Simple Storage Service Flashcards

1
Q

When creating an S3 Bucket, who can access it?

A

ONLY the Root User

S3 is completely private by default - just because a bucket is enabled doesn’t mean it’s publicly accessible.

You must explicitly allow this via a bucket policy or an identity policy; otherwise the inherent implicit DENY applies.

2
Q

What is an S3 Bucket Policy?

A

This is a Resource Policy attached to a bucket which grants or denies access to that bucket or objects within that bucket.

3
Q

What is the difference between RESOURCE policy and IDENTITY policy?

A

Resource-based policies are basically inline policies, but applied to an AWS resource (like S3, KMS, SQS, SNS, etc.) instead of a user.

Identity policies only work for identities (Principals) within the same AWS account.

4
Q

REVIEW:

A good way to tell if a Policy is a resource policy or an identity policy is the presence of a Principal (the identity that the policy applies to) within the policy statement.

A

If it’s present -> it’s probably a Resource Policy.

5
Q

How many bucket policies can be attached to an S3 bucket?

A

Only ONE bucket policy, but there can be multiple statements within that policy.

6
Q

What is the “Block Public Access” setting when creating a bucket?

A

Allows you to create an “Open” bucket policy but only for valid AWS Identities - not for Public Access.

Anonymous users will still not have access even though the bucket is public.

Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both. In order to ensure that public access to all your S3 buckets and objects is blocked, turn on “block all public access” at the account level. These settings apply account-wide for all current and future buckets.

7
Q

Can you host Static Websites on S3?

A

Yes - S3 is great for static website hosting.

Offloads compute resources needed to generate changes/files/etc. and is also much cheaper.

8
Q

When are you charged for Data in S3?

A

You are not charged for data going IN, only for data going OUT, as well as any time you retrieve data.

9
Q

What is Object Versioning?

A

When you modify an existing Object within a bucket, a new version is created and made the “current version” of that object.

10
Q

Is Object Versioning turned on by default?

Can you turn it OFF if so?

A

NO - it is DISABLED by default, and once it is ENABLED you can never go back to the disabled state on that bucket. If you want to permanently disable it, you just save the images, delete the bucket, and re-upload to a new bucket.

You can however SUSPEND the feature, and once it is suspended it can go back into the ENABLED state.

11
Q

What happens when you DELETE an object in a bucket with versioning turned on?

A

The object becomes hidden and S3 will add a “Delete Marker” which becomes the current version.

Keep in mind the objects are still there, which costs $$. You have to permanently delete the objects by specifying an Object ID.

12
Q

What is MFA Delete (in S3)?

A

Prompts S3 to require an MFA authentication in order for a user to delete an object.

This can help to avoid accidentally modifying/deleting important objects.

13
Q

What is Single PUT Upload?

How big can the upload be?

A

This is the default when uploading to S3.

The data gets uploaded in a single “blob” or stream, of up to 5GB. If that stream fails for whatever reason, you must re-upload the entirety of that file.

14
Q

What is Multi-part Upload?

A

Breaking up a single “blob” of data into smaller chunks to then upload in multiple streams.

This improves speed and also reliability - if any of the smaller streams fail, that piece can re-upload in isolation versus having to re-upload the entire file.

15
Q

What are the specs of a Multi-part Upload?

A
  • minimum size of ORIGINAL blob of data is 100MB
  • maximum of 10K smaller streams
  • streams range from 5MB to 5GB
16
Q

What is S3 Transfer Acceleration?

A

Uploads & frequently accessed data are sent to Edge Locations instead of directly to S3. This way, the data traverses Amazon’s CDN network versus going over the internet.

17
Q

What two types of Encryption methods does AWS have?

Examples of each?

A

Crypto @ Rest - prevents physical theft/tampering. Data stored on shared HW is all encrypted.

Crypto in Transit - protecting data while it’s being transferred from point A to B. Data is wrapped in a tunnel before it is sent off.

18
Q

Key Terms for Encryption:

Plain Text?
Algorithm?
Key?
Ciphertext?

A

Plain Text - text/images/app that’s human readable

Algorithm - code/math that takes data + a key and creates encrypted data (ciphertext)

Key - password/handshake

Ciphertext - data that is encrypted by an algorithm

19
Q

Asymmetric v. Symmetric Encryption

Which key can Encrypt data? What key can Decrypt data?

A

Symmetric - same key is used for encrypt/decrypt on both sides.

Asymmetric - key is not the same on both sides. This involves a PUBLIC and PRIVATE key. PUB key creates ciphertext but can never decrypt - only a PRIVATE key can decrypt data.

20
Q

What is Key Signing?

What does it provide?

A

Key Signing is a way for Side A to validate the encrypted data being sent from Side B is legit. Key Signing is a way to prove IDENTITY.

21
Q

What is Steganography?

A

The method of hiding encrypted data in something else - such as hidden in an image file/dummy file.

This is like using invisible ink.

22
Q

What is AWS Key Management System (KMS)? What can it handle?

A

This is a public and also regional service that creates, stores, and manages encryption keys.

It can handle Asym/Sym crypto keys and can also handle all the encryption functions - encrypt/decrypt/etc.

KMS generates CMKs and DEKs.

23
Q

What are Customer Managed Keys (CMK)?

What does it contain?

A

Logical container/representation of a Master Key. It can be used directly to encrypt/decrypt data.

It contains metadata about the key such as:

  • key ID
  • key state
  • key description
24
Q

What is a big limitation with CMKs?

A

They can only be used to encrypt/decrypt data no larger than 4KB in size.

25
Q

What are Data Encryption Keys (DEK)?

A

These are used to encrypt/decrypt data larger than 4KB in size. This is how we get around the CMK limitation.

26
Q

KEY CONCEPTS:

  1. CMKs are stored/isolated in KMS and never leave. They are in the region specific to the KMS instance (KMS is a regional service).
  2. There are 2 types of CMKs: AWS-managed (generated automatically) and Customer-managed (created by customer; much more customizable).
  3. CMKs support key rotation: AWS-managed keys rotate every 3 years and Customer-managed CMKs rotate every year by default (optional).
A
  1. CMKs contain the “key backing” metadata about the current Master Key, and also all the historical data from previous keys (if the key has been rotated).
  2. You can create CMK aliases which can be used as shortcuts to specific CMKs (can be good if you have a ton of CMKs that are customer-managed).
27
Q

Are S3 buckets encrypted?

A

False - Objects inside the bucket can be encrypted (different objects can use different settings) but the bucket itself is not encrypted.

28
Q

What are the 2 main methods of S3 Encryption while data is @ Rest? (Hint: sides that handle the Crypto functions)

** Data in transit is encrypted by default **

A

Client Side Encryption - data is encrypted by the client before it leaves to be uploaded to S3, i.e. data is ciphertext the entire time.

Server-side encryption - data is encrypted in transit but arrives to S3 in plaintext. S3 then encrypts the data before it is stored.

29
Q

What are the 3 types of Server-Side encryption in S3?

A
  1. SSE-C - customer provided keys; S3 handles crypto ops and customer handles the keys.
  2. SSE-S3 - AWS manages the keys; this is the most common because customer has no added management overhead with encryption.
  3. SSE-KMS - customer master keys (CMKs) that are held within KMS. The CMKs can be either customer/AWS-managed.
30
Q

S3 Encryption Summary:

A

When uploading an image to S3, you can always access it assuming you have S3 permissions.

When uploading using SSE-S3 or AES256, you can always access assuming you have S3 permissions

When uploading with SSE-KMS, even though you have S3 permissions, you must also have permissions for the CMK (which is KMS-managed) that is being used or you will be denied.

You need KMS and S3 permissions OR you can keep these separate to create what’s called “Role Separation” which allows for more granular policy and manipulation of who has what permissions in S3 when accessing specific data.

-> Ex. A User might have CMK permissions but no Permissions for S3, so they can upload encrypted data but have no access to the Bucket.

31
Q

What are the SIX storage classes of S3?

A
  1. S3 Standard
  2. S3 Standard-IA
  3. S3 One Zone-IA

** these top 3 classes support object availability within milliseconds**

  4. S3 Glacier
  5. S3 Glacier Deep Archive
  6. S3 Intelligent Tiering
32
Q

What’s the default storage tier in S3?

A

S3 Standard - if you don’t specify, it’ll automatically be this tier.

Objects are replicated to a minimum of 3 AZs.

33
Q

What’s the minimum duration charge for S3-IA?

A

30 days

34
Q

What’s the retrieval time for S3 Glacier?

Whats the minimum billing duration?

A

3-5 hours but you can also pay for expedited retrieval which can take minutes (significant cost).

Minimum duration is 90 days.

35
Q

What’s the retrieval time for S3 Glacier Deep Archive?

A

12 hours, and there is no Expedite option.

36
Q

What is S3 Intelligent Tiering?

A

Combines S3-Standard and S3-IA with some automation for moving objects between the two tiers.

Any object that hasn’t been accessed in 30 consecutive days gets moved to the IA tier, which has a much lower cost associated with storing the data.

37
Q

What are Lifecycle Policies?

A

These are sets of rules that you can apply to S3 buckets for the lifecycle of the objects within the bucket.

Ex - After 90 days, move object from S3-standard to S3-IA, and then after another 180 days, move it to Glacier.

or

Ex - after 365 days of the object not being accessed, purge the object so that you can save on cost since it has no more use/is not being used.

38
Q

REVIEW - Replication:

→ Replication is NOT retroactive - only when Replication is turned ON will objects begin replicating. If there are objects already in the source bucket when turned on, they will not be copied to the destination bucket; only objects that are added after will be copied.

→ Source and Destination buckets both need to have Versioning enabled for Replication

→ This is a ONE-WAY process only, i.e. from SOURCE to DESTINATION (not bi-directional)

→ Can handle objects that are unencrypted or encrypted (SSE-S3 and SSE-KMS), i.e. no objects with SSE-C (customer managed keys)

A

→ Owner of Source bucket needs permissions to those objects that will be replicated

→ NO replication of system events (only User events) and also NO replication to Glacier or Glacier Deep Archive

→ DELETES are not replicated, i.e. if you Delete in the Source bucket, it will not be deleted in the Destination bucket
○ It also doesn’t copy “Delete Markers” -> when you delete objects with Versioning enabled, it keeps the objects but adds a delete marker on the source bucket. That marker is also not replicated over to the Destination bucket
○ You have to manually go in and delete all objects + versions from both buckets to actually delete everything

39
Q

What is a Pre-Signed URL?

A

This is a method that gives temporary access to an S3 bucket.

Admin creates a list of parameters/rules, sends them to S3, and S3 sends back a URL. The person who gets this URL will have the same exact access to the bucket/objects as the Admin does up until the URL expires.

Once expired the access is gone.

40
Q

What is S3 Glacier Select?

A

This is a method that allows a user to retrieve/restore smaller parts of a large object.

Avoids lengthy time and also full transfer fees for the entire object, when you might only need to access a small or specific part of it.

41
Q

When using S3/Glacier Select, where is the filtering performed? Why is this beneficial?

A

The filter point is placed inside the S3 service itself - S3 can take the SQL-like query and apply it to the raw data inside S3 before transferring it out to an App or the end user.

Without this, the filtering would be done by the App, but you’d still be charged for the $$ + time for the full object. The parts you didn’t request simply get discarded.

42
Q

EXAM POWER UPS:

→ If you’re granting/denying permissions on lots of different resources across AWS accounts then you use IDENTITY POLICIES (these policies get attached to Users, Groups, or Roles)

→ IAM is the only single place in AWS where you can control the permissions for everything; most permission control is done with IAM (Users/Roles/Groups)

→ You can use bucket or resource policies in general if you’re managing permissions on a specific product (like S3)

→ External/anonymous identities accessing resources - you must use a resource policy (i.e. they are not an IAM user or AWS user)

→ Do NOT use ACLs unless you absolutely have to; AWS is phasing out ACLs

A

→ AES-256 is the encryption algorithm used when selecting SSE-S3 as the default encryption method

→ Presigned URLs:

○ You can create a presigned URL for an object that you have no access to; you just need to specify a particular object and an expiration date
§ Because you have no access to the object and the URL is linked to you - anyone who uses it will also not have access to the object

○ When you use the generated URL - your permissions to the bucket/object match the identity that created it at that exact point in time when trying to access
§ Ex - someone creates a URL for an object that they have access to, but the access is all of a sudden revoked, the user of that URL will also all of a sudden have no access either

○ DO NOT generate presigned URLs with an IAM Role — remember, IAM Roles use temporary credentials so any URLs that get created and assume the IAM Role identity will also expire when the Role’s credentials expire. These typically expire way before a presigned URL credential would

43
Q

Which steps are required to allow an S3 bucket to operate as a website?

A
○ Upload web files
○ Set index and error documents 
○ Enable static website hosting 
○ Disable/block public access settings 
○ Add a bucket policy
44
Q

What is the default limit of the number of S3 buckets in an AWS account?

A

100

45
Q

What are S3 Events?

A

The notification feature enables you to receive notifications when certain events happen in your bucket.

46
Q

How can S3 Events play into an Event-Driven ARCH?

A

Sends a notification based on a triggered event to either SNS, SQS, or Lambda to execute an action.

47
Q

What is the alternative to S3 Events?

Which of the 2 options is preferred?

A

EventBridge

You should always default to EventBridge unless there is a specific reason to use S3 Events instead.

48
Q

What are S3 Access Logs?

A

Provides detailed records for the requests that are made to a bucket.

49
Q

What are 2 use cases for S3 Server Access Logs?

A

○ Access log information can be useful in security and access audits

○ It can help you learn about your customer base and understand your Amazon S3 bill.