S3 Flashcards

1
Q

S3 object properties

A
  • key - full path to the file
    • s3://my-bucket/test/my-file.txt
      • key = test/my-file.txt
        • prefix = test
        • object name = my-file.txt
  • value - content of the body
    • max size is 5 TB
    • cannot upload more than 5 GB in a single PUT
  • metadata - key/value pairs - system or user data
  • tags - Unicode key/value pairs - useful for security and lifecycle rules
  • Amazon S3 provides strong read-after-write consistency for PUTs and DELETEs of objects in your Amazon S3 bucket in all AWS Regions. This applies to writes of new objects as well as PUTs that overwrite existing objects and to DELETEs.
2
Q

bucket

A
  • directory (must have a globally unique name)
    • defined at the region level
    • no uppercase letters, no underscores, must not look like an IP address, etc.
  • Bucket configurations have an eventual consistency model. If you delete a bucket and immediately list all buckets, the deleted bucket might still appear in the list.
3
Q

bucket versioning

A
  • has to be enabled at the bucket level
  • overwriting the same key increments the ‘version’ (1, 2, 3, ...)
  • deleted keys receive a ‘delete marker’ only when versioning is enabled
4
Q

S3 encryption - SSE-S3

A
  • keys handled and managed by AWS
    • server-side encryption
    • AES-256
    • must set the header ‘x-amz-server-side-encryption’: ‘AES256’
    • object + S3-managed data key = encrypted file in the bucket
5
Q

S3 encryption - SSE-KMS

A
  • AWS Key Management Service (KMS)
    • user control over who has which keys + audit trail
    • server-side encryption
    • ‘x-amz-server-side-encryption’: ‘aws:kms’
    • object + KMS customer master key = encrypted file in the bucket
    • uses the GenerateDataKey and Decrypt APIs to encrypt files larger than 4 KB
    • counts against your KMS limits!!!
      • use an S3 Bucket Key to encrypt objects with KMS instead - this reduces the number of KMS API calls
6
Q

S3 encryption - SSE-C

A
  • when you want to manage your own encryption keys
    • S3 does not store the encryption key you provide
    • the key must be sent over HTTPS
    • object + client-provided data key in the header = encrypted data in the bucket
7
Q

S3 security

A
  • User-based
    • IAM policies
  • Resource-based
    • bucket policies - cross-account access to an S3 bucket
  • An IAM principal (user) can access an S3 object IF
    • the user’s IAM permissions allow it OR the resource policy allows it, AND there’s no explicit deny
  • Networking
    • supports VPC endpoints (for instances in a VPC without public internet access)
    • S3 access logs can be stored in another bucket
    • API calls can be logged in AWS CloudTrail
    • MFA Delete
8
Q

Amazon Athena

A

Lets you query S3 with SQL. Use Athena to analyze CloudTrail logs older than 90 days stored in the S3 bucket.

9
Q

When to use multi part upload

A

object > 100 MB
