S3 - MFA Delete/Access Logs/Glacier Vault Lock & Object Lock

Question 1

What is the primary purpose of MFA Delete?

Answer 1

To provide extra protection against the permanent deletion of object versions and to prevent accidental or malicious changes to Versioning settings.

Question 2

Who can enable or disable MFA Delete on a bucket?

Answer 2

Only the bucket owner (root account) can enable or disable MFA Delete.

Question 3

What must be enabled on a bucket to use MFA Delete?

Answer 3

Versioning must be enabled on the bucket.

Question 4

When is MFA required in Amazon S3 when MFA Delete is enabled?

Answer 4

Permanently deleting an object version.
Suspending Versioning on a bucket.

Question 5

What is the purpose of S3 Access Logs?

Answer 5

To log all requests made to an S3 bucket, whether authorized or denied, for audit and analysis purposes.

Question 6

Where are S3 Access Logs stored?

Answer 6

In a separate S3 bucket (called the logging bucket) in the same AWS region.

Question 7

What can you use to analyze S3 Access Logs?

Answer 7

You can analyze the logs using tools like Amazon Athena.

Question 8

What is a critical warning about the logging bucket?

Answer 8

Never set the logging bucket to be the same as the monitored bucket, as this will create an infinite logging loop and significantly increase costs.

Question 9

What is a pre-signed URL for S3?

Answer 9

Users are given a URL which inherits the permissions of the user that generated the URL. This is so they can access objects within the bucket. You can enable from 1-720 minutes.

Question 10

What is the purpose of S3 Glacier Vault Lock?

Answer 10

To enforce a Write Once Read Many (WORM) model by locking Glacier Vaults, preventing objects from being modified or deleted.

Question 11

How do you enable S3 Glacier Vault Lock?

Answer 11

Create a Vault Lock Policy.
Lock the policy to prevent future edits.

Question 12

What are the key benefits of S3 Glacier Vault Lock?

Answer 12

Ensures compliance and data retention.
Prevents objects from being deleted or modified by any user, including administrators.

Question 13

What is S3 Object Lock, and how does it differ from Glacier Vault Lock?

Answer 13

S3 Object Lock applies at the object level, not the bucket level.
Supports a WORM model for individual object versions.

Question 14

What must be enabled on a bucket to use S3 Object Lock?

Answer 14

Versioning must be enabled.

Question 15

What are the two retention modes for S3 Object Lock?

Answer 15

Compliance Mode:
Object versions cannot be deleted or overwritten by any user, including the root user.
Retention modes and periods cannot be changed or shortened.

Governance Mode:
Most users cannot delete or overwrite object versions.
Admins with special IAM permissions can modify retention settings or delete objects.

Question 16

What is the purpose of a retention period in S3 Object Lock?

Answer 16

To specify the duration during which an object version is protected from deletion or modification.

Question 17

Can the retention period for S3 Object Lock be extended?

Answer 17

Yes, the retention period can be extended.

Question 18

What is a legal hold in S3 Object Lock?

Answer 18

A legal hold protects an object indefinitely, independent of retention mode or period.
Used for legal or compliance purposes.

Question 19

Who can manage legal holds on S3 objects?

Answer 19

Users with the S3 PutObjectLegalHold IAM permission can place or remove legal holds.

Question 20

What is the difference between retention modes and legal holds in S3 Object Lock?

Answer 20

Retention Modes: Protect objects for a specified period based on compliance or governance rules.
Legal Holds: Protect objects indefinitely, overriding retention periods.