Simple Storage Service (S3) Flashcards

1
Q

Which type of S3 encryption shows as AES256

A

SSE-S3

2
Q

Which S3 Storage class is suitable for data which is easily replaced (choose the most cost effective)

A

S3 One Zone-IA

3
Q

Which Object class in S3 is ideal for uncertain access and low admin overhead

A

S3 Intelligent-Tiering

4
Q

What is the cheapest S3 storage class for important data which needs to be retained for long periods and is rarely accessed

A

S3 Glacier

5
Q

Which steps are required to allow an S3 bucket to operate as a website (choose all which apply):

Install the HTTPD server files into the S3
Upload web files
Set index and error documents
Enable static web hosting
Enable versioning
Disable block public access settings
Add a bucket policy
Add an identity policy

A

Upload web files
Set index and error documents
Enable static web hosting
Disable block public access settings
Add a bucket policy

6
Q

What S3 feature allows objects' storage classes to be changed and objects to be deleted automatically

A

S3 Lifecycle policies

7
Q

What is the default limit of the number of S3 buckets in an AWS account

A

100

8
Q

How large can an object in S3 be, and what (if any) limits are there on the number of objects in a bucket

A

Object Max = 5TB, No Object bucket limit

9
Q

What S3 feature needs to be enabled to allow Cross-Region Replication (CRR)

A

Versioning

10
Q

What S3 feature can be used to grant external accounts access to an S3 bucket

A

Resource Policies

11
Q

Which type of encryption allows for role separation where an S3 Full Admin might not be able to decrypt objects

A

SSE-KMS

12
Q

Which type of encryption is where AWS perform encryption operations but DON’T hold any keys

A

SSE-C

13
Q

What type of encryption means AWS perform the encryption operations and handle key creation & management

A

SSE-S3

14
Q

What feature is required to allow CRR to function

A

Versioning

15
Q

What happens when an object is deleted in a bucket with versioning enabled

A

A delete marker is added

16
Q

When should you use ACLs for S3

A

Never, unless you must, but AWS discourages their use

17
Q

When should you use identity policies to manage S3 bucket access

A

When you need different identities to control different resources
When you have a preference for IAM

18
Q

When should you use bucket policies

A

To just control S3
To allow anonymous or cross-account access

19
Q

Can you disable bucket versioning once enabled

A

No, but you can suspend and unsuspend it

20
Q

Which versions consume space in an S3 bucket with versioning enabled

A

All the versions

21
Q

How do you achieve 0 cost for a bucket where you had enabled versioning

A

By deleting the bucket or by manually purging all versions

22
Q

Does suspending bucket versioning delete old versions

A

No

23
Q

How do you enable MFA delete on an S3 bucket

A

In versioning configuration

24
Q

What does MFA delete mean on an S3 bucket

A

It means that MFA is required to change bucket versioning state, and to delete versions

25
What does MFA delete mean with regards to API calls to S3
You need to provide the serial number of the MFA thingy and the code
26
What is the minimum object size for multipart upload
100MB
27
What are the 2 restrictions when using S3 accelerated transfer
No period in bucket name
Naming is DNS-compatible
28
What compliance does KMS provide
FIPS 140-2 Level 2. Some features have L3 compliance, but overall L2
29
Does KMS store Data Encryption Keys (DEKs)
No, it provides it then discards it
30
How are DEKs used
They are generated, then the plaintext version can be used to encrypt and is then discarded, then an encrypted version is kept. It is encrypted with the KMS key that generated it. You store the encrypted key with the data
31
How are KMS keys handled by default with regards to regions
By default, they are restricted to one region and never leave it
32
Are buckets ever encrypted
No, the objects within it are.
33
What is SSE-C
Customer manages the keys, S3 does the encrypting
34
What is SSE-S3
S3 manages the keys and encryption
35
What is SSE-KMS
Same as SSE-S3, but with KMS key
36
What algorithm is used by SSE-S3
AES-256
37
What is default encryption for S3 buckets
It only applies to objects for which encryption is not specified
38
What is an advantage of SSE-KMS
Users that have permissions for S3 can only access objects if they also have permissions for the key
39
What can you assume when S3 responds with 200
Data has been stored durably
40
When should S3 standard be used
For frequently accessed data which is important and non replaceable
41
When should S3 standard Infrequent Access be used
For long-lived data, which is important, but for which access is infrequent
42
When should S3 One Zone IA be used
For long-lived data which is non-critical and replaceable and where access is infrequent
43
When should S3 Glacier instant be used
For long-lived data, accessed once per quarter with millisecond access. You still have instant access
44
When should S3 Glacier flexible be used (formerly S3 Glacier)
Use for archival data where frequent or real-time access is not needed. It takes minutes for retrieval. First byte latency is minutes or hours (different possible speeds)
45
Where are objects retrieved from S3 glacier stored
Temporarily stored in S3 infrequent access
46
When should you use S3 Glacier Deep Archive
Use for archival data that rarely, if ever, needs to be accessed. It takes hours or days for retrieval (Legal or regulation data storage)
47
When should you use AWS intelligent-tiering
Use for long-lived data with changing or unknown access patterns
48
Which tiers are optional in AWS intelligent-tiering
The glacier ones with long access times
49
What can't you use as a trigger for S3 lifecycle
Accesses, you should use Intelligent Tiering instead
50
What transition can't be made with Lifecycle configuration for S3
One-zone IA into glacier instant retrieval
51
What should you be careful with when doing lifecycle configurations
Small objects due to minimum billable size for some tiers
52
What is the minimum length of time an object needs to be in S3 standard before moving to IA or OZ IA with lifecycle configurations
30 days, however you could upload directly to them, it's just not ok if they are first in standard. You can also do it manually, you just won't be able to do it using lifecycle config
53
What is the minimum length of time an object needs to be in IA or OZ IA before going to the glacier classes
30 days
54
What does Replication Time Control do
It adds 15 minutes replication SLA, otherwise it is a best-efforts process. It adds a guaranteed level of predictability and monitoring
55
What is replication
Replicated from source to destination bucket
56
What are the 2 types of replication
Cross-region replication
Same-region replication
57
Is replication retroactive
No
58
What is needed to activate replication
Versioning needs to be enabled
59
Is replication one-way
Yes
60
What encryption types can be enabled by S3 replication
SSE-S3, SSE-KMS. It cannot handle SSE-C
61
What is a permissions restriction when doing replication
The source bucket owner needs permissions to objects
62
What is not replicated in S3 buckets even when replication is enabled
System events (changes made by lifecycle management), and Glacier or Glacier Deep Archive
63
What is the default deletion behavior with S3 replication
Deletes (delete markers) are not replicated, but it can be enabled
64
What are the reasons to use Same Region Replication
- To aggregate logs from different sources in a single location
- To synchronise prod & test data
- For resilience while maintaining strict sovereignty (keeping data in a specific country)
65
What are the reasons to use Cross-Region Replication
- Global resilience improvements
- Latency reduction
66
What are S3 presigned urls used for
To give a person or an application access to objects inside an S3 bucket using credentials in a safe & secure way
67
How do you use presigned urls
You create an IAM user for an application, then the app asks for a presigned url of this IAM account.
68
What is a common use of Presigned URLs
To offload media into S3, or as a part of serverless architecture
69
Can you create a presigned url for an object you do not have access to
Yes, but the presigned url also won't have access
70
What time point is referenced when using a presigned url
The permissions at the current moment of the generating identity are used
71
What could an access denied mean when using a presigned url
The generating ID never had access, or does not have access right now
72
Should you use a URL generated based on a role
No, since the URL will stop working when the temporary credentials expire, which usually happens before the url expires
73
What is S3 select and Glacier Select used for
To retrieve part of an object instead of the entire thing using SQL-like statements
74
What is an advantage of S3 select
It is pre-filtering that helps you save data transfer fees
75
How much can you save with S3 select
Up to 400% faster and 80% cheaper
76
What are the 2 modes for Retention Period of Object Lock
Compliance mode
Governance mode
77
What is the difference between compliance mode and governance mode
Compliance mode can't be changed
78
Can an account root user change an object in compliance mode
No
79
What do you need to modify an object locked in governance mode
The s3:BypassGovernanceRetention permission. Also need x-amz-bypass-governance-retention:true in the header of the request; however, this is the default in the console UI
80
What is legal hold for object lock
It is binary, you can't delete or change until it is removed
81
What permission is required to add or remove legal hold
S3:PutObjectLegalHold
82
What is a use case for legal hold
Prevent accidental deletion of critical object versions
83
Can you use retention period with legal hold
Yes. You can use many with overlap