S3

Question 1

You have several S3 buckets in your application. Some data is stored in Parquet format while another bucket contains you VPC flow logs. What can you use to analyse this directly?

Answer 1

AWS Athena

Question 2

Can S3 be considered as a database as well as storage?

Answer 2

Yes. S3 data can be queried directly with Athena so can be thought of as a database.

Question 3

What AWS service can be used to mine S3 access logs?

Answer 3

Athena

Question 4

Can you delete a file from an S3 bucket with MFA via the S3 console?

Answer 4

No. It must be deleted via the CLI

Question 5

What are the 3 things that must be done to enable cross region replication in S3

Answer 5

• Versioning must be enabled at source
• Buckets must be in different regions
• IAM Permissions must be set for R.W

Question 6

Why would you use a signed URL to access an S3 bucket?

Answer 6

So you can generate a URL which is valid for a limited time. This is used for ensuring that only authorised users have access to the bucket - i.e. for a premium video or content service for logged in users.

Question 7

Can an S3 Bucket be accessed from instances within a VPC private subnet - i.e a subnet with no internet access

Answer 7

Yes. S3 supports VPC endpoints so buckets can be accessed from a private subnet with no internet access.

Question 8

In S3, who is principal * ?

Answer 8

• is anyone

Question 9

When setting up a static website in S3, what do you need to do?

Answer 9

You need to enable static hosting and you need to grant public access for getObject requests.

Question 10

What is the function of Origin Access Identity?

Answer 10

OAI limits access to an S3 bucket to cloudfront only. This means that someone can’t access your S3 content from the open web.

Question 11

For what requests in S3 do we get read after write consistency - what are the exceptions?

Answer 11

Read after write is for puts of new objects in S3. The exception is if we did a GET, and received a 404 before doing a PUT. This PUT will be eventually consistent.

Question 12

What events result in eventual consistency?

Answer 12

PUTS and DELETES on existing objects.

Question 13

What is the naming convention on S3 buckets?

Answer 13

Lowercase, no underscore, 3-63 chars, not an IP, must start with a lowercase letter or a number.

Question 14

Where do you enable MFA delete for S3? In the bucket console, the IAM console or the CLI?

Answer 14

In the CLI - as the root user.

Question 15

You need to upload a 5.7GB file to S3. What needs to be enabled?

Answer 15

Multipart upload must be enabled for file sizes > 5GB

Question 16

Which policy takes precedent over the other - IAM or Bucket?

Answer 16

IAM policies will take precedent over bucket policies. If the IAM policy has a DENY for writing an object to a bucket - this will override an ALLOW on the bucket policy.

Question 17

In S3 Glacier, what is each item referred to as, where are these stored and what is the max size?

Answer 17

Objects are referenced to as Archives. They are stored in vaults and each archive can be 40TB

Question 18

Can you change the ownership of replicated objects or the storage class for replicated objects for the target in cross region replication?

Answer 18

Yes to both

Question 19

If you looked at an IAM policy for a cross region replication rule, what might you see for source and destination actions?

Answer 19

For a source bucket expect to see list actions. For the target expect to see replication actions.

Question 20

Where are pre-signed URLs generated for S3 and what is the default validity period?

Answer 20

pre-signed URLs are generated via the CLI or SDK. The validity period is 3600 seconds

Question 21

What permissions does a user of a pre-signed URL inherit for PUTs and GETs in an S3 bucket?

Answer 21

the user who uses the pre-signed URL inherits the permissions of the user who created it.

Question 22

Are delete markers replicated in cross region replication?

Answer 22

No

Question 23

Can cross region replication replicate to a bucket in another account?

Answer 23

Yes.

Question 24

There are 3 options that can be applied for replication in cross region replication to determine what gets replicated. What are they?

Answer 24

1. Replicate the whole bucket
2. Replicate objects with specific tags
3. Replicate objects with specific user defined prefix in their name

Question 25

Do all encryption types for S3 support interactions via HTTP AND HTTPS?

Answer 25

No. SSE-C must use HTTPS

Question 26

When uploading to an S3 bucket usig SSE-C, how is the client key transmitted? What about for other requests to this bucket?

Answer 26

The encryption key is in the header of the request. All requests to S3 SSE-C buckets must contain this key

Question 27

When uploading data to S3 using SSE-C, which protocol must you use?

Answer 27

HTTPS. The upload must be encrypted in transit

Question 28

With respect to S3 encryption, what does KMS-CMK refer to?

Answer 28

KMS Customer master key. this is what S3 encrypts data with under SSE-KMS

Question 29

what are the 4 methods of S3 encryption?

Answer 29

SSE-S3: Server side encyption with keys managed by KMS
SSE-KMS: Server side encryption using AWS KMS
SSE-C: Server Side encryption using a customer key
Client Side: Client encrypts data on their side and uploads

Question 30

If you enable versioning on a previously un-versioned bucket what will the version numbers be for objects in that bucket?

Answer 30

“Null”

Question 31

In S3 what level is versioning enabled at?

Answer 31

At the bucket level

Question 32

Does multipart upload support parallel uploads?

Answer 32

Yes. this helps with upload throughput

Question 33

Can you pause or resume an upload to S3?

Answer 33

Yes, using Multipart uploads

Question 34

What tiers does S3 Intelligent Tiering (IT) operate on?

Answer 34

S3 and S3-IA

Question 35

What is the purpose of the following 4 elements in a bucket policy? Resources, Actions, Effect, Principal?

Answer 35

Resource: The bucket or objects in the bucket the policy applies to.
Actions: The API actions against the bucket we will allow or deny
Effect: Allow/Deny
Principal: Account of User to apply the policy to,

Question 36

When routing traffic to a static website hosted in S3, does the S3 bucket have to have the same name as the domain or subdomain registered in route 53?

Answer 36

Yes

Question 37

What requests are logged via S3 access logging?

Answer 37

All requests, from anywhere from any account authorised or denied.

Question 38

Does AWS Glacier encrypt data at rest by default?

Answer 38

Yes

Question 39

When using S3 logs, should you store these in the bucket being logged, or in a separate one - why?

Answer 39

Seperate buckets always - or else the logging activity gets logged.

Question 40

Are you changed for the amount of data on an EBS volume, or the provisioned space?

Answer 40

You are charged for the provisioned space

Question 41

What is the difference between snowball, and snowball edge?

Answer 41

Snowball can store 72TB of data. SB Edge can store 83TB and has local processing capabilities.

Question 42

What S3 encryption type requires the following request headers:
X-AMZ-SERVERSIDE-ENCRYPTION: AES256
X-AMZ-SERVERSIDE-ENCRYPTION: AWS-KMS

Answer 42

AES256=SSE-S3

AWS:KMS=SSE-KMS

Question 43

Is cross region replication synch or asynch?

Answer 43

Asynch

Question 44

There are 2 ways to enforce S3 encryption:
-Use of headers on puts
-Use of default encryption setting on the bucket
Use of headers is enforced by bucket policies. Which order are these evaluated in and which has precedent over the other?

Answer 44

Bucket policies are enforced first.
The easy way to enforce encryption is via the default encryption settings. If something goes wrong on upload, check the policy.

Question 45

What would you use to log and track every request to an S3 bucket including the requester, bucket name, request action, referrer, turn-around time and error code info? What service would you use and why?

Answer 45

You would use server access logging/ Cloud trail will provide detailed data on API calls but does not capture data on the referrer or turn around time.

Question 46

Can you transition an object from S3 to S3-IA or S31Z IA after 7 days?

Answer 46

No transitions to S3IA or 1ZIA can only occur after a minimum of 30 days.

Question 47

What are the minimum and maximum file sizes for S3?

Answer 47

0 Bytes. 5TB.

Question 48

For S3-IA, S3-1ZIA and S3-IT what are the minimum retention periods for objects stored in these classes (in days)?

Answer 48

30 Days

Question 49

For S3 Glacier and Glacier Deep Archive, what is the minimum retention period for objects (in days)?

Answer 49

90 and 180 Days respectively

Question 50

For S3 glacier, what latency can we expect when we retrieve an object for an expedited request?

Answer 50

1-5 minutes

Question 51

For S3 Glacier, what latency can we expect when we retrieve an object for a standard request?

Answer 51

3-5 Hours

Question 52

For S3 Glacier, what latency can we expect when we retrieve objects for a bulk request?

Answer 52

5-10 Hours

Question 53

How many AZ’s is S3 replicated over? What is the exception?

Answer 53

at least 3 AZ’s with the exception of 1Z-IA

Question 54

What 2 storage tiers does S3-IT operate on?

Answer 54

S3-GP and S3-IA

Question 55

Are the S3 performance baselines per account or per S3 Prefix?

Answer 55

Per S3 Prefix

Question 56

If we take the following bucket structure, what is the S3 prefix: Bucket/Folder1/Sub1/file

Answer 56

Folder1/Sub1

Question 57

How many S3 prefixes can you have?

Answer 57

Practically there is no limit.

Question 58

For an S3 lifecycle rule, what is a transition action?

Answer 58

It defines when an object is transitioned from 1 storage tier to another

Question 59

What is the maximum object size in S3 Glacier?

Answer 59

40TiB

Question 60

You have enabled cross region replication on a bucket containing some objects. When you check the replication target, none of the objects are there. Why?

Answer 60

Only new objects are replicated.

Question 61

In terms of the S3 baseline performance - how can these be impacted by S3 SSE-KMS?

Answer 61

If you are using S3 SSE-KMS, these calls have their own limits per region ranging from 5500 to 30000 requests/second. On a bucket with very high request rates KMS may throttle.

Question 62

In terms of GET, HEAD and PUTs what are the baseline request per second performance?

Answer 62

3500 for PUTS and 5500 for GET and HEAD

Question 63

You are uploading a file to an S3 bucket using Transfer acceleration. Which AWS component is the file uploaded to FIRST?

Answer 63

The file is uploaded to an AWS Edge location and then is transferred over the AWS private network to the bucket. This can significantly increase the upload speed

Question 64

When SHOULD you enable multi-part upload, and when MUST you enable it?

Answer 64

you SHOULD use multi-part upload for files over 100MB. You MUST use it for files over 5GB

Question 65

What does an S3 Byte Range Fetch allow?

Answer 65

It allows for parallel downloads of a large file by specific a range of bytes for each parallel request to download. Similar to a multi-part upload but in reverse.

Question 66

You are required to ensure that your application is resilient when it comes to downloading large files from s3. What can help you achieve this?

Answer 66

S3 Byte Range Fetch

Question 67

You need to download the headers of files in S3. You know that in each case the header is contained in the first 50 bytes of the file. What can you use to achieve this?

Answer 67

S3 Byte Range Fetch

Question 68

We have a very large CSV file stored on S3 containing 15 years of sales data. We have built an application that allows the user to filter this set by a date or a product code. Currently, when the application runs it retrieves the entire CSV from S3 and filters it locally. We don’t want to build a database to store the data in, so what S3 technology could we use to offload the filtering task from the local application?

Answer 68

S3 Select will allow simple SQL queries to be used to filter data directly on S3 allowing us to return only the data requested to the client (Also, Glacier Select for Glacier)

Question 69

There are 3 targets for S3 Event notifications. What are they?

Answer 69

SNS, SQS, Lambda

Question 70

We have an S3 event rule set up in an S3 bucket which does not have versioning enabled. Looking at our event handler we can see that an event has fired when an object has been written to. Checking the S3 server access logs though we see that 2 writes were made to the same object concurrently. Why did we only see one event?

Answer 70

On non-versioned objects, if two writes happen at the same time, occasionally only ONE of those may trigger an event. To ensure that every write triggers an event enable versioning.

Question 71

We have an application that allows a user to upload images into an S3 bucket for an album. Part of the use case is that we need to generate a thumbnail every time an image is uploaded. What would we use to trigger this process

Answer 71

We can set up an S3 event notification on the bucket to trigger an event which gets fired to SQS, SNS or Lambda (depending on the architecture) when a image object is created.

Question 72

We have our VPC flow logs being shipped to an S3 bucket. We want to perform analysis on these logs, but don’t want to pull them down locally to do this. What AWS tool allows us to analyse data directly on S3 that we could apply to our flow logs?

Answer 72

Amazon Athena allows you to analyse data directly on S3. This is different to S3 select.

You can think about AWS S3 Select as a cost-efficient storage optimization that allows retrieving data that matches the predicate in S3 and glacier aka push down filtering.

AWS Athena is fully managed analytical service that allows running arbitrary ANSI SQL compliant queries - group by, having, window and geo functions, SQL DDL and DML.

Question 73

You suspect some of your employees to try to access files in S3 that they don’t have access to. How can you verify this is indeed the case without them noticing?

Answer 73

Enable S3 access logging and then analyse using Athena

Question 74

You are looking to provide temporary URLs to a growing list of federated users in order to allow them to perform a file upload on S3 to a specific location. What should you use?

Answer 74

S3 pre-signed URL’s