S3 1

Question 1

Versioning

How do you disable versioning?

Answer 1

Can’t, but can pause it.

Question 2

Versioning

What is the version Key ID on an object without bucket versioning?

Answer 2

Null

Question 3

Versioning

When is a Key ID null once a bucket is versioned?

Answer 3

Absolutely never.

Question 4

Versioning

What happens when you delete an object on a versioned bucket?

Answer 4

Adds a delete marker.

Question 5

Versioning

What happens when you delete a Key ID on a versioned bucket?

Answer 5

True delete, gone forever.

Question 6

Signed URLs

How long is a signed URL good for?

Answer 6

Until the creds that signed it expire or it’s expiration.

Question 7

Signed URLs

What can you do with a signed URL?

Answer 7

Whatever the Principal that signed it can do. Careful signing with R/W privs if you only want to grant R/O!

Question 8

Signed URLs

Can you scope down a PSU to just s3:GetObject, for example?

Answer 8

No. Uses full access rights of whatever signed it.

Question 9

Signed URLs

What is the problematic constraint with signed URLs?

Answer 9

Signed URL expires when the temp creds expire that signed it.

Question 10

Signed URLs

Best practice for signing PSUs?

Answer 10

Use IAM User creds (long-lived creds)

Question 11

Signed URLs

App has a PSU. What boto3 S3 call needed to use it?

Answer 11

Nope, it’s a URL, so use requests: straight HTTPS client only.

Question 12

Signed URLs

Can you create a PSU for an object you don’t have access to?

Answer 12

Yes

Question 13

Signed URLs

Generate PSU, change permissions on signing role, then use PSU. What happens?

Answer 13

Uses the at-this-moment permissions of the signing role when PSU used

Question 14

Signed URLs

Use a PSU, what’s in the audit/access log?

Answer 14

Looks like the principal that signed the PSU did the access