S3: Simple Storage Service

Question 1

Is S3 public or private by default?

Answer 1

S3 is private by default.

Question 2

What is a bucket policy?

Answer 2

A resource policy for S3 buckets that can allow access from other AWS accounts or anonymous access.

Question 3

Does S3 have a hierarchical folder structure?

Answer 3

No. S3 storage is flat, but uses prefixes to emulate a folder-like structure.

Question 4

What does the Block Public Access setting on an S3 bucket do?

Answer 4

It blocks public access (in various forms) to an S3 bucket regardless of the bucket policies attached to the bucket.

Question 5

What type of policy is needed to grant anonymous or cross-account access to an S3 bucket?

Answer 5

Bucket policy, which is a type of resource policy.

Question 6

What type of web site hosting is S3 capable of providing?

Answer 6

Static website hosting.

Question 7

What two pages are specified when configuring static website hosting in S3?

Answer 7

Index and error.

Question 8

When using a custom domain for static website hosting, what bucket name must be used?

Answer 8

A bucket name that matches the domain (e.g., http://www.example.com should have a bucket name of www.example.com).

Question 9

When considering static website hosting, what is offloading?

Answer 9

Using S3 to host static content, like images, while other aspects of the site are dynamic and generated outside of S3.

Question 10

When considering static website hosting, what are out-of-band pages?

Answer 10

Using S3 to host a secondary static website that displays content when the main, dynamic website is down for maintenance or has an outage.

Question 11

The S3 Object Versioning setting defaults to what?

Answer 11

Disabled.

Question 12

Can you disable S3 Object Versioning?

Answer 12

No, Object Versioning cannot be disabled once it has been enabled. It can be suspended (and then re-enabled) but it cannot be disabled.

Question 13

What is the ID value of an S3 object when Object Versioning is disabled?

Answer 13

Null.

Question 14

When accessing a version of an S3 object that is not the current version, what information must be specified?

Answer 14

The object ID.

Question 15

If an S3 object is accessed without specifing the object ID, what version of the object is returned?

Answer 15

The current version or latest version.

Question 16

If you delete an S3 Object when Object Versioning is enabled, how does S3 handle the delete?

Answer 16

It creates a delete marker and points the current version at that marker.

Question 17

What happens if an S3 object if its delete marker is deleted?

Answer 17

The object is undeleted and the most recent version becomes the current version.

Question 18

If you want to delete a particular version (including the current version) of an S3 object, what information must be specified?

Answer 18

The object ID.

Question 19

What impact does enabling MFA Delete have?

Answer 19

MFA is required to modify a bucket’s Object Versioning configuration and MFA is required to delete specific versions of objects.

Question 20

What is multipart upload for S3 objects?

Answer 20

Multipart upload allows you to upload a single object as a set of parts. Each part is a contiguous portion of the object’s data. You can upload these object parts independently and in any order. If transmission of any part fails, you can retransmit that part without affecting other parts. After all parts of your object are uploaded, Amazon S3 assembles these parts and creates the object.

Question 21

What is the minimum size for multipart upload to S3?

Answer 21

100MB

Question 22

What is the size range for a single part for a multipart upload to S3?

Answer 22

5MB - 5GB

Question 23

What is S3 Transfer Acceleration?

Answer 23

Data being uploaded to an S3 bucket in any region will upload to the closest AWS Edge Location and transit the AWS Global network, which is much faster than using the Internet to get to the region that contains the S3 bucket.

Question 24

What are the three requirements for an S3 bucket to accept Transfer Acceleration uploads?

Answer 24

1. Transfer Acceleration must be enabled.
2. The bucket name cannot contain periods (.).
3. The bucket name must be DNS compatible.

Question 25

How resilient is an S3 bucket?

Answer 25

Regional resilient, though it can be configured to replicate data across regions.

Question 26

What is the default storage service for AWS?

Answer 26

S3.

Question 27

What is the size range for an S3 object?

Answer 27

0 bytes to 5TB

Question 28

How unique does an S3 bucket name need to be?

Answer 28

Globally unique.

Question 29

What is the maximum number of objects an S3 bucket can hold?

Answer 29

Unlimited.

Question 30

What restrictions are there for S3 bucket names?

Answer 30

1. They must be globally unique names 2. 3-63 characters 3. Letters must be lower case 4. No underscores 5. Must start with a letter or a number 6. Cannot be formatted like an IP address (#.#.#.#)

Question 31

What is the limit for the number of S3 buckets an AWS account can have?

Answer 31

100 soft limit, 1000 hard limit.

Question 32

What are the components of an S3 object?

Answer 32

The key (name) and value (data).

Question 33

Can you mount an S3 bucket?

Answer 33

No, it is object storage, not block or file storage.

Question 34

At what level is encryption defined in S3?

Answer 34

The object level. Buckets aren't encrypted; the objects inside an S3 bucket are.

Question 35

When using Server-Side Encryption (SSE) with S3, where does the at-rest encryption take place?

Answer 35

In S3.

Question 36

How do you enable unencrypted storage on S3?

Answer 36

You can't. You must use SSE at a minimum on S3.

Question 37

What is Server-Side Encryption with Customer-provided keys (SSE-C)?

Answer 37

The customer manages the encryption keys, and Amazon S3 manages the encryption as it writes to disks and the decryption when accessing objects.

Question 38

What is Server-Side Encryption with S3-Managed keys (SSE-S3)?

Answer 38

All data is encrypted with keys managed by S3.

Question 39

What is Server-side encryption with AWS Key Management Service (SSE-KMS)?

Answer 39

Server-side encryption with AWS KMS keys (SSE-KMS) is provided through an integration of the AWS KMS service with Amazon S3.

Question 40

What is the default Server-Side Encryption (SSE) schema for S3?

Answer 40

Server-Side Encryption with S3-Managed keys (SSE-S3).

Question 41

What are two limitations of SSE-S3 in highly regulated environments?

Answer 41

The customer has no key control and cannot use role separation.

Question 42

What type of encryption does SSE-S3 use?

Answer 42

AES-256.

Question 43

What is the maximum number of S3 objects that a KMS Data Encryption Key (DEK) can encrypt/decrypt?

Answer 43

One. Each object uses an unique DEK.

Question 44

When would using S3 bucket keys be helpful?

Answer 44

When repeated object I/O would result in many calls to KMS for DEKs. Calls to KMS have a cost and can be throttled at certain levels.

Question 45

What is an S3 Bucket Key?

Answer 45

A time-limited key provided by KMS that is used to generate DEKs within S3. Using a bucket key reduces the number of API calls to KMS, thus reducing cost and increasing scalability.

Question 46

What are the S3 Object Storage Classes?

Answer 46

Standard Standard Infrequent Access (IA) One Zone IA Glacier - Instant Glacier - Flexible Glacier - Deep Archive

Question 47

Across how many AZs are object replicated when using S3 Standard and S3 Standard Infrequent Access (IA)?

Answer 47

Three.

Question 48

What status code is returned by S3 once an object has been durably stored?

Answer 48

HTTP/1.1 200 OK

Question 49

How are you billed for S3 Standard?

Answer 49

There is a GB/month fee, a per GB transfer out fee, and a fee per 1,000 requests.

Question 50

When should S3 Standard be used?

Answer 50

When data will be frequently accessed and is not replaceable.

Question 51

When should S3 Standard Infrequent Access (IA) be used?

Answer 51

When data will be infrequently accessed and is not replaceable.

Question 52

How are you billed for S3 Standard Infrequent Access (IA)?

Answer 52

There is a GB/month fee, a per GB transfer out fee, a fee per 1,000 requests, and a per GB retrieval fee. There is also a minimum duration charge of 30 days and a minimum capacity charge of 128KB per object.

Question 53

When should S3 One Zone Infrequest Access (IA) be used?

Answer 53

When data will be infrequently accessed and is non-critical or replaceable.

Question 54

How are you billed for S3 One Zone Infrequent Access (IA)?

Answer 54

There is a GB/month fee, a per GB transfer out fee, a fee per 1,000 requests, and a per GB retrieval fee. There is also a minimum duration charge of 30 days and a minimum capacity charge of 128KB per object.

Question 55

How resilient is S3 One Zone Infrequent Access (IA)?

Answer 55

AZ resilient.

Question 56

What is the minimum duration charge for S3 Glacier - Instant Access?

Answer 56

90 days.

Question 57

When should S3 Glacier - Instant Retrieval be used?

Answer 57

When data is not replaceable and will be very infrequently accessed, but instant retrieval is needed when it is accessed.

Question 58

When should S3 Glacier - Flexible Retrieval be used?

Answer 58

When data is not replaceable and will be very infrequently accessed. Immediate or real-time access isn't needed and the data does not need to be made public.

Question 59

What are the three retrieval speed levels for S3 Glacier - Flexible Retrieval?

Answer 59

Expedited (1-5 minutes) Standard (3-5 hours) Bulk (5-12 hours)

Question 60

What is the minimum billable size and duration for S3 Glacier - Flexible?

Answer 60

40KB and 90 Days

Question 61

When should S3 Glacier - Deep Archive Retrieval be used?

Answer 61

When data is not replaceable and will be very infrequently accessed. Immediate or real-time access isn't needed and the data does not need to be made public.

Question 62

What is the minimum billable size and duration for S3 Glacier - Deep Archive?

Answer 62

40KB and 180 Days

Question 63

What are the two retrieval speed levels for S3 Glacier - Flexible Retrieval?

Answer 63

Standard (12 hours) Bulk (up to 48 hours)

Question 64

What is S3 Intelligent Tiering?

Answer 64

Intelligent Tiering moves data between Frequent Access, Infrequent Access, Archive Instant Access, Archive Access, and Deep Archive automatically.

Question 65

What is S3 Lifecycle Configuration?

Answer 65

A set of configuration rules that transition S3 objects between storage classes or expire objects based on age. This is not based on access patterns (that is handled by Intelligent Tiering).

Question 66

What considerations are needed when implementing S3 Lifecycle Configuration rules?

Answer 66

1. Minimum durations at each storage class. 2. Minimum sizes at each storage class. 3. Objects can not move up in storage class. They can only move down.

Question 67

What is Cross-Region Replication for S3?

Answer 67

The copying of data to an S3 Bucket in a different region.

Question 68

What is Same-Region Replication for S3?

Answer 68

The copying of data to an S3 Bucket in the same region.

Question 69

When performing Cross-Region and Same-Region Replication for S3 across AWS accounts, what must be done to the destination bucket to ensure data can be copied successfully?

Answer 69

A bucket policy must be applied to the destination bucket that allows the appropriate role from the source account to write data into the destination bucket.

Question 70

What options are available for S3 Replication?

Answer 70

1. Replication all objects or some objects 2. Change the storage class for the replicated objects 3. Set the ownership of the replicated objects 4. Replication Time Control that guarantees a 15 minute replication time

Question 71

When enabling replication on an S3 Bucket, will existing object be replicated?

Answer 71

No, S3 Replication is not retroactive, but batch replication can be used to replicate existing objects.

Question 72

What needs to be enabled for S3 Replication to work?

Answer 72

Versioning.

Question 73

By default, is S3 Replication one-way or bi-directional?

Answer 73

One way. Objects added to the destination bucket are not replicated back to the source bucket unless the bi-directional setting is enabled.

Question 74

Are deletes replicated by S3 Replication?

Answer 74

No, delete markers are not replicated.

Question 75

How can you give access to an object in a non-public S3 Bucket to an anonymous user?

Answer 75

A pre-signed URL will provide access to a bucket a specified amount of time.

Question 76

When are the permissions for a pre-signed URL evaluated?

Answer 76

When the object or bucket is accessed. If the user that generated the pre-signed URL no longer or never had permissions for the object or bucket, access using the pre-signed URL will be denied.

Question 77

What events can trigger S3 Event Notifications?

Answer 77

Object creation Object delete Object restore Object replication

Question 78

What are the two types of S3 Object Lock?

Answer 78

Retention Period and Legal Hold.

Question 79

What are the modes available for S3 Object Lock - Retention Period and what do they mean?

Answer 79

Compliance - the object cannot be deleted or overwritten for the duration of the retention period. Also, the retention period CANNOT be modified, even by the root user. Governance - the object cannot be deleted or overwritten for the duration of the retention period, but the retention period can be adjusted using the s3:BypassGovernanceRetention permission and by passing the x-amz-bypass-goverance-retention:true header.

Question 80

How do you change or delete an S3 object with a Legal Hold Object Lock?

Answer 80

Turn off the Legal Hold and then modify/delete the object.

Question 81

What command is used to create an S3 Access Point via the CLI?

Answer 81

aws s3control create-access-point --name apname --account-id 12345 --bucket bname

Question 82

How can permissions on an S3 Bucket be controlled using S3 Access Points?

Answer 82

By creating S3 Access Points with different DNS addresses and then applying specific bucket policies to each Access Point.

Question 83

What is the maximum number of parts for a multipart upload to S3?

Answer 83

10,000 parts.