SIMPLE STORAGE SERVICE (S3) Flashcards
Is s3 private by default?
Yes
A form of resource policies used for S3
Bucket Policies
Can resource policies effect different accounts?
Yes
Can bucket policies allow/deny anonymous principals
Yes
Policies used for the identities in the same account or multiple resources
Identity
Policies used for cross-account or just controlling S3
Bucket policies
Allows access to S3 via HTTP once index and error documents are set
Static Web Hosting
Specific address that the bucket can be access from using HTTP
Website Endpoint
Storage is one of the cost components of S3
True
Requests and Data retrievals are one of the cost components of S3
True
Data Transfer is one of the cost components of S3
True
Lets you keep a copy of an object whenever it is overwritten as its versions also protects your objects from accidental deletions
versioning
markers on an object version to mark it as removed, rather than permanently deleting it from your S3 bucket
Delete Markers
Can you disable versioning off after enabling it?
No only suspended
Charged and space is consumed by all version of an object
True
a security feature that is used together with S3 Versioning to prevent unauthorized
or accidental deletions in your S3 bucket
MFA delete
The bucket owner must include two forms of authentication in any request to delete an object version or change the versioning state of the bucket
MFA delete
single data stream to S3, if the stream fails upload fails
Single Put Upload
Max file size per single upload
5 gb
Data is broken up into parts for uploading, parts can fail and be restarted
Multipart Upload
Uses the network of Edge locations to upload to optimize long distance transfers from your client to Amazon S3
Transfer Acceleration
Buckets are not encrypted by objects inside buckets are
True
Data is first encrypted on the client-side before uploaded to Amazon
S3. You manage the encryption process, the encryption keys, and related tools
Client-Side encryption (CSE)
Amazon S3 encrypts your object before saving it on disks in its data
centers and then decrypts it when you download the objects
Server-Side encryption (SSE)
You manage the encryption keys and S3 manages the encryption and decryption process
SSE-C
S3 uses AES-256 encryption keys to encrypt your objects, and each object is encrypted with a unique key
SSE-S3 (AES256)
S3 uses AES-256 encryption keys to encrypt your
objects but the key is managed in a different service, which is AWS KMS
SSE-KMS
Share objects or allow your customers/users to upload objects to buckets without AWS security credentials or permissions. Takes on the realtime permissions of the creator when used
Presigned URL
Grants others time-limited permission to download or upload objects
from and to the owner’s S3 buckets
Presigned URL
Used in serverless architectures where access to a private s3 bucket is controlled
Presigned URL
Can you create a presigned url you have no access to?
Yes
Used to retrieve parts of objects instead of whole objects using SQL like statements
S3 Select
feature to receive notifications when certain events happen in your S3 bucket such as creating, deleting, restoring or replicating an object
Amazon S3 Event Notifications
Can S3 Event Notifications be delivered to EC2?
No SQS, SNS, Lambda only
Provides detailed records for the requests that are made to an Amazon S3 bucket used for security and access audits
S3 server access logging
Store objects using a write-once-read-many (WORM) model which requires versioning
Object Lock
object is WORM-protected and can’t be overwritten or deleted and remains in place until you explicitly remove it
Legal Hold
Retention mode where certain permissions can be granted to adjust the lock settings
Governance
named network endpoints that are attached to buckets that you can use to perform S3 object operations
Access points
Used to monitor malicious activity on S3 such as unauthorized access or suspicious access patterns
AWS Guard Duty
