S3 Flashcards

1
Q

AWS Bucket

A

Container for objects

Store unlimited number of objects in bucket

2
Q

S3 key, S3 value

A

Name of the file
Binary of file

3
Q

URL Pattern to access objects in bucket

A

https://[bucket].s3.[aws-region].amazonaws.com/[key]
https://s3.[aws-region].amazonaws.com/[bucket]/[key]

4
Q

What does an S3 object consist of?

A

Key
Value
Version ID
Metadata
Sub resources?
Access control information

5
Q

S3 Gateway Endpoint

A

EC2 instances connecting to S3 using private addresses

Used for private subnet EC2s that want to communicate with S3

6
Q

File Storage vs Object Storage

A

File Share
-data stored in directories
-can have hierarchy of directories
-file systems are mounted to OS (drive name in Windows)
-functions like local storage
-network connection is maintained; don’t need to remount

Object Store
-data stored in buckets
-flat namespace, no hierarchy
-hierarchy can be mimicked with prefixes (e.g. prefix in the object key name)
-accessed via REST API
-network connection reset with each request/complete after each request

7
Q

Durability

S3 Durability offers how many 9’s

A

Protection against data loss and data corruption

11 9’s 99.999999999

8
Q

Availability

S3 Availability offers how many 9’s

A

a measurement of the amount of time the data is available to you

expressed as percentage of time per year

4 9’s, 99.99%

9
Q

What are the S3 storage classes and where are they set?

A

Standard
S3 Intelligent Tiering
Standard IA
One Zone IA
Glacier Instant Retrieval
Glacier Flexible Retrieval
Glacier Deep Archive

Storage class applies to objects

10
Q

Which storage classes offer a different number of 9’s?

A

One Zone IA offers 99.5% availability,
S3 Intelligent Tiering, Standard IA, Glacier Instant Retrieval offer 99.9%,
while all others offer 4 9’s

11
Q

Which storage class has retrieval fees?

How is the retrieval fee measured?

A

Standard IA
One Zone IA
Glacier Instant Retrieval
Glacier Flexible Retrieval
Glacier Deep Archive

Per GB retrieved

12
Q

Which storage classes have a minimum storage duration charge?

What is the minimum for each?

A

Standard IA - 30 days
One Zone IA - 30 days
Glacier Instant Retrieval - 90 days
Glacier Flexible Retrieval - 90 days
Glacier Deep Archive - 180 days

13
Q

Which storage classes have a minimum capacity charge per object?

What is the minimum for each?

A

Standard IA - 128KB
One Zone IA - 128KB
Glacier Instant Retrieval - 128KB
Glacier Flexible Retrieval - 40KB
Glacier Deep Archive - 40KB

14
Q

How many AZ’s is the data replicated in for each storage class?

A

All 3 AZ’s except for One Zone IA which is only one AZ

15
Q

What is the Availability SLA for each storage class?

A

Standard - 99.9%
S3 Intelligent Tiering - 99%
Standard IA- 99%
One Zone IA- 99%
Glacier Instant Retrieval- 99%
Glacier Flexible Retrieval - 99.9%
Glacier Deep Archive - 99.9%

16
Q

S3 Standard Storage class

A

Default storage class

17
Q

S3 Intelligent Tiering Storage class

A

Automatically move data between different storage classes based on how you are using data for cost and performance

18
Q

Standard IA Storage class

A

For infrequently accessed data, lower cost for data storage but fee for data retrieval and minimum storage duration and capacity charge

19
Q

One Zone IA Storage class

A

For infrequently accessed data only stored in one AZ

20
Q

Glacier Instant Retrieval Storage class

A

Storage class with the fastest access to archival data;
access data within milliseconds

21
Q

Glacier Flexible Retrieval Storage class

A

Lesser need to access archival data;
access data within minutes to hours (not seconds), lowest minimum capacity charge per object where this applies

22
Q

Glacier Deep Archive Storage class

A

Don’t need to access archival data
access data within hours (not seconds or minutes) and longest minimum storage

23
Q

Amazon Glacier Storage classes

A

used for archival data so you can store it at a much lower cost for a longer time

24
Q

Bucket Policy

A

resource based policies, only attached to S3 buckets

resource specifies bucket

principal specifies user, group, or role

Action is an S3 action

25
Q

S3 ACL

A

Access Control List

Legacy access control mechanism that predates IAM

AWS recommends using S3 bucket policies or IAM policies rather than ACLs

ACLs can be attached to the bucket or an object

Limited options for grantees and permissions

26
Q

When should you use IAM policies vs Bucket policies to control access to S3?

A

IAM policy if:
-You need to control access to AWS services other than S3
-You have numerous buckets each with different permission requirements
-Prefer IAM policy

S3 bucket policy if:
-You need simple way to grant cross account access to S3 env without IAM roles
-Your IAM policies are reaching the size limit
-Prefer bucket policies

27
Q

S3 Versioning

A

a means to keep multiple variants of an object in the same bucket

Use versioning to preserve, retrieve and restore every version of every object stored in your bucket

28
Q

What do version enabled buckets allow?

A

recovery of objects from accidental deletion or overwrite

29
Q

What are the two forms of S3 Replication?

Features, constraints?

A

Cross Region Replication (CRR)

Same Region Replication (SRR)

can be same or different accounts
buckets must have versioning enabled to use replication

30
Q

Cross Region Replication

A

Any data that is written in the original region/bucket is written to the region/bucket configured within CRR

31
Q

Same Region Replication (SRR)

A

Any data that is written in the original region/bucket is written to the same region and different bucket configured within SRR

can be same or different accounts

32
Q

AWS S3 Lifecycle Management

A

Transition Actions - Defines when objects transition to another storage class

Expiration actions - Defines when objects expire/are deleted by S3

33
Q

S3 Lifecycle Transitions

A

Standard to any other
Any storage class to S3 Glacier or S3 Glacier Deep Archive
Standard IA to Intelligent Tiering or One Zone IA
Intelligent Tiering to One Zone IA

34
Q

What transitions are not allowed?

A

Any storage class to Standard, Reduced Redundancy

Intelligent Tiering to Standard IA

One Zone IA to Standard IA or Intelligent Tiering

35
Q

What S3 operations can you add MFA to?

A

Changing the versioning state of a bucket
Permanently deleting an object version

36
Q

What are factors of authentication in MFA for S3?

A

username/password

token generated by HW or SW program

37
Q

What is required for MFA to be configured on bucket?

What must be included in request for MFA operations on a bucket?

A

versioning

The x-amz-mfa request header must be included in the request

38
Q

Who can enable MFA delete?

A

bucket owner (root account)

39
Q

SSE-S3

A

Server-side encryption with S3 managed keys uses:

S3 managed keys
Unique object keys
Master key
AES 256

Encryption/decryption happens on AWS side

Secured at rest via SSE-S3 and in transit via TLS

40
Q

What type of encryption is offered with S3?

A

SSE-KMS: Server side encryption with AWS KMS

SSE-S3: Server-side encryption with S3 managed keys

SSE-C: Server side encryption with client provided keys

S3 Client Side encryption

S3 Default Encryption

41
Q

SSE-C

A

Server side encryption with client provided keys

Client managed keys
Not stored on AWS

42
Q

S3 Client Side encryption

A

Client managed keys
Not stored on AWS or you can use KMS keys

Encryption/decryption on the client side, not in AWS

AWS only sees the encrypted object and cannot encrypt/decrypt it

43
Q

S3 Default Encryption

A

All Amazon S3 buckets have encryption configured by default

All new object uploads to Amazon S3 are automatically encrypted

There is no additional cost and no impact on performance

Objects are automatically encrypted by using server side encryption with Amazon S3 managed keys (SSE-S3)

44
Q

SSE-KMS

A

Server side encryption with AWS KMS managed keys uses

KMS managed keys
Can be AWS managed keys or customer managed KMS keys

Encryption/decryption happens on AWS side

Secured at rest via SSE-KMS and in transit via TLS

45
Q

Can you encrypt unencrypted Amazon S3 objects? If so how, if not why?

A

To encrypt existing unencrypted S3 objects, you can use S3 batch operations

You can also encrypt existing objects using the CopyObject API operation or the copy-object AWS CLI command

46
Q

How can you enforce encryption with bucket policy

A

You can force the type of SSE using condition

“s3:x-amz-server-side-encryption”: [true | type of encryption]

47
Q

S3 Multipart Upload

A

Multipart upload uploads an object in parts, independently, in parallel and in any order

Performed using the S3 Multipart upload API

It is recommended for objects 100 MB and larger

Can be used for objects from 5 MB to 5 TB

Must be used for objects larger than 5 GB

48
Q

S3 Transfer Acceleration

A

Uses CloudFront edge locations to improve performance of transfers from client to S3 bucket

Upload file to CloudFront and then the content traverses the AWS global infrastructure to get to the bucket

Endpoint is different
http://[bucketname].s3-accelerate.amazonaws.com

http://[bucketname].s3-accelerate.dualstack.amazonaws.com

Only charge for additional acceleration if there is a performance improvement

Enable transfer acceleration at the bucket level

Once enabled it can’t be disabled only suspended

Uses anycast packets

49
Q

S3 Select

Glacier Select

A

Use SQL expressions to access the objects within buckets or objects within objects (e.g. zip)

50
Q

Server Access Logging

A

Provides detailed records for the request that are made to a bucket

Details include requester, bucket name, request time, request action, response status, and error code (if applicable)

Disabled by default

Must configure a separate bucket as the destination (can specify a prefix)

Need to grant write permissions to the S3 log delivery group on destination bucket

Need to enable logging to specified bucket (should be different than bucket to avoid endless loop)

51
Q

CORS with Amazon S3

A

Cross Origin Resource Sharing (CORS)

Allow request from an origin to another origin

Origin is defined as DNS name, protocol, port

Must add CORS configuration to bucket to allow requests from the other origin

52
Q

How do you enable CORS with S3

A

Enable through settings:

-Access-Control-Allow-Origin
-Access-Control-Allow-Methods
-Access-Control-Allow-Headers

These settings are defined using rules
Rules are added by using JSON files in S3

53
Q

S3 Object Lambda

A

S3 Object Lambda uses Lambda functions to process the output of an S3 GET request

You can use your own functions or use the AWS pre-built functions

54
Q

S3 Object Lambda - Prebuilt Functions

A

Prebuilt lambda functions that detect PII

PII includes names, addresses, dates, credit card numbers, SSN

PII Access Control - detects PII and restricts access
PII Redaction - detects PII and returns document with the PII redacted
Decompression - decrypts objects compressed with Bzip2, gzip, snappy, zlib, zstandard, and Zip

All functions have ARNs that can be referenced to use these functions

55
Q

Limit to S3 file size

A

up to 5 TB

56
Q

S3 namespace

A

universal namespace so bucket names must be unique globally

57
Q

Where are buckets created and where should you create them as a best practice?

A

Regions

create buckets in region that are physically closest to your users to reduce latency

58
Q

Limit on number of buckets per account

A

By default 100 buckets

59
Q

S3 Event Notifications

A

Sends notifications when events happen in buckets

No polling needed

Destination include:

SNS topics
SQS queues
Lambda

60
Q

What are the cross account access methods for S3?

A

Resource-based policies and IAM policies for programmatic-only access to S3 bucket objects

Resource-based ACLs and IAM policies for programmatic-only access to S3 bucket objects

Cross account IAM roles for programmatic and console access to S3 bucket objects

61
Q

What are S3 Performance Optimization methods

A

S3 supports at least 3500 PUT, COPY, POST, DELETE or 5500 GET/HEAD requests per second per prefix in a bucket

Increase read or write performance by parallelizing reads

Use byte-range fetches

Retry request for latency sensitive applications

Combine S3 storage and EC2 compute in the same region

Use S3 Transfer Acceleration to minimize latency caused by distance

62
Q

Presigned URL?

A

63
Q

Strong read after write consistency

A