Amazon S3 security (associate) Flashcards

1
Q

What are some features of Amazon S3 object encryption?

A
  • You can encrypt objects in S3 buckets using one of 4 methods:
  1. Server-side encryption with Amazon S3-managed keys (SSE-S3): enabled by default; S3 encrypts objects using keys handled, managed, and owned by AWS
  2. Server-side encryption with KMS keys stored in AWS KMS (SSE-KMS): leverages AWS Key Management Service (AWS KMS) to manage the encryption keys
  3. Server-side encryption with customer-provided keys (SSE-C): when you want to manage your own encryption keys outside AWS
  4. Client-side encryption: the object is encrypted by the client before it is sent to S3
2
Q

What are some features of Amazon S3 encryption-SSE-S3? (Server side encryption)

A
  • Encryption using keys handled, managed, and owned by AWS
  • Object is encrypted server side
  • Encryption type is AES-256
  • To request it explicitly, set the header "x-amz-server-side-encryption": "AES256"
  • Enabled by default for new buckets & new objects
3
Q

What are some features of SSE KMS?

A
  • Encryption using keys handled and managed by AWS KMS (Key Management Service): either the AWS managed key aws/s3 or a customer managed key you create
  • KMS advantage: user control over the key (key policies) + audit of every key use with CloudTrail
  • Object is encrypted server side
  • Must set header "x-amz-server-side-encryption": "aws:kms" (optionally "x-amz-server-side-encryption-aws-kms-key-id" to choose the key)
4
Q

What are the limitations to SSE KMS?

A
  • If you use SSE-KMS you may be impacted by the KMS request limits
  • When you upload, S3 calls the GenerateDataKey KMS API
  • When you download, S3 calls the Decrypt KMS API
  • These calls count towards the KMS requests-per-second quota (5,500, 10,000 or 30,000 depending on the Region), so a very high-throughput bucket can be throttled by KMS
  • You can request a quota increase using the Service Quotas console; enabling S3 Bucket Keys also reduces the number of KMS calls (and cost) by deriving data keys from a bucket-level key
  • The caller therefore also needs kms:GenerateDataKey / kms:Decrypt on the key, in addition to the S3 permissions
5
Q

What are some features of SSE-C encryption?

A
  • Server-side encryption using keys fully managed by the customer outside of AWS
  • Amazon S3 DOES NOT store the encryption key you provide (only a randomly salted HMAC of it, to validate later requests)
  • HTTPS must be used, because the key itself travels in the request
  • The encryption key must be provided in HTTP headers on every request made (upload and download)
6
Q

What are some features of client side encryption?

A
  • Use client libraries such as the Amazon S3 Client-Side Encryption Library
  • Clients must encrypt data themselves before sending it to Amazon S3
  • Clients must decrypt data themselves when retrieving it from Amazon S3
  • The customer fully manages the keys and the encryption cycle
7
Q

What are some features of encryption in transit (SSL/TLS)?

A
  • Encryption in flight is also called SSL/TLS
  • Amazon S3 exposes two endpoints:
    1. HTTP endpoint (not encrypted)
    2. HTTPS endpoint (encryption in flight)
  • HTTPS is recommended; you can enforce it with a bucket policy that denies requests where the aws:SecureTransport condition key is false
  • HTTPS is mandatory for SSE-C
8
Q

__________ is just “double encryption based on KMS”.

A

DSSE-KMS (dual-layer server-side encryption with AWS KMS keys; header value "aws:kms:dsse")

9
Q

What are the features of default encryption vs bucket policies?

A
  1. SSE-S3 encryption is automatically applied to new objects stored in an S3 bucket (the bucket default can also be changed to SSE-KMS or DSSE-KMS)
  2. Optionally you can force encryption using a bucket policy that refuses any API call to PUT an S3 object without the required encryption headers (SSE-KMS or SSE-C)
  3. Bucket policies are evaluated before default encryption, so a PUT without the header is denied rather than silently encrypted with the default
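As an added worked example (not from the original flashcards or from AWS), the following Python builds the request headers for each server-side encryption mode from cards 1 to 5 and 8, and pairs them with a bucket policy of the kind card 9 describes, plus a small evaluator for that policy. The bucket name, the KMS key ARN and the evaluator's simplified treatment of the StringNotEquals and Null operators are assumptions made for illustration; the header names and values are the real S3 ones.

```python
"""Request headers per S3 server-side encryption mode, and a bucket policy
that refuses PutObject calls lacking the SSE-KMS header (added example)."""
import base64
import hashlib
import json
from typing import Optional

# Constructed placeholders, not real resources.
BUCKET = "example-encrypted-bucket"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def sse_headers(mode: str, kms_key_id: Optional[str] = None,
                customer_key: Optional[bytes] = None) -> dict:
    """Headers a PutObject (or, for SSE-C, also a GetObject) needs for the given mode."""
    if mode == "SSE-S3":
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:  # omit to use the AWS managed key aws/s3
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "DSSE-KMS":
        return {"x-amz-server-side-encryption": "aws:kms:dsse"}
    if mode == "SSE-C":
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) key")
        # S3 never stores this key, so it must accompany every request (HTTPS only);
        # the MD5 lets S3 detect a corrupted key before encrypting with it.
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key": base64.b64encode(customer_key).decode(),
            "x-amz-server-side-encryption-customer-key-MD5":
                base64.b64encode(hashlib.md5(customer_key).digest()).decode(),
        }
    raise ValueError(f"unknown SSE mode: {mode}")


def sse_c_key_matches(headers: dict, customer_key: bytes) -> bool:
    """True if the SSE-C key and key-MD5 headers both correspond to customer_key."""
    expected = sse_headers("SSE-C", customer_key=customer_key)
    return all(headers.get(k) == v for k, v in expected.items())


# Two Deny statements: one for a wrong header value, one for a missing header.
# The explicit Null statement means the policy does not depend on how IAM treats
# a missing key under StringNotEquals.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyWrongEncryptionHeader",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {
            "Sid": "DenyMissingEncryptionHeader",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def put_object_decision(headers: dict, policy: dict = BUCKET_POLICY) -> str:
    """Simplified local evaluation of the Deny statements for one PutObject.

    Assumption: only the StringNotEquals and Null operators on the
    s3:x-amz-server-side-encryption key are modelled; as in IAM, an explicit
    Deny wins over any Allow, so a matching Deny is the final answer.
    """
    value = headers.get("x-amz-server-side-encryption")
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        cond = stmt["Condition"]
        if "Null" in cond:
            want_missing = cond["Null"]["s3:x-amz-server-side-encryption"] == "true"
            if (value is None) == want_missing:
                return f"deny ({stmt['Sid']})"
        if "StringNotEquals" in cond:
            expected = cond["StringNotEquals"]["s3:x-amz-server-side-encryption"]
            if value is not None and value != expected:
                return f"deny ({stmt['Sid']})"
    return "allow"


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    for mode in ("SSE-S3", "SSE-KMS", "DSSE-KMS"):
        print(mode, put_object_decision(sse_headers(mode)))
    print("no header", put_object_decision({}))
```

Note that an SSE-C upload carries x-amz-server-side-encryption-customer-algorithm rather than x-amz-server-side-encryption, so this particular policy denies SSE-C too; to require SSE-C instead, condition on the s3:x-amz-server-side-encryption-customer-algorithm key.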
10
Q

What is CORS?

A
  1. Cross-Origin Resource Sharing (CORS)
  2. Origin = scheme (protocol) + host (domain) + port
  3. Web-browser-based mechanism to allow requests to other origins while visiting the main origin

Ex. Same origin: http://example.com/app1 & http://example.com/app2

Different origins: http://www.example.com & http://other.example.com

  4. The request won't be fulfilled unless the other origin allows the request using CORS headers (ex. Access-Control-Allow-Origin)
11
Q

How does Amazon S3 and CORS interact?

A
  1. If a client makes a cross-origin request to our S3 bucket, we need to enable the correct CORS headers
  2. You can allow a specific origin or * (all origins)

CORS is a web browser security mechanism; on S3 it lets images/assets/files be retrieved from one S3 bucket when the request originates from another origin (e.g. a static website hosted in a different bucket). It restricts browsers only: it is not an access-control mechanism for the bucket, which is still governed by bucket policies and IAM.
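An added Python example, not part of the original flashcards, that computes origins the way the browser does (the examples from card 10 included) and models how a bucket's CORS rules, in the shape you would pass to put-bucket-cors, decide which Access-Control-* headers S3 sends back. The rule set and origins are constructed, and the matching is a simplified model of S3's first-matching-rule behaviour rather than S3's own code.

```python
"""Origin comparison and a simplified model of S3 CORS rule matching (added example)."""
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Origin = scheme + host + port. The path is not part of the origin."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (u.hostname or "").lower(), port)


def same_origin(a: str, b: str) -> bool:
    return origin_of(a) == origin_of(b)


# Constructed CORS configuration, in the JSON shape S3 accepts for a bucket.
CORS_RULES = [
    {
        "AllowedOrigins": ["https://www.example.com"],
        "AllowedMethods": ["GET", "HEAD"],
        "AllowedHeaders": ["Authorization"],
        "ExposeHeaders": ["ETag"],
        "MaxAgeSeconds": 3000,
    },
    {
        # S3 permits a single '*' in an origin, which is how subdomains are allowed
        "AllowedOrigins": ["https://*.dev.example.com"],
        "AllowedMethods": ["GET", "PUT"],
        "AllowedHeaders": ["*"],
    },
]


def origin_matches(pattern: str, origin: str) -> bool:
    """Match one AllowedOrigins entry, honouring S3's single-wildcard rule."""
    if pattern == "*":
        return True
    if pattern.count("*") > 1:
        raise ValueError("S3 allows at most one '*' in an AllowedOrigins entry")
    if "*" in pattern:
        prefix, suffix = pattern.split("*")
        return (len(origin) >= len(prefix) + len(suffix)
                and origin.startswith(prefix) and origin.endswith(suffix))
    return pattern == origin


def cors_headers(origin: str, method: str, rules=CORS_RULES) -> Optional[dict]:
    """Response headers S3 would add for a request from `origin` with `method`,
    or None when no rule matches (the browser then blocks the response).
    Simplified model: the first rule matching both origin and method wins."""
    for rule in rules:
        if method.upper() not in rule["AllowedMethods"]:
            continue
        for pattern in rule["AllowedOrigins"]:
            if origin_matches(pattern, origin):
                headers = {
                    "Access-Control-Allow-Origin": "*" if pattern == "*" else origin,
                    "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
                    "Vary": "Origin",
                }
                if rule.get("ExposeHeaders"):
                    headers["Access-Control-Expose-Headers"] = ", ".join(rule["ExposeHeaders"])
                if "MaxAgeSeconds" in rule:
                    headers["Access-Control-Max-Age"] = str(rule["MaxAgeSeconds"])
                return headers
    return None


if __name__ == "__main__":
    print(same_origin("http://example.com/app1", "http://example.com/app2"))
    print(cors_headers("https://www.example.com", "GET"))
    print(cors_headers("https://other.example.com", "GET"))
```

A wildcard rule is convenient for public assets, but pairing "AllowedOrigins": ["*"] with PUT or DELETE lets any web page the user visits write to the bucket on behalf of whatever credentials the browser can present; keep write methods on explicit origins.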

12
Q

Describe MFA delete

A
  1. MFA (Multi-Factor Authentication) forces the user to generate a code on a device before doing important operations on S3
  2. MFA will be required to:
    - Permanently delete an object version
    - Suspend versioning on the bucket
  3. MFA won't be required to:
    - Enable versioning
    - List deleted versions
  4. To use MFA Delete, versioning must be enabled on the bucket
  5. Only the bucket owner (root account) can enable/disable MFA Delete, and only through the CLI/API, not the console
13
Q

What are some features of S3 Access Logs?

A
  1. For audit purposes you may want to log all access to S3 buckets
  2. Any request made to S3, from any account, authorized or denied, will be logged into another S3 bucket (server access logs are delivered on a best-effort basis, with some delay)
  3. That data can be analyzed using data analysis tools (e.g. Amazon Athena)
  4. The target logging bucket must be in the same AWS Region
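An added example, not from the flashcards, that parses S3 server access log lines and flags the entries a security team would want to see first: denied requests, anonymous requests that succeeded, calls made over plaintext HTTP, and permission changes. The log lines are constructed for the example; the field order follows S3's documented server access log format, and the set of watched operation names is a tunable assumption rather than an AWS-defined list.

```python
"""Parse S3 server access log lines and flag security-relevant entries (added example)."""
import re
from collections import Counter
from datetime import datetime

# One token is a [bracketed time], a "quoted string" or a bare field.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Standard field order of an S3 server access log record. Newer records append
# further fields (access point ARN, aclRequired); those are ignored here.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turnaround_time", "referer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite", "auth_type",
    "host_header", "tls_version",
]

# Operations that change who can read or write the bucket (assumed watchlist; tune it).
WATCHED_OPERATIONS = {"REST.PUT.ACL", "REST.PUT.BUCKETPOLICY", "REST.DELETE.BUCKETPOLICY"}

# Constructed sample log, not real traffic.
SAMPLE_LOG = "\n".join([
    'ownerEXAMPLE example-audit-bucket [15/Jan/2024:12:00:01 +0000] 198.51.100.10 arn:aws:iam::111122223333:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.pdf "GET /reports/q1.pdf HTTP/1.1" 200 - 2048 2048 12 10 "-" "aws-cli/2.15.0" - hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-audit-bucket.s3.us-east-1.amazonaws.com TLSv1.2',
    'ownerEXAMPLE example-audit-bucket [15/Jan/2024:12:00:05 +0000] 203.0.113.7 arn:aws:iam::111122223333:user/bob 7A2B3C4DEXAMPLE REST.GET.OBJECT secrets/db.env "GET /secrets/db.env HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "python-requests/2.31" - hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-audit-bucket.s3.us-east-1.amazonaws.com TLSv1.2',
    'ownerEXAMPLE example-audit-bucket [15/Jan/2024:12:01:10 +0000] 192.0.2.44 - 9F8E7D6CEXAMPLE REST.GET.OBJECT public/logo.png "GET /public/logo.png HTTP/1.1" 200 - 5120 5120 8 6 "https://www.example.com/" "Mozilla/5.0" - hostidEXAMPLE= - ECDHE-RSA-AES128-GCM-SHA256 - example-audit-bucket.s3.us-east-1.amazonaws.com TLSv1.2',
    'ownerEXAMPLE example-audit-bucket [15/Jan/2024:12:02:30 +0000] 198.51.100.10 arn:aws:iam::111122223333:user/alice 5D4C3B2AEXAMPLE REST.PUT.ACL public/logo.png "PUT /public/logo.png?acl HTTP/1.1" 200 - - 5120 15 12 "-" "aws-cli/2.15.0" - hostidEXAMPLE= SigV4 - AuthHeader example-audit-bucket.s3.us-east-1.amazonaws.com -',
])


def parse_line(line: str) -> dict:
    """Split one record into named fields; '-' stays as-is for absent values."""
    tokens = [t.strip('[]"') for t in _TOKEN.findall(line)]
    if len(tokens) < len(FIELDS):
        raise ValueError(f"record has {len(tokens)} fields, expected at least {len(FIELDS)}")
    rec = dict(zip(FIELDS, tokens))
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def findings(records: list) -> list:
    """Return (kind, record) pairs for entries worth triage."""
    out = []
    for r in records:
        if r["error_code"] == "AccessDenied":
            out.append(("access_denied", r))
        if r["requester"] == "-" and r["http_status"].startswith("2"):
            out.append(("anonymous_success", r))   # unauthenticated request that succeeded
        if r["tls_version"] == "-":
            out.append(("plaintext_http", r))      # served over HTTP, not HTTPS
        if r["operation"] in WATCHED_OPERATIONS:
            out.append(("permission_change", r))
    return out


def summarize(text: str) -> dict:
    """Counts of each finding kind for a whole log file."""
    return dict(Counter(kind for kind, _ in findings(parse_log(text))))


if __name__ == "__main__":
    for kind, rec in findings(parse_log(SAMPLE_LOG)):
        print(f"{kind:18} {rec['time'].isoformat()} {rec['requester']} {rec['operation']} {rec['key']}")
```

On a real bucket the input would be the objects delivered to the logging bucket; the same records can be queried with Athena once a table is defined over the log prefix.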
14
Q

What are some warnings when it comes to access logs?

A
  1. DON'T set your logging bucket to be the monitored bucket
  2. It would create a logging loop in which every delivered log record generates more log records, so the bucket grows without bound
15
Q

What are some features of pre-signed URLs?

A
  1. Generate pre-signed URLs using the S3 console, AWS CLI or SDK
  2. URL expiration:
    - S3 console: 1 minute up to 720 minutes (12 hours)
    - AWS CLI: configure the expiration with the --expires-in parameter, in seconds (default 3600, maximum 604800 = 7 days)
  3. A user given a pre-signed URL inherits the permissions of the identity that generated the URL for GET/PUT, so generate them from a least-privilege identity and treat the URL as a bearer credential until it expires
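An added example, written here rather than taken from the flashcards or from AWS tooling, that generates a SigV4 presigned GET URL in pure Python and then verifies one. It shows that the expiry is part of the signed data (so it cannot be extended by editing the URL) and that whoever holds the URL can use it until it expires. Credentials, bucket, object key and timestamps are constructed dummies; in practice you would use `aws s3 presign --expires-in` or the SDK's generate_presigned_url rather than this code.

```python
"""SigV4 query-string presigning for S3, generation and verification (added example)."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed placeholders: not real credentials, bucket or object.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
BUCKET, REGION, KEY = "example-bucket", "us-east-1", "reports/q1 summary.pdf"
MAX_EXPIRES = 7 * 24 * 3600  # SigV4 caps presigned URLs at 7 days (604800 s)
ISSUED_AT = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), "s3"), "aws4_request")."""
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    return k


def _canonical_query(params: dict) -> str:
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))


def _signature(method, host, key, params, secret, date, region) -> str:
    canonical_request = "\n".join([
        method, "/" + quote(key, safe="/"), _canonical_query(params),
        f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", params["X-Amz-Date"], f"{date}/{region}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, date, region), string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign(key: str, expires: int, now: datetime, method: str = "GET", bucket: str = BUCKET,
            region: str = REGION, access_key: str = ACCESS_KEY, secret: str = SECRET_KEY) -> str:
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 second and 7 days")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    params = {  # everything here is covered by the signature, including the expiry
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(method, host, key, params, secret, amz_date[:8], region)
    return f"https://{host}/{quote(key, safe='/')}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify(url: str, now: datetime, method: str = "GET", secret: str = SECRET_KEY) -> bool:
    """What S3 does on receipt: check the window, then recompute the signature."""
    u = urlsplit(url)
    params = dict(parse_qsl(u.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    try:
        _access_key, date, region, service, term = params["X-Amz-Credential"].split("/")
        signed_at = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False
    if service != "s3" or term != "aws4_request" or params.get("X-Amz-SignedHeaders") != "host":
        return False
    if not 1 <= expires <= MAX_EXPIRES or now > signed_at + timedelta(seconds=expires):
        return False
    expected = _signature(method, u.hostname, unquote(u.path[1:]), params, secret, date, region)
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    url = presign(KEY, 3600, ISSUED_AT)
    tampered = url.replace("X-Amz-Expires=3600", "X-Amz-Expires=604800")
    try:
        presign(KEY, MAX_EXPIRES + 1, ISSUED_AT)
        rejects_long_expiry = False
    except ValueError:
        rejects_long_expiry = True
    soon, late = ISSUED_AT + timedelta(minutes=30), ISSUED_AT + timedelta(hours=2)
    return {
        "url": url,
        "valid_now": verify(url, soon),
        "valid_after_expiry": verify(url, late),
        "tampered_valid": verify(tampered, soon),
        "wrong_secret_valid": verify(url, soon, secret="not-the-secret"),
        "rejects_long_expiry": rejects_long_expiry,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the URL is valid for anyone who presents it, the identity used to sign it should hold no more than the GET (or PUT) the link is meant to grant; S3 checks that identity's permissions at request time, so revoking them also invalidates outstanding URLs.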
16
Q

What are some features of S3 glacier Vault lock?

A
  1. Adopt a WORM (write once read many) model
  2. Create a Vault Lock policy
  3. Lock the policy against future edits (it can no longer be changed or deleted)
  4. Helpful for compliance and data retention
17
Q

What are some features of S3 Object lock (versioning must be enabled) ?

A
  1. Adopt a WORM (write once read many) model
  2. Block an object version's deletion for a specified amount of time
  3. Retention mode - Compliance:
    - object versions can't be overwritten or deleted by any user, including the root user
    - the object's retention mode can't be changed and retention periods can't be shortened
  4. Retention mode - Governance:
    - most users can't overwrite or delete an object version or alter its lock settings
    - some users have special permissions (s3:BypassGovernanceRetention) to change the retention or delete the object
  5. Retention period: protects the object for a fixed period; it can be extended but not shortened
  6. Legal hold:
    - protects the object indefinitely, independent of the retention period
    - can be freely placed and removed by anyone with the s3:PutObjectLegalHold IAM permission
18
Q

What are some features of access points?

A
  1. Access points simplify security management for S3 buckets
  2. Each access point has:
    - its own DNS name (Internet origin or VPC origin)
    - an access point policy (similar to a bucket policy) to manage security at scale
19
Q

What are some features of VPC origin related to access points?

A
  1. We can define the access point to be accessible only from within the VPC
  2. You must create a VPC endpoint to reach the access point (gateway or interface endpoint)
  3. The VPC endpoint policy must allow access to the target bucket and the access point