S3 Flashcards
True or False: S3 is public by default and anyone can access any bucket.
False. S3 buckets are private by default: initially only the account (root user) can access a bucket, and every other identity needs an explicit grant through an identity policy, a bucket policy, or an ACL.
What is an S3 bucket policy?
An S3 bucket policy is a form of resource policy that is attached to a bucket and controls access to the bucket and the objects in it. Because it is a resource policy, it can grant access to identities in other accounts or to anonymous users.
What is the principal key in a resource policy?
The Principal element identifies who the statement applies to: an AWS account, user, role, service, or "*" for everyone. Identity policies do not have one because the identity they are attached to is implied.
What is an Access Control List?
A legacy access control mechanism on buckets and objects that predates bucket policies. Inflexible: a small fixed set of permissions (READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL) and no conditions.
What is S3 Static Website Hosting?
Serves the objects in a bucket as a website over HTTP: the bucket gets a website endpoint and objects are fetched with plain GET requests, so no AWS credentials are involved.
What is an index document?
The object (e.g. index.html) that is returned when a request is made to the root of the website or to a folder path, rather than to a specific object.
What is an error document?
The object that is returned when a request fails, e.g. a 404 Not Found for a key that does not exist.
When might you want to use S3 static website hosting?
For offloading large static content (images, video, downloads) from application servers, and for out-of-band pages such as a status or maintenance page that must stay up when the main infrastructure is down.
What does versioning let you do?
Versioning lets a bucket keep multiple versions of the same object (same key). Operations that modify or delete an object create a new version instead of overwriting or removing the existing one; a DELETE without a version ID only adds a delete marker. Once enabled, versioning can be suspended but never disabled.
What metadata on an object stores the version?
The version ID. It is null on objects in a bucket that has never had versioning; with versioning, each write gets a unique ID, and a GET without a version ID returns the most recent version (the current version).
Why does versioning increase costs?
Every version of every object consumes storage and is billed. Deleting an object only adds a delete marker, so space is not reclaimed until the individual versions are deleted.
What operations does MFA Delete apply to?
Changing the bucket's versioning state (enabling or suspending) and permanently deleting an object version. With MFA Delete enabled, both require a valid MFA code with the request.
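The versioning cards above describe observable behaviour (version IDs, the current version, delete markers, permanent deletes, storage cost). The block below is an added example, not from the flashcards and not S3 code: an in-memory model of a bucket with versioning and MFA Delete that reproduces that behaviour so it can be poked at offline. Version IDs are random strings (S3's are opaque, not sequential) and the storage figure is just a sum of bytes.

```python
"""In-memory model of an S3 bucket with versioning and MFA Delete (added example)."""
import secrets


class VersionedBucket:
    def __init__(self, versioning=False, mfa_delete=False):
        self.versioning = versioning
        self.mfa_delete = mfa_delete
        # key -> list of versions, oldest first. Each version is a dict with
        # "version_id", "data" (bytes) and "delete_marker" (bool).
        self._objects = {}

    def _new_version_id(self):
        # Without versioning S3 reports the version ID as "null".
        return secrets.token_urlsafe(24) if self.versioning else "null"

    def put(self, key, data):
        versions = self._objects.setdefault(key, [])
        if not self.versioning:
            versions.clear()  # an overwrite really overwrites
        version_id = self._new_version_id()
        versions.append({"version_id": version_id, "data": data, "delete_marker": False})
        return version_id

    def get(self, key, version_id=None):
        versions = self._objects.get(key, [])
        if version_id is None:
            # GET without a version ID returns the current (latest) version;
            # if the latest version is a delete marker the object looks deleted.
            if not versions or versions[-1]["delete_marker"]:
                raise KeyError(key)  # 404 NoSuchKey
            return versions[-1]["data"]
        for v in versions:
            if v["version_id"] == version_id and not v["delete_marker"]:
                return v["data"]
        raise KeyError((key, version_id))

    def exists(self, key):
        try:
            self.get(key)
            return True
        except KeyError:
            return False

    def delete(self, key, version_id=None, mfa_ok=False):
        versions = self._objects.get(key, [])
        if version_id is None:
            # A plain DELETE on a versioning bucket only adds a delete marker;
            # the older versions stay (and keep being billed).
            if self.versioning:
                marker_id = self._new_version_id()
                versions.append({"version_id": marker_id, "data": b"", "delete_marker": True})
                return marker_id
            self._objects.pop(key, None)
            return None
        # Deleting a specific version (or a delete marker) is permanent. With
        # MFA Delete enabled S3 refuses this without an MFA code.
        if self.mfa_delete and not mfa_ok:
            raise PermissionError("MFA Delete is enabled: MFA code required")
        self._objects[key] = [v for v in versions if v["version_id"] != version_id]
        return version_id

    def stored_bytes(self):
        """All versions of all objects count toward the storage bill."""
        return sum(len(v["data"]) for vs in self._objects.values() for v in vs)


if __name__ == "__main__":
    b = VersionedBucket(versioning=True)
    v1 = b.put("doc.txt", b"v1 text")
    v2 = b.put("doc.txt", b"version two")
    marker = b.delete("doc.txt")          # adds a delete marker only
    print(b.exists("doc.txt"), b.stored_bytes())   # False, 18: both versions still billed
    b.delete("doc.txt", marker)           # removing the marker "undeletes" the object
    print(b.get("doc.txt") == b"version two")
```

Removing the delete marker by its version ID is exactly how an accidental delete is reverted on a versioning bucket, which is also why MFA Delete guards the version-specific delete and not the plain one.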
What is Multipart Upload?
Splits a single object into parts (at least 5 MB each except the last, at most 10,000 parts) that are uploaded independently and in parallel; a failed part can be retried on its own instead of restarting the whole upload. Recommended for objects over 100 MB and required above the 5 GB single PUT limit.
What is S3 Transfer Acceleration?
A feature that uses the AWS edge network (CloudFront edge locations): uploads go to the nearest edge location and then travel over the AWS backbone to the bucket, which is faster than crossing the public internet from a distant client. The bucket name must be DNS compatible (no periods).
What is KMS?
KMS = Key Management Service. A regional, public service that creates, stores, and manages encryption keys. The keys never leave KMS; callers ask KMS to use them, and every use is logged in CloudTrail.
What level of security does KMS provide?
KMS keys are stored in and used by FIPS 140-2 validated hardware security modules (HSMs).
What is a Customer Master Key?
A Customer Master Key (CMK, now called a KMS key) is the primary resource KMS manages: a logical key with an ID, ARN, alias, and key policy, backed by physical key material held in KMS. KMS can directly encrypt or decrypt at most 4 KB of data with a CMK.
Are customer master keys generated by KMS or imported?
Both: KMS can generate the key material, or you can import your own.
What are Data Encryption Keys?
DEKs are generated by KMS using a CMK (the GenerateDataKey operation) and are used to encrypt data larger than 4 KB. KMS returns the DEK in plaintext together with a copy encrypted under the CMK.
True or False: DEK is not stored by KMS
True. KMS hands you the plaintext DEK and an encrypted copy, then discards both. You (or a service such as S3) encrypt the data with the plaintext DEK, discard the plaintext, and store the encrypted DEK alongside the data. To decrypt, the encrypted DEK is sent back to KMS to be unwrapped with the CMK (envelope encryption).
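The CMK and DEK cards describe envelope encryption. The block below is an added example, not from the flashcards and not AWS code: FakeKMS stands in for KMS (it holds the CMK, never releases it, encrypts at most 4 KB directly, and hands out DEKs in plaintext plus wrapped under the CMK), and the client-side functions encrypt an object with the DEK, discard the plaintext DEK, and store the wrapped DEK next to the ciphertext. Python's standard library has no AES, so the block uses an HMAC-SHA256 counter-mode keystream with an HMAC tag as a stand-in for the AES-256-GCM that KMS and S3 actually use; the key-handling flow is the point, not the cipher.

```python
"""Envelope encryption with a stand-in KMS (added example; not AWS code)."""
import hashlib
import hmac
import secrets

CMK_DIRECT_LIMIT = 4096  # KMS Encrypt/Decrypt accept at most 4 KB of data


def _subkeys(key):
    """Separate keys for the keystream and the tag (domain separation)."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key, nonce, n):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def aead_encrypt(key, plaintext):
    """Encrypt-then-MAC with a fresh nonce: returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key, blob):
    """Verify the tag in constant time before touching the ciphertext."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed (wrong key or tampered data)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class FakeKMS:
    """Stand-in for KMS: the CMK material exists only inside this object."""

    def __init__(self):
        self._cmk = secrets.token_bytes(32)  # never returned to callers
        self.log = []  # what CloudTrail would record

    def encrypt(self, plaintext):
        if len(plaintext) > CMK_DIRECT_LIMIT:
            raise ValueError("Encrypt accepts at most 4 KB; use a data key instead")
        self.log.append("Encrypt")
        return aead_encrypt(self._cmk, plaintext)

    def decrypt(self, blob):
        self.log.append("Decrypt")
        return aead_decrypt(self._cmk, blob)

    def generate_data_key(self):
        """Return (plaintext DEK, DEK wrapped under the CMK). KMS keeps neither."""
        self.log.append("GenerateDataKey")
        dek = secrets.token_bytes(32)
        return dek, aead_encrypt(self._cmk, dek)


def encrypt_object(kms, data):
    """Client side: encrypt an object of any size with a fresh DEK."""
    dek, wrapped_dek = kms.generate_data_key()
    ciphertext = aead_encrypt(dek, data)
    del dek  # the plaintext DEK is discarded; only the wrapped copy is stored
    return {"ciphertext": ciphertext, "wrapped_dek": wrapped_dek}


def decrypt_object(kms, stored):
    """Client side: KMS unwraps the DEK (needs permission on the CMK), we decrypt."""
    dek = kms.decrypt(stored["wrapped_dek"])
    return aead_decrypt(dek, stored["ciphertext"])


if __name__ == "__main__":
    kms = FakeKMS()
    obj = bytes(range(256)) * 400  # 100 KB constructed object, far over 4 KB
    stored = encrypt_object(kms, obj)
    print(decrypt_object(kms, stored) == obj, kms.log)  # True ['GenerateDataKey', 'Decrypt']
```

Two things worth noticing when running it: the CMK is used only for the small wrap/unwrap operations, which is why KMS can cap direct Encrypt at 4 KB, and a second FakeKMS instance (a different CMK) cannot unwrap the stored DEK, which is the role-separation property SSE-KMS gives S3.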
CMKs are isolated to a __________ and never leave
region
Do CMKs support rotation?
Yes. AWS managed keys are rotated automatically by AWS (historically every 3 years, now yearly). Customer managed keys can have optional automatic rotation, yearly by default. Rotation creates new backing key material; old material is kept so existing ciphertext can still be decrypted.
What algorithm does S3 use for encryption?
AES 256
How do you encrypt a bucket in S3?
You don't. Encryption is applied per object, not per bucket. A bucket can have a default encryption setting, but that only sets the method applied to each new object as it is uploaded.
Who manages the 1. keys and 2. encryption in SSE-C?
1. Customer (supplies the key with every request; S3 discards it after use)
2. S3 (performs the encryption and decryption)
Who manages the 1. keys and 2. encryption in SSE-S3?
1. S3
2. S3
What encryption method on S3 is the default?
a. SSE-C
b. SSE-S3
c. SSE-KMS
SSE-S3
How does SSE-KMS differ from SSE-S3?
A KMS key (CMK) is used to generate the per-object data key instead of an S3 managed key. This gives role separation (an S3 administrator with full S3 rights but no permission on the KMS key cannot read the objects), CloudTrail logging of every key use, and optionally a customer managed key you control and rotate.
What is the default storage class in S3?
Standard.
In S3 standard, are you charged a data retrieval fee?
No
In S3 standard, how many AZs are objects replicated across?
3+
In S3 Standard-IA, what is the minimum duration charge?
30 days (and a minimum billable object size of 128 KB), plus a per-GB retrieval fee.
What kind of documents might you use S3 Standard IA for?
Important data (not easily recreated) that is accessed infrequently but must be available immediately when it is needed.
What kind of documents would you use S3 One Zone IA for?
Non-critical, replaceable data that is accessed infrequently. It is stored in a single AZ, so it is lost if that AZ fails.
What kind of retrieval latency is experienced with the Glacier storage class?
Minutes to hours, depending on the retrieval option (expedited, standard, or bulk). Objects are not directly readable; a retrieval restores a temporary copy first.
What kind of retrieval latency is experienced with Glacier Deep Archive?
Hours to days (standard retrieval about 12 hours, bulk up to 48 hours), with a 180-day minimum storage duration.
True or False: It is a good idea to use Glacier Deep Archive for primary backups
False. Retrieval takes hours to days and there is a 180-day minimum storage charge, so it suits long-term archive and compliance retention, not backups you may need to restore quickly.
What does S3 intelligent tiering do?
Monitors objects and moves them to different storage classes based on access.
What advantages does S3 intelligent tiering offer?
May reduce costs when object access patterns are unknown or unpredictable.
Reduces admin overhead, since no lifecycle rules are needed (at the price of a small monthly monitoring fee per object).
What is S3 Lifecycle configuration?
A set of rules defined on a bucket (optionally scoped to a prefix or tags) whose actions either transition objects between storage classes or expire (delete) them after a given number of days.
What two types of replication exist in S3?
Cross Region replication and same region replication
Why would you want to use cross region replication?
Global resilience (a copy that survives a regional outage) and latency reduction for users near the destination region.
Why would you want to use same region replication?
Log aggregation into a single bucket, prod/test environment sync, and resilience across accounts within a region.
True or false: you don't need versioning on to use replication
False. Versioning must be enabled on both the source and destination buckets.
What storage classes cannot be used with replication?
Glacier and Glacier Deep Archive
What is a presigned URL?
A URL for a specific S3 object that embeds the access key ID, an expiry, and a signature (SigV4) computed with the secret of the identity that generated it. Whoever holds the URL can perform that one operation (e.g. GET or PUT) on that object until it expires, without AWS credentials of their own.
True or False: You can only generate presigned urls for objects you have access to
False. You can generate a presigned URL for any object, even one you cannot access; the URL is only as powerful as the identity that signed it at the moment it is used. If that identity lacks permission, or its credentials expire first (as with a role's temporary credentials), the request fails.
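To show what "embedded permissions" in a presigned URL actually are, the block below is an added example, not from the flashcards and not boto3: it builds an S3 presigned GET URL by hand with SigV4 query-string signing using only the standard library. The URL carries the signer's access key ID, the credential scope, an expiry, and a signature, but never the secret key. The access key, secret, bucket, key and region are made up, so the resulting URL will not work against a real bucket; the structure and signing steps are the same ones the SDKs perform.

```python
"""Hand-rolled SigV4 presigned GET URL for S3 (added example; constructed credentials)."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

MAX_EXPIRES = 7 * 24 * 3600  # SigV4 presigned URLs are valid for at most 7 days


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key, date, region, service="s3"):
    """Derive the scoped signing key; the secret itself never leaves this function."""
    k_date = _hmac(("AWS4" + secret_key).encode(), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def _uri_encode(s, keep_slash=False):
    # SigV4 requires RFC 3986 encoding with only unreserved characters left alone.
    return quote(s, safe="/-_.~" if keep_slash else "-_.~")


def presign_get(bucket, key, region, access_key_id, secret_key,
                expires=3600, now=None, session_token=None):
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 second and 7 days")
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{date}/{region}/s3/aws4_request"

    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials (roles) must carry their token
        params["X-Amz-Security-Token"] = session_token
    canonical_query = "&".join(
        f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in sorted(params.items()))
    canonical_uri = "/" + _uri_encode(key, keep_slash=True)
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",    # canonical headers block, each line newline-terminated
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # presigned URLs do not sign a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def example_url(expires=3600):
    """Deterministic example with constructed credentials and a fixed clock."""
    fixed_now = dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc)
    return presign_get(
        bucket="example-bucket",
        key="reports/q1 2024.csv",
        region="us-east-1",
        access_key_id="AKIAEXAMPLE12345678",      # made up
        secret_key="EXAMPLESECRETKEYDONOTUSE",    # made up
        expires=expires,
        now=fixed_now,
    )


if __name__ == "__main__":
    print(example_url())
```

Note what the signature covers: method, path, every query parameter (including the expiry), and the host. Changing any of them invalidates the URL, which is why a presigned GET cannot be turned into a PUT or pointed at another key, and why the expiry cannot be extended by editing X-Amz-Expires.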
Why are S3 Select and S3 Glacier select important?
They let you push a filter (a SQL-like expression) into S3 so that only the matching rows or bytes of an object are returned, instead of downloading the whole object and filtering in the application. This reduces data transfer, latency, and the work the app has to do.
What are S3 Events?
Notifications generated when something happens in a bucket (object created, removed, restored from Glacier, replication events). They can be delivered to SNS topics, SQS queues, or Lambda functions.
What is S3 server access logging?
It records each request made to a source bucket (requester, bucket, key, operation, response status, error code) and delivers the log objects to a target bucket you choose.