AWS: Amazon S3

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

what header must you set for SSE-KMS?

"x-amz-server-side-encryption" :"aws:kms"

what header must you set for SSE-S3?

"x-amz-server-side-encryption":"AES256"

Amazon S3 exposes what two endpoints?

- Http endpoint: non encrypted -https endpoint: encryption in flight

S3 bucket policies can be applied to what two resources?

- buckets and objects

why is it best practice to version your buckets?

- protect against unintended deletes and ability to restore a version - roll back to previous version

what are the four methods to encrypt objects in S3?

1) SSE-S3 2) SSE-KMS 3) SSE-C 4) Client Side

what are the three resource based policies?

1.) Bucket Policies' 2) Object Access Control 3) Bucket Access Control List

what is the max object size?

5 tb

GET, PUT, DELETE are examples of what in Preflight response and http://www.ex.com is an example of what preflight response?

Access-Control-Allow-Methods, Access-Control-Allow-Origin

what are the effect of JSON s3 bucket policies?

Allow or deny

_____ implies getting resources from a different origin

CORS

a web browser visits our first origin and it's going to be asked from the files uploaded from origin to make a request to the cross-origin, so the web browser will do what is called a preflight request, the preflight request is going to ask the cross origin if it is allowed to do a request on it, if the cross origin will reply with a yes if allowed. The methods that are authorized are GET,PUT, DELETE. This is the _______ method. Because the web browser has been authorized to do so, it can issue for an example a GET to this url, and it is allowed because the CORS Header received previously allowed the web browser to make the request *(review 238

CORS

if a client does a cross-region request on our S3 bucket, we need to enable the correct _____ ______

CORS Headers

the requests of one origin to another will not be fulfilled unless the other origin allows for the requests using _____ _______

CORS headers (ex. Access-Control-Allow-Origin)

a service to log API calls in your accounts

CloudTrail

in S3 security logging and audit API calls can be logged in AWS _________

CloudTrail

True or False: S3 is a region service

False, S3 is a global service but buckets are created for a region

True or False: you need to provision S3 size in advance

False, it is infinitely scaling and does not need to be provisioned in advance

True or False: most clients would use the HTTP endpoint by default

False, most client use the HTTPS: endpoint by default

True or False: suspending version of bucket will delete previous versions

False, suspending versioning does not delete previous versions

True or False: using SSE-C Amazon S3 stores the encryption key you provide

False: Amazon S3 does not store the encryption key you provide

When sending data to S3 using SSE-C you must use _______

HTTPS

_________ is mandatory for SSE-C

HTTPS

what endpoint is recommended for S3?

HTTPS

in S3 security ______ ______ authorize which api calls should be allowed and if our user is authorized through IAM policy how to access our AWS S3 bucket, this is _____ _____ security

IAM policies, user based

S3 bucket policies are _____ based policies

JSON

We have the object we uploaded using HTTP and the header and then using this header. Amazon S3 knows to apply the ____ _______ _______ ______ you have defined on top of it and using this _____ ____ _______ So the key of defined and your object there's some encryption that will happen and the file will be stored in your S3 buckets under the SSE-KMS encryption scheme.

KMS customer master key, customer master key

KMS stands for

Key Managed Service

For S3 user security you can use ____ _____ which requires MFA in versioned buckets to delete objects

MFA delete

what security is resource based and we set the object level the access rule?

Object Access Control List (ACL)

______ _______ _______ is a way to perform that Client Side Encryption

S3 Encryption Client

- grant public access to the bucket - force objects to be encrypted at upload - grant access to another account ( Cross Account these are use cases for ___ ______ _______

S3 bucket policies

<bucket-name>.s3-website-<AWS-region>.amazonaws.com or <bucket-name>.s3-website.<AWS-region>.amazonaws.com these are examples of what?

S3 website URLS

HTPPS is mandatory for which encryption?

SSE - C

-server side encryption using data keys fully managed by the customer outside of AWS - Amazon S3 does not store the encryption key you provide - HTTPS must be used - Encryption key must be provided in Http headers, for every http request made what encryption is this?

SSE-C

encryption method used when you want to manage your own encryption keys

SSE-C

- encryption using keys handled & managed by KMS - advantage is user control +audit trail -object is encrypted server side what type of encryption?

SSE-KMS

encryption method to leverage AWS Key Management Service to manage encryption keys

SSE-KMS

- object is encrypted server side - AES-256 encryption type - must set header "x-amz-server-side-encryption":"AES256" - encryption using keys handled & managed by Amazon S3 what type of encryption?

SSE-S3

encryption method that encrypts S3 objects using keys handled and managed by AWS

SSE-S3

We have an object and it is un-encrypted. We have it written out and we want to upload it into Amazon history and perform some ________ encryption. So for this we're going to upload the objects onto Amazon S3. You can use the HTTP protocol or the HTTPS protocol and you can add the header named ______ ____________ And then Amazon S3 thanks to this header knows that it should apply its own S3 managed data key and using the S3 _______ _________ and the object, some encryption will happen and the object will be stored encrypted into your Amazon S3 buckets. Very simple, but here in this instance the ____ ______ is entirely owned and managed by Amazon S3.

SSE-S3, X-amz-server-side-encryption AES256, S3 managed data key, managed key, data key

encryption in flight is also called _______/________

SSL/TLS

what does SSE stand for?

Server Side Encryption

what are the actions of JSON s3 bucket policies?

Set of API to allow or deny

each object in amazon s3 can have ______ ( unicode / value pair - up to 10), useful for security or lifecycle policies

Tags

True or False: http://www.example.com & http://other.example.com are different origins

True

True or False: when you are in the same origin we can make requests from the web browser from the first URL to the second URL

True

True or False: Amazon S3 is infinitely scaling

True,

True or false: there's no concept of "directories" within buckets

True, although the UI (user interface) will trick you to think otherwise)

if you have EC2 instances in your VPC without internet access they they can access S3 privately through a _____ _______

VPC endpoint

on the networking side of security you can access S3 privately through _____ _____

VPC endpoints

each object in S3 has _______ ID

Versioning

for S3 security with logging and audit you can use S3 ____ ______ and they can be stored in the other S3 buckets

access logs

if you get a 403 error when accessing S3 website url what do you need to do?

allow public reads for bucket policy

what do the bucket settings for Block Public Access do?

block public access to buckets and objects

you visit https://www.example.com and you're asking your web browser to make a request to http://other.example.com what will your web browser do?

block the request unless there are the correct CORS headers

files in Amazon can be versioned at the ______ level

bucket

______ _______ are bucket wide rules from S3 console, allows cross account access to S3 buckets

bucket policies

Amazon S3 allows people to store objects (files) in ________

buckets (directories)

True or False: you can upload all 5 tb of data at once into S3

false, uploading more than 5 gb must use multipart upload"

what are the advantages of using KMS over SSE-S3?

gives you control over who has access to what keys (user control) and also gives you an audit trail

S3 is not a ________ service but a ________ console

global

each bucket in S3 must have a _______ _______ ________

globally unique name

when you re-upload a file version with the same key what will happen?

it will create a new version of that file

S3 is just ______ with very long names that contain slashes ("/")

keys

each object in amazon S3 can have _________, so list of key value pairs that could be system or user ________ to add info on to objects

metadata, metadata

when uploading to S3 object, uploading more than 5 GB must use __________ __________

multi-part upload

s3://my-bucket/my_file.txt s3://my-bucket/my_folder1/my_file.txt what is the key of these object files?

my_file.txt and my_folder1/my_file.txt

- no uppercase - no underscore - 3-36 characters long - not an IP - must start w/ lowercase letter or number these is the ___ ____ for S3 buckets

naming convention

any file that is not versioned prior to enabling versioning will have version ______

null

S3 has files which are called ________

objects

an ______ is a scheme (protocol), host(domain), and port

origin

what types of S3 security do we have?

user based resource based

So as we can see thanks to ___________, every time we re-upload a file, it will keep all its previous versions, as well as the new version and assign a different version ID every single time.

versioning

using CORS ______ _______ based mechanism as soon as you visit a website, you can make requests to other origins if the other origins allow you to make a these requests

web browser

what level are buckets defined at?

region level

s3 bucket policies is a _______ _______ security

resource based

what 3 things make up an origin?

scheme (protocol), host(domain), port

https://www.example.com what is the scheme (protocol)? what is the host (domain)? what is the port?

scheme is https, port is 443, host is www.example.com

when you enable CORS headers you can allow for a ______ _____ or * for _____ ______

specific origin, all origins

S3 can host ______ ______ and have them accessible on the _______

static websites, www

and IAM principle (user,role) can access an S3 object if....

the IAM permissions allow it (so that means you have an Iam principal attached to your principal that allows access to your S3 bucket) OR the resource policy (S3 bucket policy) allows it AND there's no explicit DENY (so if your user through IAM is allowed access your S3 bucket but your bucket policy is explicitly denying your user to access it)

what is the principle of JSON s3 bucket policies?

the account or user to apply the policy to

http://exmaple.com/app1 http://exmaple.com/app2 True or False: these are different origins

false, these are the same origins

So we have the object and we want to have it encrypted in Amazon S3 but we want to provide ourselves the ______ _______ __________ ___________ to perform the encryption. So we send both of these things over HTTPS so it's an encrypted connection between you, the clients and Amazon S3 and the _____ _______ is in the header so therefore Amazon S3 received the exact same object and the ______ ______ ________ _____ And then again, it is server-side encryption so Amazon S3 will perform the encryption using these two things and store the encrypted object into your S3 buckets. If you wanted retrieve that file from Amazon S3 using SSE-C you would need to provide as well the same _______ _______ _____ ______ that was used so it requires a lot more management on your end because you manage to do the data keys and Amazon or AWS in general does not know which data keys you have used.

client side data key, data key, client side data key, client side data key

encryption where you encrypt the objects before uploading it into Amazon S3

client side encryption

in ______ _____ ______ the customer manages the keys and encryption cycle

client side encryption

Amazon S3 this time is just the buckets where it's not doing any encryption for us because it is _______ ______ __________ not _____ _______ _________. And so in the clients we'll use Encryption SDK for example, the S3 Encryption SDK will provide the object and our _______ _______ ______ _____ The encryption will happen _____ ______ so the object is going to be fully encrypted on the _________ _______ and then we are going to just upload that already encrypted object into Amazon S3.

client side encryption, server side encryption, client side data key, client side, client side

what does CORS stand for?

cross-origin resource sharing

the web browser is getting html files from a bucket enabled as a website and there is a second bucket that is going to enabled as a website and is our __________ bucket, also enabled as a website, and contains some files we want, we do GET index.html on first bucket and the file says you need to perform a GET for another file on the other _______ and if the bucket is configured with the right _______ _______ then the web browser will make the request, if it does not have the right ________ _________ it will not be able to make the request (review slide 239)

cross-origin, origin, CORS headers, CORS headers

when receiving data that is encrypted using Client Side Encryption (CSE) then you are solely responsible for ______ the data yourself

decrypting

if you know all S3 buckets in your account should be blocked from public what should you do?

enable Block public access in account settings

So here's our web browser and it visits our first web server. And because this is the first visit we do, it's called the _________. So for example, our web server is at https://www.example.com Okay, great. And there is a second web server called a __________ because it has a different url, which is https://www.other.com. So a web browser visits our first _______ and it's going to be asked for the files that are uploaded from the ______ to make a request to the _________. So what the web browser will do, is that it will do what is called a _______ ________. And this _______ _________ is going to ask the _________ if it is allowed to do a request on it. So it's going to say, "Hey __________, the website https://www.example.com is sending me to you, can I make a request onto your website?" and the origin is saying, "yes, here is what you can do." so the _______________ is saying is this website allowed or not? So yes, it is allowed because now we have the same origin here, the green one, as we had on the left hand side. And the methods that are authorized is GET, PUT, and DELETE. So we can get a file, delete a file, or update the file. Okay, so this is what the ___________ is allowing our web browser to do. So this is the_____ method, and therefore, because our web browser has been authorized to do so, then it can issue, for example, a GET to this url, and it will be allowed because the _________ __________ received previously allowed the web browser to make this request.

origin, cross-origin, origin, origin, cross-origin, pre flight request, preflight request, cross-origin, cross-origin, Access-Control-Allow-Origin, cross-origin, CORS, CORS Headers

and is S3 user security, _______ _______, URLS of files that are valid only for a limited time (ex. premium video service for logged in users)

pre-signed URLS

s3 security that allows access of certain files to certain users for a limited amount of time, think ______ ______

pre-signed urls

Any finally, _________ ________ that we've seen briefly when we were opening that file and there was a very, very long URL, which is a URL that's signed with some credentials from AWS and it's valid only for a limited time. And the use case for it, for example, is to download a premium video from a service if the user is logged in and has purchased that video. So the idea here is that any time of the exam you see the access of certain files to certain users for a limited amount of time, think _______ _________

pre-signed urls, pre-signed urls

a S3 object key is composed of _______ + _______ ____

prefix + object name

s3://my-bucket/my_folder1/another_folder/my_file.txt what is the prefix and what is the object name?

prefix: my_folder1/another_folder object name: my_file.txt

origin sends a ________ ___________ that asks the cross-origin if it is allowed to do a request on it

preflight request

bucket settings for block public access where created to do what?

prevent company data leaks


Set pelajaran terkait

Ch 16 State and local tax ISSUES

View Set

Stability & Range of Motion Practice

View Set

Peds - Exam 4 - Practice Q's w/ rationale

View Set