 bucket?

A

CORS (Cross-Origin Resource Sharing) defines which origins a browser may let a web page fetch a resource from. By default the browser's same-origin policy only lets a page read responses from its own origin (scheme, host and port).

To allow pages served from a different origin to read objects, you define a CORS configuration on the S3 bucket listing the allowed origins, HTTP methods and request headers; S3 then returns the matching Access-Control-* headers.
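As an added example (not part of the flashcards or of AWS's own code), here is a CORS configuration in the shape S3 accepts, written as a Python structure, together with a function that applies S3's rule-matching to an incoming cross-origin request and returns the Access-Control-* headers it would send. The hostnames are made up; the matching logic follows the documented rules (a rule matches when the Origin, the method and every requested header are allowed, and an origin may contain at most one "*").

```python
from typing import Any, Dict, List, Optional

# CORS configuration for a bucket, same fields as the S3 console/API use (example values).
CORS_RULES: List[Dict[str, Any]] = [
    {   # the web app that embeds assets from this bucket (assumed hostname)
        "AllowedOrigins": ["https://app.example.com"],
        "AllowedMethods": ["GET", "HEAD"],
        "AllowedHeaders": ["*"],
        "MaxAgeSeconds": 3000,
    },
    {   # an upload tool on any subdomain of example.net; S3 allows one "*" per origin
        "AllowedOrigins": ["https://*.example.net"],
        "AllowedMethods": ["PUT", "POST"],
        "AllowedHeaders": ["Content-Type", "x-amz-*"],
    },
]


def _wildcard_match(pattern: str, value: str) -> bool:
    """Exact match, or a single '*' standing for any run of characters (S3's CORS matching)."""
    if "*" not in pattern:
        return pattern == value
    head, _, tail = pattern.partition("*")
    return (value.startswith(head) and value.endswith(tail)
            and len(value) >= len(head) + len(tail))


def cors_response_headers(rules: List[Dict[str, Any]], origin: Optional[str], method: str,
                          request_headers: Optional[List[str]] = None) -> Optional[Dict[str, str]]:
    """Return the Access-Control-* headers for the first matching rule, or None if no rule
    matches (S3 then sends no CORS headers and the browser blocks the cross-origin read)."""
    if origin is None:
        return None                      # no Origin header: not a CORS request, nothing to add
    wanted = [h.lower() for h in request_headers or []]
    for rule in rules:
        if not any(_wildcard_match(o, origin) for o in rule["AllowedOrigins"]):
            continue
        if method.upper() not in rule["AllowedMethods"]:
            continue
        allowed = [h.lower() for h in rule.get("AllowedHeaders", [])]
        if not all(any(_wildcard_match(a, h) for a in allowed) for h in wanted):
            continue
        headers = {
            # S3 echoes the requesting origin unless the rule itself allows "*"
            "Access-Control-Allow-Origin": "*" if "*" in rule["AllowedOrigins"] else origin,
            "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
        }
        if wanted:
            headers["Access-Control-Allow-Headers"] = ", ".join(request_headers)
        if "MaxAgeSeconds" in rule:
            headers["Access-Control-Max-Age"] = str(rule["MaxAgeSeconds"])
        return headers
    return None
```

The scheme is part of the origin, so an http:// page does not match an https:// rule, and a rule that allows the origin but not the method (the app origin trying a PUT) does not match either; both return None, which is the "default: only same origin" behaviour from the card.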

18
Q

What does strong consistency mean in terms of S3?

A

It means that after a successful write (a PUT of a new object or an overwrite) or a delete, every subsequent read or list immediately reflects that change; you never read a stale copy. There is no extra cost or performance penalty for this.