S3 Security Flashcards
1
Q
Amazon S3
Security Types
A
- User-Based
- Resource-Based
- Encryption
2
Q
Amazon S3
User-Based Security Policy
A
- IAM Policies
- Which API calls are allowed for a specific IAM user
3
Q
Amazon S3
Resource-Based Security Policy Types
A
- Bucket Policies
- Object Access Control List (ACL)
- Bucket Access Control List (ACL)
4
Q
Amazon S3
Bucket Policies
A
- Bucket-wide rules set from the S3 console
- Allow cross-account access
- Make an S3 bucket public
- Force encryption at upload
- Most common
5
Q
Amazon S3
Object Access Control List (ACL)
A
- Finer-grained; can be disabled
6
Q
Amazon S3
Bucket Access Control List (ACL)
A
- Less common (can be disabled)
7
Q
An IAM principal can access an S3 object if
A
- The principal's IAM permissions OR the bucket's resource policy ALLOWS it
- AND there is no explicit DENY
8
Q
Bucket settings for Block Public Access
A
- Extra layer of security to prevent data leaks
- Leave on if the bucket should never be public
- Can be set at the account level
9
Q
S3 Encryption Types
A
- Server-Side Encryption (after upload, default)
- Client-Side Encryption (before upload)
10
Q
IAM Access Analyzer for S3
A
- Monitoring service
- Ensures only intended people have access to buckets
- Evaluates Bucket Policies, ACLs, & Access Point Policies
- Identifies which buckets are public