Section 15: Amazon S3 Security Flashcards
Security feature that forces users to generate a code on a device before doing important operations on S3
S3 MFA Delete
Web browser based security mechanism that allows requests to other origins while visiting the main origin page
S3 Cross-Origin Resource Sharing (CORS)
True/False: Any admin account can update S3 MFA Delete settings on a bucket
False - Only the root account can configure this
Option that allows you to log all access to S3 buckets for audit purposes
S3 Access Logs
Feature that lets you create a URL that allows temporary access to files in S3 buckets
S3 Pre-Signed URLs
S3 Object lock mode that prevents object version from being overwritten or deleted by any user - including the root user
Compliance
S3 Object lock mode that prohibits most users from overwriting or deleting an object version
Governance
S3 Object lock mode that protects the object indefinitely, but can be placed and removed from this mode by certain users as needed
Legal Hold
Your client wants to make sure that file encryption is happening in S3, but he wants to fully manage the encryption keys and never store them in AWS. You recommend him to use…
SSE-C
A company you’re working for wants their data stored in S3 to be encrypted. They don’t mind the encryption keys stored and managed by AWS, but they want to maintain control over the rotation policy of the encryption keys. You recommend them to use…
SSE-KMS
Your company does not trust AWS for the encryption process and wants it to happen on the application. You recommend them to use…
Client-Side Encryption
You have a website that loads files from an S3 bucket. When you try the URL of the files directly in your Chrome browser it works, but when the website you’re visiting tries to load these files it doesn’t. What’s the problem?
CORS is wrong
Feature that defines a way for client web applications that are loaded in one domain to interact with resources in a different domain
Cross-Origin Resource Sharing (CORS)
You suspect that some of your employees try to access files in an S3 bucket that they don’t have access to. How can you verify this is indeed the case without them noticing?
Enable S3 Access Logs and analyze them using Athena
You are looking to provide temporary URLs to a growing list of federated users to allow them to perform a file upload on your S3 bucket to a specific location. What should you use?
S3 Pre-Signed URLs
For compliance reasons, your company has a policy mandate that database backups must be retained for 4 years. It shouldn’t be possible to erase them. What do you recommend?
Glacier Vaults with Glacier Lock Policies
You would like all your files in an S3 bucket to be encrypted by default. What is the optimal way of achieving this?
Enable Default Encryption
You have enabled versioning and want to be extra careful when it comes to deleting files on an S3 bucket. What should you enable to prevent accidental permanent deletions?
Enable MFA Delete
A company has its data and files stored on some S3 buckets. Some of these files need to be kept for a predefined period of time and protected from being overwritten and deletion according to company compliance policy. Which S3 feature helps you in doing this?
S3 Object Lock - Compliance Mode
Which S3 Object Lock configuration allows you to prevent an object or its versions from being overwritten or deleted indefinitely and gives you the ability to remove it manually?
Legal Hold
True/False: In order to enforce object encryption, you can create an S3 bucket policy that denies any S3 Put request that does not include the x-amz-server-side-encryption header
True - The x-amz-server-side-encryption header tells S3 to encrypt the object using SSE-C, SSE-S3, or SSE-KMS.
