S3 Introduction Flashcards
Amazon S3 allows people to store ____ in _____
Amazon S3 allows people to store objects (files) in “buckets” (directories)
Buckets must have a ___?
Globally unique name
Buckets are defined at what level?
Region Level
What’s the naming convention?
- No uppercase
- No underscore
- 3-63 characters long
- Not an IP
- Must start with lowercase letter or number
Objects (files) have a key. The key is what?
The full path
• /my_file.txt
• /my_folder1/another_folder/my_file.txt
Max size of objects?
5TB
• If uploading more than 5GB, must use “multi-part upload”
You can version your files in AWS. It is enabled at the ___ level?
bucket
What are the 4 methods of encrypting objects in S3?
- SSE-S3: encrypts S3 objects using keys handled & managed by AWS
- SSE-KMS: leverage AWS Key Management Service to manage encryption keys
- SSE-C: when you want to manage your own encryption keys
- Client Side Encryption
What are the features of SSE-S3?
- SSE-S3: encryption using keys handled & managed by AWS S3
- Object is encrypted server side
- AES-256 encryption type
- Must set header: “x-amz-server-side-encryption”: “AES256”
What are features of SSE-KMS?
- SSE-KMS: encryption using keys handled & managed by KMS
- KMS Advantages: user control + audit trail
- Object is encrypted server side
- Must set header: “x-amz-server-side-encryption”: “aws:kms”
What are some features of SSE-C?
- SSE-C: server-side encryption using data keys fully managed by the customer outside of AWS
- Amazon S3 does not store the encryption key you provide
- HTTPS must be used
- Encryption key must be provided in HTTP headers, for every HTTP request made
What are features of Client Side Encryption?
- Client library such as the Amazon S3 Encryption Client
- Clients must encrypt data themselves before sending to S3
- Clients must decrypt data themselves when retrieving from S3
- Customer fully manages the keys and encryption cycle
S3 exposes both HTTP and HTTPS endpoints?
True
HTTPS is mandatory for what kind of encryption methods?
SSE-C
S3 User-based Security?
IAM policies - which API calls should be allowed for a specific user from IAM console
S3 Resource-based Security?
- Bucket Policies - bucket wide rules from the S3 console - allows cross account
- Object Access Control List (ACL) – finer grain
- Bucket Access Control List (ACL) – less common
Describe S3 Bucket Policies
- JSON based policies
- Resources: buckets and objects
- Actions: Set of API to Allow or Deny
- Effect: Allow / Deny
- Principal: The account or user to apply the policy to
- Use S3 bucket policy to:
  - Grant public access to the bucket
  - Force objects to be encrypted at upload
  - Grant access to another account (Cross Account)
S3 Security supports VPC endpoints?
True
If you get a 403 error, make sure what?
Make sure the bucket policy allows public reads
If you request data from another S3 bucket, you need to enable what?
CORS
Explain read after write consistency for PUTS of new objects
As soon as an object is written, we can retrieve it
ex: (PUT 200 -> GET 200)
• This is true, except if we did a GET before to see if the object existed
ex: (GET 404 -> PUT 200 -> GET 404) – eventually consistent
Explain Eventual Consistency for DELETES and PUTS of existing objects
• If we read an object after updating, we might get the older version
ex: (PUT 200 -> PUT 200 -> GET 200 (might be older version))
• If we delete an object, we might still be able to retrieve it for a short time
ex: (DELETE 200 -> GET 200)