S3

Question 1

Which S3 security feature can define principals that are allowed to access S3 resources under certain conditions?

Answer 1

S3 Bucket policy (resource-based policy)

Question 2

Which S3 security feature provides controls across an entire AWS Account or at the individual S3 bucket level to ensure that objects will never be accessed publicly?

Answer 2

S3 Block Public Access

Question 3

Name the S3 (legacy) security feature that defines which AWS accounts or groups are granted access and the type of access to both buckets and individual objects within a bucket.

Answer 3

S3 Access Control Lists (ACLs)

Question 4

Provide a good use case for utilizing a bucket policy (resource-based policy) when configuring bucket access permissions.

Answer 4

For permissions that require anonymous user access or cross-account access, or when controlling access to a single S3 resource.

Question 5

Provide a good use case for utilizing an IAM policy (identity-based policy) when configuring bucket access permissions.

Answer 5

For permissions required within the same account, or when controlling access to a range of different resources.

Question 6

Which S3 feature allows you to keep multiple variations of an object and provides the ability to preserve, retrieve, and restore every variation?

Answer 6

S3 Bucket Versioning

Question 7

When you create an S3 bucket, is versioning enabled by default?

Answer 7

No, versioning is disabled by default.

Question 8

Can versioning be disabled on the S3 bucket?

Answer 8

No, once enabled, versioning cannot be disabled. However, it can be suspended and re-enabled when required.

Question 9

Which S3 security feature requires additional authentication to allow permanent object version deletion or changing the versioning state of the bucket?

Answer 9

MFA delete

Question 10

Which S3 feature allows an application to upload a large object as a set of smaller parts uploaded in parallel?

Answer 10

S3 Multipart upload

Question 11

Is it S3’s responsibility to combine smaller pieces into the original object during a multipart upload?

Answer 11

Yes

Question 12

What is the recommended minimum file size to start considering S3 multipart upload?

Answer 12

100MiB

Question 13

What is the minimum and maximum part size for an S3 multipart upload?

Answer 13

The minimum part size is 5MiB, and the maximum part size is 5GiB. The last part (leftover) can be less than 5MiB.

Question 14

Which S3 feature reduces the variability in internet routing, congestion, and speeds that can affect transfers, and logically shortens the distance to S3, resulting in faster uploads?

Answer 14

S3 Transfer Acceleration

Question 14

What is the maximum number of data parts for an S3 multipart upload?

Answer 14

10,000 parts

Question 15

Which components of AWS global infrastructure does S3 Transfer Acceleration utilize?

Answer 15

Edge Locations, to transfer data over the AWS Global Network

Question 16

Which naming restriction may apply to the S3 bucket to enable the Global Acceleration feature?

Answer 16

The bucket name cannot contain periods and must be DNS-compatible.

Question 16

Is S3 Transfer Acceleration enabled by default?

Answer 16

No, it is disabled by default. Enabling Transfer Acceleration incurs additional costs.

Question 17

Are S3 buckets encrypted?

Answer 17

Buckets are not encrypted; objects are.

Question 18

Which types of encryption does S3 support?

Answer 18

Client-side and server-side (SSE-S3, SSE-KMS, and SSE-C)

Question 19

Which type of S3 encryption protects data in transit and at rest so that data is never exposed to any third parties, including AWS? Using this encryption type, you are responsible for key management as well as the encryption and decryption process.

Answer 19

Client-side encryption

Question 20

Which type of S3 encryption automatically encrypts data at the object level as it is written and decrypts it for you when you access it?

Answer 20

Server-side encryption

Question 20

Name a type of S3 server-side encryption, where S3 handles key management as well as the encryption and decryption process but provides no control over encryption keys and no role separation.

Answer 20

SSE-S3 (server-side encryption with S3-managed keys)

Question 21

Name a type of S3 server-side encryption where S3 handles the encryption and decryption process while delegating KMS to manage encryption keys, providing key rotation control and role separation.

Answer 21

SSE-KMS (server-side encryption with KMS-managed keys)

Question 22

Name a type of S3 server-side encryption where S3 handles the encryption and decryption process while delegating customers to manage encryption keys (customers provide encryption keys for each encryption or decryption operation).

Answer 22

SSE-C (server-side encryption with customer-provided keys)

Question 23

Which S3 feature can reduce KMS request costs by decreasing the request traffic from S3 to KMS?

Answer 23

S3 Bucket-level keys

Question 24

What S3 storage classes are there?

Answer 24

Standard, Standard IA, One Zone IA, Glacier (Instant Retrieval, Flexible Retrieval, and Deep Archive), and Intelligent Tiering

Question 25

Which S3 storage class should be used to store frequently accessed non-replaceable data?

Answer 25

Standard

Question 26

Which S3 storage class has no retrieval fee but the most expensive storage fee?

Answer 26

Standard

Question 27

Which S3 storage class should be used to store infrequently accessed, important, and non-replaceable data?

Answer 27

Standard IA

Question 28

Which S3 storage class should be used to store infrequently accessed, non-critical data that can be easily recreated?

Answer 28

One Zone IA

Question 29

Which S3 storage classes replicate data across 3 AZs?

Answer 29

Standard, Standard IA, Glacier

Question 30

How is S3 billed?

Answer 30

S3 incurs a GB/month storage fee, transfer out fee, and per 1k requests fee. Some storage classes incur an additional retrieval fee and a minimum capacity charge (40-128KB), which can vary based on the storage class

Question 31

Which storage classes have a duration charge for a minimum of 30 days of storage?

Answer 31

Standard IA, One Zone IA

Question 32

Which storage classes have a duration charge for a minimum of 90 days of storage?

Answer 32

Glacier Instant Retrieval, Glacier Flexible Retrieval

Question 33

Which storage classes have a duration charge for a minimum of 180 days of storage?

Answer 33

Glacier Deep Archive

Question 34

Which S3 storage class should be used to store non-replicable data that is not often accessed but requires access in real-time?

Answer 34

Glacier Instant Retrieval

Question 35

Which S3 storage class should be used to store archival data, where frequent or real-time access is not required but can be accessed within a 12-hour window?

Answer 35

Glacier Flexible Retrieval

Question 36

Which S3 storage class should be used to store archival data, where frequent or real-time access is not required but can be accessed within a 48-hour window?

Answer 36

Glacier Deep Archive

Question 37

In which S3 storage class is data cold and not instantly accessible but can be temporarily retrieved to S3 Standard IA via Expedited (1-5 min), Standard (3-5 h), or Bulk (5-12 h) jobs (faster = more expensive)?

Answer 37

Glacier Flexible Retrieval

Question 38

In which S3 storage class is data frozen and not instantly accessible but can be temporarily retrieved to S3 Standard IA via Standard (12 h) or Bulk (48 h) jobs (faster = more expensive)?

Answer 38

Glacier Deep Archive

Question 39

Which S3 storage class should be used for cases where data access patterns are unknown?

Answer 39

Intelligent Tiering

Question 40

What tiers are present in the Intelligent Tiering storage class?

Answer 40

Frequent Access, Infrequent Access, Archive Instant Access, Archive Access, and Deep Archive Access tiers

Question 41

In the S3 Intelligent Tiering storage class, how long does it take for an object to transfer from one tier to another?

Answer 41

For non-archival tiers, 30 days; for archival tiers, 90-180 days

Question 42

Which feature of S3 provides a set of rules that can define actions that S3 applies to a group of objects ensuring cost-effective management through their lifecycle?

Answer 42

S3 Lifecycle configuration

Question 43

What types of actions can be configured in the S3 lifecycle configuration?

Answer 43

Transition actions, Expiration actions

Question 44

What kind of S3 lifecycle configuration action defines when an object transitions to another storage class?

Answer 44

Transition actions

Question 45

What kind of S3 lifecycle configuration action defines when an object expires so that S3 deletes these objects on your behalf?

Answer 45

Expiration actions

Question 46

What is the minimum timeframe required for the S3 lifecycle configuration transition action to occur?

Answer 46

30 days

Question 47

With S3 lifecycle configuration, can an object be transitioned to any storage class?

Answer 47

No, the transitioning process follows a waterfall model: Standard -> Standard IA -> Intelligent Tiering -> One Zone IA -> Glacier IR -> Glacier FR -> Glacier DA.

Question 48

Which S3 feature allows objects to be copied between SOURCE and DESTINATION buckets in the same or different AWS Accounts?

Answer 48

S3Replication

Question 49

Which types of replication does S3 offer?

Answer 49

Cross-Region Replication (CRR) and Same-Region Replication (SRR)

Question 50

When would you use S3 Cross-Region Replication over Same-Region Replication?

Answer 50

CRR is used for architecting globally-resilient environments or implementing latency reduction. SRR is used for resilience with strict sovereignty, logs aggregation, and PROD/TEST environment synchronization

Question 51

Which feature of S3 adds a guaranteed 15-minute replication SLA?

Answer 51

S3 Replication Time Control (RTC)

Question 52

When replication is configured in S3, are all objects being replicated?

Answer 52

Replication options allow configuration to replicate all objects or a subset of objects based on prefixes

Question 53

When replication is configured in S3, what storage class do objects belong to in the DESTINATION bucket, and what’s their ownership?

Answer 53

Replication options allow configuration of the objects’ storage class and ownership; by default, it’s the same as the SOURCE bucket

Question 54

Once replication is configured for the S3 bucket, will it retroactively replicate objects that existed in the bucket before replication was configured?

Answer 54

No, to replicate existing objects, batch replication must be performed

Question 55

To configure replication in S3, what must be enabled on both SOURCE and DESTINATION buckets?

Answer 55

S3 Versioning

Question 56

Is S3 replication a one-way process?

Answer 56

By default, yes. However, it can be configured to be bi-directional

Question 57

Can objects in S3 Glacier Flexible Retrieval (FR) or Glacier Deep Archive (DA) be replicated?

Answer 57

No

Question 58

When S3 replication is configured, will deleting an object operation replicate?

Answer 58

No, by default. This requires the configuration of DeleteMarkerReplication

Question 59

Can S3 replication handle both encrypted and unencrypted objects?

Answer 59

Yes, with some extra configuration

Question 60

When configuring S3 replication, which permissions does the SOURCE bucket owner require?

Answer 60

The owner of the SOURCE bucket requires permission for objects that will be replicated

Question 61

When configuring S3 replication, will system events such as lifecycle management events also be replicated?

Answer 61

No, system events are not replicated.

Question 62

Which S3 security feature allows generating a URL with encoded access permissions for a specific bucket or object, valid for a certain period of time?

Answer 62

S3 PreSigned URLs

Question 63

When you generate an S3 PreSigned URL, whose permissions are attached to the URL?

Answer 63

The permissions belong to the identity (user or role) that generated the URL (right now)

Question 63

Is it possible to generate S3 PreSigned URLs for objects that you do not have access to?

Answer 63

Yes, you can generate a PreSigned URL by specifying the object and expiration time, but access to this object will be denied if you don’t have permission

Question 64

What does an “Access Denied” error message mean when accessing an object via a PreSigned URL?

Answer 64

It indicates that the identity used to generate the PreSigned URL either no longer has permission to access the object or never had permission

Question 65

Can you use an IAM Role to generate an S3 PreSigned URL?

Answer 65

Yes, although it’s not recommended practice because PreSigned URLs become invalid as soon as the temporary credentials associated with the IAM Role expire, generally we should use IAM user

Question 66

What is the maximum validity period for an S3 PreSigned URL?

Answer 66

7 days

Question 67

Which feature of S3 lets you specify targeted portions of an object (a range of bytes in SQL-like statements) to retrieve and return rather than returning the entire contents of the object?

Answer 67

S3 Select, or Glacier Select

Question 68

Which feature of S3, once configured by identifying the event to be published, sends notifications when certain events happen in the bucket?

Answer 68

S3 Event Notifications

Question 69

What kinds of events can S3 Event Notifications publish?

Answer 69

ObjectCreated, ObjectRemoved, ObjectRestore

Question 70

To which AWS services can S3 Event Notifications be delivered as targets?

Answer 70

SNS topics, SQS queues, Lambda, EventBridge

Question 71

Which feature of S3 enables access to information about requests made to a bucket for security and access audits and helps you understand the S3 bill?

Answer 71

S3 Access Logs

Question 71

Once enabled, where are S3 Access Logs delivered?

Answer 71

Access logs are delivered to a specified destination S3 bucket. The logs are newline-delimited records with space-delimited attributes

Question 71

When enabling S3 Access Logs, which limitations of the destination bucket must be considered?

Answer 71

The destination bucket should not have access logs, object lock, and requester pays features enabled

Question 72

Which S3 feature stores objects using a write-once-read-many (WORM) model to prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely?

Answer 72

S3 Object Lock

Question 73

Does the Object Lock feature of S3 require versioning to be enabled?

Answer 73

Yes, Object Lock can only be enabled on versioned buckets. Individual versions of objects are locked

Question 74

Once enabled, can the Object Lock feature of S3 be disabled?

Answer 74

No, once enabled, Object Lock cannot be disabled

Question 75

Can you suspend versioning on S3 buckets with the Object Lock feature enabled?

Answer 75

No, versioning cannot be suspended on Object Locked buckets

Question 76

List the main components of the S3 Object Lock feature used to protect object versions from deletion.

Answer 76

Retention periods and Legal Hold

Question 77

Which types of retention modes are supported by the S3 Object Lock feature?

Answer 77

Compliance Mode and Governance Mode

Question 78

Which S3 Object Lock component protects an object version for a fixed amount of time?

Answer 78

Retention periods

Question 79

When S3 Object Lock is enabled, using which retention mode can a protected object version not be overwritten or deleted by any user, including the root user?

Answer 79

Compliance Mode

Question 80

When S3 Object Lock is enabled, using which retention mode can users not overwrite or delete an object version or alter its lock settings unless they have special permissions?

Answer 80

Governance Mode

Question 81

Which S3 Object Lock permissions are required to adjust object lock settings in Governance Mode?

Answer 81

The permissions required are s3:BypassGovernanceRetention and the header x-amz-bypass-governance-retention:true

Question 82

Which S3 Object Lock component prevents an object version from being overwritten or deleted without a fixed amount of time and remains in effect until removed?

Answer 82

Legal Hold

Question 83

Which S3 Object Lock permission is required to turn off Legal Hold?

Answer 83

s3:PutObjectLegalHold

Question 84

When the S3 Object Lock feature is enabled, can an individual object version or a bucket default have both Retention Periods and Legal Hold enabled?

Answer 84

Yes, an object version can have both, one of, or none

Question 85

What feature of S3 simplifies data access at scale for applications using shared data sets on S3, representing unique hostnames that can be created to enforce distinct permissions and network controls for any request made through it?

Answer 85

S3 Access Points

Question 86

What are the benefits of utilizing the S3 Access Points feature?

Answer 86

Each access point has a unique DNS address and can have different policies and network access control, which reduces the burden of managing complex bucket policies.

Question 87

Can the S3 Access Point feature restrict access to specific prefixes, tags, or actions?

Answer 87

Absolutely

Question 88

What is considered the best practice when using the S3 Access Points feature?

Answer 88

Implementing permissions delegation, where the bucket policy grants wide open access to the access points, and the access points policy restricts access as needed, providing more granularity over the objects.

Question 89

Which CLI command can be used to create an S3 Access Point?

Answer 89

aws s3control create-access-point –name <name> --account-id <acc_id> --bucket <bucket></bucket></acc_id></name>

Question 90

What would you use Amazon S3 for?

Answer 90

Web serving and content management, media and entertainment, retaining backups, big data analytics, and data lakes

Question 91

What’s a key limitation to consider when naming an S3 bucket?

Answer 91

S3 bucket names must be globally unique, 3-63 characters long, lowercase letters, numbers, periods, or hyphens only (no underscores), start with a letter or number, and cannot be in IP format. There’s a soft limit of 100 buckets and a hard limit of 1,000 per AWS account. Each bucket can hold an unlimited number of objects, ranging from 0 bytes to 5 TB in size