Section 12 & 14: Amazon S3 Introduction & Advanced S3

Question 1

What is Amazon S3?

Answer 1

Amazon S3 is a simple storage service that allows people to store objects (files) in buckets (directories).

Question 2

What are S3 Buckets?

Answer 2

Buckets are highly scalable object (file) storage.

Question 3

What do S3 buckets consist of?

Answer 3

Buckets have a globally unique name, are defined at the region level, file sizes must be between 0 bytes -5 TB, and offer unlimited storage.

Question 4

How many AWS buckets per account by default?

Answer 4

100 buckets per account by default.

Question 5

Is an S3 Bucket suitable for installing an OS or DB?

Answer 5

No, an S3 bucket is not suitable for installing an OS or DB. Block-based storage is better for this.

Question 6

What do S3 objects consist of?

Answer 6

S3 objects consist of metadata, tags for security / lifecycle, Version ID (if versioning is enabled), and a key value (key = filename, value = data) and sub resources (access control lists and torrents).

Question 7

What should you do if uploading for than 5 GB to S3?

Answer 7

You should use multi-part upload

Question 8

What is an S3 Object key composed of?

Answer 8

Prefic + object name. Example: s3://my-bucket/my_folder1/another_folder/my_file.txt

s3://my-bucket/prefix/object_name

Question 9

At what level is S3 Versioning enabled?

Answer 9

S3 Versioning is enabled at the bucket level

Question 10

What happens if you upload the same file to S3 twice?

Answer 10

The file will be assigned a unique version every time

Question 11

Can you disable versioning on an S3 bucket once its enabled?

Answer 11

No. Versioning cannot be disabled, it can only be suspended. Suspending versioning does not delete previous versions.

Question 12

What if you have files that exist prior to versioning being enabled?

Answer 12

All existing files prior to the enabling of versioning will receive a version of “null”

Question 13

What does S3 Versioning do?

Answer 13

S3 Versioning stores all versions of an object (file) including deleted versions.

Question 14

What happens to the permissions on a newly uploaded version? What about the permissions on old versions?

Answer 14

For newly uploaded versions, permissions are automatically reset to private.
For old versions, the existing permissions are retained.

Question 15

What happens when you delete an object (file) with versioning enabled?

Answer 15

Deleting a file with versioning enabled will simply set a delete marker (it won’t actually be deleted). You can restore this version by deleting the delete marker. However, deleting an individual, specific version will actually delete the file version.

Question 16

What are the four (4) methods of encrypting objects in S3?

Answer 16

1) SSE-S3 (Server-Side-Encryption)
2) SSE-KMS (Server-Side-Encryption, AWS Key-Management-System)
3) SSE-C (Server-Side-Encryption, Customer)
4) Client Side Encryption

Question 17

How does SSE-S3 encrypt S3 objects? Main use case?

Answer 17

SSE-S3 encrypts S3 objects using keys handled & managed by AWS. Its main use case is encrypting user data on S3.

Question 18

How does SSE-KMS encrypt S3 objects? Main advantages?

Answer 18

SSE-KMS encrypts S3 objects by leveraging AWS’s Key Management Service (KMS) to manage the encryption keys. KMS provides a customer managed key and an audit trail of who uses the key, and when they used it.

SSE-KMS’s main advantage is user control & audit trail, giving users full control over encryption key rotation policies.

Question 19

When should you use SSE-C?

Answer 19

SSE-C should be used when you want to manage your own encryption keys, outside of AWS. AWS S3 does not store the encryption key provided in every HTTPS request. SSE-C can only be done via the AWS CLI.

Question 20

What is Client Side Encryption?

Answer 20

Client Side Encryption is when the encryption occurs on the client side, rather than the server side. As a result, AWS will not know your encryption key.

Question 21

How does Client Side Encryption work?

Answer 21

Clients must encrypt data themselves before sending it to S3, and decrypt data themselves when retrieving from S3. Customers fully manage the keys and encryption cycle themselves.

Question 22

What are the three Encryption Types?

Answer 22

1) In transit (uses SSL / TLS)
2) At Rest (server-side)
3) At Rest (Client Side)

Question 23

What are the two main types of S3 Security?

Answer 23

1) User-based
2) Resource-based

Question 24

Regarding S3 security, by default all buckets are ____

Answer 24

By default, all S3 buckets are private.

Question 25

Explain User-based S3 security: How does it work?

Answer 25

S3 User-based security is achieved through IAM policies that decide which API calls should be allowed for a specific user. An IAM principal can access an S3 object if their IAM permissions allow it OR the resource policy allows it. Additionally, there must be no explicit DENY

Question 26

Explain Resource-based S3 security: How does it work?

Answer 26

Resource based security works by instituting S3 Bucket Policies that apply at the bucket level

Question 27

What is an S3 Bucket Policy?

Answer 27

An S3 bucket policy is a bucket-wide rule that is set from the S3 console.

Question 28

What is a good S3 setting to prevent company data leaks from S3?

Answer 28

Block Public Access setting. This prevents access outside of your VPC

Question 29

What are the three (3) main uses of an S3 Bucket Policy?

Answer 29

1) To Grant public access to a bucket
2) To force objects to be encrypted at upload to the bucket
3) To grant access to another AWS account (cross account)

Question 30

What is the strongly recommended requirement to include for deleting an S3 bucket or bucket objects?

Answer 30

MFA (multi-factor-authentication) should be required for deleting buckets and objects in S3

Question 31

What is a Pre-Signed URL?

Answer 31

A Pre-Signed URL is a URL that is only valid for a limited time. Users given pre-signed URLs inherit permissions of the person who generated the pre-signed URL.

Question 32

Can S3 host websites?

Answer 32

Yes. S3 can host static websites and have them accessible on the public web.

Question 33

How does S3 interact with CORS?

Answer 33

If a client does a CORS request on our S3 bucket, the correct CORS headers must be enabled & defined on the cross origin bucket. This is a popular exam question

Question 34

What happens to the permissions in a replicated S3 bucket?

Answer 34

Nothing. Replicated buckets maintain the permissions of their original.

Question 35

What happens to the objects in a replicated bucket?

Answer 35

A replicated bucket cannot replicate the objects in the original bucket.

Question 36

What are the three (3) use cases for S3 Cross Region Replication (CRR)?

Answer 36

1) Compliance
2) Lower latency access
3) Replication across accounts

Question 37

What are the two (2) main use cases for S3 Same Region Replication (SRR)?

Answer 37

1) Log aggregation
2) Live replication from production / test accounts

Question 38

Is there S3 replication chaining?

Answer 38

No, there is no replication chaining in S3. Bucket A can not replicate to B, which then replicates to C. Instead, bucket A has to replicate to B, and then replicate itself to C.

Question 39

Explain S3 notifications, and one (1) good use case.

Answer 39

S3 notifications allow you to receive notifications (self-created or pre-created) when certain events happen in your bucket. Use case: send notification to a destination and trigger an action (like triggering a Lambda)

Question 40

What are the four (4) S3 Storage classes?

Answer 40

1) S3 Standard (general purpose)
2) S3 Infrequent Access (IA)
3) S3 One-Zone IA
4) S3 Intelligent Tiering

Question 41

What is the most expensive S3 Storage Class? Why?

Answer 41

S3 Standard Purpose, because it has storage across multiple devices, highest durability and availability (99.99%), and is highly resistant to AZ failures.

Question 42

What are two (2) main use cases of S3 Standard Purpose Storage?

Answer 42

1) Big Data analytics
2) Content Distribution

Question 43

When should you use S3 Infrequent Access (IA) storage and what is the major use case?

Answer 43

You should use S3 Infrequent Access (IA) when data is less frequently accessed, but requires rapid access when it is needed.
Use Case: backups

Question 44

When should you use S3 One Zone IA storage? Major use case?

Answer 44

You should use S3 One Zone for lower-cost, infrequently accessed data that doesn’t require multiple AZ resilience.
Use case: data that can recreated & cached.

Question 45

When should you use S3 intelligent Tiering?

Answer 45

Mostly when you want automatic cost optimization. Automatically move you to the most cost effect tier without performance impact (switches between S3 standard and IA)

Question 46

What is Amazon Glacier?

Answer 46

Amazon Glacier is a low cost object storage meant for backups in S3. Data is retained for the long term (decades). Glacier is for Archives.

Question 47

What on-premise technology is Glacier an alternative for?

Answer 47

Glacier is an alternative to on-premises magnetic tape storage.

Question 48

How do you move files from Glacier to S3?

Answer 48

You need to restore the files from Glacier before moving them to S3.

Question 49

What are the three (3) Amazon Glacier retrieval options?

Answer 49

1) Expedited (1-5 min)
2) Standard (3-5 hrs)
3) Bulk (5-12 hrs)

Question 50

What is the minimum storage duration for items in Glacier?

Answer 50

90 days

Question 51

What is the lowest cost Glacier Storage class?

Answer 51

Glacier Deep Archive is the lowest cost storage class, for long term storage with minimum storage duration of 180 days.

Question 52

What is the WORM model? Why is it useful?

Answer 52

WORM = Write once, read many model.
WORM is useful for meeting regulatory requirements as it prevents objects from being modified for a certain period, or indefinitely. One example is legal retention periods.

Question 53

What is S3 Lifecycle Management?

Answer 53

S3 Lifecycle management is the automation of moving objects between storage tiers. For example, if an object hasn’t been used for 30 days, automatically put it to deeper, cheaper storage.

Question 54

How does Amazon determine S3 Pricing?

Answer 54

Via Storage by the GB, Number of requests, the tier of Storage Management, Data transfer amounts, and how fast Data transfer is needed.

Question 55

Which is better, S3 Standard Storage or S3 Intelligent Tiering Storage?

Answer 55

Intelligent Tiering is better, and should be used for almost all cases (unless working with a massive amount of objects)

Question 56

How can you increase S3 Transfer Acceleration?

Answer 56

Increase S3 transfer speed b transferring files to an AWS edge location. This will forward data to your S3 bucket in the target region. This strategy is compatible with multi-part upload.

Question 57

When is it recommended to use Multi-Part Upload to an S3 bucket?

Answer 57

It is recommended to use Multi-part Upload for files over 100 MB, require for files over 5 GB. Uploads should be parallelized (speeds up transfers)

Question 58

What are S3 Byte-Range fetches / Parallelized downloads?

Answer 58

Parallelized downloads are created by specifying byte ranges for uploads. This limits failures only to specific byte ranges.