Simple Storage Service (S3)

Question 1

Which type of S3 encryption shows as AES256

Answer 1

SSE-S3

Question 2

Which S3 Storage class is suitable for data which is easily replaced (choose the most cost effective)

Answer 2

S3 One Zone-IA

Question 3

Which Object class in S3 is ideal for uncertain access and low admin overhead

Answer 3

S3 Intelligent-Tiering

Question 4

What is the cheapest S3 storage class for important data which need to be retained for long periods and is rarely accessed

Answer 4

S3 Glacier

Question 5

Which steps are required to allow an S3 bucket to operate as a website (choose all which apply):

Install the HTTPD server files into the S3
Upload web files
Set index and error documents
Enable static web hosting
Enable versioning
Disable block public access settings
Add a bucket policy
Add an identity policy

Answer 5

Upload web files
Set index and error documents
Enable static web hosting
Disable block public access settings
Add a bucket policy

Question 6

What S3 feature allows objects storage classes to be changed and objects deleted automatically

Answer 6

S3 Lifecycle policies

Question 7

What is the default limit of the number of S3 buckets in an AWS account

Answer 7

100

Question 8

How large can an object in S3 be ? and what (if any) limits are there on the number of objects in a bucket

Answer 8

Object Max = 5TB, No Object bucket limit

Question 9

What S3 feature needs to be enabled to allow Cross-Region Replication (CRR)

Answer 9

Versioning

Question 10

What S3 feature can be used to grant external accounts access to an S3 bucket

Answer 10

Resource Policies

Question 11

Which type of encryption allows for role separation where an S3 Full Admin might not be able to decrypt objects

Answer 11

SSE-KMS

Question 12

Which type of encryption is where AWS perform encryption operations but DON’T hold any keys

Answer 12

SSE-C

Question 13

What type of encryption means AWS perform the encryption operations and handle key creation & management

Answer 13

SSE-S3

Question 14

What feature is required to allow CRR to function

Answer 14

Versioning

Question 15

What happens when an object is deleted in a bucket with versioning enabled

Answer 15

A delete marker is added

Question 16

When should you use ACLs for S3

Answer 16

Never, unless you must, but AWS discourages their use

Question 17

When should you use identity policies to manage S3 bucket access

Answer 17

When you need different identities to control different resources
When you have a preference for IAM

Question 18

When should you use bucket policies

Answer 18

To just control S3
To allow anonymous or cross-account access

Question 19

Can you disable bucket versioning once enabled

Answer 19

No, but you can suspend and unsuspend it

Question 20

Which versions consume space in an S3 bucket with versioning enabled

Answer 20

All the versions

Question 21

How do you achieve 0 cost for a bucket where you had enabled versioning

Answer 21

By deleting the bucket or by manually purging all versions

Question 22

Does suspending bucket versioning delete old versions

Answer 22

No

Question 23

How do you enable MFA delete on an S3 bucket

Answer 23

In versioning configuration

Question 24

What does MFA delete mean on an S3 bucket

Answer 24

It means that MFA is required to change bucket versioning state, and to delete versions

Question 25

What does MFA delete mean with regards to API calls to S3

Answer 25

You need to provide the serial number of the MFA thingy and the code

Question 26

What is the minimum object size for multipart upload

Answer 26

100MB

Question 27

What ar ethe 2 restrictions when using S3 accelerated transfer

Answer 27

No period in bucket name
Naming is DNS-compatible

Question 28

What compliance does KMS provide

Answer 28

FIPS 140-2 Level 2
Some features have L3 compliance, but overall L2

Question 29

Does KMS store Data Encryption Keys (DEKs)

Answer 29

No, it provides it then discards it

Question 30

How are DEKs used

Answer 30

They are generated, then the plaintext version can be used to encrypt and is then discarded, then an encrypted version is kept. It is encrypted with the KMS key that generated it. You store the encrypted key with the data

Question 31

how are KMS keys handled by default with regards to regions

Answer 31

By default, they ar erestricted to one region and never leave it

Question 32

Are buckets ever encrypted

Answer 32

No, the objects within it are.

Question 33

What is SSE-C

Answer 33

Customer manages the keys, S3 does the encrypting

Question 34

What is SSE-S3

Answer 34

S3 manages the keys and encryption

Question 35

What is SSE-KMS

Answer 35

Same as SSE-S3, but with KMS key

Question 36

What algorithm is used by SSE-S3

Answer 36

AES-256

Question 37

What is default encryption for S3 buckets

Answer 37

It only applies to objects for which encryption is not specified

Question 38

What is an advantage of SSE-KMS

Answer 38

Users that have permissions for S3 can only access objects if they also have permissions for the key

Question 39

What can you assume when S3 responds with 200

Answer 39

Data has been stored durably

Question 40

When should S3 standard be used

Answer 40

For frequently accessed data which is important and non replaceable

Question 41

When should S3 standard Infrequent Access be used

Answer 41

For long-lived data, which is important, but for which access is infrequent

Question 42

When should S3 One Zone IA be used

Answer 42

For long-lived data which is non-critical and replaceable and where access is infrequent

Question 43

When should S3 Glacier instant be used

Answer 43

For long-lived data, accessed once per quarter with millisecond access. You still have instant access

Question 44

When should S3 Glacier flexible be used (formerly S3 Glacier)

Answer 44

Use for archival data where frequent or real-time access is not needed. It takes minutes for retrieval.
First byte latency is minutes or hours (different possible speeds)

Question 45

Where are objects retrieved from S3 glacier stored

Answer 45

Temporarily stored in S3 infrequent access

Question 46

When should you used S3 Glacier Deep Archive

Answer 46

Use for archival data that rarely, if ever, needs to be accessed, It takes hours or days for retrieval (Legal or regulation data storage)

Question 47

When should you use AWS intelligent-tiering

Answer 47

Use for long-lived data with changing or unknown access patterns

Question 48

Which tiers are optional in AWS intelligent-tiering

Answer 48

The glacier ones with long access times

Question 49

What can’t you use as a trigger for S3 lifecycle

Answer 49

Accesses, you should use Intelligent Tiering instead

Question 50

What transition can’t be made with Lifecycle configuration for S3

Answer 50

One-zone IA into glacier instant retrieval

Question 51

What should you be careful with when doing lifecycle configurations

Answer 51

Small objects due to minimum billable size for some tiers

Question 52

What is the minimum length of time an objects needs to be in S3 standard before moving to IA or OZ IA with lifecycle configurations

Answer 52

30 days, however you could upload directly to them, it’s just not ok if they are first in standard. You can also do it manyually, you just won’t be able to do it using lifecycle config

Question 53

What is the minimum length of time an object needs to be in IA or OZ IA before going to the glacier classes

Answer 53

30 days

Question 54

What does Replication Time Control do

Answer 54

It adds 15 minutes replication SLA, otherwise it is a best-efforts process. It adds a guaranteed level of predictability and monitoring

Question 55

What is replication

Answer 55

Replicated from source to destination bucket

Question 56

What are the 2 types of replication

Answer 56

Cross-region replication
Same-region replication

Question 57

Is replication retroactive

Answer 57

No

Question 58

What is needed to activate replication

Answer 58

Versioning needs to be enabled

Question 59

Is replication one-way

Answer 59

Yes

Question 60

What encryptions types can be enabled by S3 replication

Answer 60

SSE-S3, SSE-KMS. It cannot handle SSE-C

Question 61

What is a permissions restriction when doing replication

Answer 61

The source bucket owner needs permissions to objects

Question 62

What is not replicated in S3 buckets even when replication is enabled

Answer 62

System events (changes made by lifecycle management), and Glacier or Glacier Deep Archive

Question 63

What is the default deletion behavior with S3 replication

Answer 63

Deletes (delete markers) are not replicated, but it can be enabled

Question 64

What are the reasons to use Same Region Replication

Answer 64

• To aggregate logs from different sources in a single location
• To synchronise prod & test data
• For resilience while maintaining strict sovereignty (keeping data in a specific country)

Question 65

What are the reasons to use Cross-Region Replication

Answer 65

• Global resilience improvements
• Latency reduction

Question 66

What are S3 presigned urls used for

Answer 66

To give a person or an application access to objects inside an S3 bucket using credentials in a safe & secure way

Question 67

How do you use presigned urls

Answer 67

You create an IAM user for an application, then the app asks for a presigned url of this IAM account.

Question 68

What is a common use of Presigned URLs

Answer 68

To offload media into S3, or as a part of serverless architecture

Question 69

Can you create a presigned url for an object you do not have access to

Answer 69

Yes, but the presigned url also won’t have access

Question 70

What time point is referenced when using a presigned url

Answer 70

The permissions at the current moment of the generating identity are used

Question 71

What could an access denied mean when using a presigned url

Answer 71

The the generating ID never had access, or does not have access right now

Question 72

Should you use a URL generated based on a role

Answer 72

No, since the URL will stop working when the temporary credentials expire, which usually happens before the url expires

Question 73

What is S3 select and Glacier Select used for

Answer 73

To retrieve part of an object instead of the entire thing using SQL-like statements

Question 74

What is an advantage of S3 select

Answer 74

It is pre-filtering that helps you save data transfer fees

Question 75

How much can you save with S3 select

Answer 75

Up to 400% faster and 80% cheaper

Question 76

What are the 2 modes for Retention Period of Object Lock

Answer 76

Compliance mode
Governance mode

Question 77

What is the difference between compliance mode and governance mode

Answer 77

Compliance mode can’t be changed

Question 78

Can an account root user change an object in compliance mode

Answer 78

No

Question 79

What do you need to modify an object locked in governance mode

Answer 79

The S3::BypassGovernanceRetention permission
Also need x-amz-bypas-governance-retention:true in header of request, however this is default in console ui

Question 80

What is legal hold for object lock

Answer 80

It is binary, you can’t delete or change until it is removed

Question 81

What permission is required to add or remove legal hold

Answer 81

S3:PutObjectLegalHold

Question 82

What is a use case for legal hold

Answer 82

Prevent accidental deletion of critical object versions

Question 83

Can you use retention period with legal hold

Answer 83

Yes
You can use many with overlap