S3 -Security

Question 1

What type of Object Encryptions are available in S3?

Answer 1

• Server-Side Encryption (SSE)
• Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) – Enabled by Default
  – Encrypts S3 objects using keys handled, managed, and owned by AWS
• Server-Side Encryption with KMS Keys stored in AWS KMS (SSE-KMS)
  – Leverage AWS Key Management Service (AWS KMS) to manage encryption keys
• Server-Side Encryption with Customer-Provided Keys (SSE-C)
  – When you want to manage your own encryption keys
• Client-Side Encryption

Question 2

How does SSE-S3 works?

Answer 2

• Encryption using keys handled, managed, and owned by AWS
• Object is encrypted server-side
• Encryption type is AES-256
• Must set header “x-amz-server-side-encryption”: “AES256”
• Enabled by default for new buckets & new objects

Question 3

How does SSE-KMS works?

Answer 3

• Encryption using keys handled and managed by AWS KMS (Key Management Service)
• KMS advantages: user control + audit key usage using CloudTrail
• Object is encrypted server side
• Must set header “x-amz-server-side-encryption”: “aws:kms

Question 4

What are the SSE-KMS limitations?

Answer 4

• If you use SSE-KMS, you may be impacted by the KMS limits
• When you upload, it calls the GenerateDataKey KMS API
• When you download, it calls the Decrypt KMS API

Question 5

How does SSE-C works?

Answer 5

• Server-Side Encryption using keys fully managed by the customer outside of AWS
• Amazon S3 does NOT store the encryption key you provide
• HTTPS must be used
• Encryption key must provided in HTTP headers, for every HTTP request made

Question 6

How does – Client-Side Encryption works in S3?

Answer 6

• Use client libraries such as Amazon S3 Client-Side Encryption Library
• Clients must encrypt data themselves before sending to Amazon S3
• Clients must decrypt data themselves when retrieving from Amazon S3
• Customer fully manages the keys and encryption cycle

Question 7

How to force encryption in transit for s3?

Answer 7

You can setup a bucket policy to deny s3:GetObject if SecureTransport is false. The file can only access by HTTPS.

Question 8

What is default encryption in S3?

Answer 8

SSE-S3 encryption is automatically applied to new objects stored in S3 bucket

Question 9

Which one evaluated first: Bucket polcies or Defaul encryption?

Answer 9

Bucket policies > Defaul encryption

Question 10

What are the CORS headers?

Answer 10

Access-Control-Allow-Origin: https://www.example.com
Access-Control-Allow-Methods: GET, PUT, DELETE

Question 11

How to enable CORS in S3 buckets?

Answer 11

S3 Bucket > Permissions > CORS settings,You can allow for a specific origin or for * (all origins)

Question 12

What is Amazon S3 – MFA Delete?

Answer 12

MFA (Multi-Factor Authentication) – force users to generate a code on a
device (usually a mobile phone or hardware) before doing important
operations on S3

Question 13

What are the protected actions that need S3 MFA Delete?

Answer 13

• Permanently delete an object version
• Suspend Versioning on the bucket

Question 14

What must be setup for S3 MFA DeletE?

Answer 14

• To use MFA Delete, Versioning must be enabled on the bucket
• Only the bucket owner (root account) can enable/disable MFA Delete

Question 15

What are S3 Access Logs?

Answer 15

• Log all access made to S3 in an other bucket
• Logging bucket must be in the Same AWS Region

Question 16

How NOT TO setup Access Logs?

Answer 16

NEVER use the same bucket to store access logs.

Question 17

What are S3 - Pre-Signed URLs?

Answer 17

• Generate pre-signed URLs using the S3 Console, AWS CLI or SDK
• Users given a pre-signed URL inherit the permissions of the user that generated the URL for GET / PUT

Question 18

Whats expiration can be set for S3 Pre-Signed URLs?

Answer 18

• S3 Console – 1 min up to 720 mins (12 hours)
• AWS CLI – configure expiration with –expires-in parameter in seconds (default 3600 secs, max. 604800 secs ~ 168 hours)

Question 19

Give exmaples for S3 Pre-Signed URLs.

Answer 19

• Allow only logged-in users to download a premium video from your S3 bucket
• Allow an ever-changing list of users to download files by generating URLs dynamically
• Allow temporarily a user to upload a file to a precise location in your S3 bucket

Question 20

What are S3 Access Points?

Answer 20

• Simplify security management for S3 buckets
• Each AP has its own DNS name
• Each AP has its own policy

Question 21

How can you restrict S3 AP to be accessible onyl form you VPC?

Answer 21

1, Create a VPC Endpoint
2, The VPC Endpoint policy must allow access to tartget bucket and AP

Question 22

What’s S3 Object Lambda?

Answer 22

• Use AWS Lambda Functions to change the object before it is retrieved by the caller application.
• Only one S3 bucket is needed, on top of which we create S3 Access Point and S3 Object Lambda Access Points.

Question 23

What’s the uses cases of S3 Object Lambda?

Answer 23

• Redacting personally identifiable information for analytics or non- production
  environments.
• Converting across data formats, such as converting XML to JSON.
• Resizing and watermarking images on the fly using caller-specific details, such as the user who requested the object.