S3 Flashcards
True or False: Buckets must have globally unique names
True
True or False: Buckets are created globally
False. Buckets are created by region. The console may make it seem as though it is global
What is the key in an s3 object?
The key is the full path, starting after the bucket name
What must you use if your object is more than 5GB?
Multi-part upload
What must be required for an IAM principal to access an S3 object?
They must have an IAM permission ALLOW, OR the resource policy must ALLOW it, AND there must be no explicit DENY
True or False: By default, all buckets are public
False. By default, all S3 resources are private. Only the resource owner can access it.
True or False: It is best practice to disable ACLs except for specific circumstances
True
What is CRR and SRR replication?
Cross-Region Replication (CRR) & Same-Region Replication (SRR)
What must you do for Cross-Region Replication and Same-Region Replication to be enabled?
Versioning must be enabled
If you want to replicate existing objects, what must you use?
S3 Batch Replication
What is the minimum storage duration for S3 Glacier?
90 days
What are the 3 tiers of S3 Glacier Flexible Retrieval?
Expedited (1 to 5 minutes), Standard (3 to 5 hours), Bulk (5 to 12 hours)
Why would you choose a storage class of Glacier over Standard?
Standard is for frequently accessed objects. Its cost per month of storage is higher, but its access costs are lower than Glacier's
You have a 25 GB file that you’re trying to upload to S3 but you’re getting errors. What is a possible solution for this?
Use Multi-Part upload when files are greater than 5GB
You have enabled versioning in your S3 bucket which already contains a lot of files. Which version will the existing files have?
Null. Versioning does not exist on objects that were uploaded before versioning was enabled.
You have updated an S3 bucket policy to allow IAM users to read/write files in the S3 bucket, but one of the users complains that he can’t perform a PutObject API call. What is a possible cause for this?
The IAM user has an explicit deny in the attached IAM policy. An explicit DENY takes precedence over the bucket policy
You want the content of an S3 bucket to be fully available in different AWS Regions. That will help your team perform data analysis at the lowest latency and cost possible. What S3 feature should you use?
Cross Region Replication.
Why would you choose the Standard-IA storage class over S3 Glacier Instant Retrieval?
Standard-IA is for objects that may still need to be accessed more frequently than objects in Glacier Instant Retrieval
What is requester pay?
The requester of the S3 bucket resources pays instead of the bucket owner
What is S3 transfer acceleration?
The file transfer goes to an edge location first before being sent to the S3 bucket. This increases speed because the edge location to bucket path is faster than standard network delivery: it utilizes the CloudFront distribution network to upload over optimized network paths
If we want to specify parts of data to retrieve on our bucket objects, what can we use?
S3 Select. We can use SQL statements to filter the contents of the S3 objects that we would like to retrieve
You have an S3 bucket that has S3 Versioning enabled. This S3 bucket has a lot of objects, and you would like to remove old object versions to reduce costs. What’s the best approach to automate the deletion of these old object versions?
S3 Lifecycle Rules - Expiration Actions
How can you automate the transition of S3 objects between their different tiers?
S3 Lifecycle Rules
You are looking to get recommendations for S3 Lifecycle Rules. How can you analyze the optimal number of days to move objects between different storage tiers?
S3 Analytics Storage Class Analysis
When would you use Byte Range Fetch vs S3 Select?
Byte Range Fetch retrieves exactly the byte range given, whereas S3 Select is for extracting data from an object that matches given conditions
You have a large dataset stored on-premises that you want to upload to the S3 bucket. The dataset is divided into 10 GB files. You have good bandwidth but your Internet connection isn’t stable. What is the best way to upload this dataset to S3 and ensure that the process is fast and avoid any problems with the Internet connection?
Use S3 Multi-part Upload & S3 Transfer Acceleration. Multi-part upload makes the data transfer robust, since any part that fails to upload can be retried
How can you request a higher throughput quota for the KMS API?
Service Quotas Console
What encryption is automatically applied to an S3 bucket?
SSE-S3
Which is evaluated first for S3 security? Bucket policies or default encryption?
Bucket policies. For example, a policy that denies any PUT operation that does not specify “aws:kms”
Default encryption is SSE-S3 and is automatically applied to new objects
How can you protect resources in a bucket from being deleted?
Enforce MFA delete (versioning must be enabled)
Object lock
What is the pre-signed URL expiration for the S3 Console and the AWS CLI?
For the S3 Console, from 1 minute up to 12 hours
For the AWS CLI, the default is 3600 seconds and the maximum is 168 hours
What is S3 Object Lock?
S3 Object Lock protects objects from being deleted for a specified duration. Great for compliance and data retention. Versioning must be enabled to use this feature
What are the two Object Lock retention modes?
Governance: Only users with special permissions can delete or modify objects
Compliance: No one can delete/modify objects
Your client wants to make sure that file encryption is happening in S3, but he wants to fully manage the encryption keys and never store them in AWS. You recommend him to use…
SSE-C
A company you’re working for wants their data stored in S3 to be encrypted. They don’t mind the encryption keys stored and managed by AWS, but they want to maintain control over the rotation policy of the encryption keys. You recommend them to use…
SSE-KMS
Your company does not trust AWS for the encryption process and wants it to happen on the application. You recommend them to use …
Client-Side encryption
An e-commerce company has its customers and orders data stored in an S3 bucket. The company’s CEO wants to generate a report to show the list of customers and the revenue for each customer. Customer data stored in files on the S3 bucket has sensitive information that we want to redact. How do you recommend the report can be created without exposing sensitive information?
Use an S3 Object Lambda to modify the objects before they are retrieved by the report generator application
You are looking to provide temporary URLs to a growing list of federated users to allow them to perform a file upload on your S3 bucket to a specific location. What should you use?
Pre-signed URLs
Why would you use a Legal Hold on a bucket?
A Legal Hold does not have a retention period, and it prevents objects from being modified or deleted until the Legal Hold is removed
What storage class would you utilize if you are unsure how frequently objects will be accessed?
S3 Intelligent-Tiering
True or False: You may run into KMS limitations with SSE-KMS for S3 encryption
True. Every time you upload a file it calls the GenerateDataKey API, and every time you download a file it calls the Decrypt API
True or False: HTTPS must be used for SSE-C
True
What must be used for SSE-C?
We must use HTTPS and provide the client-supplied key in the request headers
True or False: You cannot have different objects with different encryption types in the same bucket
False
What can we do to follow activity on our S3 bucket?
S3 Access Logs. Choose another bucket as the destination and S3 will send activity logs to that bucket
The destination bucket must be in the same region and cannot be the same bucket we are monitoring
What is a pre-signed URL?
It is a temporary URL that can be given to a user, granting that user permission to GET from / PUT to the bucket
What is S3 Glacier Vault Lock?
It locks the objects in S3 Glacier so that they can no longer be deleted or changed
What are S3 access points?
S3 access points are named network endpoints (each with its own DNS name) to which you can attach security policies, to better manage access to the objects in your bucket
True or False: Access Point policies overwrite bucket policies
False. If a user does not have permission in the bucket policy but does in the access point policy, they will still be denied