Is S3 accessible to the public by default?
No, it’s private by default
S3 Bucket Policies
a form of resource policy that is attached to a bucket
Identity Policy
control what that identity can Access
can only be attached to identities in your account
has to be attached to a valid identity
Resource Policy
controls who can access that resource
Allow/Deny same or different accounts
Allow/Deny anonymous principals
How can you tell the difference between a resource policy and Identity policy
if there is a Principal component, it’s a resource policy
If you’re trying to control different resources in the same account, would you implement a resource policy or an identity policy?
IAM Policy
Would you use an IAM or a resource policy if you want one central place to control access?
IAM policies are the only single place in AWS where you can control permissions for everything. You can use resource policies sometimes, but you can use IAM policies all the time
What would you use to control
permissions within the same account
IAM policy
What would you use to control the permissions
on one resource like S3
resource policy
When to use IAM vs Resource Policy:
Anonymous or cross-account
resource policy
What are ACLs?
Access Control Lists: a legacy Amazon feature used before S3 bucket policies
When to use IAM vs Resource Policy:
How about ACLs?
never unless you must
Explain Static Website Hosting in S3
Normal access is via AWS APIs
allows access via HTTP
Index and Error documents are set
Website endpoint is created
Do bucket names matter when hosting a static site in S3?
yes if you have a custom domain via R53
Pricing structure for S3?
storage: per GB/month charge
data transfer in (free) / out (not free)
requests and data retrievals: per 1,000 requests
How would you disable S3 versioning on an S3 bucket?
you can’t; once it’s been turned on, the only way to stop it is to suspend versioning on that bucket
Object Versioning
versioning lets you store multiple versions of objects within a bucket. Operations which would modify objects generate a new version.
Delete Marker
special version of an object which hides all previous versions of that object
What does deleting the delete marker do?
restores the deleted version to being active again
Version Delete
you can delete an object by specifying the version. When deleting the current version, the previous version becomes the current version
How can you reduce cost on a versioned bucket?
space is consumed by all versions
you are billed for all versions
the only way to cut cost to zero is to delete the bucket
MFA Delete
can be enabled in the versioning configuration
MFA is required to change the bucket versioning state and to delete versions
serial number (MFA) + code is passed with API calls
S3 Performance optimization:
Single PUT upload
single data stream to S3
if the stream fails, the upload fails
requires a full restart
S3 Performance optimization:
Multipart upload
data is broken up into parts
min data size 100MB for multipart
10,000 max parts, 5MB → 5GB each
last part can be smaller than 5MB
parts can fail and be restarted individually
S3 Transfer Acceleration
normally there is no control over how data is routed across the public internet
TA uses the network of AWS edge locations
this needs to be enabled on the S3 bucket
once enabled, data transmits to the closest edge location, which then transmits it through fewer networks
normal internet is like CT transit and AWS is like CT Express
TA naming restrictions for buckets
can’t contain periods
has to be DNS compatible in its naming
encrypted data
Symmetric Encryption
the same key is used for encryption and decryption
transfer of the key has to be done in advance
good for local data
Taking the sender’s private key and signing a document with it
the public key can then verify that the document was signed by its matching public key
allows you to embed data in another piece of data like a picture
Key Management Service (KMS)
regional and public service
create, store, and manage keys
symmetric and asymmetric keys
can encrypt and decrypt data
keys never leave KMS; provides FIPS 140-2 (L2)
Customer Master Keys (CMK)
contains: ID, data, policy, description and state
backed by physical key material
can be generated or imported
a CMK can be used directly for up to 4KB of data
Data Encryption Keys (DEKs)
encrypt data using the plaintext key
the plaintext key is then discarded
store the encrypted key alongside the data
KMS doesn’t perform the encryption or decryption of data larger than 4KB; with data encryption keys, you (or the service using them) do the encryption, not KMS
Can you use CMKs across regions?
CMKs are isolated to a region and never leave it
AWS managed Keys vs Customer managed CMKs?
customer managed keys are more configurable
shortcut to a CMK/per region
S3 Encryption
Buckets aren’t encrypted objects are
S3 Encryption:
Client side encryption
the data being uploaded is encrypted by the client before it leaves, meaning you control everything
S3 Encryption:
Server side Encryption
the data being uploaded is only encrypted after it hits the S3 endpoint
Server-side Encryption with Customer-Provided Keys (SSE-C)
if a key is provided during decryption, the hash can identify whether that key was used during encryption or not
- user is still responsible for key management
- AWS manages encryption and decryption
Server-side Encryption with Amazon S3-Managed Keys (SSE-S3)
AWS handles keys, encryption and decryption
not good for regulatory environments where you need to control key access or role separation
What is the encryption type used with Server-side Encryption with Amazon S3-Managed Keys?
SSE-S3 (AES-256) <=> encryption algorithm
Server-Side Encryption with Customer Master Keys (CMK) stored in AWS Key Management Service (SSE-KMS)
you manage the keys and control rotation
AWS manages the encryption/decryption and role separation
S3 Standard
best used for frequently accessed data which is important and non-replaceable
99.999999999% (11 nines) durability means that if you store 10 million objects, then you can expect to lose one object every 10,000 years
replicated over 3 AZs
billed a per-GB/month fee for data stored, a $ per GB charge for transfer out (in is free) and a price per 1,000 requests. No specified retrieval fee, no minimum duration, no minimum size
S3 Standard-IA
should be used for long-lived data which is important but where access is infrequent
has a per-GB data retrieval fee and a minimum duration charge of 30 days
everything else is the same as S3 Standard
S3 One Zone IA
should be used for long-lived data which is non-critical and replaceable and where access is infrequent
does not provide the multi-AZ resilience model; only one AZ is used within the region
11 nines durability unless the AZ fails
S3 Glacier
used for situations in which you need to store archival data
first byte latency = minutes or hours
objects are considered cold and aren’t ready for use immediately
you pay for retrieval
retrieved objects are stored in S3 Standard-IA until they are accessed, and then they are removed
40KB minimum billable size
90 days minimum billable duration
S3 Glacier Deep Archive
used for archival data that is rarely, if ever, accessed; hours or days for retrieval, e.g. legal or regulatory data storage
first byte latency = hours or days
180 days minimum duration
S3 Select and Glacier Select
lets you use SQL-like statements to select part of an object, pre-filtered by S3
accepted file formats: CSV, JSON, Parquet; bzip2 compression for CSV and JSON
S3 Intelligent-Tiering
should be used for long-lived data with changing or unknown access patterns
manages the object’s S3 storage class based on usage, i.e. how frequently the data is accessed
30 day minimum duration no retrieval fees
monitoring and automation cost per 1,000 objects
Pre-signed URL
a way for you to give another person or application access to an object inside an S3 bucket using your credentials
Can you generate a pre-signed URL for an object you have no access to?
yes, but your URL would also not have access
Can a pre-signed URL be generated with a role?
yes, but it’s a bad idea: the URL stops working when the temporary credentials expire
Can you generate a pre-signed URL for an object that doesn’t exist?
yes lol
S3 Event Notification
notifications are generated when events occur in a bucket
can be delivered to SNS, SQS and Lambda functions
notifications can be for object creation, deletion, restore, and replication
S3 Access Logs
provides detailed records for the requests that are made to a bucket. Server access logs are useful for many applications. For example, access log information can be useful in security and access audits.
Who manages access logs if enabled on a bucket?
you’re responsible for the lifecycle and deletion of the log files
What system manages S3 access logs?
the S3 Log Delivery group
How would you set up S3 access logging on a bucket?
- enable logging on the source bucket via the console UI or the PutBucketLogging operation using the CLI or the API
- the S3 Log Delivery group reads the configuration within a few hours
- the S3 Log Delivery group has to have access to the target bucket, granted via the bucket ACL