S3

Question 1

S3 Server Side Encryption Types

Answer 1

SSE-S3
S3 manages encryption keys.
Free

SSE-C
Customer manages encryption keys.

SSE-KMS
AWS Key Management Service (KMS) manages the encryption keys.
Audit trail of when your key is used, and by whom.

Question 2

AWS Object Size Limit

Answer 2

0 bytes to 5 terabytes

Question 3

AWS S3 Scope

Answer 3

Region-wise

Question 4

S3 Storage Classes - 6 Types

Answer 4

Standard

Standard Infrequent Access (Standard IA)

Intelligent Tiering

One Zone Infrequent Access (One Zone IA)

S3 Glacier

S3 Glacier Deep Archive

Question 5

S3 Storage Class - Standard
Durability
Availability
Failures sustainability

Answer 5

Durability : 11 - Nines
Availability : 99.99%
Failures sustainability : Two aviability zones (AZ)

Question 6

S3 Storage Class - Standard Infrequent Access (Standard IA)
Durability
Availability
Failures sustainability
Saving :

Answer 6

Durability : 11 - Nines
Availability : 99.9%
Failures sustainability : One aviability zone (AZ)
Saving : ? on storage costs

Question 7

S3 Storage Class - One Zone-Infrequent Access (S3 One Zone-IA)
Durability
Availability
Failures sustainability
Saving :

Answer 7

Durability : 11 - Nines
Availability : 99.5%
Failures sustainability : 1 AZ
Saving : 20% less than S3 Standard-Infrequent Access

Question 8

S3 Storage Class - S3 Intelligent-Tiering
Durability
Availability
Failures sustainability
Saving :

Answer 8

Durability : 11 - Nines
Availability : 99.9%
Failures sustainability :
Saving : 40% on storage costs

Question 9

S3 Archive Standard - Glacier
3 Types

Answer 9

Amazon S3 Glacier Instant Retrieval
Amazon S3 Glacier Flexible Retrieval (Formerly S3 Glacier)
Amazon S3 Glacier Deep Archive

Question 10

S3 Archive Standard :
Amazon S3 Glacier Instant Retrieval

Durability
Availability
Retrieval Time
Cost

Answer 10

Durability : 11 Nines
Availability : 99.9%
Retrieval Time : milliseconds
Cost : 68% on storage costs compared to using the S3 Standard-Infrequent Access (S3 Standard-IA)

Question 11

S3 Archive Standard :
Amazon S3 Glacier Flexible Retrieval

Durability
Availability
Failure :
Retrieval Time
Cost

Answer 11

Durability : 11 Nines
Availability : 99.99%
Failure : one entire Availability Zone destruction
Retrieval Time : Configurable retrieval times, from minutes to hours
Cost : 10% lower cost (than S3 Glacier Instant Retrieval)

Question 12

Amazon S3 Glacier Deep Archive

Durability
Availability
Failure :
Retrieval Time
Cost

Answer 12

Durability :
Availability : 99.99%
Failure : Stored in 3 areas
Retrieval Time : 12 hrs or 48 hrs
Cost : lowest-cost storage class

Question 13

Object Lock & Glacier Lock

Answer 13

Both adopts WORM
(Write Once - Read Many Times)

Objects : Blocks object version deletion for a predetermined time

Glacier : Locks the policy for future edits

Question 14

AWS S3 Replication - Two Types
SRR - CRR

Answer 14

Same Region: Same Region Replication (SRR)

Different Region: Cross-Region Replication (CRR)

Question 15

AWS S3 Replication - points
Versioning
Accounts
Copying mode
IAM requirements

Answer 15

Must enabling versioning in source and destination
Buckets can be different accounts
Copying is asynchronous
Must give proper IAM permissions to S3

Question 16

Retention Period and Legal Hold

Answer 16

Retention Period
- Governance mode
- Compliance mode

Legal Hold
Lock has no expiration until the hold is removed

Lock feature must be enabled during the bucket creation only

Question 17

Governance mode

Answer 17

Users can’t overwrite or delete an object version or alter its lock settings unless they have special permissions
With governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary.

Question 18

Compliance mode

Answer 18

Protected object version can’t be overwritten or deleted by any user, including the root user in your AWS account.

Question 19

S3 object consists of

Answer 19

Key (Name)
Value
Version ID (used when versioning is turned on)
Metadata (data about the object such as date uploaded)
Sub-resources (ACL & Torrent)

Question 20

S3 Charging

Answer 20

Volume of data you have stored
Number of Requests
Data transfer out (including to buckets in other zones/regions)
Transfer Acceleration (Uses the AWS CloudFront CDN for caching files at edge locations)

Question 21

Uploading to S3

Answer 21

200 OK is returned after a successful upload.
Multipart upload is supported via the S3 API.
Recommended : Always Multipart uploads for file > 100mb.

Question 22

S3 bucket URL format

Answer 22

s3-region.amazonaws.com/bucketname/path-to-file

https://s3-ap-southeast-2.amazonaws.com/lithi/2017/10/8e306.jpg

Question 23

OAI (Origin Access Identity)

Answer 23

For allowing CloudFront to access objects in an S3 bucket,
while preventing the S3 bucket itself from being publicly accessible directly

Question 24

Bucket Policies & ACL

Answer 24

Bucket Policies override any ACLs -
if you enable public access via a Bucket Policy,
the object will be publicly accessible regardless any ACLs on Bucket

Question 25

Versioning

Answer 25

Disabled by default
Versioning once enabled, can only be disabled, but not removed.
Once versioning is enabled on existing bucket, versioning will not be applied to existing objects; versioning will only apply to any new or updated objects
Cross-region replication requires that versioning is enabled.
When you DELETE an object from a bucket with versioning, all versions remain and a delete marker is added.

Question 26

S3 Transfer Acceleration

Answer 26

Enables very fast, secure transfers of files over long distances (S3 bucket to client)
Utilizing Cloud Front’s edge locations.
Compatible with the multipart upload

Question 27

S3 Archives

Answer 27

Archives in Glacier class are immutable.
It can’t be modified but it can be deleted

Question 28

Glacier Vault Lock

Answer 28

Policies is a feature to protect archives to be deleted until a date

Question 29

S3 pre-signed URL

Answer 29

Can be used to provide temporary access to a private S3 object.
Three Parameters
- Bucket
- Key
- Expires

Question 30

S3 requester pays feature

Answer 30

By default, the bucket owner pays for the storage and for downloads. If the bucket owner wants to pay only for storage, the S3 requester pays must be enabled.

The requester pays buckets can’t be accessed by anonymous access.
It must be authenticated for billing purpose

Question 31

Cross-origin resource sharing (CORS)

Answer 31

Security mechanism that allows client web applications in one domain name to access resources in a different domain name.
For example, suppose you use an S3 bucket named Images to store graphics.
By configuring CORS for the Images bucket, you can allow the images in that bucket to be displayed on a website that hasn’t the same domain name

Question 32

S3 batch operations

Answer 32

Can be used to perform large-scale batch operations on S3 objects.
It can do the job on millions of objects. S3 tracks progress, send a notification, and stores a detailed completion report

Question 33

S3 Select

Answer 33

S3 Select runs simple SQL statements to filter the content of S3 objects to retrieve a subset of data

Works only on objects stored in SCV, JSON, or Apache Parquet format.
It works also with objects compressed with Gzip or Bzip2 (for JSON and CSV object only) and server-side encryption only.

Output of S3 Select can be in CSV or JSON

Question 34

Integration with other services

Answer 34

S3 integrates with CloudWatch and CloudTrail

Question 35

S3 Event notification

Answer 35

Sends a notification to SNS, SQS, or lambda to perform an action when events (upload, update, delete, etc) occur in S3

Question 36

S3 Access Logs

Answer 36

Used for audit purposes.
It logs all access to S3 buckets from any account (the operation, access or deny, etc)

Can be analyzed using data analysis tools or Amazon Athena.
It is enabled in the bucket level

Gives more details data than CloudTrail

Question 37

S3 Request Rates

Answer 37

Application can achieve at least
3500 put/copy/Post/Delete
or
5000 GET/HEAD requests per second per prefix in a bucket.

Question 38

S3 permissions

Answer 38

Resource Based Policies
Identity/User Policies

Identity Policy controls WHAT identities can access and Resource Policies controls WHO can access resources

Resource Policy have a “Principal” field.

Question 39

What policy is applied when anonymous users try to access an S3 Bucket?

Answer 39

Only the bucket policy

Question 40

What policy is applied when an external identity tries to access an S3 bucket?

Answer 40

Identity policy and bucket policy are applied and need to allow access.

Question 41

When is preferable to use Identity Policy against Resource Policy?

Answer 41

Allow or deny access to individual resources across multiple accounts

Question 42

When is preferable to use Resource Policy against Identity Policy?

Answer 42

Allow or deny access to everybody in the account or allow anonymous or cross-account access to S3 buckets.

Question 43

Static Hosting
How can you use a custom domain to access files into s3 bucket?

Answer 43

Name the bucket with your domain name and a prefix i.e s3.mydomain.com and add a custom domain on R53 that matches the bucket name.

Question 44

Static Hosting
What are the two good scenario for using S3 Static Web Hosting?

Answer 44

Offloading - Use an S3 bucket to store static content for a website.

#Out-of-band pages - Use an S3 Bucket to have a static website and use DNS to redirect users to that when the main website is unavailable.

Question 45

What are the two S3 Uploading modes?

Answer 45

Single PUT Upload - default - limit of 5Gb/upload - if fails, had to start again from beginning

#Multipart Upload

Question 46

What is the restriction to bucket name to take advantage of S3 Transfer Acceleration?

Answer 46

The bucket name can not have “dots”, and the name format must be DNS compatible.