S3 Flashcards
This deck aims to help retain concepts related to the AWS S3 service.
Which S3 security feature allows you to define the principals that are allowed to access S3 resources under certain conditions?
S3 Bucket policy (resource-based policy)
Which S3 security feature provides controls across an entire AWS Account or at the individual S3 bucket level to ensure that objects will never be accessed publicly?
S3 Block Public Access
Name the S3 (legacy) security feature that defines which AWS accounts or groups are granted access and the type of access to both buckets and individual objects within a bucket.
S3 Access Control Lists (ACLs)
Provide a good use case for utilizing a bucket policy (resource-based policy) when configuring bucket access permissions.
For permissions that require anonymous user access or cross-account access, or when controlling access to a single S3 resource
Provide a good use case for utilizing an IAM policy (identity-based policy) when configuring bucket access permissions.
For permissions required within the same account, or when controlling access to a range of different resources
Which S3 feature allows you to keep multiple variations of an object and provides the ability to preserve, retrieve, and restore every variation?
S3 Bucket Versioning
When you create an S3 bucket, is versioning enabled by default?
No, by default versioning is disabled
Can versioning be disabled on the S3 bucket?
No, once enabled, versioning cannot be disabled, but it can be suspended and re-enabled when required
Which S3 security feature requires additional authentication to allow permanent object version deletion or changing the versioning state of the bucket?
MFA delete
Which S3 feature allows an application to upload a large object as a set of smaller parts uploaded in parallel?
S3 Multipart upload
Is it S3’s responsibility to combine smaller pieces into the original object during a multipart upload?
Yes
What is the recommended minimum file size to start considering S3 multipart upload?
100MiB
What is the minimum and maximum part size for an S3 multipart upload?
The minimum part size is 5MiB and the maximum part size is 5GiB; the last part (leftover) can be smaller than 5MiB
Which S3 feature reduces the variability in internet routing, congestion, and speeds that can affect transfers, and logically shortens the distance to S3, resulting in faster uploads?
S3 Transfer Acceleration
What is the maximum number of data parts for an S3 multipart upload?
10,000 parts
Which components of AWS global infrastructure does S3 Transfer Acceleration utilize?
Edge Locations, to transfer data over the AWS Global Network
Which naming restriction applies to an S3 bucket in order to enable the Transfer Acceleration feature?
The bucket name cannot contain periods and must be DNS-compatible
Is S3 Transfer Acceleration enabled by default?
No, it is disabled by default; enabling Transfer Acceleration incurs additional costs
Are S3 buckets encrypted?
No, buckets are not encrypted but objects are
Which types of encryption does S3 support?
Client-side and server-side (SSE-S3, SSE-KMS, and SSE-C)
Which type of encryption protects data in transit and at rest so that data is never exposed to any third parties, including AWS?
Hint: Using this encryption type, you are responsible for key management as well as the encryption and decryption process.
Client-side encryption
Which type of S3 encryption automatically encrypts data at the object level as it is written and decrypts it for you when you access it?
Server-side encryption
Name a type of S3 server-side encryption, where S3 handles key management as well as the encryption and decryption process but provides no control over encryption keys and no role separation.
SSE-S3 (server-side encryption with S3-managed keys)
Name a type of S3 server-side encryption where S3 handles the encryption and decryption process while delegating KMS to manage encryption keys, providing key rotation control and role separation.
SSE-KMS (server-side encryption with KMS-managed keys)
Name a type of S3 server-side encryption where S3 handles the encryption and decryption process while delegating customers to manage encryption keys (customers provide encryption keys for each encryption or decryption operation).
SSE-C (server-side encryption with customer-provided keys)
Which S3 feature can reduce KMS request costs by decreasing the request traffic from S3 to KMS?
S3 Bucket-level keys
What S3 storage classes are there?
- Standard
- Standard IA
- One Zone IA
- Intelligent Tiering
- Glacier:
  - Instant Retrieval
  - Flexible Retrieval
  - Deep Archive
Which S3 storage class should be used to store frequently accessed non-replaceable data?
Standard
Which S3 storage class has no retrieval fee but the most expensive storage fee?
Standard
Which S3 storage class should be used to store infrequently accessed, important, and non-replaceable data?
Standard IA
Which S3 storage class should be used to store infrequently accessed, non-critical data that can be easily recreated?
One Zone IA
Which S3 storage classes replicate data across 3 AZs?
- Standard
- Standard IA
- S3 Intelligent-Tiering
- Glacier IR, FR, DA
How is S3 billed?
- S3 incurs a GB/month storage fee
- Transfer out fee, and per 1k requests fee
- Some storage classes incur an additional retrieval fee and a minimum capacity charge (40-128KB), which can vary based on the storage class
Which S3 storage classes have a duration charge for a minimum of 30 days of storage?
- Standard IA
- One Zone IA
Which storage classes have a duration charge for a minimum of 90 days of storage?
- Glacier Instant Retrieval
- Glacier Flexible Retrieval
Which storage classes have a duration charge for a minimum of 180 days of storage?
Glacier Deep Archive
Which S3 storage class should be used to store non-replicable data that is not often accessed but requires access in real-time?
Glacier Instant Retrieval
Which S3 storage class should be used to store archival data, where frequent or real-time access is not required but can be accessed within a 12-hour window?
Glacier Flexible Retrieval
Which S3 storage class should be used to store archival data, where frequent or real-time access is not required but can be accessed within a 48-hour window?
Glacier Deep Archive
In which S3 storage class is data cold and not instantly accessible but can be temporarily retrieved to S3 Standard IA via Expedited (1-5 min), Standard (3-5 h), or Bulk (5-12 h) jobs (faster = more expensive)?
Glacier Flexible Retrieval
In which S3 storage class is data frozen and not instantly accessible but can be temporarily retrieved to S3 Standard IA via Standard (12 h) or Bulk (48 h) jobs (faster = more expensive)?
Glacier Deep Archive
Which S3 storage class should be used for cases where data access patterns are unknown?
Intelligent Tiering
What tiers are present in the Intelligent Tiering storage class?
- Frequent Access
- Infrequent Access
- Archive Instant Access
- Archive Access
- Deep Archive Access
In the S3 Intelligent Tiering storage class, how long does it take for an object to transfer from one tier to another?
For non-archival tiers, 30 days; for archival tiers, 90-180 days
Which feature of S3 provides a set of rules that can define actions that S3 applies to a group of objects ensuring cost-effective management through their lifecycle?
S3 Lifecycle configuration
What types of actions can be configured in the S3 lifecycle configuration?
Transition actions, Expiration actions
What kind of S3 lifecycle configuration action defines when an object transitions to another storage class?
Transition actions
What kind of S3 lifecycle configuration action defines when an object expires so that S3 deletes these objects on your behalf?
Expiration actions
What is the minimum timeframe required for the S3 lifecycle configuration transition action to occur?
30 days
With S3 lifecycle configuration, can an object be transitioned to any storage class?
No, the transitioning process follows a waterfall model: Standard -> Standard IA -> Intelligent Tiering -> One Zone IA -> Glacier IR -> Glacier FR -> Glacier DA.
Which S3 feature allows objects to be copied between SOURCE and DESTINATION buckets in the same or different AWS Accounts?
S3 Replication
Which types of replication does S3 offer?
- Cross-Region Replication (CRR)
- Same-Region Replication (SRR)
When would you use S3 Cross-Region Replication over Same-Region Replication?
- CRR is used for architecting globally-resilient environments or implementing latency reduction
- SRR is used for resilience with strict sovereignty, logs aggregation, and PROD/TEST environment synchronization
Which feature of S3 adds a guaranteed 15-minute replication SLA?
S3 Replication Time Control (RTC)
When replication is configured in S3, are all objects being replicated?
Replication options allow configuration to replicate all objects or a subset of objects based on prefixes
When replication is configured in S3, what storage class do objects belong to in the DESTINATION bucket, and what’s their ownership?
Replication options allow configuration of the objects’ storage class and ownership; by default, it’s the same as the SOURCE bucket
Once replication is configured for the S3 bucket, will it retroactively replicate objects that existed in the bucket before replication was configured?
No, to replicate existing objects, batch replication must be performed
To configure replication in S3, what must be enabled on both SOURCE and DESTINATION buckets?
S3 Versioning
Is S3 replication a one-way process?
By default, yes, however, it can be configured to be bi-directional
Can objects in S3 Glacier Flexible Retrieval (FR) or Glacier Deep Archive (DA) be replicated?
No
When S3 replication is configured, will deleting an object operation replicate?
No, by default, this requires the configuration of DeleteMarkerReplication
Can S3 replication handle both encrypted and unencrypted objects?
Yes, with some extra configuration
When configuring S3 replication, which permissions does the SOURCE bucket owner require?
The owner of the SOURCE bucket requires permission for objects that will be replicated
When configuring S3 replication, will system events such as lifecycle management events also be replicated?
No, system events are not replicated.
Which S3 security feature allows generating a URL with encoded access permissions for a specific bucket or object, valid for a certain period of time?
S3 PreSigned URLs
When you generate an S3 PreSigned URL, whose permissions are attached to the URL?
The permissions belong to the identity (user or role) that generated the URL (right now)
Is it possible to generate S3 PreSigned URLs for objects that you do not have access to?
Yes, you can generate a PreSigned URL by specifying the object and expiration time, but access to this object will be denied if you don’t have permission
What does an “Access Denied” error message mean when accessing an object via a PreSigned URL?
It indicates that the identity used to generate the PreSigned URL either no longer has permission to access the object or never had permission
Can you use an IAM Role to generate an S3 PreSigned URL?
Yes, although it is not recommended practice, because the PreSigned URL becomes invalid as soon as the temporary credentials associated with the IAM Role expire; in general, an IAM user should be used
What is the maximum validity period for an S3 PreSigned URL?
7 days
Which feature of S3 lets you specify targeted portions of an object (a range of bytes in SQL-like statements) to retrieve and return rather than returning the entire contents of the object?
S3 Select, or Glacier Select
Which feature of S3, once configured by identifying the event to be published, sends notifications when certain events happen in the bucket?
S3 Event Notifications
What kinds of events can S3 Event Notifications publish?
ObjectCreated, ObjectRemoved, ObjectRestore
To which AWS services can S3 Event Notifications be delivered as targets?
SNS topics, SQS queues, Lambda, EventBridge
Which feature of S3 enables access to information about requests made to a bucket for security and access audits and helps you understand the S3 bill?
S3 Access Logs
Once enabled, where are S3 Access Logs delivered?
Access logs are delivered to a specified destination S3 bucket; the logs are newline-delimited records with space-delimited attributes
When enabling S3 Access Logs, which limitations of the destination bucket must be considered?
The destination bucket must not have access logging, Object Lock, or Requester Pays enabled
Which S3 feature stores objects using a write-once-read-many (WORM) model to prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely?
S3 Object Lock
Does the Object Lock feature of S3 require versioning to be enabled?
Yes, Object Lock can only be enabled on versioned buckets; individual object versions are locked
Once enabled, can the Object Lock feature of S3 be disabled?
No, once enabled, Object Lock cannot be disabled
Can you suspend versioning on S3 buckets with the Object Lock feature enabled?
No, versioning cannot be suspended on Object Locked buckets
List the main components of the S3 Object Lock feature used to protect object versions from deletion.
Retention periods and Legal Hold
Which types of retention modes are supported by the S3 Object Lock feature?
Compliance Mode and Governance Mode
Which S3 Object Lock component protects an object version for a fixed amount of time?
Retention periods
When S3 Object Lock is enabled, using which retention mode can a protected object version not be overwritten or deleted by any user, including the root user?
Compliance Mode
When S3 Object Lock is enabled, using which retention mode can users not overwrite or delete an object version or alter its lock settings unless they have special permissions?
Governance Mode
Which S3 Object Lock permissions are required to adjust object lock settings in Governance Mode?
The permissions required are s3:BypassGovernanceRetention and the header x-amz-bypass-governance-retention:true
Which S3 Object Lock component prevents an object version from being overwritten or deleted without a fixed amount of time and remains in effect until removed?
Legal Hold
Which S3 Object Lock permission is required to turn off Legal Hold?
s3:PutObjectLegalHold
When the S3 Object Lock feature is enabled, can an individual object version have both Retention Periods and Legal Hold enabled?
Yes, an object version can have both, one of, or none
What feature of S3 simplifies data access at scale for applications using shared data sets on S3, representing unique hostnames that can be created to enforce distinct permissions and network controls for any request made through it?
S3 Access Points
What are the benefits of utilizing the S3 Access Points feature?
Each access point has a unique DNS address and can have different policies and network access control, which reduces the burden of managing complex bucket policies
Can the S3 Access Point feature restrict access to specific prefixes, tags, or actions?
Absolutely
What is considered the best practice when using the S3 Access Points feature?
Implementing permissions delegation, where the bucket policy grants wide open access to the access points, and the access points policy restricts access as needed, providing more granularity over the objects
Which CLI command can be used to create an S3 Access Point?
aws s3control create-access-point --name <name> --account-id <acc_id> --bucket <bucket>
What would you use Amazon S3 for?
Web serving and content management, media and entertainment, retaining backups, big data analytics, and data lakes
What’s a key limitation to consider when naming an S3 bucket?
- S3 bucket names must be globally unique, 3-63 characters long, lowercase letters, numbers, periods, or hyphens only (no underscores), start with a letter or number, and cannot be in IP format
- There’s a soft limit of 100 buckets and a hard limit of 1,000 per AWS account
- Each bucket can hold an unlimited number of objects, ranging from 0 bytes to 5 TB in size
What AWS S3 feature allows the user downloading data from the bucket to pay the transfer-out fees?
The Requester Pays feature
What bucket-level configuration must be updated to enable the Requester Pays feature in AWS S3?
Change the bucket’s setting from Payer=Owner to Payer=Requester
Can the AWS S3 Requester Pays feature be enabled for individual objects within a bucket?
No, it is a bucket-level feature and applies to the entire bucket
Does the AWS S3 Requester Pays feature support BitTorrents or Static Website Hosting?
No, it is not compatible with these functionalities
Is unauthenticated access supported by AWS S3 buckets with the Requester Pays feature enabled?
No, authenticated access is required, as AWS S3 must allocate billing to a specific identity
What header must be included in requests to AWS S3 buckets with the Requester Pays feature enabled to confirm payment responsibility?
The x-amz-request-payer header must be supplied
Which AWS encryption type enhances data protection by applying two layers of encryption using keys managed by AWS Key Management Service (KMS)?
DSSE-KMS (Dual-layer Server-Side Encryption with AWS KMS keys) enhances security by encrypting data twice, with each layer managed by AWS KMS
What AWS S3 feature allows for auditing and reporting on the replication and encryption status of objects for business, compliance, and regulatory requirements?
AWS S3 Inventory
How can Multi-Factor Authentication (MFA) be enforced when accessing AWS S3 objects?
Implement a bucket policy with a Deny effect that includes the condition "aws:MultiFactorAuthPresent":"false"
If a user has sufficient permissions to upload objects to AWS S3 but receives an ‘access denied’ error, what could be the issue?
The IAM user’s policy may need to be updated to include the kms:GenerateDataKey action
AWS S3 will reject any requests made over HTTP using what bucket encryption type?
SSE-C
What AWS CLI options can be used for server-side pagination when listing objects within an AWS S3 bucket using the aws s3api list-objects CLI operation?
- --no-paginate: prevents automatic handling of pagination tokens
- --page-size: requests a smaller number of items per API call
- --max-items: limits the total number of items returned
- --starting-token: specifies the token for retrieving the next set of items
Which AWS S3 feature enables applications to retrieve a subset of data from an S3 object using simple SQL expressions, achieving performance improvements?
S3 Select
Which AWS S3 feature can help audit and report on the replication and encryption status of objects for compliance and regulatory needs in Amazon S3?
S3 Inventory
Which AWS S3 feature helps analyze storage access patterns to decide when to transition data to the right storage class?
S3 Analytics
What happens if you delete an AWS S3 bucket and immediately list all buckets?
The deleted bucket might still appear in the list due to the eventual consistency model of bucket configurations
What happens if an object is deleted from AWS S3 bucket and immediately accessed for read?
S3 will not return any data as the object has been deleted, since it provides strong read-after-write consistency for PUT and DELETE operations
AWS S3 event notifications are designed to be delivered at least once; what happens if two writes are made to a single non-versioned S3 object at the same time?
It is possible that only a single event notification will be sent