S3 Security

Question 1

What are the 4 ways to encrypt objects in S3 buckets

Answer 1

1. Server-Side Amazon S3 managed keys (SSE-S3)
2. Server-Side KMS keys (SEE-KMS)
3. Server-Side Customer provided keys (SSE-C)
4. Client Side

Question 2

What type of encryption does SSE-S3 used and what header must be set?

Answer 2

AES-256 - x-amz-server-side-encryption: AES-256

Question 3

What are two advantages of using AWS KMS?

Answer 3

1. Customer can create keys in KMS
2. Key usage is logged in CloudTrail

Question 4

What header must be set to use AWS KMS encryption?

Answer 4

x-amz-server-side-encryption: aws:kms

Question 5

What is a limitation of SSE-KMS?

Answer 5

May encounter rate limits of KMS when making GenerateDataKey and Decrypt API calls

Question 6

What protocol must be used when using SSE-C?

Answer 6

HTTPS

Question 7

How could you enforce encryption in transit for S3?

Answer 7

Create an IAM policy that Deny’s requests based on the aws:secureTransport flag

Question 8

What is the default encryption of S3

Answer 8

SSE-S3

Question 9

How can you enforce encryption at rest for S3?

Answer 9

Create an IAM policy that Deny’s requests based on the s3:x-amz-server-side-encryption-customer-algorithm

Question 10

What must you ensure if a client makes a cross-origin request onto an S3 bucket?

Answer 10

Ensure the clients origin is included in the AllowedOrigins of the S3 CORS configuration

Question 11

What must be enabled in order to use MFA delete?

Answer 11

Versioning

Question 12

Who can enable/disable MFA delete?

Answer 12

Bucket owner (root account)

Question 13

What is a trap to avoid when enabling S3 logging buckets?

Answer 13

Dont set the logging bucket to the same bucket you are monitoring. This will create a loop!!

Question 14

What’s the easiest way to log all access to S3 buckets?

Answer 14

Create a logging bucket which all logs from one bucket will be put into

Question 15

What are the 3 different methods to generate S3 presigned URLS?

Answer 15

1. S3 console
2. AWS CLI/SDK

Question 16

What permissions are applied to the person using an S3 presigned URL?

Answer 16

The permissions of the user who generated the URL

Question 17

What is a good method to manage access to a shared bucket for multiple groups of users?

Answer 17

Define IAM policies and apply them to S3 access points

Question 18

What must be created in order to access a S3 access point endpoint without leaving a VPC?

Answer 18

VPC endpoint that has an endpoint policy that allows access to the bucket and the access point

Question 19

What must be created in order to run a lambda function when retrieving from S3?

Answer 19

S3 Object lambda access point -> Lambda function -> S3 access point