S3

Question 1

• Backup and storage
• Disaster Recovery
• Archive
• Hybrid Cloud storage * Application hosting
• Media hosting
• Data lakes & big data analytics * Software delivery
• Static website

Answer 1

Amazon S3 Use cases

Question 2

Amazon S3 allows people to store __________ in ___________.

Answer 2

objects (files)
“buckets” (directories)

Question 3

Buckets must have a ___________ (across all regions all accounts)

Answer 3

globally unique name

Question 4

What level are Buckets defined at?

Answer 4

region level

Question 5

Amazon S3 Objects (files) have a ______?

Answer 5

Key

Question 6

What is the max size of an Object?

Answer 6

5TB (5000GB)

Question 7

If uploading more than 5GB, must use _____________?

Answer 7

“multi-part upload”

Question 8

3 things that an object can have other than the body??

Answer 8

• Metadata (list of text key / value pairs – system or user metadata)
• Tags (Unicode key / value pair – up to 10) – useful for security / lifecycle
• Version ID (if versioning is enabled)

Question 9

2 ways to grant access to a S3 bucket?

Answer 9

User-Based
Resource-Based

Question 10

Which API calls should be allowed for a specific user

Answer 10

IAM Policies (User-Based)

Question 11

What are the 3 Resource-Based Amazon S3 – Security?

Answer 11

Bucket Policies
Object Access Control List (ACL)
Bucket Access Control List (ACL)

Question 12

Bucket wide rules from the S3 console - allows cross account

Answer 12

Bucket Policies (Resource-Based)

Question 13

Which resouce based security is finer grain and can be disabled

Answer 13

Object Access Control List (ACL) (Resource-Based)

Question 14

Which resouce based security is less common and can be disabled

Answer 14

Bucket Access Control List (ACL) (Resource-Based)

Question 15

an IAM principal can access an S3 object if …..

Answer 15

• The user IAM permissions ALLOW it OR the resource policy ALLOWS it
• AND there’s no explicit DENY

Question 16

S3 Bucket Policies JSON based policies (4)

Answer 16

• Resources: buckets and objects
• Effect: Allow / Deny
• Actions: Set of API to Allow or Deny
• Principal:The account or user to apply the policy to

Question 17

Bucket Policies JSON based policies - buckets and objects

Answer 17

Resources

Question 18

Bucket Policies JSON based policies - Allow / Deny

Answer 18

Effect

Question 19

Bucket Policies JSON based policies - Set of API to Allow or Deny

Answer 19

Actions

Question 20

Bucket Policies JSON based policies - The account or user to apply the policy to

Answer 20

Principal

Question 21

Use S3 bucket for policy to:

Answer 21

• Grant public access to the bucket
• Force objects to be encrypted at upload
• Grant access to another account (Cross Account)

Question 22

Can be set at the account level

Answer 22

Bucket settings for Block Public Access

Question 23

S3 can host __________ and have them accessible on the Internet

Answer 23

static websites

Question 24

f you get a _________ error, make sure the bucket policy allows public reads!

Answer 24

403 Forbidden

Question 25

Amazon S3 - Versioning is enabled at what level???

Answer 25

Bucket Level

Question 26

2 best practices to version your buckets

Answer 26

• Protect against unintended deletes (ability to restore a version)
• Easy roll back to previous version

Question 27

Any file that is not versioned prior to enabling versioning will
have version ______

Answer 27

“null”

Question 28

Suspending versioning does OR does not delete the previous versions

Answer 28

DOES NOT

Question 29

2 types of Amazon S3 – Replication

Answer 29

• Cross-Region Replication (CRR)
• Same-Region Replication (SRR)

Question 30

When using S3 replication, you must enable Versioning in _______ AND ________ buckets

Answer 30

source
destination

Question 31

Can buckets be in different AWS accounts??

Answer 31

YES

Question 32

Replication copying what kind of synchronized???

Answer 32

asynchronous

Question 33

DO you need to give proper IAM permissions to S3

Answer 33

YES

Question 34

Compliance, lower latency access, replication across accounts

Answer 34

CRR

Question 35

Log aggregation, live replication between production and test accounts

Answer 35

SRR

Question 36

After you enable Replication, only __________ are replicated

Answer 36

new objects

Question 37

You can replicate existing objects using __________?

Answer 37

S3 Batch Replication

Question 38

Replicates existing objects and objects that failed replication

Answer 38

S3 Batch Replication

Question 39

• Can replicate delete markers from source to target (optional setting)
• Deletions with a version ID are not replicated (to avoid malicious deletes)

Answer 39

Replication DELETE operations

Question 40

There is no _________ of replication

Answer 40

“chaining”
* If bucket 1 has replication into bucket 2, which has replication into bucket 3
* Then objects created in bucket 1 are not replicated to bucket 3

Question 41

S3 Storage Classes (7)

Answer 41

• Amazon S3 Standard - General Purpose
• Amazon S3 Standard-Infrequent Access (IA)
• Amazon S3 One Zone-Infrequent Access
• Amazon S3 Glacier Instant Retrieval
• Amazon S3 Glacier Flexible Retrieval
• Amazon S3 Glacier Deep Archive
• Amazon S3 Intelligent Tiering

Question 42

Can you move between classes manually or using S3 Lifecycle configurations

Answer 42

YES

Question 43

• 99.99% Availability
• Used for frequently accessed data
• Low latency and high throughput
• Sustain 2 concurrent facility failures
• Use Cases: Big Data analytics, mobile & gaming applications, content distribution…

Answer 43

S3 Standard – General Purpose

Question 44

• For data that is less frequently accessed, but requires rapid access when needed
• Lower cost than S3 Standard

Answer 44

S3 Storage Classes – Infrequent Access

Question 45

• 99.9% Availability
• Use cases: Disaster Recovery, backups

Answer 45

Amazon S3 Standard-Infrequent Access (S3 Standard-IA)

Question 46

• High durability (99.999999999%) in a single AZ; data lost when AZ is destroyed
• 99.5% Availability
• Use Cases: Storing secondary backup copies of on-premises data, or data you can recreate

Answer 46

Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)

Question 47

2 types of S3 Storage Classes – Infrequent Access

Answer 47

Amazon S3 Standard-Infrequent Access (S3 Standard-IA)
Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)

Question 48

3 types of Amazon S3 Glacier Storage Classes

Answer 48

Amazon S3 Glacier Instant Retrieval
Amazon S3 Glacier Flexible Retrieval (formerly Amazon S3 Glacier)
Amazon S3 Glacier Deep Archive

Question 49

• Low-cost object storage meant for archiving / backup
• Pricing: price for storage + object retrieval cost

Answer 49

Amazon S3 Glacier Storage Classes

Question 50

• Millisecond retrieval, great for data accessed once a quarter
• Minimum storage duration of 90 days

Answer 50

Amazon S3 Glacier Instant Retrieval

Question 51

• Expedited (1 to 5 minutes), Standard (3 to 5 hours), Bulk (5 to 12 hours) – free
• Minimum storage duration of 90 days

Answer 51

Amazon S3 Glacier Flexible Retrieval

Question 52

• Standard (12 hours), Bulk (48 hours)
• Minimum storage duration of 180 days

Answer 52

Amazon S3 Glacier Deep Archive

Question 53

• Small monthly monitoring and auto-tiering fee
• Moves objects automatically between Access Tiers based on usage
• There are no retrieval charges

Answer 53

S3 Intelligent-Tiering

Question 54

5 types of S3 Intelligent-Tiering

Answer 54

Frequent Access tier
Infrequent Access tier
Archive Instant Access tier
Archive Access tier
Deep Archive Access tier

Question 55

S3 Intelligent-Tiering - (automatic): default tier

Answer 55

Frequent Access tier

Question 56

S3 Intelligent-Tiering - (automatic): objects not accessed for 30 days

Answer 56

Infrequent Access tier

Question 57

S3 Intelligent-Tiering - (automatic): objects not accessed for 90 days

Answer 57

Archive Instant Access tier

Question 58

S3 Intelligent-Tiering - (optional): configurable from 90 days to 700+ days

Answer 58

Archive Access tier

Question 59

S3 Intelligent-Tiering - (optional): config. from 180 days to 700+ days

Answer 59

Deep Archive Access tier

Question 60

2 types of Amazon S3 – Lifecycle Rules

Answer 60

Transition Actions
Expiration actions

Question 61

configure objects to move to another storage class
* Move objects to Standard IA class 60 days after creation
* Move to Glacier for archiving after 6 mont

Answer 61

Transition Actions

Question 62

configure objects to expire (delete) after some time
* Access log files can be set to delete after a 365 days
* Can be used to delete old versions of files (if versioning is enabled)
* Can be used to delete incomplete Multi-Part uploads

Answer 62

Expiration actions

Question 63

Can rules be created for a certain prefix

Answer 63

YES

Question 64

Can rules be created for certain objectsTags

Answer 64

YES

Question 65

• Help you decide when to transition objects to the right storage class
• Recommendations for Standard and Standard IA
• Does NOT work for One-Zone IA or Glacier
• Report is updated daily
• 24 to 48 hours to start seeing data analysis
• Good first step to put together Lifecycle Rules (or improve them)!

Answer 65

Amazon S3 Analytics – Storage Class Analysis

Question 66

In general, ______________ pay for all Amazon S3 storage and data transfer costs associated with their bucket

Answer 66

Bucket owners

Question 67

The requester instead of the bucket owner pays the cost of the request and the data download from the bucket

Answer 67

Requester Pays buckets

Question 68

• Helpful when you want to share large datasets with other accounts
• The requester must be authenticated in AWS (cannot be anonymous)

Answer 68

S3 – Requester Pays

Question 69

For S3 Event Notifications, is Object name filtering possible??

Answer 69

YES

Question 70

How many “S3 events” can you create??

Answer 70

As many as you want

Question 71

S3 event notifications typically deliver events in _______ but can sometimes take __________?

Answer 71

seconds
a minute or longer

Question 72

What are the 4 places S3 Event Notifications can send notifications?

Answer 72

SNS
SQS
Lambda Functions
Eventbridge

Question 73

• Advanced filtering options with JSON rules (metadata, object size, name…)
• Multiple Destinations – ex Step Functions, Kinesis Streams / Firehose…
• Capabilities – Archive, Replay Events, Reliable delivery

Answer 73

S3 Event Notifications with Amazon EventBridge

Question 74

Your application can achieve at least ________ PUT/COPY/POST/DELETE or _______ GET/HEAD requests per second per prefix in a bucket.

Answer 74

3500
5500

Question 75

What is the limits to the number of prefixes in a bucket??

Answer 75

No limits

Question 76

• recommended for files > 100MB, must use for files > 5GB
• Can help parallelize uploads (speed up transfers)

Answer 76

Multi-Par t upload

Question 77

• Increase transfer speed by transferring file to an AWS edge location which will forward the data to the S3 bucket in the target region
• Compatible with multi-part upload

Answer 77

S3 Transfer Acceleration

Question 78

• Retrieve less data using SQL by performing server-side filtering
• Can filter by rows & columns (simple SQL statements)
• Less network transfer, less CPU cost client-side

Answer 78

S3 Select & Glacier Select

Question 79

What are examples of S3 batch operations?

Answer 79

• Modify object metadata & properties
• Copy objects between S3 buckets
• Encrypt un-encrypted objects
• Modify ACLs, tags
• Restore objects from S3 Glacier
• Invoke Lambda function to perform custom action on each object

Question 80

Perform bulk operations on existing S3 objects with a single request

Answer 80

S3 Batch Operations

Question 81

What does a S3 Batch Operation job consist of?? (3)

Answer 81

a list of objects
the action to perform
optional parameters

Question 82

S3 Batch Operations manages (4)

Answer 82

retries
tracks progress
sends completion notifications
generate reports

Question 83

You can use ___________ to get object list and use ________ to filter your objects

Answer 83

S3 Inventory
S3 Select

Question 84

You can encrypt objects in S3 buckets using one of 4 methods

Answer 84

Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
Server-Side Encryption with KMS Keys stored in AWS KMS (SSE-KMS)
Server-Side Encryption with Customer-Provided Keys (SSE-C)
Client-Side Encryption

Question 85

• Encryption using keys handled, managed, and owned by AWS * Object is encrypted server-side
• Encryption type is AES-256
• Must set header “x-amz-server-side-encryption”: “AES256”
• Enabled by default for new buckets & new objects

Answer 85

Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)

Question 85

• Encryption using keys handled and managed by AWS KMS (Key Management Service)
• KMS advantages: user control + audit key usage using CloudTrail
• Object is encrypted server side
• Must set header “x-amz-server-side-encryption”: “aws:kms”

Answer 85

Server-Side Encryption with KMS Keys stored in AWS KMS (SSE-KMS)

Question 86

• Server-Side Encryption using keys fully managed by the customer outside of AWS * Amazon S3 does NOT store the encryption key you provide
• HTTPS must be used
• Encryption key must provided in HTTP headers, for every HTTP request made

Answer 86

Server-Side Encryption with Customer-Provided Keys (SSE-C)

Question 87

• Use client libraries such as Amazon S3 Client-Side Encryption Library
• Clients must encrypt data themselves before sending to Amazon S3
• Clients must decrypt data themselves when retrieving from Amazon S3
• Customer fully manages the keys and encryption cycle

Answer 87

Client-Side Encryption

Question 88

SSE-KMS Limitation

Answer 88

• If you use SSE-KMS, you may be impacted by the KMS limits
• When you upload, it calls the GenerateDataKey KMS API
• When you download, it calls the Decrypt KMS API
• Count towards the KMS quota per second (5500, 10000, 30000 req/s based on region)
• You can request a quota increase using the Service Quotas Console

Question 89

Encryption in flight is also called?

Answer 89

SSL/TLS

Question 90

Amazon S3 – Encryption in transit (SSL/TLS) - HTTPS is mandatory for _______

Answer 90

SSE-C

Question 91

Amazon S3 – Encryption in transit (SSL/TLS) - HTTPS is ________

Answer 91

recommended

Question 92

Can you for encryption in Transit??

Answer 92

YES

Question 93

What does CORS stand for??

Answer 93

Cross-Origin Resource Sharing

Question 94

The requests won’t be fulfilled unless the other origin allows for the requests, using_________?

Answer 94

CORS Headers

Question 95

If a client makes a cross-origin request on our S3 bucket, What do we need to do??

Answer 95

enable the correct CORS headers

Question 96

Which CORS, You can allow for ____________

Answer 96

specific origin or for * (all origins)

Question 97

Amazon S3 – MFA Delete will be required to ……

Answer 97

• Permanently delete an object version
• Suspend Versioning on the bucket

Question 98

Amazon S3 – MFA Delete will NOT be required to ……

Answer 98

• Enable Versioning
• List deleted versions

Question 99

To use MFA Delete, Versioning must be __________ on the bucket

Answer 99

enabled

Question 100

Only the bucket ______________ can enable/disable MFA Delete

Answer 100

owner (root account)

Question 101

S3 Access Logs - The target logging bucket ________ be in the same AWS region

Answer 101

MUST

Question 102

How can you generate pre-signed URLs?

Answer 102

S3 Console, AWS CLI or SDK

Question 103

What are the pre-signed URL’s expirations?

Answer 103

• S3 Console – 1 min up to 720 mins (12 hours)
• AWS CLI – configure expiration with –expires-in parameter in seconds (default 3600 secs, max. 604800 secs ~ 168 hours)

Question 104

Examples of Amazon S3 – Pre-Signed URLs

Answer 104

• Allow only logged-in users to download a premium video from your S3 bucket
• Allow an ever-changing list of users to download files by generating URLs dynamically
• Allow temporarily a user to upload a file to a precise location in your S3 bucket

Question 105

• Adopt a WORM (Write Once Read Many) model
• Create a Vault Lock Policy
• Lock the policy for future edits
  (can no longer be changed or deleted)
• Helpful for compliance and data retention

Answer 105

S3 Glacier Vault Lock

Question 106

• Adopt a WORM (Write Once Read Many) model
• Block an object version deletion for a specified amount of time

Answer 106

S3 Object Lock

Question 107

2 types of Retention Modes for S3 Object Lock

Answer 107

Retention mode - Compliance
Retention mode - Governance

Question 108

• Object versions can’t be overwritten or deleted by any user, including the root user
• Objects retention modes can’t be changed, and retention periods can’t be shortened

Answer 108

Retention mode - Compliance

Question 109

• Most users can’t overwrite or delete an object version or alter its lock settings
• Some users have special permissions to change the retention or delete the object

Answer 109

Retention mode - Governance

Question 110

S3 Object Lock - protect the object for a fixed period, it can be extended

Answer 110

Retention Period

Question 111

• protect the object indefinitely, independent from retention period
• can be freely placed and removed using the s3:PutObjectLegalHold IAM permission

Answer 111

Legal Hold

Question 112

Simplify security management for S3 Buckets

Answer 112

Access Points

Question 113

Each Access Point has (2)

Answer 113

• its own DNS name (Internet Origin or VPC Origin)
• an access point policy (similar to bucket policy) – manage security at scale

Question 114

We can define the access point to be accessible ________?

Answer 114

only from within the VPC

Question 115

You must create a __________ to access the
Access Point (Gateway or Interface Endpoint)

Answer 115

VPC Endpoint

Question 116

The VPC Endpoint Policy __________ allow access to the target bucket and Access Point

Answer 116

MUST

Question 117

To change the object before it is retrieved by the caller application

Answer 117

AWS Lambda Functions