S3

Question 1

True or False: Buckets must have globally unique names

Answer 1

True

Question 2

True or False: Buckets are created globally

Answer 2

False. Buckets are created by region. The console may make it seem as though it is global

Question 3

What is the key in an s3 object?

Answer 3

The key is the full path, starting after the bucket name

Question 4

What must you use if your object is more than 5GB?

Answer 4

Multi-part upload

Question 5

What must be required for an IAM principal to access an S3 object?

Answer 5

They must have an IAM permission ALLOW OR the resource policy ALLOWS it AND there’s no explicit deny

Question 6

True or False: By default, all buckets are public?

Answer 6

False. By default, all S3 resources are private. Only the resource owner can access it.

Question 7

True or False: It is best practice to disable ACLs unless for specific circumstances?

Answer 7

True

Question 8

What is CRR and SRR replication?

Answer 8

Same region replication & cross region replication

Question 9

What must you do for Cross-Region Replication and Same-Region Replication to be enabled?

Answer 9

Must enable versioning

Question 10

If you want to replicate existing objects, what must you use?

Answer 10

S3 Batch Replication

Question 11

What is the minimum storage duration for S3 Glacier?

Answer 11

90 days

Question 12

What are the 3 tiers of S3 Glacier Flexible Retrieval?

Answer 12

Expedited (1 to 5 minutes), Standard (3 to 5 hours), Bulk (5 to 12 hours)

Question 13

Why would you choose a storage class of Glacier over Standard?

Answer 13

Standard is when you need frequently accessed objects. The cost per month of storage is more, but the access costs are less for Standard

Question 14

You have a 25 GB file that you’re trying to upload to S3 but you’re getting errors. What is a possible solution for this?

Answer 14

Use Multi-Part upload when files are greater than 5GB

Question 15

You have enabled versioning in your S3 bucket which already contains a lot of files. Which version will the existing files have?

Answer 15

Null. Versioning does not exists on previous objects.

Question 16

You have updated an S3 bucket policy to allow IAM users to read/write files in the S3 bucket, but one of the users complain that he can’t perform a PutObject API call. What is a possible cause for this?

Answer 16

The IAM user has an explicit deny in the attached IAM policy. Explicit DENY take precedence over the bucket policy

Question 17

You want the content of an S3 bucket to be fully available in different AWS Regions. That will help your team perform data analysis at the lowest latency and cost possible. What S3 feature should you use?

Answer 17

Cross Region Replication.

Question 18

Why would you choose Standard IA storage class over S3 Glacier Instant Access?

Answer 18

Standard IA are for objects that may still need to be accessed more frequently than a Glacier Instant Retrieval

Question 19

What is requester pay?

Answer 19

The requester to the S3 bucket resources pays instead of the owner

Question 20

What is S3 transfer acceleration?

Answer 20

The file transfer goes to an Edge location first before being sent to S3 bucket. This increases speed as Edge location to bucket is faster than standard network delivery by utilizing CloudFront edge locations.

Question 20

What is S3 transfer acceleration?

Answer 20

The file transfer goes to an Edge location first before being sent to S3 bucket. It utilizes the CloudFront distribution network for faster upload times over optimized network paths

Question 21

If we want to specify parts of data to retrieve on our bucket objects, what can we use?

Answer 21

S3 Select. We can use SQL commands to filter the contents of S3 Objects that we would like to retrieve

Question 22

You have an S3 bucket that has S3 Versioning enabled. This S3 bucket has a lot of objects, and you would like to remove old object versions to reduce costs. What’s the best approach to automate the deletion of these old object versions?

Answer 22

S3 Lifecycle Rules - Expiration Actions

Question 23

How can you automate the transition of S3 objects between their different tiers?

Answer 23

S3 Lifecycle Rules

Question 24

You are looking to get recommendations for S3 Lifecycle Rules. How can you analyze the optimal number of days to move objects between different storage tiers?

Answer 24

S3 Analytics Storage Class Analysis

Question 25

When would you use Byte Range Fetch vs S3 Select?

Answer 25

Byte Range Fetch will grab specifically the byte range given, whereas S3 Select is more for extracting data from an object given certain conditions

Question 26

You have a large dataset stored on-premises that you want to upload to the S3 bucket. The dataset is divided into 10 GB files. You have good bandwidth but your Internet connection isn’t stable. What is the best way to upload this dataset to S3 and ensure that the process is fast and avoid any problems with the Internet connection?

Answer 26

Use S3 Multi-part Upload & S3 Transfer Acceleration. Multi-part helps make sure data transfer is robust as any part that fails to upload, can be retried

Question 27

How can you request a higher throughout quota for KMS Api

Answer 27

Service Quotas Console

Question 28

What encryption is automatically applied to an S3 bucket?

Answer 28

SSE-S3

Question 29

Which is evaluated first for S3 security? Bucket policies or default encryption?

Answer 29

Bucket policies. Such as Deny any PUT operation that does not have “aws:kms”

Default encryption is SSE-S3 and automatically applied to new objects

Question 30

How can you protect resources in a bucket from being deleted?

Answer 30

Enforce MFA delete (versioning must be enabled)

Object lock

Question 31

What is the pre-signed URL expiration for S3 Console and AWS CLI

Answer 31

For S3 console, 1 min up to 12 hours
For AWS CLI, default 3600 secs and max 168 hours

Question 32

What is S3 Object Lock

Answer 32

S3 Object Lock protects objects from being deleted for a specified duration. Great for compliance and data retention. Versioning must be enabled to use this feature

Question 33

What are the two Object Lock retention modes?

Answer 33

Governance: Only users with special permissions can delete or modify objects

Compliance: No one can delete/modify objects

Question 34

Your client wants to make sure that file encryption is happening in S3, but he wants to fully manage the encryption keys and never store them in AWS. You recommend him to use…

Answer 34

SSE-C

Question 35

A company you’re working for wants their data stored in S3 to be encrypted. They don’t mind the encryption keys stored and managed by AWS, but they want to maintain control over the rotation policy of the encryption keys. You recommend them to use…

Answer 35

SSE-KMS

Question 36

Your company does not trust AWS for the encryption process and wants it to happen on the application. You recommend them to use …

Answer 36

Client-Side encryption

Question 37

An e-commerce company has its customers and orders data stored in an S3 bucket. The company’s CEO wants to generate a report to show the list of customers and the revenue for each customer. Customer data stored in files on the S3 bucket has sensitive information that we want to redact. How do you recommend the report can be created without exposing sensitive information?

Answer 37

Use an S3 Object Lambda to change the object before they are retrieved by the report generator application

Question 38

You are looking to provide temporary URLs to a growing list of federated users to allow them to perform a file upload on your S3 bucket to a specific location. What should you use?

Answer 38

Pre-signed URLs

Question 39

Why would you use a Legal Hold on a bucket?

Answer 39

A Legal Hold does not have a retention period, and prevents Objects from being modified or deleted until the Legal Hold is removed

Question 40

What storage class would you utilize if you are unsure how frequently objects will be accessed?

Answer 40

S3 Intelligent-Tiering

Question 41

True or False: You may run into KMS limitations with SSE-KMS for S3 encryption

Answer 41

True. Every time you upload a file it calls GenerateDataKey API and every time you download it calls the Decrypt API

Question 42

True or False: HTTPS must be used for SSE-C

Answer 42

True

Question 43

What must be used for SSE-C?

Answer 43

We must use HTTPS and proved the client secret in the header

Question 44

True or False: You cannot have different objects with different encryption types in the same bucket

Answer 44

False

Question 45

What can we do to follow activity on our S3 bucket?

Answer 45

S3 Access Logs. Choose another bucket destination and S3 will send activity logs to that bucket

Must be in the same region and cannot be the same bucket we are monitoring

Question 46

What is a pre-signed URL?

Answer 46

It is a termporary URL that can be given to a user that gives that user permission to GET / PUT to the bucket

Question 47

What is S3 Glacier Vault Lock?

Answer 47

It locks the object in S3 Glacier and that object can no longer be deleted or changed

Question 48

What are S3 access points?

Answer 48

S3 access points are named (own DNS name) network endpoints that you can attach security policies to better manage access of objects in your bucket

Question 49

True or False: Access Point policies overwrite bucket policies

Answer 49

False. If a user does not have permission on the bucket policy but they do on the access policy, they will still be denied