S3

Question 1

What are some use cases of S3

Answer 1

Backup and storage, disaster recovering, archive, app hosting, media hosting, data lakes / data analytics, software delivery, static websites

Question 2

What four ways can a S3 bucket / object be secured?

Answer 2

IAM policies, Bucket policies (newer, allows cross account), object ACL (finer grain), bucket ACL (less common)

Question 3

How would you grant access to an S3 bucket from an EC2 instance?

Answer 3

Use an IAM role attached to the EC2 instance, which has IAM permissions for the bucket

Question 4

What are the two types of S3 replication?

Answer 4

Cross region replication & Same region replication

Question 5

What are the 7 S3 storage classes?

Answer 5

Standard (general purpose), Standard Infrequent Access, One-Zone Infrequent Access, Glacier instant revival, Glacier flexible retrieval, Glacier deep archive, Intelligent Tiering

Question 6

What is the difference between durability and availability in terms of S3?

Answer 6

Durability - to what extent can objects be lost in S3 (99.9x%) same for all storage classes. Availability - to what extent a service is available, varies depending on storage class

Question 7

What is the standard general purpose S3 storage class?

Answer 7

99.99% availability, used for frequently accessed data, low latency and high throughput. Use cases: big data analytics, mobile and gaming apps, content distribution

Question 8

What is the infrequent access S3 storage class?

Answer 8

For data that is less frequently accessed but requires rapid access when needed. Lower cost than standard. There are two types, standard infrequent access (e.g. disaster recovery backups) and one-zone infrequent access (e.g. secondary backup copies of data)

Question 9

What is the Glacier S3 storage class?

Answer 9

Low cost object storage meant for archiving / backup. Priced by storage + object retrieval cost.

Question 10

Which of the following is NOT a Glacier Deep Archive retrieval mode? Standard (12hrs), Expedited (1-5 mins), Bulk (48hrs).

Answer 10

Expedited (1-5 mins)

Question 11

Which of the following is NOT a Glacier Flexible retrieval mode? Expedited (1-5 mins), Standard (3-5 hrs), Bulk (5-12 hrs), Instant (10 seconds)

Answer 11

Instant (10 seconds)

Question 12

You have updated an S3 bucket policy to allow IAM users to read/write files in the S3 bucket, but one of the users complain that he can’t perform a PutObject API call. What is a possible cause for this? Bucket Policy is wrong, user is lacking permissions, IAM user must have an explicit deny in the policy

Answer 12

The IAM user must have an explicit deny in the policy

Question 13

What are the three S3 event notification targets?

Answer 13

SNS, SQS and Lambda functions. You can also use EventBridge to target many other services.

Question 14

S3 can achieve at least 3500 put,copy,post,delete requests per second per prefix in a bucket, but what is a prefix?

Answer 14

The part of the path from the bucket to the file, for example my-bucket/one/two/file.txt - the prefix is one/two

Question 15

What are three performance considerations when using S3?

Answer 15

Multi-part upload (recommended for files larger than 100MB and compulsory for more than 5GB). Transfer Acceleration (using an AWS edge location to maximise the speed of the private AWS network). Byte range fetching - downloading a specified range of bytes

Question 16

What is S3 Select?

Answer 16

Ability to query and filter files server side within AWS to find a file in S3 without having to request and return unwanted files

Question 17

Explain what user defined object metadata and object tags are and their differences

Answer 17

They are both key value pairs stored against an object. Tags can be used for fine grain permissions and S3 Analytics. They both cannot be used to search for objects.

Question 18

How can you search for objects in S3?

Answer 18

Build a separate database / index to store object metadata and a reference to the objects in S3

Question 19

What four ways can S3 objects be encrypted?

Answer 19

Server side with amazon managed keys, Server side using KMS (key management service), Server side using customer provided keys, Client side encryption

Question 20

What limitations are there for using KMS for S3 encryption?

Answer 20

KMS rate limits

Question 21

How would you ensure that an S3 bucket can be accessed over HTTPS only?

Answer 21

Use a bucket policy to deny access when the condition aws:secureTransport is false

Question 22

What are S3 Access Points?

Answer 22

A prefix for a particular set of users or use cases, used with access point policies. Each access point has its own DNS name

Question 23

How would you set up access to an S3 access point from a private VPC?

Answer 23

Create a VPC Endpoint in your VPC with a policy allowing traffic to the S3 Access Point

Question 24

What are S3 Object Lambdas?

Answer 24

Lambda function to change an S3 object before it is retrieved by a caller application. The caller uses an object lambda access point. Use cases include redacting data, converting data formats, resizing files etc

Question 25

Which S3 encryption method mandates that you use HTTPS while uploading and downloading objects? SSE-C, SSE-S3, SSE-KMS or client-side?

Answer 25

SSE-C (customer managed keys)