S3 Introduction

Question 1

Amazon S3 allows people to store ____ in _____

Answer 1

Amazon S3 allows people to store objects (files) in “buckets” (directories)

Question 2

Buckets must have a ___?

Answer 2

Globally unique name

Question 3

Buckets are defined at what level?

Answer 3

Region Level

Question 4

What’s the naming convention?

Answer 4

• No uppercase
• No underscore
• 3-63 characters long
• Not an IP
• Must start with lowercase letter or number

Question 5

Objects (files) have a key. The key is what?

Answer 5

The full path
• /my_file.txt
• /my_folder1/another_folder/my_file.txt

Question 6

Max size of objects?

Answer 6

5TB

Question 7

• If uploading more than 5GB, must use

Answer 7

“multi-par t upload”

Question 8

You can version your files in AWS. It is enabled at the ___ lvel?

Answer 8

bucket

Question 9

What are the 4 methods of encrypting objects in S3

Answer 9

• SSE-S3: encrypts S3 objects using keys handled & managed by AWS
• SSE-KMS: leverage AWS Key Management Service to manage encryption keys • SSE-C: when you want to manage your own encryption keys
• Client Side Encryption

Question 10

What are the features of SSE-S3?

Answer 10

• SSE-S3: encryption using keys handled & managed by AWS S3 • Object is encrypted server side
• AES-256 encryption type
• Must set header: “x-amz-server-side-encryption”: “AES256”

Question 11

What are features of SSE-KMS?

Answer 11

• SSE-KMS: encryption using keys handled & managed by KMS
• KMS Advantages: user control + audit trail
• Object is encrypted server side
• Must set header: “x-amz-server-side-encryption”: ”aws:kms”

Question 12

What are some features of SSE-C?

Answer 12

• SSE-C: server-side encryption using data keys fully managed by the customer outside of AWS • Amazon S3 does not store the encryption key you provide
• HTTPS must be used
• Encryption key must provided in HTTP headers, for every HTTP request made

Question 13

What are features of Client Side Encryption?

Answer 13

• Client library such as the Amazon S3 Encryption Client
• Clients must encrypt data themselves before sending to S3
• Clients must decrypt data themselves when retrieving from S3 • Customer fully manages the keys and encryption cycle

Question 14

S3 exposes both HTTP and HTTPS endpoint?

Answer 14

True

Question 15

HTTPS is mandatory for what kind of encryption methods?

Answer 15

SSE-C

Question 16

S3 User based Security?

Answer 16

IAM policies - which API calls should be allowed for a specific user from IAM console

Question 17

S3 Resource Based security?

Answer 17

• Bucket Policies - bucket wide rules from the S3 console - allows cross account
• Object Access Control List (ACL) – finer grain
• Bucket Access Control List (ACL) – less common

Question 18

Describe S3 Bucket Policies

Answer 18

• JSON based policies
• Resources: buckets and objects
• Actions: Set of API to Allow or Deny
• Effect: Allow / Deny
• Principal:The account or user to apply the policy to
• Use S3 bucket for policy to:
• Grant public access to the bucket
• Force objects to be encrypted at upload
• Grant access to another account (Cross Account)

Question 19

S3 Security supports VPC endpoints?

Answer 19

True

Question 20

If you get a 403 error make sure what?

Answer 20

Make sure the bucket policy allows public reads

Question 21

If you request data from another S3 bucket, you need to enable what?

Answer 21

CORS

Question 22

Explain read after write consistency for PUTS of new objects

Answer 22

As soon as an object is written, we can retrieve it
ex: (PUT 200 -> GET 200)
• This is true, except if we did a GET before to see if the object existed
ex: (GET 404 -> PUT 200 -> GET 404) – eventually consistent

Question 23

Explain Eventual Consistency for DELETES and PUTS of existing objects

Answer 23

• If we read an object after updating, we might get the older version
ex: (PUT 200 -> PUT 200 -> GET 200 (might be older version))
• If we delete an object, we might still be able to retrieve it for a short time ex: (DELETE 200 -> GET 200)