Section 15: Amazon S3 Security Flashcards

1
Q

Security feature that forces users to generate a code on a device before doing important operations on S3

A

S3 MFA Delete

2
Q

Web browser based security mechanism that allows requests to other origins while visiting the main origin page

A

S3 Cross-Origin Resource Sharing (CORS)

3
Q

True/False: Any admin account can update S3 MFA Delete settings on a bucket

A

False - Only the root account can configure this

4
Q

Option that allows you to log all access to S3 buckets for audit purposes

A

S3 Access Logs

5
Q

Feature that lets you create a URL that allows temporary access to files in S3 buckets

A

S3 Pre-Signed URLs

6
Q

S3 Object Lock mode that prevents an object version from being overwritten or deleted by any user, including the root user

A

Compliance

7
Q

S3 Object lock mode that prohibits most users from overwriting or deleting an object version

A

Governance

8
Q

S3 Object Lock mode that protects the object indefinitely, but that certain users can place on and remove from an object as needed

A

Legal Hold

9
Q

Your client wants to make sure that file encryption is happening in S3, but he wants to fully manage the encryption keys and never store them in AWS. You recommend that he use…

A

SSE-C

10
Q

A company you’re working for wants their data stored in S3 to be encrypted. They don’t mind the encryption keys being stored and managed by AWS, but they want to maintain control over the rotation policy of the encryption keys. You recommend that they use…

A

SSE-KMS

11
Q

Your company does not trust AWS for the encryption process and wants it to happen in the application. You recommend that they use…

A

Client-Side Encryption

12
Q

You have a website that loads files from an S3 bucket. When you try the URL of the files directly in your Chrome browser it works, but when the website you’re visiting tries to load these files it doesn’t. What’s the problem?

A

CORS is wrong

13
Q

Feature that defines a way for client web applications that are loaded in one domain to interact with resources in a different domain

A

Cross-Origin Resource Sharing (CORS)

14
Q

You suspect that some of your employees try to access files in an S3 bucket that they don’t have access to. How can you verify this is indeed the case without them noticing?

A

Enable S3 Access Logs and analyze them using Athena

15
Q

You are looking to provide temporary URLs to a growing list of federated users to allow them to perform a file upload on your S3 bucket to a specific location. What should you use?

A

S3 Pre-Signed URLs

16
Q

For compliance reasons, your company has a policy mandate that database backups must be retained for 4 years. It shouldn’t be possible to erase them. What do you recommend?

A

Glacier Vaults with Glacier Lock Policies

17
Q

You would like all your files in an S3 bucket to be encrypted by default. What is the optimal way of achieving this?

A

Enable Default Encryption

18
Q

You have enabled versioning and want to be extra careful when it comes to deleting files on an S3 bucket. What should you enable to prevent accidental permanent deletions?

A

Enable MFA Delete

19
Q

A company has its data and files stored in some S3 buckets. Some of these files need to be kept for a predefined period of time and protected from being overwritten or deleted, according to company compliance policy. Which S3 feature helps you do this?

A

S3 Object Lock - Compliance Mode

20
Q

Which S3 Object Lock configuration allows you to prevent an object or its versions from being overwritten or deleted indefinitely and gives you the ability to remove it manually?

A

Legal Hold

21
Q

True/False: In order to enforce object encryption, you can create an S3 bucket policy that denies any S3 Put request that does not include the x-amz-server-side-encryption header

A

True - The x-amz-server-side-encryption header tells S3 to encrypt the object using SSE-C, SSE-S3, or SSE-KMS.