What type of Object Encryptions are available in S3?
- Server-Side Encryption (SSE)
- Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) – Enabled by Default
– Encrypts S3 objects using keys handled, managed, and owned by AWS - Server-Side Encryption with KMS Keys stored in AWS KMS (SSE-KMS)
– Leverage AWS Key Management Service (AWS KMS) to manage encryption keys - Server-Side Encryption with Customer-Provided Keys (SSE-C)
– When you want to manage your own encryption keys - Client-Side Encryption
How does SSE-S3 works?
- Encryption using keys handled, managed, and owned by AWS
- Object is encrypted server-side
- Encryption type is AES-256
- Must set header “x-amz-server-side-encryption”: “AES256”
- Enabled by default for new buckets & new objects
How does SSE-KMS works?
- Encryption using keys handled and managed by AWS KMS (Key Management Service)
- KMS advantages: user control + audit key usage using CloudTrail
- Object is encrypted server side
- Must set header “x-amz-server-side-encryption”: “aws:kms
What are the SSE-KMS limitations?
- If you use SSE-KMS, you may be impacted by the KMS limits
- When you upload, it calls the GenerateDataKey KMS API
- When you download, it calls the Decrypt KMS API
How does SSE-C works?
- Server-Side Encryption using keys fully managed by the customer outside of AWS
- Amazon S3 does NOT store the encryption key you provide
- HTTPS must be used
- Encryption key must provided in HTTP headers, for every HTTP request made
How does – Client-Side Encryption works in S3?
- Use client libraries such as Amazon S3 Client-Side Encryption Library
- Clients must encrypt data themselves before sending to Amazon S3
- Clients must decrypt data themselves when retrieving from Amazon S3
- Customer fully manages the keys and encryption cycle
How to force encryption in transit for s3?
You can setup a bucket policy to deny s3:GetObject if SecureTransport is false. The file can only access by HTTPS.
What is default encryption in S3?
SSE-S3 encryption is automatically applied to new objects stored in S3 bucket
Which one evaluated first: Bucket polcies or Defaul encryption?
Bucket policies > Defaul encryption
What are the CORS headers?
Access-Control-Allow-Origin: https://www.example.com
Access-Control-Allow-Methods: GET, PUT, DELETE
How to enable CORS in S3 buckets?
S3 Bucket > Permissions > CORS settings,You can allow for a specific origin or for * (all origins)
What is Amazon S3 – MFA Delete?
MFA (Multi-Factor Authentication) – force users to generate a code on a
device (usually a mobile phone or hardware) before doing important
operations on S3
What are the protected actions that need S3 MFA Delete?
- Permanently delete an object version
- Suspend Versioning on the bucket
What must be setup for S3 MFA DeletE?
- To use MFA Delete, Versioning must be enabled on the bucket
- Only the bucket owner (root account) can enable/disable MFA Delete
What are S3 Access Logs?
- Log all access made to S3 in an other bucket
- Logging bucket must be in the Same AWS Region
How NOT TO setup Access Logs?
NEVER use the same bucket to store access logs.
What are S3 - Pre-Signed URLs?
- Generate pre-signed URLs using the S3 Console, AWS CLI or SDK
- Users given a pre-signed URL inherit the permissions of the user that generated the URL for GET / PUT
Whats expiration can be set for S3 Pre-Signed URLs?
- S3 Console – 1 min up to 720 mins (12 hours)
- AWS CLI – configure expiration with –expires-in parameter in seconds (default 3600 secs, max. 604800 secs ~ 168 hours)
Give exmaples for S3 Pre-Signed URLs.
- Allow only logged-in users to download a premium video from your S3 bucket
- Allow an ever-changing list of users to download files by generating URLs dynamically
- Allow temporarily a user to upload a file to a precise location in your S3 bucket
What are S3 Access Points?
- Simplify security management for S3 buckets
- Each AP has its own DNS name
- Each AP has its own policy
How can you restrict S3 AP to be accessible onyl form you VPC?
1, Create a VPC Endpoint
2, The VPC Endpoint policy must allow access to tartget bucket and AP
What’s S3 Object Lambda?
- Use AWS Lambda Functions to change the object before it is retrieved by the caller application.
- Only one S3 bucket is needed, on top of which we create S3 Access Point and S3 Object Lambda Access Points.
What’s the uses cases of S3 Object Lambda?
- Redacting personally identifiable information for analytics or non- production
environments. - Converting across data formats, such as converting XML to JSON.
- Resizing and watermarking images on the fly using caller-specific details, such as the user who requested the object.
-
AWS General8
-
IAM - Identity and Access Management26
-
EC2 - Fundamentals23
-
EC2 - Instance Storages34
-
ELB + ASG Fundamentals44
-
RDS, Aurora & ElastiCache34
-
Route 5333
-
VPC Primer11
-
S3 - Introduciton21
-
CLI, SDK and IAM Policies14
-
S3 - Advanced14
-
S3 -Security23
-
Cloudfront25
-
ECS, ECR, Fargate38
-
AWS Elastic Beanstalk18
-
AWS CloudFormation29
-
AWS CloudWatch, X-Ray and CloudTrail27
