Simple Storage Service (S3) Flashcards
Which type of S3 encryption shows as AES256
SSE-S3
Which S3 Storage class is suitable for data which is easily replaced (choose the most cost effective)
S3 One Zone-IA
Which Object class in S3 is ideal for uncertain access and low admin overhead
S3 Intelligent-Tiering
What is the cheapest S3 storage class for important data which need to be retained for long periods and is rarely accessed
S3 Glacier
Which steps are required to allow an S3 bucket to operate as a website (choose all which apply):
Install the HTTPD server files into the S3
Upload web files
Set index and error documents
Enable static web hosting
Enable versioning
Disable block public access settings
Add a bucket policy
Add an identity policy
Upload web files
Set index and error documents
Enable static web hosting
Disable block public access settings
Add a bucket policy
What S3 feature allows objects storage classes to be changed and objects deleted automatically
S3 Lifecycle policies
What is the default limit of the number of S3 buckets in an AWS account
100
How large can an object in S3 be ? and what (if any) limits are there on the number of objects in a bucket
Object Max = 5TB, No Object bucket limit
What S3 feature needs to be enabled to allow Cross-Region Replication (CRR)
Versioning
What S3 feature can be used to grant external accounts access to an S3 bucket
Resource Policies
Which type of encryption allows for role separation where an S3 Full Admin might not be able to decrypt objects
SSE-KMS
Which type of encryption is where AWS perform encryption operations but DON’T hold any keys
SSE-C
What type of encryption means AWS perform the encryption operations and handle key creation & management
SSE-S3
What feature is required to allow CRR to function
Versioning
What happens when an object is deleted in a bucket with versioning enabled
A delete marker is added
When should you use ACLs for S3
Never, unless you must, but AWS discourages their use
When should you use identity policies to manage S3 bucket access
When you need different identities to control different resources
When you have a preference for IAM
When should you use bucket policies
To just control S3
To allow anonymous or cross-account access
Can you disable bucket versioning once enabled
No, but you can suspend and unsuspend it
Which versions consume space in an S3 bucket with versioning enabled
All the versions
How do you achieve 0 cost for a bucket where you had enabled versioning
By deleting the bucket or by manually purging all versions
Does suspending bucket versioning delete old versions
No
How do you enable MFA delete on an S3 bucket
In versioning configuration
What does MFA delete mean on an S3 bucket
It means that MFA is required to change bucket versioning state, and to delete versions
What does MFA delete mean with regards to API calls to S3
You need to provide the serial number of the MFA thingy and the code
What is the minimum object size for multipart upload
100MB
What ar ethe 2 restrictions when using S3 accelerated transfer
No period in bucket name
Naming is DNS-compatible
What compliance does KMS provide
FIPS 140-2 Level 2
Some features have L3 compliance, but overall L2
Does KMS store Data Encryption Keys (DEKs)
No, it provides it then discards it
How are DEKs used
They are generated, then the plaintext version can be used to encrypt and is then discarded, then an encrypted version is kept. It is encrypted with the KMS key that generated it. You store the encrypted key with the data
how are KMS keys handled by default with regards to regions
By default, they ar erestricted to one region and never leave it
Are buckets ever encrypted
No, the objects within it are.
What is SSE-C
Customer manages the keys, S3 does the encrypting
What is SSE-S3
S3 manages the keys and encryption
What is SSE-KMS
Same as SSE-S3, but with KMS key
What algorithm is used by SSE-S3
AES-256
What is default encryption for S3 buckets
It only applies to objects for which encryption is not specified
What is an advantage of SSE-KMS
Users that have permissions for S3 can only access objects if they also have permissions for the key
What can you assume when S3 responds with 200
Data has been stored durably
When should S3 standard be used
For frequently accessed data which is important and non replaceable
When should S3 standard Infrequent Access be used
For long-lived data, which is important, but for which access is infrequent
When should S3 One Zone IA be used
For long-lived data which is non-critical and replaceable and where access is infrequent
When should S3 Glacier instant be used
For long-lived data, accessed once per quarter with millisecond access. You still have instant access
When should S3 Glacier flexible be used (formerly S3 Glacier)
Use for archival data where frequent or real-time access is not needed. It takes minutes for retrieval.
First byte latency is minutes or hours (different possible speeds)
Where are objects retrieved from S3 glacier stored
Temporarily stored in S3 infrequent access
When should you used S3 Glacier Deep Archive
Use for archival data that rarely, if ever, needs to be accessed, It takes hours or days for retrieval (Legal or regulation data storage)
When should you use AWS intelligent-tiering
Use for long-lived data with changing or unknown access patterns
Which tiers are optional in AWS intelligent-tiering
The glacier ones with long access times
What can’t you use as a trigger for S3 lifecycle
Accesses, you should use Intelligent Tiering instead
What transition can’t be made with Lifecycle configuration for S3
One-zone IA into glacier instant retrieval
What should you be careful with when doing lifecycle configurations
Small objects due to minimum billable size for some tiers
What is the minimum length of time an objects needs to be in S3 standard before moving to IA or OZ IA with lifecycle configurations
30 days, however you could upload directly to them, it’s just not ok if they are first in standard. You can also do it manyually, you just won’t be able to do it using lifecycle config
What is the minimum length of time an object needs to be in IA or OZ IA before going to the glacier classes
30 days
What does Replication Time Control do
It adds 15 minutes replication SLA, otherwise it is a best-efforts process. It adds a guaranteed level of predictability and monitoring
What is replication
Replicated from source to destination bucket
What are the 2 types of replication
Cross-region replication
Same-region replication
Is replication retroactive
No
What is needed to activate replication
Versioning needs to be enabled
Is replication one-way
Yes
What encryptions types can be enabled by S3 replication
SSE-S3, SSE-KMS. It cannot handle SSE-C
What is a permissions restriction when doing replication
The source bucket owner needs permissions to objects
What is not replicated in S3 buckets even when replication is enabled
System events (changes made by lifecycle management), and Glacier or Glacier Deep Archive
What is the default deletion behavior with S3 replication
Deletes (delete markers) are not replicated, but it can be enabled
What are the reasons to use Same Region Replication
- To aggregate logs from different sources in a single location
- To synchronise prod & test data
- For resilience while maintaining strict sovereignty (keeping data in a specific country)
What are the reasons to use Cross-Region Replication
- Global resilience improvements
- Latency reduction
What are S3 presigned urls used for
To give a person or an application access to objects inside an S3 bucket using credentials in a safe & secure way
How do you use presigned urls
You create an IAM user for an application, then the app asks for a presigned url of this IAM account.
What is a common use of Presigned URLs
To offload media into S3, or as a part of serverless architecture
Can you create a presigned url for an object you do not have access to
Yes, but the presigned url also won’t have access
What time point is referenced when using a presigned url
The permissions at the current moment of the generating identity are used
What could an access denied mean when using a presigned url
The the generating ID never had access, or does not have access right now
Should you use a URL generated based on a role
No, since the URL will stop working when the temporary credentials expire, which usually happens before the url expires
What is S3 select and Glacier Select used for
To retrieve part of an object instead of the entire thing using SQL-like statements
What is an advantage of S3 select
It is pre-filtering that helps you save data transfer fees
How much can you save with S3 select
Up to 400% faster and 80% cheaper
What are the 2 modes for Retention Period of Object Lock
Compliance mode
Governance mode
What is the difference between compliance mode and governance mode
Compliance mode can’t be changed
Can an account root user change an object in compliance mode
No
What do you need to modify an object locked in governance mode
The S3::BypassGovernanceRetention permission
Also need x-amz-bypas-governance-retention:true in header of request, however this is default in console ui
What is legal hold for object lock
It is binary, you can’t delete or change until it is removed
What permission is required to add or remove legal hold
S3:PutObjectLegalHold
What is a use case for legal hold
Prevent accidental deletion of critical object versions
Can you use retention period with legal hold
Yes
You can use many with overlap
