S3 Flashcards

1
Q

Which S3 encryption type MUST use HTTPS for uploads and why?

A

SSE-C MUST use HTTPS as the encryption key is sent in the header for each and every request

2
Q

Your client wants to make sure the encryption is happening in S3, but wants to fully manage the encryption keys and never store them in AWS. What encryption scheme would you use?

A

SSE-C. NOT client side encryption as this allows you to manage keys but NOT have encryption occurring in S3

3
Q

You delete an object from S3, but as soon as you do this you find you can still access it and it's still there. Why?

A

Deletes are eventually consistent on S3

4
Q

Does cross region replication in S3 apply to new AND existing objects?

A

NEW objects only

5
Q

The bucket policy allows our users to read/write files in the bucket, yet we were not able to perform a PutObject API call. What is your assessment?

A

There is probably an explicit DENY on the IAM policy

6
Q

Name 3 event notification destinations for an S3 bucket.

A

Lambda, SQS, SNS

7
Q

Your company wants data to be encrypted in S3, and maintain control of the rotation policy for the encryption keys. What encryption scheme would you use?

A

SSE-KMS

8
Q

You have a website that loads files from another S3 bucket. The files work when you access them directly via the S3 URL in a browser, but fail when you use the website that calls them. What's wrong?

A

This is a CORS problem. If CORS is not enabled then the files won’t load.

9
Q

Which S3 types have 11 9’s durability? What about availability?

A

All of them have 11 9’s.
s3: 99.99% Avail
s3-IT: 99.9%
S3-1ZIA: 99.5%

10
Q

What are the two things that require MFA delete in S3?

A
  1. Permanently delete an object version
  2. Suspend versioning

11
Q

How do you enforce encryption on NEW objects ADDED to an S3 bucket (new way and old way)?

A

New Way: Enable encryption for new objects
Old Way: Create a bucket policy to enforce the presence of the AWS-SERVER-SIDE-ENCRYPTION header and a valid encryption scheme in the header (i.e. AES256). The value of the header must match the encryption scheme for the bucket.

12
Q

What are the 4 types of encryption on S3?

A

SSE-S3
SSE-KMS
SSE-C
Client Side encryption

13
Q

If you have an existing bucket with objects in it, and enable versioning, what version will those existing objects have?

A

Null.

14
Q

In a versioned bucket - when you delete an object, what happens?

A

The object remains, but a delete marker is set.

15
Q

Can you set up MFA delete in the AWS console?

A

No, it must be set up in the CLI.

16
Q

For S3 Standard, how many AZs can it tolerate being down at any one time?

A

2

17
Q

What are the 3 retrieval options for Glacier, and how long does it take to retrieve an object for each?

A

Expedited: 1-5 minutes
Standard: 3-5 Hours
Bulk: 5-12 Hours

18
Q

What are the two security models for S3?

A

User based: IAM policies specifying which API calls should be allowed for a specific user

Resource Based: Bucket policies specifying which actions and principals can operate on a bucket

19
Q

Why would you choose SSE-KMS over SSE-S3?

A

If you want to manage your keys. KMS offers:

  • User control over key rotation
  • Audit trail for how the key has been used
20
Q

What three things do you need to do to enable static website hosting on S3?

A
  1. Enable static website hosting
  2. Make the bucket public
  3. Create a policy allowing getObject requests on the bucket
21
Q

You suspect that people in your organization have been trying to access objects in S3 they don’t have access to. How can you verify this without them knowing?

A

Enable S3 access logs. These will log all requests from anyone as well as the allow/deny status. You can then query these in Athena. They are cost effective, easy to set up and leverage existing capabilities within AWS.

22
Q

What is the maximum number of puts and gets/sec on S3?

A

3500 puts, 5500 gets.

23
Q

You need to assign temporary credentials to access an S3 bucket in a master account. You don’t want to create an IAM user for this one action, and it's likely that access will only be needed for a short period of time (less than one hour). What can you do (3 steps)?

A

You can use STS and assume a role:

  • Determine the required IAM role
  • Define the principals who can access the role
  • Use STS to retrieve the credentials via the Assume Role API
24
Q

What are the 3 conditions under which a principal can access an S3 object? (Hint: think permissions and policies.)

A
The user IAM permissions allow access 
OR
The resource policy allows it 
AND
There is no explicit deny
25
Q
What does this policy allow:
{
    "Version": "2012-10-17",
    "Id": "Policy1607380831371",
    "Statement": [
        {
            "Sid": "Stmt1607380830068",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::udemydevassocbucket-extrares/*"
        }
    ]
}
A

It allows GetObject requests on the bucket for everyone ("Principal": "*").

26
Q

Can you set an S3 object's permissions on upload, or do you need to wait until it's uploaded?

A

You can set an object's permissions on upload.

27
Q

For S3, does versioning need to be enabled for MFA delete?

A

Yes

28
Q

You need to upload an object to a bucket using SSE-C. Can you use the console for this?

A

No. SSE-C must be done via the CLI

29
Q

What is the maximum size of an object in an S3 bucket?

A

5TB

30
Q

Are PUTs on new objects eventually consistent or read-after-write consistent? Is there an exception?

A

Read After Write. The exception is if you do a GET on the object before you create it and receive a 404 and then PUT the object. In this case, it will be eventually consistent

31
Q

Can you upload a file directly to Glacier via the management console?

A

No. You need to use the CLI or code directly against the API or use the SDK

32
Q

Could you use S3 as a cache for a web application's session state?

A

You could, but you wouldn’t. S3 has higher latency than ElastiCache, Dynamo or EFS and is not intended for small objects.

33
Q

What is the maximum size of a file upload for S3? If you need to upload something larger than this, what must you do?

A

5GB. If you need to upload larger files, enable multipart upload

34
Q

Who can enable MFA delete on a bucket?

A

Only the bucket owner (root account) can enable MFA delete

35
Q

With respect to S3, what is the difference between CloudTrail and server access logs?

A

CloudTrail logs provide information on actions taken by a USER or ROLE in AWS.
Server access logs provide detailed data on requests made to an S3 bucket including requestor, turnaround time and response status.

36
Q

I have a bucket set up called DOC-EXAMPLE-BUCKET and I want to force all interactions with this bucket to be via HTTPS (SSL) by using the aws:SecureTransport setting. In the following bucket policy, what should the value of Effect be (ALLOW|DENY) and what should the value of aws:SecureTransport be (TRUE|FALSE)?

Do I set this to be true or false in the following bucket policy? Why?

{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Action": "s3:*",
      "Effect": "????",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "????"
        }
      },
      "Principal": "*"
    }
  ]
}
A

Effect: DENY
aws:SecureTransport: FALSE

If we set the values to ALLOW and TRUE:
This statement allows anonymous access to s3:GetObject for all objects in the bucket if the request uses HTTPS. Avoid this type of bucket policy unless your use case requires anonymous access through HTTPS.

By setting the values to DENY and FALSE:
In this policy we are DENYING any interaction with the bucket that is not HTTPS.

37
Q

If I wanted to force SSL access via a bucket policy - would this work? What is the effect of this policy?

{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCONFIG-Rule_s3-bucket-ssl-requests-only",
      "Action": "s3:GetObject",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      },
      "Principal": "*"
    }
  ]
}
A

While we have specified “Effect”: “Allow” and “aws:SecureTransport”: “true”, this does not enforce SSL usage. What this policy does do is allow any anonymous access to the bucket so long as it occurs via SSL, which is probably not what we want.

38
Q

If you have enabled versioning in S3, can you revert to an unversioned state? If not, how would you unversion a bucket?

A

You can’t un-version a bucket. If you need to - then create a new unversioned bucket and copy the items to that.

39
Q

How do you best prevent accidental deletion in a bucket (2 things)?

A
  1. Enable Versioning
  2. Enable MFA delete

40
Q

Does S3 support object locking? What happens if 2 put requests are made against the same object concurrently?

A

S3 does not support object locking. If 2 put requests occur concurrently, the one with the latest timestamp ‘wins’.

41
Q

I want to generate a presigned URL to allow PUT and GET requests against a bucket. My account does not have permissions to execute puts or gets against the bucket. If I generate a presigned URL under my account, will the users of that URL be able to perform puts and gets?

A

No. The users of the URL inherit the permissions of the account that created it - so if you don’t have the ability to perform puts and gets, neither will they.

42
Q

What is the difference between a bucket policy and a user IAM role?

A

IAM policies specify what actions are allowed or denied on what AWS resources. You attach IAM policies to IAM users, groups, or roles.

S3 bucket policies, on the other hand, are attached only to S3 buckets. S3 bucket policies specify what actions are allowed or denied for which principals on the bucket that the bucket policy is attached to.

43
Q

What feature would be enabled if objects are written by other accounts to an S3 bucket with the bucket-owner-full-control canned access control list (ACL)?

A

The S3 Ownership feature has been enabled. This allows the bucket owner to assume ownership of objects within that bucket. Otherwise, objects are owned by the account that uploaded them.

44
Q

We have a bucket which has a bucket policy denying access to write to the bucket. We have an IAM policy that allows a write. How are these evaluated and what is the outcome?

A

S3 access is based on the union of IAM and bucket policies. As there is an explicit deny, access is denied. To allow access there must be a specific ALLOW and NO specific DENY.

45
Q

If I wanted to set up cross account access to a bucket WITHOUT using an IAM role, how would you do this?

A

You would use a bucket policy to allow cross account access.