S3 Bucket Security Flashcards

1
Q

IAM policies

S3 bucket security

A

defines the API calls allowed for a specific IAM principal

S3 bucket security

2
Q

IAM policy basis

S3 bucket security

A

user or principal basis

S3 bucket security

3
Q

resource based policies (3)

S3 bucket security

A
  • bucket policies
  • object ACL
  • bucket ACL

S3 bucket security

4
Q

bucket policies

resource based policies

A

JSON policy applied to the entire bucket

resource based policies

5
Q

security benefit

bucket policies

A

allows access across accounts

bucket policies

6
Q

policy JSON fields (4)

bucket policies

A
  • resource
  • effect
  • action
  • principal

bucket policies

7
Q

public access

bucket policies

A

option to allow anyone on the Internet to access objects

bucket policies

8
Q

public access default

bucket policies

A

blocked to prevent data leaks

bucket policies

9
Q

object ACL

S3 bucket security

A

optional finer-grained policies

S3 bucket security

10
Q

bucket ACL

S3 bucket security

A

legacy but still valid method of access control

S3 bucket security

11
Q

permission logic

S3 bucket security

A

IAM principal has access if IAM policy OR resource policy allows it, AND no explicit deny

S3 bucket security

12
Q

optional security feature

S3 bucket security

A

encryption

S3 bucket security

13
Q

Server-side Encryption (3)

S3 bucket security

A
  • SSE-S3
  • SSE-KMS
  • SSE-C

S3 bucket security

14
Q

SSE-S3

Server-side Encryption

A

Amazon S3 manages keys

Server-side Encryption

15
Q

Feature

SSE-S3

A

Default option for SSE

SSE-S3

16
Q

HTTP Header

SSE-S3

A

"x-amz-server-side-encryption":"AES256"

SSE-S3

17
Q

SSE-KMS

Server-side Encryption

A

Customer manages keys in AWS KMS

Server-side Encryption

18
Q

Auditing option

SSE-KMS

A

May audit in CloudTrail

SSE-KMS

19
Q

HTTP Header

SSE-KMS

A

"x-amz-server-side-encryption":"aws:kms"

SSE-KMS

20
Q

Limitation

SSE-KMS

A

KMS hits count towards KMS API quota

SSE-KMS

21
Q

SSE-C

Server-side Encryption

A

customer manages and stores keys

Server-side Encryption

22
Q

Client-side encryption

S3 bucket security

A

files are encrypted and decrypted outside of S3

S3 bucket security

23
Q

Encryption in transit

S3 bucket security

A

HTTPS using SSL/TLS

S3 bucket security

24
Q

How to block HTTP access

Encryption in transit

A
  • Policy with "Deny" effect
  • condition "aws:secureTransport":"false"

Encryption in transit

25
Q

Bucket policy for encryption

S3 Encryption

A

used to force a specific encryption type

S3 Encryption

26
Q

CORS header

S3 Bucket Security

A

used to define which request origins are allowed to GET from an S3 bucket website

S3 Bucket Security

27
Q

when CORS is needed

CORS Header

A

must be enabled for another website to use objects in the bucket

CORS Header

28
Q

what can be allowed

CORS Header

A

allow for origin domain and protocol (e.g. https)

CORS Header

29
Q

how to allow a wide range of sites

CORS Header

A

wildcard (*)

CORS Header

30
Q

Access logs

S3 Bucket Security

A

logs user requests to the bucket

S3 Bucket Security

31
Q

where to enable logs

Access logs

A

on each bucket

Access logs

32
Q

what to use to analyze logs

Access logs

A

Amazon Athena

Access logs

33
Q

where to save logs

Access logs

A

a **different** bucket in the same region

Access logs

34
Q

MFA delete

S3 Bucket Security

A

enforces MFA if a user attempts a destructive action

S3 Bucket Security

35
Q

how to enable

MFA delete

A

must be root account, MFA enabled, and use CLI

MFA delete