S3 Flashcards
Identity policy vs resource policy scope
A resource policy (for S3, a bucket policy) can grant or deny access to principals in the same account or in other accounts, including anonymous access, and can name any identity from any account.
An identity policy can only be attached to identities (users, groups, roles) in your own account.
Resource vs Identity policies access
A resource policy can allow or deny the anonymous principal ("Principal": "*").
An identity policy must be attached to a specific IAM identity (user, group or role); there is nothing to attach it to for an anonymous caller.
Which policy has a Principal element?
A resource policy must state a Principal, because a single resource policy can grant access to many principals.
An identity policy has no Principal element: it applies to whichever identity it is attached to.
Max number of bucket policies per S3 bucket?
Only one bucket policy can be attached to a bucket (20 KB maximum), but that policy can contain many statements.
Website hosting tip on domain name vs bucket name.
You can point a custom domain at an S3 static website only if the bucket name is the same as the host name (bucket www.example.com for www.example.com); a Route 53 alias or a CNAME reaches the bucket by that name.
S3 website endpoint generation
The static website endpoint is generated by AWS from the bucket name and the Region, in the form bucket-name.s3-website-region.amazonaws.com (some Regions use s3-website.region). It is separate from the REST endpoint bucket-name.s3.region.amazonaws.com.
Dynamic vs static website
Dynamic websites build each response at request time by calling another server or database (a game leaderboard, a weather site).
Static websites serve pre-built pages and media exactly as stored; the files sit in the bucket waiting to be delivered.
Using S3 as a DR component
S3 can host a static fallback version of a dynamic website. Critical pages are kept as static files in the bucket, and a Route 53 failover record diverts traffic to the S3 website endpoint while the main site is down, until recovery completes.
Only pages that can be pre-rendered can be covered this way; anything that needs the database stays unavailable during the outage.
Compatible protocols for an S3 website?
The S3 website endpoint supports only HTTP. If your site uses HTTPS, a failover straight to the website endpoint fails with a “could not display this page” error. To serve HTTPS, put CloudFront in front of the bucket (see How do I use CloudFront to serve HTTPS requests for my Amazon S3 bucket?).
Block Public Access
Block Public Access is a guard rail at the account and bucket level that overrides any public grant. Unticking it does not make anything public by itself; it only stops S3 from rejecting public grants, which you still have to make in the bucket policy (or in ACLs, where they are enabled).
Conceptual layering:
- Block Public Access off = public grants are no longer blocked
- Bucket policy with Principal "*" = the actual public grant (which actions, which objects, optional conditions)
- ACLs = legacy per-object grants; disabled by default on new buckets (Object Ownership set to Bucket owner enforced), so the bucket policy is normally the only place public access is granted
Both layers must permit access before an anonymous request succeeds.
How to disable S3 versioning
Versioning cannot be disabled once enabled; it can only be suspended.
An S3 object uploaded while versioning is not enabled has a version ID of .......?
null (the literal string "null"; once versioning is enabled that object keeps the null ID and new uploads get real version IDs).
unless specified S3 will always return the …………………… version object
Unless a version ID is specified, S3 always returns the latest (current) version of the object; if the current version is a delete marker, the GET returns a 404.
Delete Marker
A special zero-byte version placed on top of an object when it is deleted without a version ID on a versioned bucket; it hides all other versions of that object.
Deleting a delete marker of an object
Deleting the marker itself (a DELETE with the marker's version ID) makes the previous version current again. This works like an undelete.
To permanently delete a specific version, specify its version ID in the delete request; a DELETE without a version ID only adds another delete marker.
Bucket volume and the effect of versioning
While versioning is active you are billed for every version: the bucket's volume is the sum of all current and noncurrent versions.
Suspending versioning does not remove existing versions. To control volume, add lifecycle rules that expire noncurrent versions (NoncurrentVersionExpiration) or transition them to a cheaper class, or delete old versions by version ID.
MFA Delete
Versioning must be enabled, and MFA Delete can only be turned on by the root user through the CLI/API (not the console).
When MFA Delete is enabled, an MFA code is needed to permanently delete an object version or to change the bucket's versioning state (suspend or re-enable).
The request must carry the x-amz-mfa header (the CLI --mfa option) whose value is the MFA device serial number and the current token code, separated by a space.
Suspend Versioning
Suspending versioning stops new versions being created for subsequent uploads (they get the null version ID and overwrite the existing null version) but does nothing to versions that already exist.
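A toy model of the versioning behaviour in these cards, added here as an illustration (it is not S3 code and does not talk to S3): the null version ID, delete markers hiding the current version, undelete by deleting the marker, permanent deletion by version ID, and suspended versioning overwriting the null version. The class and method names are made up for the example.

```python
import itertools


class VersionedBucket:
    """Toy model of S3 versioning semantics (constructed for illustration, not the S3 API):
    'null' version IDs, delete markers, undelete, and suspended versioning."""

    def __init__(self):
        self._ids = (f"v{n}" for n in itertools.count(1))
        self.state = "Disabled"        # Disabled -> Enabled <-> Suspended (never back to Disabled)
        self._versions = {}            # key -> list of versions, oldest first, newest last

    def enable(self):
        self.state = "Enabled"

    def suspend(self):
        # Suspending stops new versions being created; existing versions are untouched.
        self.state = "Suspended"

    def put(self, key, body):
        stack = self._versions.setdefault(key, [])
        if self.state == "Enabled":
            vid = next(self._ids)                      # every PUT creates a new version
        else:
            vid = "null"                               # Disabled/Suspended: one 'null' version is overwritten
            stack[:] = [v for v in stack if v["id"] != "null"]
        stack.append({"id": vid, "body": body, "delete_marker": False})
        return vid

    def get(self, key, version_id=None):
        stack = self._versions.get(key, [])
        if version_id is None:                         # no version ID: the current (newest) version
            if not stack or stack[-1]["delete_marker"]:
                return None                            # hidden by a delete marker -> 404
            return stack[-1]["body"]
        for v in stack:
            if v["id"] == version_id and not v["delete_marker"]:
                return v["body"]
        return None

    def delete(self, key, version_id=None):
        stack = self._versions.get(key, [])
        if version_id is not None:                     # delete a specific version: permanent, marker or not
            stack[:] = [v for v in stack if v["id"] != version_id]
            return None
        if self.state == "Enabled":
            vid = next(self._ids)                      # a delete without version ID only adds a marker
            stack.append({"id": vid, "body": None, "delete_marker": True})
            return vid
        # Disabled/Suspended: the null version is removed for good; Suspended also leaves a null marker
        stack[:] = [v for v in stack if v["id"] != "null"]
        if self.state == "Suspended":
            stack.append({"id": "null", "body": None, "delete_marker": True})
            return "null"
        return None

    def list_versions(self, key):
        """(version_id, is_delete_marker) newest first, as ListObjectVersions would show."""
        return [(v["id"], v["delete_marker"]) for v in reversed(self._versions.get(key, []))]
```

Walk through it in order: put before enabling (null), enable and put again (v1), delete without a version ID (marker v2 hides everything), delete the marker (undelete), delete the null version by ID (permanent), then suspend and put again (a fresh null version, while v1 survives).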
Multipart upload
Recommended for objects over 100 MB and required for objects over 5 GB (the single-PUT limit). The object is broken into parts that are uploaded independently instead of as one stream of data.
Max pieces of a multipart upload?
10,000 parts. Each part except the last must be at least 5 MB, and no part may exceed 5 GB, which gives the 5 TB maximum object size.
Advantages of multipart upload
Apart from the obvious:
- Each part can be re-uploaded on its own if it fails, so a transient error does not restart the whole transfer.
- Parts can be uploaded in parallel, which improves transfer rate.
- The upload is only committed when CompleteMultipartUpload is called, like a transaction; abandoned parts keep costing money until the upload is aborted (a lifecycle rule can do this).
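An added example (not AWS SDK code): a planner that applies the multipart limits above (5 MiB minimum part, 5 GiB maximum part, 10,000 parts, 5 TiB object) and a per-part retry loop that re-sends only the failed part. TransientError and make_flaky_uploader are constructed stand-ins for the real UploadPart call and its failures.

```python
import math

MIB = 1024 ** 2
GIB = 1024 ** 3
MIN_PART = 5 * MIB                 # every part except the last must be at least 5 MiB
MAX_PART = 5 * GIB                 # largest single part, and the single-PUT object limit
MAX_PARTS = 10_000
MAX_OBJECT = 5 * 1024 * GIB        # 5 TiB
MULTIPART_RECOMMENDED_ABOVE = 100 * MIB


class TransientError(Exception):
    """Stands in for a network or 5xx failure on one part (constructed for the example)."""


def requires_multipart(size):
    """A single PUT is capped at 5 GiB; above that, multipart is the only option."""
    return size > MAX_PART


def choose_part_size(size):
    """Smallest whole-MiB part size that keeps the upload within 10,000 parts."""
    if size > MAX_OBJECT:
        raise ValueError("object exceeds the 5 TiB S3 object limit")
    part = max(MIN_PART, math.ceil(size / MAX_PARTS))
    part = math.ceil(part / MIB) * MIB
    if part > MAX_PART:
        raise ValueError("no legal part size")
    return part


def plan_parts(size, part_size=None):
    """Split an object into (part_number, offset, length) tuples that S3 will accept."""
    if size > MAX_OBJECT:
        raise ValueError("object exceeds the 5 TiB S3 object limit")
    part_size = part_size or choose_part_size(size)
    if not MIN_PART <= part_size <= MAX_PART:
        raise ValueError("part size must be between 5 MiB and 5 GiB")
    parts = [(n + 1, off, min(part_size, size - off))
             for n, off in enumerate(range(0, size, part_size))]
    if len(parts) > MAX_PARTS:
        raise ValueError("too many parts; increase the part size")
    return parts


def upload_with_retries(parts, put_part, max_attempts=3):
    """Upload parts independently; a failure re-sends only that part, never the whole object.
    Returns the ETags needed for CompleteMultipartUpload plus the attempts made per part."""
    etags, attempts = {}, {}
    for num, off, length in parts:
        for attempt in range(1, max_attempts + 1):
            attempts[num] = attempt
            try:
                etags[num] = put_part(num, off, length)
                break
            except TransientError:
                if attempt == max_attempts:
                    raise
    return etags, attempts


def make_flaky_uploader(fail_once):
    """Constructed stand-in for UploadPart: fails the first attempt of the given part numbers."""
    pending = set(fail_once)

    def put_part(num, off, length):
        if num in pending:
            pending.discard(num)
            raise TransientError(f"part {num} timed out")
        return f"etag-{num}-{length}"

    return put_part
```

choose_part_size shows why the default 5 MiB part does not scale: a 5 TiB object needs parts of about 525 MiB to stay under 10,000 parts, and upload_with_retries shows that part 3 failing once costs one extra part upload, not a restart.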
S3 Transfer Acceleration
Transfer Acceleration routes requests to the nearest CloudFront edge location and then over the AWS backbone to the bucket, minimising the distance data travels over the public internet.
Transfer Acceleration rules/steps
- Transfer Acceleration must be enabled on the bucket
- Bucket name must not contain periods
- Bucket name must be DNS compliant
- Clients use the bucket-name.s3-accelerate.amazonaws.com endpoint
IAM policy vs S3 bucket policy
By default buckets and objects are private. You can grant access using IAM (identity) policies, bucket policies, or both. For a principal in the bucket owner's account the effective permission is the union of all the Allows, except that an explicit Deny in any policy always wins. For a principal from another account, both that account's identity policy and the bucket policy must Allow the action.
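An added example (not AWS code) that encodes the evaluation rules above for the simple case of Allow/Deny statements with wildcards and no Condition elements: explicit Deny wins, same-account access needs an Allow from either policy, cross-account access needs an Allow from both, and anonymous access can only come from the bucket policy. The sample policies, ARNs and account IDs are constructed.

```python
import fnmatch


def _aslist(x):
    return x if isinstance(x, list) else [x]


def _any_match(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _aslist(patterns))


def _principal_matches(principal, caller_arn):
    """Resource-policy Principal: "*" (everyone, including anonymous) or {"AWS": arn(s)}."""
    if principal == "*":
        return True
    aws = _aslist(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in aws or caller_arn in aws


def _effects(policy, action, resource, caller_arn=None, resource_policy=False):
    """Yield the Effect of every statement that matches the request."""
    for stmt in policy.get("Statement", []):
        if resource_policy and not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if _any_match(stmt.get("Action", []), action) and _any_match(stmt.get("Resource", []), resource):
            yield stmt["Effect"]


def account_of(arn):
    return arn.split(":")[4]


def is_allowed(caller_arn, action, resource, identity_policies, bucket_policy, bucket_owner):
    """Simplified S3 authorization:
    - an explicit Deny in any policy wins;
    - same-account caller: an Allow in either the identity or the bucket policy is enough;
    - cross-account caller: needs an Allow from its own identity policy AND the bucket policy;
    - anonymous caller (caller_arn None): only the bucket policy can allow it."""
    identity = [e for p in identity_policies for e in _effects(p, action, resource)]
    bucket = list(_effects(bucket_policy, action, resource, caller_arn, resource_policy=True))
    if "Deny" in identity or "Deny" in bucket:
        return False
    if caller_arn is None:
        return "Allow" in bucket
    if account_of(caller_arn) == bucket_owner:
        return "Allow" in identity or "Allow" in bucket
    return "Allow" in identity and "Allow" in bucket


# Constructed sample policies for bucket 'reports' owned by account 111111111111.
BUCKET = "arn:aws:s3:::reports"
OBJECTS = BUCKET + "/*"
ALICE = "arn:aws:iam::111111111111:user/alice"   # same account as the bucket
BOB = "arn:aws:iam::222222222222:user/bob"       # different account

READ_OBJECTS = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": OBJECTS},
]}

BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": BOB}, "Action": "s3:GetObject", "Resource": OBJECTS},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET + "/public/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": BUCKET + "/secrets/*"},
]}
```

The last Deny statement is the interesting one: because its Principal is "*", it also denies alice even though her identity policy allows s3:GetObject on every object, which is exactly how an over-broad Deny in a bucket policy can lock out the bucket owner's own administrators.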
S3 SSE types
- Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3): AES-256, keys handled entirely by S3; the default for new objects
- Server-Side Encryption with KMS keys stored in AWS Key Management Service (SSE-KMS): S3 encrypts with data keys issued by a KMS key you control
- Server-Side Encryption with Customer-Provided Keys (SSE-C): you send the key with every request; S3 uses it and discards it
Use case of SSE
Large volumes of data where you want encryption without spending client CPU on it; S3 does the cryptographic work.
SSE-C and client-side encryption (CSE) use case
Control and compliance: you keep the keys and AWS never stores them (SSE-C) or never sees plaintext at all (CSE).
SSE-S3 cons (compared with SSE-KMS)
- User control over the keys is lost
- Key rotation is handled by AWS; you cannot set the schedule
- Compliance requirements may not be met
- Role separation is not possible: an S3 administrator who can read the object can read the plaintext
SSE-C avoids these, at the cost of managing the key yourself and sending it with every request (HTTPS only).
SSE-KMS is close to customer-controlled encryption (S3 uses a per-object DEK wrapped by your KMS key)
This is usually the best overall choice because the KMS key is customer managed: role separation, key rotation and access control are addressed through the key policy, and every use of the key is logged in CloudTrail.
Role separation with SSE-KMS means an S3 administrator without kms:Decrypt on the key cannot read the objects, even with full S3 access.
S3 server-side encryption is applied by default (SSE-S3 since January 2023); you choose the method per bucket or object
Choose between SSE-S3 (AES-256), SSE-KMS and SSE-C.
SSE-S3 encryption standard?
AES-256
S3 durable and successful response?
HTTP/1.1 200 OK, returned only after the object has been durably stored.
S3 classes
Standard - millisecond access, >= 3 AZs, no retrieval fee, no minimum storage duration.
Standard-IA - >= 3 AZs, millisecond access but a per-GB retrieval fee, 30-day minimum storage charge, 128 KB minimum billable object size.
One Zone-IA - single AZ (data is lost if that AZ is lost), otherwise as Standard-IA with the same 30-day minimum.
Intelligent-Tiering - automatic tiering for a small per-object monitoring fee; objects not accessed for 30 consecutive days move to the infrequent tier; no retrieval fees.
Glacier Instant Retrieval - millisecond access but a 90-day minimum storage charge and a retrieval fee; for data accessed about once a quarter.
Glacier Flexible Retrieval and Glacier Deep Archive - asynchronous: objects are listed in S3 but need a restore job before they can be read, and cannot serve public access (see the next cards).
S3 Glacier Flexible Retrieval
Glacier (Flexible) - 90-day minimum storage charge; best for cold storage.
Objects appear in listings but are not instantly retrievable.
Cannot serve public or website access directly.
Requires a restore job before objects can be read:
1. Expedited retrieval (1-5 minutes)
2. Standard retrieval (3-5 hours)
3. Bulk retrieval (5-12 hours)
(The faster the retrieval, the more expensive.)
S3 Glacier Deep Archive (frozen data)
Glacier Deep Archive - data in a frozen state.
Cheapest class.
180-day minimum storage charge.
Not suitable where objects must be accessible within hours.
Best for archives where a wait of hours or days is tolerable.
Retrieval jobs:
1. Standard 12 hours
2. Bulk 48 hours
S3 lifecycle transitions
Objects must be in S3 for at least 30 days before they can transition to Standard-IA or One Zone-IA (the 30-day rule).
Leave another 30 days before moving from an IA class to a Glacier class, otherwise the IA minimum storage charge is billed anyway.
A single lifecycle rule can contain several transitions (for example 30 days to IA, then 60 days to Glacier) as well as expiration actions.
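An added example (not AWS tooling) that checks a lifecycle configuration, in the same JSON shape that put-bucket-lifecycle-configuration accepts, against the transition rules above and against the versioning cost point from the earlier card: a rule on a versioned bucket that never expires or transitions noncurrent versions keeps billing for every old version, and a rule that never aborts incomplete multipart uploads keeps billing for abandoned parts. Both configurations are constructed; the weak one transitions too early.

```python
# Storage classes in the order lifecycle transitions may move through them (coldest last).
CLASS_ORDER = ["STANDARD", "STANDARD_IA", "INTELLIGENT_TIERING", "ONEZONE_IA",
               "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE"]
IA_CLASSES = {"STANDARD_IA", "ONEZONE_IA"}
MIN_DAYS_BEFORE_IA = 30        # objects must sit in S3 at least 30 days before moving to *_IA
IA_MIN_DURATION = 30           # the *_IA minimum storage duration (charged even if you leave early)


def validate_lifecycle(config, versioning_enabled=True):
    """Return a list of problems with a lifecycle configuration; an empty list means it passes.
    Checks: rules Enabled, transitions only to colder classes with increasing Days, the 30-day
    rule before *_IA, a further 30 days before leaving an *_IA class, an abort for incomplete
    multipart uploads, and on a versioned bucket an expiration or transition for noncurrent versions."""
    problems = []
    for rule in config.get("Rules", []):
        rid = rule.get("ID", "<unnamed>")
        if rule.get("Status") != "Enabled":
            problems.append(f"{rid}: Status is not Enabled")
        last_days, last_rank, last_was_ia = None, -1, False
        for t in sorted(rule.get("Transitions", []), key=lambda t: t["Days"]):
            cls, days = t["StorageClass"], t["Days"]
            if cls not in CLASS_ORDER:
                problems.append(f"{rid}: unknown storage class {cls}")
                continue
            rank = CLASS_ORDER.index(cls)
            if cls in IA_CLASSES and days < MIN_DAYS_BEFORE_IA:
                problems.append(f"{rid}: {cls} at {days} days breaks the 30-day rule")
            if rank <= last_rank:
                problems.append(f"{rid}: {cls} is not colder than the previous transition")
            if last_days is not None and days <= last_days:
                problems.append(f"{rid}: transition Days must increase ({days} after {last_days})")
            if last_was_ia and days - last_days < IA_MIN_DURATION:
                problems.append(f"{rid}: leaving an IA class at {days} days is inside its 30-day minimum")
            last_days, last_rank, last_was_ia = days, rank, cls in IA_CLASSES
        if "AbortIncompleteMultipartUpload" not in rule:
            problems.append(f"{rid}: no AbortIncompleteMultipartUpload; abandoned parts are billed until aborted")
        if versioning_enabled and not (rule.keys() & {"NoncurrentVersionExpiration",
                                                        "NoncurrentVersionTransitions"}):
            problems.append(f"{rid}: bucket is versioned but noncurrent versions are never expired or transitioned")
    return problems


# Constructed: moves data to IA after 10 days and on to Glacier 10 days later, and ignores old versions.
WEAK_CONFIG = {"Rules": [{
    "ID": "cheap-asap", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
    "Transitions": [{"Days": 10, "StorageClass": "STANDARD_IA"},
                    {"Days": 20, "StorageClass": "GLACIER"}],
}]}

# Constructed: respects the 30-day rule, waits 30 days in IA, expires noncurrent versions, aborts stale uploads.
GOOD_CONFIG = {"Rules": [{
    "ID": "logs-tiering", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
    "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"},
                    {"Days": 60, "StorageClass": "GLACIER"},
                    {"Days": 180, "StorageClass": "DEEP_ARCHIVE"}],
    "NoncurrentVersionExpiration": {"NoncurrentDays": 30},
    "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
}]}
```

Run validate_lifecycle on a configuration before applying it; the checks here are the ones S3 either rejects outright (the 30-day rule) or silently bills you for (early exit from IA, orphaned noncurrent versions, abandoned multipart parts).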
S3 replication options
- All objects or a subset (filter by prefix or tags).
- Storage class: by default the replica keeps the source class, but a different destination class can be chosen.
- Ownership: by default the replica is owned by the source account; in cross-account replication turn on owner override so the destination account owns the replicas.
- Replication Time Control (RTC): replicates 99.99% of objects within 15 minutes and adds replication metrics; it does not sync pre-existing objects.
- S3 replication is not retroactive; existing objects need S3 Batch Replication.
- An IAM role in the source account is required, and in cross-account replication the destination bucket policy must grant that role permission to replicate.
- Versioning must be enabled on both source and destination.
- Replication is one-way unless a rule is configured in each direction.
- Handles SSE-S3 and SSE-KMS objects (SSE-KMS needs key permissions for the role) as well as unencrypted ones.
- Glacier and Glacier Deep Archive objects cannot be replicated.
- Deletes are not replicated by default; delete marker replication can be enabled, but deletes of a specific version ID are never replicated.
S3 replication use cases
Same-Region Replication (SRR):
- Log aggregation into one bucket
- Sync between test and prod accounts
- Data sovereignty requirements
Cross-Region Replication (CRR):
- Resilience
- Latency reduction for users in another Region
- DR (even for static websites)
S3 pre-signed URL
A URL for one object in S3, signed with the credentials of an AWS identity, that can be handed to someone without AWS credentials. It specifies:
- Access duration
- Object to be accessed
- The operation (GET or PUT)
Pre-signed URLs are time-limited and carry the permissions of the identity that generated them, evaluated when the URL is used: if that identity loses access, or its temporary credentials expire, the URL stops working. Anyone who obtains the URL can use it until it expires, so treat it as a bearer credential. They can be used to both upload and download objects in S3.
S3 pre-signed URL syntax
$ aws s3 presign [uri] --expires-in [time in sec]
e.g. $ aws s3 presign s3://animals41ifemedia133333333337/al15.jpg --expires-in 180
(aws s3 presign only produces GET URLs; use the SDK's generate_presigned_url for PUT.)
Pre-signed URL expiry
The CLI default is 3600 seconds (1 hour). The maximum is 7 days for a URL signed with long-lived IAM user keys, and no longer than the credentials' own lifetime when signed with temporary role credentials. Objects in a bucket are private by default; it is good practice to keep the bucket and objects private and hand out pre-signed URLs instead.
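To show what a pre-signed URL actually contains, the following added example (standard library only, not the AWS CLI or SDK) implements SigV4 query-string signing for a GET and the check S3 performs on receipt. The bucket and key are the ones from the card above; the access key and secret are the placeholder credentials from the AWS documentation, and the Region us-east-1 is assumed. The point it demonstrates: the expiry is inside the signed data, so it cannot be extended by editing the URL, and the 7-day cap is enforced at signing time.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qsl, quote, urlsplit

MAX_EXPIRES = 7 * 24 * 3600          # SigV4 hard limit: a presigned URL lives at most 7 days
# AWS's documented placeholder credentials (not real keys), used as constructed input.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, yyyymmdd, region):
    # kSecret -> kDate -> kRegion -> kService -> kSigning: the SigV4 key derivation chain.
    k = _hmac(("AWS4" + secret).encode(), yyyymmdd)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _canonical_query(params):
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))


def _signature(host, path, params, secret, region):
    """Signature over method, path, query (expiry included), the host header and UNSIGNED-PAYLOAD."""
    amz_date = params["X-Amz-Date"]
    canonical_request = "\n".join(
        ["GET", path, _canonical_query(params), f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, amz_date[:8], region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, expires, now, region="us-east-1",
                access_key=ACCESS_KEY, secret=SECRET_KEY):
    """Build a query-string-authenticated GET URL, as `aws s3 presign` does."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 and 604800 seconds")
    amz_date = now.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = quote("/" + key, safe="/-_.~")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(host, path, params, secret, region)
    return f"https://{host}{path}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_presigned(url, secret, now):
    """What S3 does on receipt: recompute the signature over the URL exactly as presented and
    enforce the signed expiry. Editing X-Amz-Expires (or anything else) invalidates the signature."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    presented = params.pop("X-Amz-Signature", "")
    try:
        region = params["X-Amz-Credential"].split("/")[2]
        signed_at = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires = int(params["X-Amz-Expires"])
    except (KeyError, ValueError, IndexError):
        return False
    if not 1 <= expires <= MAX_EXPIRES:
        return False
    expected = _signature(parts.netloc, parts.path, params, secret, region)
    if not hmac.compare_digest(expected, presented):
        return False
    return (now.astimezone(timezone.utc) - signed_at).total_seconds() <= expires


def demo():
    """Constructed walk-through at a fixed clock so the outcomes are deterministic."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    url = presign_get("animals41ifemedia133333333337", "al15.jpg", 180, now)
    at_179s = now.replace(minute=2, second=59)
    at_181s = now.replace(minute=3, second=1)
    tampered = url.replace("X-Amz-Expires=180", "X-Amz-Expires=3600")
    try:
        presign_get("bucket", "key", MAX_EXPIRES + 1, now)
        too_long_rejected = False
    except ValueError:
        too_long_rejected = True
    return {
        "url": url,
        "valid_before_expiry": verify_presigned(url, SECRET_KEY, at_179s),
        "rejected_after_expiry": not verify_presigned(url, SECRET_KEY, at_181s),
        "tampered_expiry_rejected": not verify_presigned(tampered, SECRET_KEY, at_179s),
        "wrong_key_rejected": not verify_presigned(url, "not-the-secret", at_179s),
        "over_7_days_rejected": too_long_rejected,
    }
```

Note what is and is not covered by the signature: the host, path and every query parameter are, so neither the object key nor the expiry can be altered; the payload is not (UNSIGNED-PAYLOAD), which is why a pre-signed PUT lets the holder upload any content they like to that key.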
S3 Select, S3 Glacier Select
Run a SQL filter inside S3 so only the matching rows are returned, minimising the data transfer cost of downloading a large object just to filter it locally. Input formats are CSV, JSON and Apache Parquet; output is CSV or JSON. (No longer offered to new customers since July 2024.)
S3 Inventory
A scheduled report of the objects in a bucket (or prefix) with the fields chosen in the inventory settings. Reports are generated daily or weekly; the first one can take up to 48 hours to arrive.
S3 Inventory setup
Requires a source bucket and a destination bucket; the destination bucket needs a bucket policy that lets the S3 service (s3.amazonaws.com) write reports for the source bucket. The report is delivered as CSV, Apache ORC or Apache Parquet into the destination bucket, together with a manifest file.
s3 inventory use case
- Audit,
- Compliance,
- Cost Management
- or any specific regulations
s3 inventory summary
Helps you manage (at a high level) your storage
- Inventory of objects & various optional fields
- Options: Encryption, Size, Last Modified, Storage Class, Version ID, Replication Status, Object lock, etc …
- Generate daily or weekly (a report cannot be forced on demand)
- Output: CSV, ORC, Parquet
- Multiple inventories can be set up, and they go to a destination bucket
- Same account or different account; the destination needs a bucket policy
- Audit, Compliance, Cost Management or any specific regulations
S3 Event Notifications
Supported destinations
- SQS (standard queues only, not FIFO)
- SNS
- Lambda
- EventBridge (all events, once enabled on the bucket)
EventBridge
Events published to an event bus that match a rule are forwarded to the rule's targets.
Events are JSON documents.
EventBridge vs S3 Notifications
Not quite the same thing: EventBridge can filter on any field of the event, fan out to many more target services, archive and replay events, and covers more S3 event types than the older notification configuration.
S3 Object Lock
Write Once Read Many (WORM). Object Lock requires versioning; once enabled on a bucket, neither Object Lock nor versioning can be turned off.
Two kinds of S3 Object Lock
- Retention period, in one of two modes:
- Compliance mode: no one, not even the root user, can shorten the retention period, delete the version or change the mode before it expires. Compliance retention can only be extended.
- Governance mode: users who hold s3:BypassGovernanceRetention and explicitly send the header x-amz-bypass-governance-retention: true (the console sends it by default; the CLI needs --bypass-governance-retention) can shorten or remove the lock and delete the version.
- Legal hold: independent of retention, just ON or OFF with no expiry; while ON the version cannot be deleted or overwritten, and only a principal with s3:PutObjectLegalHold can switch it off.
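An added decision model (not the S3 API) of the lock rules above: legal hold blocks deletion regardless of retention, Compliance retention can only be extended, and Governance retention yields only to a caller who both holds s3:BypassGovernanceRetention and sends the bypass header. Class names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class LockState:
    """Object Lock settings on one object version (constructed model, not the S3 API)."""
    mode: Optional[str] = None            # None, "GOVERNANCE" or "COMPLIANCE"
    retain_until: Optional[date] = None
    legal_hold: bool = False              # independent of retention; just ON/OFF


@dataclass
class Caller:
    has_bypass_permission: bool = False   # IAM allows s3:BypassGovernanceRetention
    sent_bypass_header: bool = False      # request carried x-amz-bypass-governance-retention: true


def retention_active(state, today):
    return state.mode is not None and state.retain_until is not None and today < state.retain_until


def can_delete_version(state, caller, today):
    """May this caller permanently delete (or overwrite) the locked version today?
    Returns (decision, reason)."""
    if state.legal_hold:
        return False, "legal hold is ON; it must be switched OFF (PutObjectLegalHold) first"
    if not retention_active(state, today):
        return True, "no active retention period"
    if state.mode == "COMPLIANCE":
        return False, f"COMPLIANCE retention until {state.retain_until}: no one, including root, can shorten it"
    if caller.has_bypass_permission and caller.sent_bypass_header:
        return True, "GOVERNANCE retention bypassed: permission plus explicit header"
    if caller.has_bypass_permission:
        return False, "has s3:BypassGovernanceRetention but did not send the bypass header"
    return False, "GOVERNANCE retention active and caller lacks s3:BypassGovernanceRetention"


def can_change_retention(state, caller, today, new_mode, new_until):
    """Rules for PutObjectRetention on a locked version. new_mode None means 'remove retention'."""
    if not retention_active(state, today):
        return True, "no active retention; any retention may be set"
    if state.mode == "COMPLIANCE":
        if new_mode == "COMPLIANCE" and new_until is not None and new_until >= state.retain_until:
            return True, "COMPLIANCE retention may only be extended"
        return False, "COMPLIANCE retention cannot be shortened, removed or changed to GOVERNANCE"
    # GOVERNANCE: extending, or upgrading to COMPLIANCE, never needs the bypass.
    if new_mode in ("GOVERNANCE", "COMPLIANCE") and new_until is not None and new_until >= state.retain_until:
        return True, "extending GOVERNANCE retention or upgrading it to COMPLIANCE (one-way)"
    if caller.has_bypass_permission and caller.sent_bypass_header:
        return True, "shortening or removing GOVERNANCE retention with the bypass"
    return False, "shortening or removing GOVERNANCE retention needs s3:BypassGovernanceRetention plus the header"


# Constructed reference dates for the walk-through.
TODAY = date(2024, 6, 1)
UNTIL = date(2025, 6, 1)
```

The two asymmetries worth remembering are encoded here: an administrator with the bypass permission still fails a governance delete if the request omits the header (the CLI omits it unless told otherwise), and a Governance lock can be upgraded to Compliance by anyone allowed to set retention, after which no caller can undo it.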