S3 Flashcards

1
Q

How resilient is S3?

A

Data is stored in a single region across multiple AZs, so S3 is regionally resilient.

2
Q

What are the logical units of S3?

A

Bucket - container for objects
- can contain an unlimited number of objects
- soft limit of 100 buckets
- hard limit of 1000 buckets
- bucket name is globally unique, 3-63 chars, lowercase, no underscores, must start with a lowercase letter or digit, cannot be in IP address format

Object - a single unit that contains a file
- size can be from 0 to 5 TB
- has a version id, metadata, access control, sub-resources (ACL)

3
Q

What is object versioning and how does it work?

A

Each object inserted into S3 has its own versionId.
- New versions do not overwrite old objects; they are pushed on top of the stack.
- When deleting an object, a delete marker is inserted (nothing is deleted); to actually delete the object it must be referenced by versionId.

Once versioning is enabled it cannot be disabled.

Bucket versioning has 3 states:
- suspended state - creates/replaces objects with a null version
- disabled state - creates/replaces objects with a null version
- enabled state - a new version is generated for each object

When getting an object with no version specified, the latest version is retrieved.

4
Q

When not to use S3?

A

When a filesystem is required:
- mounting a disk
- block storage (S3 is object storage and cannot append to a file, etc.)

5
Q

What is an S3 bucket policy used for?

A

It is a resource policy and determines:
- which identities can access which objects
- which actions those identities can execute

6
Q

What is an ACL?

A

Access Control List is a legacy mechanism for changing access to a bucket and the objects inside it.

Allows setting: write, read, read_acp (allows reading the ACL of the object), write_acp (allows writing the ACL of the object), full control

7
Q

Why is there a Block Public Access banner?

A

It is a failsafe against misconfigurations that would give anonymous identities access to an S3 bucket.

8
Q

What is S3 static hosting?

A

Provides public access to a bucket over HTTP.
- Specify index.html and error.html files.
- Automatically creates a DNS name to access the bucket

9
Q

How to speed up uploads to S3?

A

Use multipart upload to S3:
- it opens multiple TCP streams
- it finds the closest edge location to upload the file to
- it splits the file into chunks that are uploaded in parallel
- it retries the upload if one of the chunks fails
- min file size is 100mb
- part size can be from 5mb to 5gb, up to 10k parts

10
Q

What are the types of S3 encryption?

A
  • SSE-C - customer-provided keys. When uploading a file, the user provides the encryption key.
  • SSE-S3 - S3-managed keys (AES-256). When uploading a file, S3 uses its own KMS keys to encrypt/decrypt.
  • SSE-KMS - S3 talks to KMS to retrieve the encryption/decryption key
11
Q

How does SSE-C work?

A

SSE-C - customer-provided keys.

  • When uploading/downloading a file, the customer provides the encryption key.
  • When uploading, a hash of the key is taken and appended to the file.
  • When downloading, the hash of the provided key is compared with the appended key hash.
12
Q

How does SSE-S3 work?

A

SSE-S3 - S3-managed keys (AES-256)

  • S3 manages its own encryption keys in KMS
  • The user has no control over the keys used
  • Each object is encrypted with a different key
  • Each key is encrypted with the root key and stored in S3
13
Q

How does SSE-KMS work?

A

SSE-KMS

  • Uses a customer-specified KMS key
  • Each object is encrypted with a different key
  • Each key is encrypted with the root key and stored in S3
  • The user can do role separation - encrypt, decrypt, admin
  • The user can rotate the root key
14
Q

What are the storage classes and how they differ?

A

Pricing: GB/month + transfer per GB + request count

https://aws.amazon.com/s3/storage-classes/

  • S3 Standard (default) - 3 AZs, retrieval in ms
  • S3 Standard-IA (infrequent access) - 3 AZs, min contract 30 days, min file size 128kb, retrieval in ms
  • S3 One Zone-IA - 1 AZ, min contract 30 days, min file size 128kb, retrieval in ms
  • S3 Glacier Instant Retrieval - 3 AZs, min contract 90 days, min file size 128kb, retrieval in ms
  • S3 Glacier Flexible Retrieval - 3 AZs, min contract 90 days, min file size 40kb, retrieval in minutes to hours
  • S3 Glacier Deep Archive - 3 AZs, min contract 180 days, min file size 40kb, retrieval in hours
  • S3 Intelligent-Tiering - charges for monitoring, moves objects between tiers automatically
15
Q

What is S3 lifecycle configuration and how does it work?

A
  • Consists of a set of rules.
  • Rules consist of actions.
  • Applied to a bucket or a group of objects

Transition actions - move objects between tiers
- transitions only happen in the downward direction
- objects must stay in their tier for 30 days before the action applies
- can delete objects once the TTL expires

16
Q

What is S3 replication and how does it work?

A

Allows copying objects between buckets. Replicates objects one way only.

VERSIONING needs to be enabled.

  • CRR - cross-region replication
  • SRR - same-region replication

17
Q

How do presigned URLs work?

A

Creates a URL which is signed by a secret key; the URL allows uploading or downloading a file.

  • Anti-pattern to use roles, since their credentials are short-lived
  • It is possible to create a signed URL for a non-existent object

18
Q

What are S3 events and how do they work?

A

S3 events publish notifications to different targets about what happens to objects.

targets - SNS, SQS, Lambda, EventBridge
events - put, post, delete, replicate, etc.

19
Q

What is object lock?

A

Prevents objects from being deleted.

Requires versioning to be enabled.

Has two modes:
1. retention period - objects cannot be changed for a specific amount of time
2. legal lock - objects cannot be changed until the legal lock is removed

20
Q

What is WORM for a bucket?

A

Write Once Read Many

No deletes, no rewrites. Part of the S3 object lock feature.

21
Q

How do S3 access logs work?

A

Periodically collects access log records, consolidates them and uploads them to a target S3 bucket.

  • Delivery happens within a few hours
  • Access to the target bucket can be granted via bucket policy or ACL