SIMPLE STORAGE SERVICE (S3) Flashcards

1
Q

Is S3 accessible to the public by default?

A

No, it’s private by default.

2
Q

S3 Bucket Policies

A

a form of resource policy that is attached to a bucket

3
Q

Identity Policy

A

controls what that identity can access

can only be attached to identities in your account

has to be attached to a valid identity

4
Q

Resource Policy

A

controls who can access that resource

Allow/Deny same or different accounts

Allow/Deny anonymous principals

5
Q

How can you tell the difference between a resource policy and an identity policy?

A

if there is a Principal element, it’s a resource policy

6
Q

If you’re trying to control different resources in the same account, would you implement a resource policy or an identity policy?

A

IAM Policy

7
Q

Would you use an IAM or resource policy if you

want one central place to control access?

A

IAM policies are the only single place in AWS where you can control permissions for everything. You can use resource policies sometimes, but you can use IAM policies all the time.

8
Q

What would you use to control

permissions within the same account?

A

IAM policy

9
Q

What would you use to control the permissions

on one resource like S3?

A

resource policy

10
Q

When to use IAM vs Resource Policy:

Anonymous or cross-account

A

resource policy

11
Q

What are ACLs?

A

Access control lists: a legacy Amazon mechanism used before S3 bucket policies

12
Q

When to use IAM vs Resource Policy:

How about ACLs?

A

never, unless you must

13
Q

Explain Static Website Hosting in S3

A

Normal access is via AWS APIs

allows access via HTTP

Index and Error documents are set

Website endpoint is created

14
Q

Do bucket names matter when hosting a static site in S3?

A

yes, if you have a custom domain via R53

15
Q

Pricing structure for S3?

A

storage: per GB/month charge

data transfer in (free) / out (not free)

requests and data retrievals: per 1,000 requests

16
Q

How would you disable S3 versioning on an S3 bucket?

A

you can’t once it’s been turned on; the only way to stop it is to suspend versioning on that bucket

17
Q

Object Versioning

A

versioning lets you store multiple versions of objects within a bucket. Operations which would modify objects generate a new version.

18
Q

Delete Marker

A

special version of an object which hides all previous versions of that object

19
Q

What does deleting the delete marker do?

A

restores the deleted version to being active again

20
Q

Version Delete

A

you can delete an object by specifying the version. When deleting the current version, the previous version becomes the current version.

21
Q

How can you reduce cost on a versioned bucket?

A

space is consumed by all versions

you are billed for all versions

only way to cut cost to zero is to delete the bucket

22
Q

MFA Delete

A

can be enabled in the versioning configuration

MFA is required to change the bucket versioning state and to delete versions

serial number (of the MFA device) + code is passed with API calls

23
Q

S3 performance optimization:

Single PUT upload

A

single data stream to S3

if the stream fails, the upload fails

requires a full restart

24
Q

S3 performance optimization:

Multipart upload

A

data is broken up into parts

min data size 100MB for multipart

10,000 max parts, each 5MB → 5GB

the last part can be smaller than 5MB

parts can fail and be restarted individually

25
Q

S3 Transfer Acceleration

A

normally there is no control over how data is routed on the public internet

TA uses the network of AWS edge locations

this needs to be enabled on the S3 bucket

once enabled, data transmits to the closest edge location, which transmits it through fewer networks

normal internet is like CT transit and AWS is like CT Express

26
Q

TA Naming restrictions for Buckets

A

can’t contain periods

has to be DNS compatible in its naming

27
Q

ciphertext

A

encrypted data

28
Q

Symmetric Encryption

A

the same key is used for encryption and decryption

transfer of the key has to be done in advance

good for local data

29
Q

Signing

A

taking the sender’s private key and signing a document with it

the public key can then verify that the document was signed by its matching private key

30
Q

steganography

A

allows you to embed data in another piece of data like a picture

31
Q

Key Management Service (KMS)

A

regional and public service

create, store, and manage keys

symmetric and asymmetric keys

can encrypt and decrypt data

keys never leave KMS; provides FIPS 140-2 (Level 2)

32
Q

Customer Master Keys (CMK)

A

contains: ID, data, policy, description and state

backed by physical key material

can be generated or imported

a CMK can be used for up to 4KB of data

33
Q

Data Encryption Keys (DEKs)

A

encrypt data using the plaintext key

the plaintext key is then discarded

the encrypted key is stored with the data

KMS doesn’t perform the encryption or decryption of data larger than 4KB; using data encryption keys, you do (or KMS does)

34
Q

Can you use CMKs across regions?

A

CMKs are isolated to a region and never leave

35
Q

AWS managed Keys vs Customer managed CMKs?

A

customer managed keys are more configurable

36
Q

Aliases

A

shortcut to a CMK, per region

37
Q

S3 Encryption

A

buckets aren’t encrypted; objects are

38
Q

S3 Encryption:

Client-side encryption

A

the data being uploaded is encrypted by the client before it leaves, meaning you control everything

39
Q

S3 Encryption:

Server-side encryption

A

the data being uploaded is only encrypted after it hits the S3 endpoint

40
Q

Server-side encryption with customer-provided keys (SSE-C)

A

if a key is provided during decryption, the hash can identify whether or not that key was the one used during encryption

  • user still responsible for key management
  • AWS manages encryption and decryption

41
Q

Server-side encryption with Amazon S3-managed keys (SSE-S3)

A

AWS handles keys, encryption and decryption

not good for regulatory environments where you need to control key access or role separation

42
Q

What is the encryption type used with server-side encryption with Amazon S3-managed keys?

A

SSE-S3 uses AES-256 as the encryption algorithm

43
Q

Server-side encryption with customer master keys (CMKs) stored in AWS Key Management Service

A

you manage the keys and control rotation

AWS manages the encryption/decryption and role separation

44
Q

S3 Standard

A

best used for frequently accessed data which is important and non-replaceable

99.999999999% (11 nines) durability means that if you store 10 million objects, then you expect to lose an object of your data every 10,000 years

replication over 3 AZs

billed a per GB/month fee for data stored, a $ per GB charge for transfer out (in is free), and a price per 1,000 requests. No specified retrieval fee, no minimum duration, no minimum size.

45
Q

S3 Standard-IA

A

should be used for long lived data which is important but where access is infrequent

has a per GB data retrieval fee and a minimum duration charge of 30 days

minimum

everything else is the same as S3 Standard

46
Q

S3 One Zone-IA

A

should be used for long-lived data which is non-critical and replaceable, and where access is infrequent

does not provide the multi-AZ resilience model; only one AZ is used within the region

11 9s durability unless the AZ fails

47
Q

S3 Glacier

A

used for situations in which you need to store archival data

first byte latency = minutes or hours

objects are considered cold and aren’t ready for use immediately

you pay for retrieval

retrieved objects are stored in S3 Standard-IA until they are accessed, and then they are removed

40 KB minimum billable size

90 days minimum billable duration

48
Q

S3 Glacier Deep Archive

A

used for archival data that rarely, if ever, needs to be accessed; hours or days for retrieval, e.g. legal or regulatory data storage

first byte latency = hours or days

40 KB minimum billable size

180 days minimum duration

49
Q

S3 Select and Glacier Select

A

lets you use SQL-like statements to select part of an object, pre-filtered by S3

accepted file formats: CSV, JSON, Parquet; bzip2 compression for CSV and JSON

50
Q

S3 Intelligent-Tiering

A

should be used for long-lived data with changing or unknown access patterns

manages the object’s S3 storage class based on usage, i.e. how frequently the data is accessed

30 day minimum duration, no retrieval fees

monitoring and automation cost per 1,000 objects

51
Q

Presigned URL

A

a way for you to give another person or application access to an object inside an S3 bucket using your credentials

52
Q

Can you generate a presigned URL for an object you have no access to?

A

yes, but your URL would also not have access

53
Q

Can a presigned URL be generated with a role?

A

yes, but it’s a bad idea: the URL stops working when the temporary credentials expire

54
Q

Can you generate a presigned URL for an object that doesn’t exist?

A

yes lol

55
Q

S3 Event Notification

A

notifications are generated when events occur in a bucket

can be delivered to SNS, SQS and Lambda functions

notifications can be for object creation, deletion, restore, and replication

56
Q

S3 Access Logs

A

provides detailed records for the requests that are made to a bucket. Server access logs are useful for many applications. For example, access log information can be useful in security and access audits.

57
Q

Who manages access logs if they are enabled on a bucket?

A

you are responsible for the lifecycle and deletion of the log files

58
Q

What system manages S3 access logs?

A

the S3 Log Delivery group

59
Q

How would you set up S3 access logging on a bucket?

A
  1. enable logging on the source bucket via the console UI, or with the PutBucketLogging operation using the CLI or the API
  2. the S3 Log Delivery Group reads the configuration within a few hours
  3. the S3 Log Delivery Group has to have access to the target bucket, which is granted via the bucket ACL