S3 Bucket Security (nr)

Question 1

IAM policies

S3 bucket security

Answer 1

defines API calls allowed for specific IAM principal

S3 bucket security

Question 2

IAM policy basis

S3 bucket security

Answer 2

user or principal basis

S3 bucket security

Question 3

resource based polices (3)

S3 bucket security

Answer 3

• bucket policies
• object ACL
• bucket ACL

S3 bucket security

Question 4

bucket policies

resource based polices

Answer 4

JSON policy applied to entire bucket

resource based polices

Question 5

security benefit

bucket policies

Answer 5

allows access across accounts

bucket policies

Question 6

policy JSON fields (4)

bucket policies

Answer 6

• resource
• effect
• action
• principal

bucket policies

Question 7

public access

bucket policies

Answer 7

option to allow anyone on the Internet to access objects

bucket policies

Question 8

public access default

bucket policies

Answer 8

blocked to prevent data leaks

bucket policies

Question 9

object ACL

S3 bucket security

Answer 9

optional finer grain policies

S3 bucket security

Question 10

bucket ACL

S3 bucket security

Answer 10

legacy but still valid method of access control

S3 bucket security

Question 11

permission logic

S3 bucket security

Answer 11

IAM principal has access if IAM policy OR resource policy allows it, AND no explicit deny

S3 bucket security

Question 12

optional security feature

S3 bucket security

Answer 12

encryption

S3 bucket security

Question 13

Server-side Encryption (3)

S3 bucket security

Answer 13

• SSE-S3
• SSE-KMS
• SSE-C

S3 bucket security

Question 14

SSE-S3

Server-side Encryption

Answer 14

Amazon S3 manages keys

Server-side Encryption

Question 15

Feature

SSE-S3

Answer 15

Default option for SSE

SSE-S3

Question 16

HTTP Header

SSE-S3

Answer 16

“x-amz-server-side-encryption”:”AES256”

SSE-S3

Question 17

SSE-KMS

Server-side Encryption

Answer 17

Customer manages keys in AWS KMS

Server-side Encryption

Question 18

Auditing option

SSE-KMS

Answer 18

May audit in CloudTrail

SSE-KMS

Question 19

HTTP Header

SSE-KMS

Answer 19

“x-amz-server-side-encryption”:”aws:kms”

SSE-KMS

Question 20

Limitation

SSE-KMS

Answer 20

KMS hits count towards KMS API quota

SSE-KMS

Question 21

SSE-C

Server-side Encryption

Answer 21

customer manages and stores keys

Server-side Encryption

Question 22

Client-side encryption

S3 bucket security

Answer 22

files are encrypted and decrypted outside of S3

S3 bucket security

Question 23

Encryption in transit

S3 bucket security

Answer 23

HTTPS using SSL/TLS

S3 bucket security

Question 24

How to block HTTP access

Encryption in transit

Answer 24

• Policy with “Deny” effect
• condition “aws:secureTransport”:”false”

Encryption in transit

Question 25

Bucket policy for encryption

S3 Encryption

Answer 25

used to force specific encryption type

S3 Encryption

Question 26

CORS header

S3 Bucket Security

Answer 26

used to define which request originds allowed to GET from S3 bucket website

S3 Bucket Security

Question 27

when CORS is needed

CORS Header

Answer 27

must be enabled for other website to use objects in bucket

CORS Header

Question 28

what can be allowed

CORS Header

Answer 28

allow for origin domain and protocol (e.g. https)

CORS Header

Question 29

how to allow wide range of sites

CORS Header

Answer 29

wildcard (*)

CORS Header