S3 Bucket Security Flashcards

1
Q

IAM policies

S3 bucket security

A

defines which API calls (s3:GetObject, s3:PutObject, s3:ListBucket, ...) a specific IAM principal (user, group or role) is allowed to make on which resources

S3 bucket security

2
Q

IAM policy basis

S3 bucket security

A

attached to the user or other principal (identity-based), so the policy travels with the identity rather than with the bucket

S3 bucket security

3
Q

resource-based policies (3)

S3 bucket security

A
  • bucket policies
  • object ACL
  • bucket ACL

S3 bucket security

4
Q

bucket policies

resource-based policies

A

JSON policy document attached to the bucket; its Resource element names the bucket and/or the objects in it, so one document governs access to the whole bucket

resource-based policies

5
Q

security benefit

bucket policies

A

grants access to principals in other AWS accounts (named directly in the Principal element) without creating IAM identities for them; the cross-account principal still needs an Allow in its own IAM policy as well

bucket policies

6
Q

policy JSON fields (4)

bucket policies

A
  • resource
  • effect
  • action
  • principal

bucket policies

7
Q

public access

bucket policies

A

option to allow anyone on the Internet (anonymous, unsigned requests) to read objects, e.g. an Allow on s3:GetObject with Principal "*"

bucket policies

8
Q

public access default

bucket policies

A

blocked: S3 Block Public Access is enabled on new buckets, so a bucket policy or ACL that would grant public access is rejected or ignored until the block is explicitly turned off; this prevents accidental data leaks

bucket policies

9
Q

object ACL

S3 bucket security

A

optional per-object grants (read/write for a canonical user, a predefined group or the public); finer-grained than a bucket policy, but limited to fixed permissions with no conditions

S3 bucket security

10
Q

bucket ACL

S3 bucket security

A

legacy method that still works, but disabled by default on new buckets (Object Ownership set to "bucket owner enforced"); prefer bucket policies

S3 bucket security

11
Q

permission logic

S3 bucket security

A

a principal in the same account as the bucket has access if its IAM policy OR the resource policy allows the action, AND no policy contains an explicit deny; a principal in a different account needs an allow in BOTH its own IAM policy and the bucket policy

S3 bucket security

12
Q

optional security feature

S3 bucket security

A

encryption: in transit (TLS) and at rest; S3 applies SSE-S3 at rest to new objects by default, so the choice is which mode (SSE-S3, SSE-KMS, SSE-C or client-side), not whether

S3 bucket security

13
Q

Server-side Encryption (3)

S3 bucket security

A
  • SSE-S3
  • SSE-KMS
  • SSE-C

S3 bucket security

14
Q

SSE-S3

Server-side Encryption

A

Amazon S3 generates, stores and rotates the keys (AES-256); nothing to configure and no extra cost

Server-side Encryption

15
Q

Feature

SSE-S3

A

Default option for SSE: new objects get SSE-S3 unless a bucket default or a request header selects another mode

SSE-S3

16
Q

HTTP Header

SSE-S3

A

"x-amz-server-side-encryption": "AES256"

SSE-S3

17
Q

SSE-KMS

Server-side Encryption

A

keys live in AWS KMS (the AWS-managed aws/s3 key or a customer-managed key); the customer controls the key policy, rotation and which principals may use the key, so reading an object needs both S3 and KMS permission

Server-side Encryption

18
Q

Auditing option

SSE-KMS

A

every use of the key (GenerateDataKey, Decrypt) is logged in CloudTrail, so object access can be audited per key

SSE-KMS

19
Q

HTTP Header

SSE-KMS

A

"x-amz-server-side-encryption": "aws:kms" (optionally x-amz-server-side-encryption-aws-kms-key-id to pick the key)

SSE-KMS

20
Q

Limitation

SSE-KMS

A

each upload and download calls KMS (GenerateDataKey / Decrypt) and those calls count toward the per-Region KMS request quota; throttling surfaces as failed S3 requests, and S3 Bucket Keys reduce the call volume

SSE-KMS

21
Q

SSE-C

Server-side Encryption

A

customer generates and stores the key and sends it in request headers on every upload and download; S3 encrypts/decrypts with it but never stores it, so a lost key means lost data; HTTPS is mandatory

Server-side Encryption

22
Q

Client-side encryption

S3 bucket security

A

files are encrypted by the client before upload and decrypted after download; S3 never sees plaintext or keys

S3 bucket security

23
Q

Encryption in transit

S3 bucket security

A

HTTPS (TLS); S3 exposes both HTTP and HTTPS endpoints, so plaintext transport has to be denied by policy

S3 bucket security

24
Q

How to block HTTP access

Encryption in transit

A
  • bucket policy statement with Effect "Deny" on s3:* for the bucket and its objects
  • Condition "Bool": {"aws:SecureTransport": "false"} (true only for requests over plain HTTP)

Encryption in transit

25
Q

Bucket policy for encryption

S3 Encryption

A

used to force a specific encryption type: deny s3:PutObject unless the request's x-amz-server-side-encryption header names the required mode (StringNotEquals on s3:x-amz-server-side-encryption, plus a Null check for a missing header)

S3 Encryption
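The four statement fields, the OR/explicit-deny permission logic, the HTTP deny and the encryption deny from the cards above, worked through in one runnable model. This is an added example, not AWS code: the account IDs, ARNs and policies are made up, and the evaluator covers only the Bool, Null and StringNotEquals operators the cards rely on.

```python
"""Toy model of how S3 authorizes a request. Identity-based (IAM) and
resource-based (bucket) policy statements are evaluated together: an explicit
Deny in either wins over every Allow, a same-account principal needs an Allow
from either side, a cross-account principal needs an Allow from both.
Added example, not AWS code; account IDs, ARNs and policies are made up."""
import fnmatch

ACCOUNT, PARTNER = "111111111111", "222222222222"
BUCKET = "arn:aws:s3:::example-bucket"
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/app"
PARTNER_ROLE = f"arn:aws:iam::{PARTNER}:role/partner"

# Bucket policy: Effect / Principal / Action / Resource, plus Condition on the
# Deny guards (no plaintext HTTP; no PutObject unless the SSE header says aws:kms).
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": APP_ROLE},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"{BUCKET}/*"},
    {"Effect": "Allow", "Principal": {"AWS": PARTNER_ROLE},
     "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, f"{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": f"{BUCKET}/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": f"{BUCKET}/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
]}
# Identity policies attach to a principal, so they carry no Principal element.
APP_IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                               "Resource": [BUCKET, f"{BUCKET}/*"]}]}
PARTNER_IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                   "Resource": f"{BUCKET}/*"}]}
NO_IDENTITY = {"Statement": []}

def _aslist(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value):
    """IAM-style glob match (* and ?) against one pattern or a list of them."""
    return any(fnmatch.fnmatchcase(value, p) for p in _aslist(pattern))

def _condition_holds(cond, ctx):
    """Bool, Null and StringNotEquals as IAM evaluates them: StringNotEquals is
    a negated operator, so a key absent from the request context matches;
    Bool on an absent key does not."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool":
                if have is None or (have.lower() == "true") != (want == "true"):
                    return False
            elif op == "Null":
                if (have is None) != (want == "true"):
                    return False
            elif op == "StringNotEquals":
                if have is not None and have in _aslist(want):
                    return False
            else:
                raise ValueError(f"operator {op} not modelled")
    return True

def _decide(statements, principal_arn, action, resource, ctx):
    """Return (an Allow matched, a Deny matched) for one policy document."""
    allowed = denied = False
    for s in statements:
        principal = s.get("Principal", "*")
        if principal != "*" and not _match(principal.get("AWS", []), principal_arn):
            continue
        if not (_match(s["Action"], action) and _match(s["Resource"], resource)
                and _condition_holds(s.get("Condition", {}), ctx)):
            continue
        if s["Effect"] == "Deny":
            denied = True
        else:
            allowed = True
    return allowed, denied

def authorize(identity_policy, principal_arn, action, resource, ctx,
              bucket_policy=BUCKET_POLICY, bucket_account=ACCOUNT):
    """Return 'ALLOW', 'DENY (explicit)' or 'DENY (implicit)' for one request."""
    id_allow, id_deny = _decide(identity_policy["Statement"], principal_arn,
                                action, resource, ctx)
    rp_allow, rp_deny = _decide(bucket_policy["Statement"], principal_arn,
                                action, resource, ctx)
    if id_deny or rp_deny:
        return "DENY (explicit)"
    same_account = principal_arn.split(":")[4] == bucket_account
    granted = (id_allow or rp_allow) if same_account else (id_allow and rp_allow)
    return "ALLOW" if granted else "DENY (implicit)"
```

Calling authorize(APP_IDENTITY, APP_ROLE, "s3:ListBucket", BUCKET, {"aws:SecureTransport": "true"}) returns ALLOW on the strength of the IAM policy alone, the same PutObject over HTTP or without the aws:kms header returns DENY (explicit) even though both sides allow it, and the partner role gets DENY (implicit) until its own account's IAM policy also allows s3:GetObject. The request context keys (aws:SecureTransport, s3:x-amz-server-side-encryption) are the real condition keys; the context dict stands in for what S3 derives from the actual request.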

26
Q

CORS header

S3 Bucket Security

A

used to define which request origins (scheme + host) a browser may use to read objects from the bucket or its static website endpoint; enforced by the browser, not by S3, so it is not an access control

S3 Bucket Security

27
Q

when CORS is needed

CORS Header

A

must be configured when a page served from another origin (different domain, scheme or port) fetches objects in the bucket with script (fetch/XHR) or as web fonts; without a matching rule the browser blocks the response

CORS Header

28
Q

what can be allowed

CORS Header

A

allowed origins (scheme + host, e.g. https://www.example.com), allowed methods (GET, PUT, POST, DELETE, HEAD), allowed request headers, exposed response headers and a max-age for preflight caching

CORS Header

29
Q

how to allow wide range of sites

CORS Header

A

wildcard (*): a bare * allows any origin; a single * inside an origin (https://*.example.com) allows its subdomains; since the browser enforces CORS, a wildcard rule does not loosen the bucket policy but it does let any site read whatever the policy already makes readable

CORS Header
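The CORS behaviour from the four cards above (origin plus scheme matching, the single-wildcard rule, and the fact that a non-matching request is blocked by the browser rather than by S3), as an added example that is not AWS code. The bucket configuration and the origins are made up; the rule-matching order and the one-wildcard-per-origin limit follow the S3 CORS documentation.

```python
"""How S3 applies a bucket's CORS configuration to a browser request: rules
are tried in order; the Origin header must match an AllowedOrigin (scheme and
host, at most one '*' wildcard), the method an AllowedMethod and every
requested header an AllowedHeader; the first matching rule supplies the
Access-Control-* response headers. With no match S3 still serves the object
and simply adds no CORS headers, so the browser, not S3, blocks the read.
Added example, not AWS code; configuration and origins are made up."""
import fnmatch

CORS_CONFIG = {"CORSRules": [
    {"AllowedOrigins": ["https://www.example.com", "https://*.app.example.com"],
     "AllowedMethods": ["GET", "HEAD", "PUT"],
     "AllowedHeaders": ["Authorization", "Content-Type", "x-amz-*"],
     "ExposeHeaders": ["ETag"], "MaxAgeSeconds": 3000},
    # Catch-all for public assets (fonts, images): any origin, read only.
    {"AllowedOrigins": ["*"], "AllowedMethods": ["GET"]},
]}

def validate(config):
    """Reject what S3 rejects: more than one '*' per origin, unknown methods."""
    for rule in config["CORSRules"]:
        for origin in rule["AllowedOrigins"]:
            if origin.count("*") > 1:
                raise ValueError(f"at most one wildcard allowed per origin: {origin}")
        for method in rule["AllowedMethods"]:
            if method not in ("GET", "PUT", "POST", "DELETE", "HEAD"):
                raise ValueError(f"unsupported CORS method: {method}")
    return True

def _glob(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def cors_headers(config, origin, method, request_headers=()):
    """Return the Access-Control-* headers S3 would add for this request, or
    None when no rule matches (the browser then refuses the cross-origin read)."""
    for rule in config["CORSRules"]:
        if not _glob(rule["AllowedOrigins"], origin):       # scheme + host match
            continue
        if method not in rule["AllowedMethods"]:
            continue
        allowed = [h.lower() for h in rule.get("AllowedHeaders", [])]
        if not all(_glob(allowed, h.lower()) for h in request_headers):
            continue
        wildcard = rule["AllowedOrigins"] == ["*"]
        headers = {
            "Access-Control-Allow-Origin": "*" if wildcard else origin,
            "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
        }
        if not wildcard:
            headers["Vary"] = "Origin"      # cache per requesting origin
        if rule.get("ExposeHeaders"):
            headers["Access-Control-Expose-Headers"] = ", ".join(rule["ExposeHeaders"])
        if "MaxAgeSeconds" in rule:
            headers["Access-Control-Max-Age"] = str(rule["MaxAgeSeconds"])
        return headers
    return None

if __name__ == "__main__":
    validate(CORS_CONFIG)
    for origin, method, hdrs in [
        ("https://www.example.com", "PUT", ["Content-Type", "x-amz-meta-owner"]),
        ("https://shop.app.example.com", "GET", []),
        ("http://www.example.com", "GET", []),      # wrong scheme: falls to the * rule
        ("https://evil.example.net", "PUT", []),    # no rule: browser blocks
    ]:
        print(origin, method, "->", cors_headers(CORS_CONFIG, origin, method, hdrs))
```

Note the third case: http://www.example.com does not match the first rule because the scheme differs, so it only gets the read-only wildcard rule, which is exactly the "origin domain and protocol" distinction the card makes.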

30
Q

Access logs

S3 Bucket Security

A

S3 server access logging records each request to the bucket (requester, operation, key, HTTP status, source IP, signature version, TLS version) as log files delivered on a best-effort basis

S3 Bucket Security

31
Q

where to enable logs

Access logs

A

per source bucket (bucket properties or PutBucketLogging); it is off by default, so unlogged buckets leave no record of who read what

Access logs

32
Q

what to use to analyze logs

Access logs

A

Amazon Athena: define a table over the log bucket and query it with SQL, e.g. for anonymous requesters, 403s or DELETE operations

Access logs

33
Q

where to save logs

Access logs

A

a separate target bucket in the same Region and account; never the source bucket itself, since every log write would itself be logged and the bucket would grow without bound

Access logs
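The access-log cards above recommend Athena for analysis; as an added example that is not AWS tooling, the same server access log format can be parsed and triaged offline. The five log lines are constructed for this example (bucket owner ID, request IDs and host IDs are placeholders), the field order is the documented S3 server access log layout, and the triage rules pick out the records the cards care about: anonymous reads and probes, legacy SigV2 signing, pre-1.2 TLS and destructive operations.

```python
"""Parser and triage for S3 server access log lines. Each record is
space-delimited, with the timestamp in brackets and the request URI, referer
and user agent in double quotes. Added example, not AWS tooling; the sample
lines below are constructed with made-up IDs."""
import re

# Field order of the S3 server access log format (26 fields).
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester",
          "request_id", "operation", "key", "request_uri", "http_status",
          "error_code", "bytes_sent", "object_size", "total_time",
          "turnaround_time", "referer", "user_agent", "version_id", "host_id",
          "signature_version", "cipher_suite", "auth_type", "host_header",
          "tls_version", "access_point_arn", "acl_required"]
_TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

OWNER = "3a1f0bEXAMPLEOWNERCANONICALID"  # placeholder canonical user ID
SAMPLE_LOG = [  # constructed sample records, one request each
    f'{OWNER} example-bucket [10/Mar/2024:12:01:05 +0000] 198.51.100.7 - 7A3F2EXAMPLE01 REST.GET.OBJECT backups/db.sql "GET /backups/db.sql HTTP/1.1" 200 - 5242880 5242880 210 12 "-" "curl/8.4.0" - h1EXAMPLEHOSTID= - ECDHE-RSA-AES128-GCM-SHA256 - example-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -',
    f'{OWNER} example-bucket [10/Mar/2024:12:02:11 +0000] 10.0.4.21 arn:aws:iam::111111111111:user/alice 8B4C3EXAMPLE02 REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 20480 20480 35 9 "-" "aws-cli/2.15.0" - h2EXAMPLEHOSTID= SigV4 TLS_AES_128_GCM_SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSv1.3 - -',
    f'{OWNER} example-bucket [10/Mar/2024:12:03:40 +0000] 192.0.2.55 arn:aws:iam::111111111111:user/legacy-uploader 9D5E4EXAMPLE03 REST.PUT.OBJECT uploads/a.bin "PUT /uploads/a.bin HTTP/1.1" 200 - - 1024 45 30 "-" "aws-sdk-java/1.7.3" - h3EXAMPLEHOSTID= SigV2 ECDHE-RSA-AES128-SHA AuthHeader example-bucket.s3.amazonaws.com TLSv1.1 - -',
    f'{OWNER} example-bucket [10/Mar/2024:12:04:02 +0000] 203.0.113.9 - A1F6EXAMPLE04 REST.GET.OBJECT .env "GET /.env HTTP/1.1" 403 AccessDenied 243 - 8 - "-" "python-requests/2.31.0" - h4EXAMPLEHOSTID= - ECDHE-RSA-AES128-GCM-SHA256 - example-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -',
    f'{OWNER} example-bucket [10/Mar/2024:12:05:59 +0000] 10.0.4.21 arn:aws:iam::111111111111:user/alice B2A7EXAMPLE05 REST.DELETE.OBJECT backups/db.sql "DELETE /backups/db.sql?versionId=v2EXAMPLEVERSION HTTP/1.1" 204 - - - 15 9 "-" "aws-cli/2.15.0" v2EXAMPLEVERSION h5EXAMPLEHOSTID= SigV4 TLS_AES_128_GCM_SHA256 QueryString example-bucket.s3.us-east-1.amazonaws.com TLSv1.3 - -',
]

def parse_line(line):
    """Split one record into a dict keyed by FIELDS, stripping [] and quotes."""
    tokens = [t[1:-1] if t[0] in '["' else t for t in _TOKEN.findall(line)]
    tokens += ["-"] * (len(FIELDS) - len(tokens))   # older records have fewer fields
    return dict(zip(FIELDS, tokens))

def triage(lines):
    """Return (rule, request_id, detail) for every record worth a second look."""
    findings = []
    for line in lines:
        r = parse_line(line)
        rid = r["request_id"]
        status = int(r["http_status"]) if r["http_status"].isdigit() else 0
        if r["requester"] == "-":                        # unauthenticated request
            kind = "anonymous-success" if 200 <= status < 400 else "anonymous-denied"
            findings.append((kind, rid, r["key"]))
        if r["signature_version"] == "SigV2":            # legacy signing still in use
            findings.append(("legacy-sigv2", rid, r["user_agent"]))
        if r["tls_version"] not in ("-", "TLSv1.2", "TLSv1.3"):
            findings.append(("weak-tls", rid, r["tls_version"]))
        if r["operation"].startswith("REST.DELETE."):    # destructive action
            findings.append(("delete", rid, r["key"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

An anonymous 200 on backups/db.sql is the public-read leak the Block Public Access card exists to prevent; a burst of anonymous 403s from one IP is bucket enumeration; the SigV2/TLSv1.1 upload identifies a client that needs updating before those options are refused server-side; and the DELETE with a versionId is the permanent version removal that MFA Delete (next cards) is meant to gate.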

34
Q

MFA delete

S3 Bucket Security

A

requires a valid MFA code on requests that permanently delete an object version or change the bucket's versioning state (suspend versioning); ordinary deletes that only add a delete marker are unaffected

S3 Bucket Security

35
Q

how to enable

MFA delete

A

only the bucket owner's root user can enable it, with MFA configured on that root user; versioning must already be on; it is set through the CLI/API (put-bucket-versioning with the MFA serial and code), not the console

MFA delete
