S3-Security Flashcards

1
Q

You can encrypt objects in S3 buckets using one of four methods:

  • Server-Side Encryption (SSE)
    • Amazon S3-Managed Keys (SSE-S3) - default
    • KMS Keys stored in AWS KMS (SSE-KMS)
    • Customer-Provided Keys (SSE-C)
  • Client-Side Encryption
A
2
Q

Amazon S3-Managed Keys (SSE-S3)

  • encryption using keys handled, managed, and owned by ____
  • object is encrypted server-side
  • encryption type is ____
  • must set header "x-amz-server-side-encryption": "AES256"
  • enabled by default for new buckets and objects
A

AWS
AES-256

3
Q

KMS Keys stored in AWS KMS (SSE-KMS)

  • encryption using keys handled and managed by AWS KMS
  • KMS advantages: user control + audit key usage using ____
  • object is encrypted server-side
  • must set header "x-amz-server-side-encryption": "aws:kms"
A

CloudTrail

4
Q

SSE-KMS Limitations

When you upload data it calls the ____ KMS API.
When you download data it calls the ____ KMS API.

These calls count toward the KMS request quota per second (5500, 10000, or 30000 req/s depending on the region).
You can request a quota increase using the ____.

A

GenerateDataKey
Decrypt
Service Quotas Console

5
Q

Customer Provided Keys (SSE-C)

  • Server-side encryption using keys fully managed by the customer outside of AWS.
  • Amazon S3 does NOT store the encryption key you provide.
  • HTTPS must be used.
  • The encryption key must be provided in HTTP headers, for every HTTP request made.
  • The option is not available in the console; it must be done via the CLI.
A
6
Q

Client-Side Encryption

  • use client libraries such as Amazon S3 Client-Side Encryption Library
  • Clients must encrypt the data themselves before sending to S3
  • Clients must decrypt data themselves when retrieving from S3
  • Customer fully manages the keys and encryption cycle
A
7
Q

Encryption in-flight is called ____.

S3 exposes two endpoints:
- HTTP endpoint: non-encrypted
- HTTPS endpoint: encryption in-flight

HTTPS is recommended.
HTTPS is mandatory for which S3 encryption method?

A

SSL/TLS
SSE-C

8
Q

How can you force S3 encryption in transit?

A

via a bucket policy, by adding a condition to Deny the GetObject action when aws:SecureTransport is false.

9
Q

Amazon S3 bucket policies are evaluated ____ “Default Encryption”.

A

before

10
Q

Which S3 encryption method is automatically applied to new objects stored in an S3 bucket?

A

SSE-S3

11
Q

You can “force encryption” using a bucket policy and refuse any API call to PUT an S3 object without encryption headers (SSE-KMS or SSE-C).

A
12
Q

CORS: Cross-Origin Resource Sharing

origin = scheme (protocol) + host (domain) + port
ex: https://www.example.com

CORS is a web-browser-based mechanism that allows requests to other origins while visiting the main origin.
Same origin: http://example.com/app1 & http://example.com/app2
Different origins: http://www.example.com & https://other.example.com

These requests won't be fulfilled unless the other origin allows them, using CORS headers (ex: Access-Control-Allow-Origin).

A
13
Q

If a client makes a cross-origin request on our S3 bucket, we need to enable the correct ____.

A

CORS headers

you can allow for a specific origin or for * (all origins)

14
Q

To use MFA Delete, ____ must be enabled on the S3 bucket.

A

versioning

15
Q

Only the ____ can enable/disable MFA Delete.

A

bucket owner (root account)

16
Q

Identify the actions below that require MFA to be enabled:

  • enable versioning
  • suspend versioning on the bucket
  • list deleted versions
  • permanently delete an object version
A

suspend versioning on the bucket
permanently delete an object version

17
Q

MFA Delete can only be enabled via the ____ using the root account.

18
Q

For ____ purposes, you may want to log all access to S3 buckets.
Any request made to S3, from any account, authorized or denied, will be logged into another S3 bucket.
That data can be analyzed using data analysis tools (such as Athena).
The target logging bucket must be in the same AWS ____.

A

audit
region

19
Q

Do not set your S3 access logging bucket to the ____ bucket.
It will create a logging loop, and your bucket will grow exponentially and be very expensive.

A

monitoring

20
Q

S3 Pre-Signed URLs can be generated using what 3 methods?

A

S3 Console
AWS CLI
AWS SDK

21
Q

What are the expiration times for S3 pre-signed URLs?

  • S3 Console: 1 min up to 720 mins (12 hours)
  • AWS CLI: default 3600 secs, max 604800 sec ~ 168 hours
    • configure expiration with the --expires-in parameter in seconds
22
Q

Users given a ____ URL inherit the permissions of the user that generated the URL for GET / PUT

A

pre-signed

23
Q

Use case for pre-signed URL: when you want to provide a user access to a private S3 file for them to download (or upload).

A

Examples:

  • allow only logged-in users to download a premium video from your S3 bucket
  • allow an ever-changing list of users to download files by generating URLs dynamically
  • allow temporarily a user to upload a file to a precise location in your S3 bucket (while keeping your bucket private)
24
Q

The S3 Glacier ____ feature is helpful for compliance and data retention because it adopts the WORM (Write Once Read Many) model.

A

Vault Lock

  • The lock policy is at the bucket level
  • Create a vault lock policy, then lock the policy against future edits (it can no longer be changed or deleted)
25
Q

Before you can use the S3 Object Lock feature, you must enable ____.

A

versioning

26
Q

Unlike the Glacier Vault Lock at the bucket level, the S3 Object Lock is at the object/file level.

27
Q

S3 Object Lock can block an object version ____ for a specified amount of time.

A

deletion

28
Q

Which S3 Object Lock retention mode is described below?

  • Object versions can't be overwritten or deleted by any user, including the root user
  • Object retention modes can't be changed, and retention periods can't be shortened

A

Compliance

29
Q

Which S3 Object Lock retention mode is described below?

  • Most users can't overwrite or delete an object version or alter its lock settings
  • Some users have special permissions to change the retention or delete the object

A

Governance

30
Q

The S3 Object Lock ____ protects the object for a fixed period of time (it can be extended).

A

retention period

31
Q

Using S3 Object Lock, a ____ can be placed on an object that will protect it indefinitely, independent from the retention period.

A

Legal Hold

32
Q

In order to place/remove a legal hold on an S3 object you need which IAM permission?

A

s3:PutObjectLegalHold

33
Q

S3 ____ simplify security management for S3 buckets.

A

Access Points

34
Q

Each S3 Access Point has:

  • its own DNS name (internet origin or VPC origin)
  • an access point policy (similar to a bucket policy)
  • the ability to manage security at scale

35
Q

Using a ____ origin, we can make the S3 Access Point only accessible from within the VPC. You must create a VPC ____ to access the Access Point (Gateway or Interface Endpoint). The VPC Endpoint policy must allow access to the ____ and ____.

A

VPC
Endpoint
target bucket and Access Point

36
Q

S3 Object ____ uses AWS Lambda Functions to change the object before it is retrieved by the caller application.

A

S3 Object Lambda

37
Q

With S3 Object Lambda, only one S3 bucket is needed. On top of it, we create an S3 Access Point and an S3 Object Lambda Access Point.

38
Q

What S3 feature is best for the following use cases?

  • redacting PII data for analytics or non-production environments
  • converting across data formats, such as XML to JSON
  • resizing and watermarking images on the fly using caller-specific details, such as the user who requested the object

A

S3 Object Lambda