S3

Question 1

Which S3 encryption type MUST use HTTPS for uploads and why?

Answer 1

SSE-C MUST use HTTPS as the encryption key is sent in the header for each and every request

Question 2

Your client wants to make sure the encryption is happening in S3, but wants to fully manage the encryption keys and never store them in AWS. What encryption scheme would you use?

Answer 2

SSE-C. NOT client side encryption as this allows you to manage keys but NOT have encryption occurring in S3

Question 3

You delete an object from S3, but as soon as you do this you find you can still access it and its still there? Why

Answer 3

Deletes are eventually consistent on S3

Question 4

Does cross region replication in S3 apply to new AND existing objects?

Answer 4

NEW objects only

Question 5

The bucket policy allows our users to read/write files in the bucket, yet we were not able to perform a PutObject API call. What is your assessment?

Answer 5

There is probably an explicit DENY on the IAM policy

Question 6

Name 3 event notification destinations for an s3 bucket

Answer 6

lambda, SQS, SNS

Question 7

Your company wants data to be encrypted in S3, and maintain control of the rotation policy for the encryption keys. What encryption scheme would you use?

Answer 7

SSE-KMS

Question 8

You have a website that loads files from another S3 bucket. The files work when you access them directly via the s3 URL via a browser, but fail when you use the website that calls them. Whats wrong?

Answer 8

This is a CORS problem. If CORS is not enabled then the files won’t load.

Question 9

Which s3 types have 11 9’s durability? What about availability?

Answer 9

All of them have 11 9’s.
s3: 99.99% Avail
s3-IT: 99.9%
S3-1ZIA: 99.5%%

Question 10

What are the two things that require MFA delete in S3?

Answer 10

1. permanently delete an object version

2. Suspend versioning

Question 11

How do you enforce encryption on NEW objects ADDED to an S3 bucket (new way and old way)

Answer 11

New Way: Enable encryption for new objects
Old Way: Create a bucket policy to enforce the presence of the AWS-SERVER-SIDE-ENCRYPTION header and a valid encryption scheme in the header (i.e AES256). The value of the header must match the encryption scheme for the bucket.

Question 12

What are the 4 types of encryption on S3?

Answer 12

SSE-S3
SSE-KMS
SSE-C
Client Side encryption

Question 13

If you have an existing bucket with objects in it, and enable versioning, what version will those existing objects have?

Answer 13

Null.

Question 14

In a versioned bucket - when you delete an object, what happens?

Answer 14

The object remains, but a delete marker is set.

Question 15

Can you set up MFA delete in the AWS console?

Answer 15

No, it must be setup in the CLI

Question 16

For S3 standard, how many AZ’s can it tolerate being down at any one time?

Answer 16

2

Question 17

What are the 3 retrieval options for Glacier, and how long does it take to retrieve an object for each?

Answer 17

Expedited: 1-5 minutes
Standard: 3-5 Hours
Bulk: 5-12 Hours

Question 18

What are the two security models for S3?

Answer 18

User based: IAM policies specifying which api calls should be allowed for a specific user

Resource Based: Bucket policies specifying which actions and principals can operate on a bucket

Question 19

Why would you choose SSE-KMS over SSE-S3

Answer 19

If you want to manage your keys. KMS offers:

• User control over key rotation
• Audit trail for how the key has been used

Question 20

What three things do you need to do enable static website hosting on s3?

Answer 20

1. Enable static website hosting
2. Make the bucket public
3. Create a policy allowing getObject requests on the bucket

Question 21

You suspect that people in your organization have been trying to access objects in S3 they don’t have access to. How can you verify this without them knowing?

Answer 21

Enable s3 access logs. These will log all requests from any one as well as the allow/deny status. You can then query these in Athena. They are cost effective, easy to set up and leverage existing capabilities within AWS.

Question 22

What is the maximum number of puts and gets/sec on s3?

Answer 22

3500 puts, 5500 gets.

Question 23

You need to assign temporary credentials to access an S3 bucket in a master account. You don’t want to create an IAM user for this one action, and its likely that access will only be needed for a short period of time (less than one hour). What can you do (3 steps)

Answer 23

You can use STS and assume a role:

• Determine the required IAM role
• Define the principals who can access the role
• Use STS to retrieve the credentials via the Assume Role API

Question 24

What are the 3 conditions under which a principal can access an s3 object (hint: think permissions and policies)

Answer 24

The user IAM permissions allow access 
OR
The resource policy allows it 
AND
There is no explicit deny

Question 25

What does this policy allow:
{
    "Version": "2012-10-17",
    "Id": "Policy1607380831371",
    "Statement": [
        {
            "Sid": "Stmt1607380830068",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::udemydevassocbucket-extrares/*"
        }
    ]
}

Answer 25

it allows getobject requests on the bucket for everyone (principal:”*”)

Question 26

Can you set an s3 objects permissions on upload, or do you need to wait until its uploaded?

Answer 26

you can set an objects permissions on upload.

Question 27

For S3, does versioning need to be enabled for MFA delete?

Answer 27

Yes

Question 28

You need to upload an object to a bucket using SSE-C. Can you use the console for this?

Answer 28

No. SSE-C must be done via the CLI

Question 29

what is the maximum size of an object in an S3 bucket?

Answer 29

5TB

Question 30

Are PUTS on new objects eventually or read after write consistent. Is there an exception?

Answer 30

Read After Write. The exception is if you do a GET on the object before you create it and receive a 404 and then PUT the object. In this case, it will be eventually consistent

Question 31

Can you upload a file directly to Glacier via the management console?

Answer 31

No. You need to use the CLI or code directly against the API or use the SDK

Question 32

Could you use S3 as a cache for a web applications session state?

Answer 32

You could, but you wouldn’t. S3 has higher latency that Elasticache, Dynamo or EFS and is not intended for small objects.

Question 33

What is the maximum size of a file upload for S3? If you need to upload something larger than this, what must you do?

Answer 33

5GB. If you need to upload larger files, enable multipart upload

Question 34

Who can enable MFA delete on a bucket?

Answer 34

Only the bucket owner (root account) can enable MFA delete

Question 35

With respect to S3, What is the difference between CloudTrail and Server access logs?

Answer 35

Cloudtrail logs provide information on actions taken by a USER or ROLE in AWS.
Server access logs provide detailed data on requests made to an s3 bucket including requestor, turnaround time and response status.

Question 36

I have a bucket set up called DOC-EXAMPLE-BUCKET and I want to force all interactions with this bucket to be via HTTPS (SSL) by using the aws:SecureTransport setting. In the following bucket policy what should the value of Effect be (ALLOW|DENY) and what should the value of aws:SecureTransport be (TRUE|FALSE)

Do I set this to be true or false in the following bucket policy? Why?

{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Action": "s3:*",
      "Effect": "????",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "????"
        }
      },
      "Principal": "*"
    }
  ]
}

Answer 36

Effect: DENY
aws:SecureTransport FALSE.

If we set to ALLOW and TRUE
This statement allows anonymous access to s3:GetObject for all objects in the bucket if the request uses HTTPS. Avoid this type of bucket policy unless your use case requires anonymous access through HTTPS.

By setting the values to DENY and FALSE
In this policy we are DENYING any interaction with the bucket that is not HTTPS

Question 37

If I wanted to force SSL access via a bucket policy - would this work? What is the effect of this policy?

{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCONFIG-Rule_s3-bucket-ssl-requests-only",
      "Action": "s3:GetObject",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      },
      "Principal": "*"
    }
  ]
}

Answer 37

While we have specified “Effect”: “Allow” and “aws:SecureTransport”: “true” - this does not enforce SSL usage. What this policy does do is allow any anonymous access to the bucket so long as it occurs via SSL which is probably not what we want.

Question 38

If you have enabled versioning in S3, can you revert to an unversioned state? If not, how would you unversion a bucket?

Answer 38

You can’t un-version a bucket. If you need to - then create a new unversioned bucket and copy the items to that.

Question 39

How do you best prevent accidental deletion in a bucket (2 things)

Answer 39

1. Enable Versioning

2. Enable MFA delete

Question 40

Does S3 support object locking? What happens if 2 put requests are made against the same object concurrently?

Answer 40

S3 does not support object locking. If 2 put requests occur concurrently, the one with the latest time stamp ‘wins’

Question 41

I want to generate a presigned URL to allow PUT and GET requests against a bucket. My account does not have permissions to execute puts or gets against the bucket. If I generate a presigned URL under my account, will the users of that URL be able to perform puts and gets?

Answer 41

No. The users of the URL inherit the permissions of the account that created it - so if you don’t have the ability to perform puts and gets, neither will they.

Question 42

What is the difference between a bucket policy and a user IAM role?

Answer 42

IAM policies specify what actions are allowed or denied on what AWS resources. You attach IAM policies to IAM users, groups, or roles.

S3 bucket policies, on the other hand, are attached only to S3 buckets. S3 bucket policies specify what actions are allowed or denied for which principals on the bucket that the bucket policy is attached

Question 43

What feature would be enabled if objects are written by other accounts to an S3 bucket with the bucket-owner-full-control canned access control list (ACL)?

Answer 43

The S3 Ownership feature has been enabled, this allows the bucket owner to assume ownership of objects within that bucket. Otherwise, objects are owned by the account that uploaded them.

Question 44

We have a bucket which has a bucket policy denying access to write to the bucket. We have an IAM policy that allows a write. How are these evaluated and what is the outcome

Answer 44

S3 access is based on the union of IAM and Bucket policies. As there is an explicit deny, access is denied. To allow access there must be a specific ALLOW and NO specific DENY

Question 45

If I wanted to set up cross account access to a bucket WITHOUT using an IAM role, how would you do this?

Answer 45

You would use a bucket policy to allow cross account access.