SIMPLE STORAGE SERVICE (S3)

Question 1

Is S3 private by default?

Answer 1

Yes

Question 2

What can S3 Bucket Policies be used for?

Answer 2

1. Is Resource Police
2. Allow or Deny same or different accounts
3. Allow or Deny Anonymous principals (which Identity Policies are not able of)

Question 3

When to use Identity and Bucket Policies?

Answer 3

Identity: control diff resources, only applicable for the same account
Bucket: just for S3, work with anonymous or cross-accounts

Question 4

Can you disable an Object Version after enabling it?

Answer 4

No

Question 5

Can you suspend an Object Version after enabling it?

Answer 5

Yes

Question 6

What is MFA Delete?

Answer 6

MFA is required to change/delete bucket versioning state

Question 7

What is the maximum Single PUT Upload S3 Object size?

Answer 7

5GB

Question 8

What is the minimum Object size eligible for S3 Multipart Upload?

Answer 8

100MB

Question 9

What is the maximum number of parts allowed with Multipart Upload? What can be the minimum and maximum size of each part?

Answer 9

10.000 parts. Minimum: 5MB, Maximum: 5GB

Question 10

What is S3 Transfer Acceleration?

Answer 10

S3 Transfer Acceleration uses Edge Locations to speed up the transfer of object to S3 (by default it is switched off, the bucket name cannot contain periods and needs to be DNS compatible)

Question 11

What is KMS?

Answer 11

1. Key Management Service
2. It is regional and public service
3. Keys never leave KMS. IMPORTANT: provides FIPS 140-2 (L2)

Question 12

What is file max size that KMS can work with?

Answer 12

4 KB

Question 13

What can be used to overcome KMS file limitation of 4 KB?

Answer 13

DEK: Data Encryption Keys. In this case the user is responsible by encrypting and decrypting data manually.

Question 14

Can you extract a KMS key or make it leave a region?

Answer 14

No

Question 15

IMP: Study KMS Keu Policies

Question 16

What is S3 SSE?

Answer 16

Server-Side Encryption (bucket cannot be enrypted, only objects)

Question 18

What are the different types of SSE?

Answer 18

1. SSE-C: Customer-Provided
2. SSE-S3: Amazon S3-Managed Keys (default)
3. SSE-KMS: KMS Keys Stored in AWS Key Management Service

Question 18

Is S3 SSE mandatory?

Answer 18

Yes

Question 18

IMP: S3 Storage Classes

Answer 18

!!!

Question 19

What are S3 Lifecycle Configurations?

Answer 19

Set of rules. Transition actions and expiration actions

Question 20

What is the exception in S3 Lifecycle Configuration - Transition actions?

Answer 20

You can transition in a “water-fall”manner to the Storage Classes below the current class, except for the S3 One Zone-IA that cannot transition to S3 Glacier - Instant Retrieval

Question 21

IMP: Study well S3 Lifecycle Configuration - Transition actions

Answer 21

!!!

Question 22

What are S3 Replication types?

Answer 22

1. Cross-Region Replication (CRR)
2. Same-Region Replication (SRR)

Question 23

What are some S3 Replication Considerations?

Answer 23

1. By default, replication is non retroactive (it start from the moment you request replication even if the bucket already have objects). But you can use batch replication to overcome this situation
2. Versioning needs to be ON
3. By default, it is one-way replication process, from source to destination
4. No system events are replicated
5. No Glacier or Glacier Deep Archive objects can be replicated
6. By default, deletes are replicated between buckets

Question 24

What is S3 Presigned URL?

Answer 24

Should be used when there is an unauthenticated user that needs to temporarily access a private S3 Bucket, and we do not want to give him a specific IAM Identity nor provide AWS credentials

Question 25

Can you create a Presigned URL for a S3 object you have no access to?

Answer 25

Yes

Question 26

Does the permissions associated to a Presigned URL match the identity which generated it?

Answer 26

Yes

Question 27

Is it OK to generate a Presigned URL with a role?

Answer 27

No. URL stops working when temporary credentials expire

Question 28

What is S3 Select and Glacier Select?

Answer 28

It lets you use SQL-Like statements to select part of the object, pre-filtered by S3

Question 29

What are the types of S3 Event Notifications?

Answer 29

1. Create
2. Delete
3. Restore
4. Replicate

Question 30

What is S3 Object Lock?

Answer 30

Applies WORM principle (Write-Once-Read-Many), with no delete and no overwrite. Requires versioning

Question 31

What are S3 Object Lock types?

Answer 31

1. Retention period (days or years)
   a. Compliance: can’t be adjusted, deleted or overwritten even by root user until retention expires
   b. Governance: like Compliance but special permissions can be granted to adjust lock settings
2. Legal Hold: no retention period. It is set on Object version - ON or OFF. There are NO deletes or changes until removed

Question 32

What is S3 Access Points?

Answer 32

Is simplify managing access to S3 Buckets and Objects. Instead of having 1 Bucket policy, it is possible to:
1. create many access points
2. each w/ different policies
3. each w/ different network access controls
With one address endpoint to each access point.

Question 33

What is the AWS CLI command to create a S3 Access Point?

Answer 33

aws s3control create-access-point –name <A_NAME> -- account-id <A_NUMBER> --bucket <A_BUCKET></A_BUCKET></A_NUMBER></A_NAME>