S3 Flashcards

1
Q

Identity policy vs resource policy scope

A

You can assign resource policies to control access from the same or a different account, and they can reference any identity from any source.

You can only control identity policies for identities within your account.

2
Q

Resource vs Identity policies access

A

A resource policy can allow or deny an anonymous principal.

An identity policy has to be attached to a specific identity.

3
Q

Which policy has a Principal parameter?

A

A resource policy must reference a principal, while an identity policy does not have to.

This is because a single resource policy can contain multiple principals.

Identity policies are linked directly to an identity, so the principal parameter is not necessary.

4
Q

Max number of policies per S3 bucket?

A

There can only be one bucket policy attached per bucket, but that policy can contain many statements.

5
Q

Website hosting tip on domain name vs bucket name

A

You can use a custom domain name for an S3 bucket if the domain name is the same as the bucket name.

6
Q

S3 Domain name generation

A

Static website domain name is automatically generated by AWS using a combination of your domain name and Region

7
Q

Dynamic vs static website

A

Dynamic websites have static contents that need to access/offload/fetch data from another server or database in order to deliver a web result to a user, e.g. a game leaderboard or a weather update website.

while

Static websites contain strictly out-of-band pages/contents; the static media are sitting and waiting to be delivered.

8
Q

Using S3 as a DR component

A

S3 can be used as a backup landing page for a dynamic website. The out-of-band technique helps to keep a section of a website active during total downtime of the main website; traffic is diverted to the static pages using Route 53 (failover) until DR is successful.

S3 acts as the backup landing page by hosting static versions of the critical pages that you want to keep accessible during main website downtime.

9
Q

Compatible protocols for S3 website?

A

Amazon S3 supports only the HTTP protocol. If your website uses HTTPS, then at failover the page displays the error “could not display this page”. To serve HTTPS requests, see How do I use CloudFront to serve HTTPS requests for my Amazon S3 bucket?

10
Q

Block Public Access

A

Unticking the Block Public Access box only opens the S3 port for further settings. Behind the scenes, routing and protocol selection is done by clicking on other options in the settings, permissions and properties sections.

Conceptual:
Unblock public access = enable HTTP protocol
Read/get bucket policy = selecting port address
Enable public access via ACL = routing table settings to route

11
Q

How to disable S3 versioning

A

Versioning cannot be disabled; however, it can be suspended.

12
Q

An S3 object without versioning enabled has an ID of ……?

A

NULL

13
Q

Unless specified, S3 will always return the …………… version of an object

A

Unless specified, S3 will always return the latest version of an object.

14
Q

Delete Marker

A

A special version of an object that hides all other versions of that object.

15
Q

Delete a delete marker of an object

A

This will remove the delete marker from the object and make the object visible again. This is like an undelete.

To permanently delete an object, specify its ID.

16
Q

Bucket volume and versioning effect

A

You are billed for all versions. While versioning is active, the total volume of the bucket is the sum of all objects (both original and versioned).
In order to control the volume of your bucket, you may need to delete the bucket and re-upload objects without versioning enabled.

17
Q

MFA Delete

A

Versioning must be enabled.

18
Q

Delete or change the version state of an object using a CLI/API call when MFA Delete is enabled

A

To delete an object via an API call, you must generate and concatenate your MFA serial number + the generated token.

19
Q

Suspend Versioning

A

Suspending versioning turns off versioning for subsequent uploads but does nothing to previous versions.

20
Q

Multipart upload

A

Only with files over 100MB. It helps by breaking up the file into small chunks as opposed to a single stream of data.

21
Q

Max pieces of a multipart file?

A

10,000 parts of 5MB files = 5,000MB.

22
Q

Advantage of Multipart Upload

A

Apart from the obvious,

  1. Each part can be re-uploaded in case of a failure. It's approached like an ACID transaction.
  2. Transfer rate is also improved.

23
Q

S3 Transfer Acceleration

A

Transfer Acceleration routes requests straight into the nearest AWS edge location (AWS backbone) to minimise the distance travelled by data.

24
Q

Transfer Acceleration Rules/Steps

A
  1. Bucket must have Transfer Acceleration enabled
  2. Bucket name must not contain periods
  3. Bucket name needs to be DNS compatible
25
Q

IAM policy vs S3 bucket policy

A

By default, buckets and objects are private. You can allow access to them using either IAM policies, bucket policies, or both. Effective permissions will be the union of all these individual permissions.

26
Q

S3 SSE types

A
  1. Server-Side Encryption with Customer-Provided Keys (SSE-C)
  2. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) (this is the default) (AES)
  3. Server-Side Encryption with KMS Keys Stored in AWS Key Management Service (SSE-KMS)
27
Q

Use case of SSE

A

Large volume data encryption where high CPU performance is desirable.

28
Q

SSE-C, CSE use case

A

Control and Compliance

29
Q

SSE cons (SSE-C, SSE-S3)

A
  1. User control is compromised/lost
  2. Key rotation control is forfeited to AWS
  3. Compliance requirements may be in conflict
  4. Role separation is not possible (the S3 administrator has all the access)
30
Q

SSE-KMS is almost like customer-controlled (if using a DEK)

A

This method seems like the best overall because it uses customer-generated and customer-controlled keys (through KMS), so issues like role separation, key rotation, and control are addressed. Logging and auditing using CloudTrail also give a transparent view of operations.
SSE-KMS role separation also isolates the permitted administrator from unauthorized access.

31
Q

S3 SSE is mandatory; however, you have a choice of which method

A

Choose between SSE-KMS, SSE-C or SSE-S3 (AES-256).

32
Q

SSE-S3 encryption standard?

A

AES-256

33
Q

HTTP/1.1 200 OK

A

S3 durable and successful response

34
Q

S3 classes

A

Standard - instant retrieval, 3 AZ.
Standard IA - 3 AZ, can't retrieve items until after 30 days.
Standard IA One Zone - single AZ, can't retrieve items until after 30 days.
Intelligent-Tiering - minimum 30 days retrieval.

Glacier (Flexible) - can't retrieve items until after 90 days, best for cold storage;
objects can be seen in S3 but they are not instantly retrievable.
Cannot be used for public access.
Requires a retrieval job for retrieval.

Glacier Instant Retrieval - instant retrieval but minimum storage charge of 90 days.

35
Q

S3 Glacier Flexible Retrieval

A

Glacier (Flexible) - can't retrieve items until after 90 days, best for cold storage;
objects can be seen in S3 but they are not instantly retrievable.

Cannot be used for public access.

Requires a retrieval job for access to objects:
1. Expedited retrieval (1-5 mins)
2. Standard retrieval (3-5 hrs)
3. Bulk retrieval (5-12 hrs)
(The faster, the more expensive.)

36
Q

S3 Glacier Deep Archive (frozen data)

A

Glacier Deep Archive - data in a frozen state.
Cheapest.
Minimum of 180 days before first retrieval.
Not effective for compliant objects.
Best for archive, where hours and days are tolerable.

Retrieval jobs:
1. Standard 12 hrs
2. Bulk 48 hrs

37
Q

S3 lifecycle transition

A

You must wait 30 days to move to Infrequent Access.

You must wait another 30 days from Infrequent Access before moving to a Glacier class.

However, two rules can be set simultaneously.

38
Q

S3 replication options

A
  1. All objects or a subset (you can select the objects to replicate).
  2. Storage class - default is to maintain the storage class; however, it can be changed.
  3. Ownership - default is the source account; in cross-account replication it's important to change ownership in order to permit the other account's usage.
  4. Replication Time Control (RTC) - synchronization of both old and new buckets.
  5. S3 replication is not retroactive.
  6. A policy (role) is required on both origin and replica accounts in a CAR.
  7. Versioning must be activated on both source and destination.
  8. Replication by default is not bi-directional until enabled.
  9. Can handle both encrypted and unencrypted objects.
  10. Glacier and Glacier Deep Archive objects cannot be replicated.
  11. Deletes are not replicated by default.
39
Q

S3 CRR use cases

A
  1. Log aggregation (SRR)
  2. Sync between test and prod accounts
  3. Sovereignty requirements (SRR)
  4. Resilience (CRR)
  5. Latency reduction
  6. DR (even for static websites)
40
Q

S3 pre-signed URL

A

A direct URL of an object inside S3 given to a non-AWS identity with specified permissions regarding
- access duration
- object to be accessed
- possible operations

Pre-signed URLs are time-limited and are encoded with all the access rights of the identity that generates them. They can be used to both upload and download objects on S3.

41
Q

S3 pre-signed URL syntax

A

$ aws s3 presign [uri] --expires-in [time in sec]

e.g. $ aws s3 presign s3://animals41ifemedia133333333337/al15.jpg --expires-in 180

42
Q

Pre-signed URL expiry

A

The default expiration time is 5 minutes and the maximum expiration time of the pre-signed URL can be 7 days. Objects stored in the S3 bucket are private by default. It is good practice to keep the S3 bucket and objects private.

43
Q

S3 Select, S3 Glacier Select

A

Filter within S3 to minimize the data transfer fee associated with downloading large unfiltered data from S3. Output format is CSV, Apache ORC, or Apache Parquet.

44
Q

S3 Inventory

A

An organized view of the objects in an S3 bucket; this view is determined by the filter options selected in the inventory settings. It is generated on a schedule, with a minimum of 48 hrs initially.

45
Q

S3 Inventory setup

A

Requires origin and target buckets, each of which requires a policy to transact with the other. After that, a CSV, Apache ORC, or Apache Parquet format document is delivered into the target bucket.

46
Q

S3 Inventory use cases

A
  • Audit
  • Compliance
  • Cost management
  • Any specific regulations
47
Q

S3 Inventory summary

A

Helps you manage (at a high level) your storage

  • Inventory of objects & various optional fields
  • Options: encryption, size, last modified, storage class, version ID, replication status, object lock, etc.
  • Generated daily or weekly (can't be forced)
  • Output - CSV, ORC, Parquet
  • Multiple inventories can be set up, and they go to a target bucket
  • Same account or different account; needs a bucket policy
  • Audit, compliance, cost management or any specific regulations
48
Q

S3 Event Notifications

A

Supports only

  • SQS
  • SNS
  • Lambda
49
Q

EventBridge

A

Events in an event bus that match the specified rule in EventBridge are picked up and forwarded to the assigned target in EventBridge.
Events are in JSON form.

50
Q

EventBridge vs S3 notifications

A

Same thing; EventBridge integrates with several more services than S3 notifications.

51
Q

S3 Object Lock

A

Object Lock cannot be removed; Write Once Read Many (WORM). Neither can versioning on the object be removed.

52
Q

2 types of S3 Object Lock

A
  1. Retention
    - Compliance mode (no changes can be made to the version or retention settings). Compliance mode is permanent.
    - Governance mode (GOVERNANCE - special permissions can be granted allowing lock settings to be adjusted):
      * s3:BypassGovernanceRetention
      * along with the header x-amz-bypass-governance-retention:true (console default)

  2. Legal Hold can be changed. Just ON or OFF; however, it cannot be deleted or modified.