S3

Question 1

What is the max object size that can be uploaded?

Answer 1

5TB (5000GB)

Question 2

How can you upload an object larger than 5GB?

Answer 2

Must use ‘multi-part upload’ for greater than 5GB

Question 3

Under what conditions can an IAM principal access an S3 object?

Answer 3

• The user IAM permissions ALLOW it OR the resource policy ALLOWS it
• AND there is no explicit DENY

Question 4

How could you allow an EC2 instance to access an S3 bucket?

Answer 4

Create an IAM Role, assign the correct permissions, and assign the role to the EC2 instance.

Question 5

How would you allow another user to access a bucket you have created?

Answer 5

Create a bucket policy for the S3 bucket that allows cross-account.

Question 6

What are the two types of S3 replication?

Answer 6

CRR (cross region replication) and SRR (same region replication)

Question 7

What are the requirements for replication?

Answer 7

• Must enable Versioning in source and destination buckets
• Must give proper IAM permissions to S3

Question 8

What are the use cases for S3 replication (for both types)?

Answer 8

CRR - compliance, lower latency access, replication across accounts
SRR - log aggregation, live replication between production and test accounts

Question 9

What is a limitation of replication?

Answer 9

Only new objects are replicated

Question 10

What is S3 Batch Replication?

Answer 10

S3 Batch Replication - replicates existing objects and objects that failed replication

Question 11

What are delete markers, and how do they (optionally) tie in to replication?

Answer 11

With versioning turned on, a delete marker is a marker placed on an object that has been deleted - this allows a roll-back of the delete using the delete marker version.

For replication, delete markers (if enabled) are replicated from source to target. Deletions with a version ID (i.e., a permanent delete) are not replicated (to avoid malicious deletes).

Question 12

List the S3 Storage Classes

Answer 12

• Standard - General Purpose
• Standard-Infrequent Access (IA)
• One Zone-Infrequent Access
• Glacier Instant Retrieval
• Glacier Flexible Retrieval
• Glacier Deep Archive
• Intelligent Tiering

Question 13

What is meant by Durability?

Answer 13

• How many times an object is going to be lost by S3
• Same Durability for all storage classes
  99.999999999% (11 9s) durability.

Question 14

What is meant by Availability?

Answer 14

• How available a service is (i.e., uptime vs downtime)
• Varies depending on storage class
  S3 standard is 99.99% available (53 minute downtime per year)

Question 15

Describe S3 Standard - General Purpose, and give a use case.

Answer 15

• 99.99% availability
• Used for frequently accessed data
• Low latency and high throughput
• Sustain 2 concurrent facility failures

Big data analytics, mobile & gaming applications, content distribution

Question 16

Describe S3 Standard & One Zone - Infrequent Access, and give a use case.

Answer 16

• Used for less frequently accessed data, but rapid access when needed
• Lower cost than Standard

Standard-IA:
99.9% available
Disaster recovery, backups

One Zone-IA
Single AZ - data lost when AZ is destroyed
99.5% available
Storing secondary backup copies of on-premise data, or data you can recreate

Question 17

Describe S3 Glacier Storage Classes in general

Answer 17

Low cost object storage meant for archiving/backup
Pricing: Price for storage + object retrieval cost

Question 18

Describe S3 Glacier Storage Class - Instant Retrieval

Answer 18

Millisecond retrieval, great for data accessed once a quarter
Minimum storage duration of 90 days

Question 19

Describe S3 Glacier Storage Class - Flexible Retrieval

Answer 19

Expedited (1 to 5 minutes), Standard (3 to 5 hours), Bulk (5 to 12 hours) - bulk is free
Minimum storage duration of 90 days

Question 20

Describe S3 Glacier Storage Class - Deep Archive

Answer 20

Standard (12 hours), Bulk (48 hours)
Minimum storage duration of 180 days

Question 21

Describe S3 Intelligent Tiering

Answer 21

• Small monthly monitoring and auto-tiering fee
• Moves objects automatically between access tiers based on usage
• No retrieval charges in Intelligent Tiering

Question 22

What lifecycle rule would you use to move an object to another storage class after a certain period of time?

Answer 22

Transition Action

Question 23

What lifecycle rule would you use to delete an object to another storage class after a certain period of time?

Answer 23

Expiration action

Question 24

How can you assign rules to objects?

Answer 24

Can be specified for a certain prefix, or for object tags.

Question 25

How can you work out what rules to apply to different objects? What is a limitation of this?

Answer 25

Storage Class Analysis
- Provides recommendations for Standard and Standard IA tier storage
- Daily report
- Allow for 24-48 hours to start seeing analysis

Does not cover One-Zone IA or Glacier

Question 26

What are the request rate limits for S3 files?

Answer 26

3500 writes and 5500 reads per second per prefix in a bucket.

Question 27

How does S3 Transfer Acceleration work?

Answer 27

Increase transfer speed by transferring file to an AWS edge location which will forward the data to the S3 bucket in the target region
- Minimize transfer over public internet and maximize transfer over private AWS network
- Compatible with multi-part upload

Question 28

How can you speed up the download of a file, or retrieve partial data from the file?

Answer 28

S3 Byte-Range Fetches
- Parallelize GETs by requesting specific byte ranges (i.e., break the file down into byte-sized pieces)
- Better resilience in case of failures

Question 29

What are S3 Byte-Range Fetches?

Answer 29

A method of speeding up the download of a file, or retrieving partial data from the file
- Parallelize GETs by requesting specific byte ranges (i.e., break the file down into byte-sized pieces)
- Better resilience in case of failures

Question 30

What is S3 Select & Glacier Select?

Answer 30

• Retrieve less data using SQL by performing server-side filtering
• Can filter by rows & columns (simple SQL statements)

Question 31

What is an advantage of S3 Select & Glacier Select?

Answer 31

Less network transfer, less CPU cost client-side

Question 32

How can you automate the transition of S3 objects between their different tiers?

Answer 32

S3 Lifecycle Rules

Question 33

What are the four methods of S3 encryption?

Answer 33

Server-Side Encryption (SSE) with:
- S3 Managed Keys (SSE-S3) (Default)
- KMS Keys stored in AWS KMS (SSE-KMS)
- Customer-Provided Keys (SSE-C)
Client-Side Encryption

Question 34

What is SSE-S3?

Answer 34

Default S3 Encryption - Encryption of S3 objects using keys handled, managed and owned by AWS (encrypts the object using an S3 owned key)

Question 35

What is SSE-KMS?

Answer 35

Leverage AWS Key Management Service (AWS KMS) to manage encryption keys

Question 36

What is SSE-C?

Answer 36

Use customer provided keys, and manage your own encryption keys

Question 37

What is the encryption type for SSE-S3, and how would you include it in a request?

Answer 37

AES-256
Set header “x-amz-server-side-encryption”:”AES256”

Question 38

What are the advantages of SSE-KMS?

Answer 38

• User control over keys
• Audit key usage using CloudTrail (any key usage of a KMS key is tracked in CloudTrail)

Question 39

How would you include SSE-KMS in a request?

Answer 39

Set header “x-amz-server-side-encryption”:”aws:kms”

Question 40

What are the limitations of SSE-KMS?

Answer 40

• May be impacted by KMS limits: upload and download via KMS API (via GenerateDataKey and Decrypt)
• These count towards KMS quota per second
• Can request quota increase using the Service Quotas Console

Question 41

How would you include SSE-C in a request?

Answer 41

Encryption key must be provided in HTTP headers for every request made

Question 42

How does AWS managed SSE-C keys?

Answer 42

It doesn’t - S3 does not store these encryption keys

Question 43

What protocol does SSE-C require to be used and why?

Answer 43

HTTPS - Encryption key is passed into request via headers

Question 44

What is Encryption in Transit otherwise known as?

Answer 44

SSL/TLS

Question 45

How can you force encryption to be via SSE-KMS or SSE-C, and why doesn’t default encryption take place?

Answer 45

Use a bucket policy to enforce the condition that there is an encryption header for SSE-KMS or SSE-C
- Bucket policies are evaluated before default encryption

Question 46

What is CORS?

Answer 46

Cross Origin Resource Sharing - a web browser security that allows you to enable object retrieval from a different origin

Question 47

How is the O is CORS composed?

Answer 47

Origin = scheme (protocol) + host (domain) + port
e.g., https://www.example.com (with an implied port of 443 as HTTPS)
The same origin would be https://www.example.com/app1
Different origin would be https://other.example.com

Question 48

How do you enable a cross-origin request to an S3 bucket?

Answer 48

Use CORS headers (e.g., Access-Control-Allow-Origin)

Question 49

What does MFA delete do?

Answer 49

MFA will be required for potentially destructive actions:
- Permanently delete an object version
- Suspend Versioning on the bucket
MFA will not be required to:
- Enable versioning
- List deleted versions

Question 50

What are the requirements for enabling MFA delete?

Answer 50

• Must be bucket owner (root account)
• Bucket must be using versioning

Question 51

What should you avoid when setting up a logging bucket for S3 access logs?

Answer 51

Don’t set the logging bucket to be the same as the monitored bucket
- Will create a logging loop, causing the bucket to grow exponentially

Question 52

What is S3 Access Logging?

Answer 52

Option to enable logging of all access (put, get etc.) for a specific bucket, to a specific bucket (in the same region)

Question 53

How could you allow a user temporary access to a file in an S3 bucket?

Answer 53

Generate a pre-signed URL from S3 console, CLI or SDK
- Can set expiration time on the URL
- URL inherits permissions of user that generated it.

Question 54

What is an S3 Access Point?

Answer 54

• An access point is an endpoint in the bucket which points to one or more bucket prefixes.
• A policy can be attached to this access point which allows access for a specific group.

Question 55

What is S3 Object Lambda?

Answer 55

A lambda function attached to an S3 Access Point which can alter the retrieved object.
An S3 Object Lambda Access Point is then attached to the lambda, allowing an application to access the altered object.

Question 56

What is a use case for S3 Object Lambda?

Answer 56

• Redact personally identifiable information for analytics or non-production environments.
• Converting data across data formats (e.g., XML to JSON)