AWS: Amazon S3
what header must you set for SSE-KMS?
"x-amz-server-side-encryption" :"aws:kms"
what header must you set for SSE-S3?
"x-amz-server-side-encryption":"AES256"
Amazon S3 exposes what two endpoints?
- HTTP endpoint: non-encrypted - HTTPS endpoint: encryption in flight
S3 bucket policies can be applied to what two resources?
- buckets and objects
why is it best practice to version your buckets?
- protect against unintended deletes and ability to restore a version - roll back to previous version
what are the four methods to encrypt objects in S3?
1) SSE-S3 2) SSE-KMS 3) SSE-C 4) Client Side
what are the three resource based policies?
1) Bucket Policies 2) Object Access Control 3) Bucket Access Control List
what is the max object size?
5 TB
GET, PUT, DELETE are examples of what in a preflight response, and http://www.ex.com is an example of what in a preflight response?
Access-Control-Allow-Methods, Access-Control-Allow-Origin
what is the effect of JSON S3 bucket policies?
Allow or deny
_____ implies getting resources from a different origin
CORS
A web browser visits our first origin, and the files served from that origin ask it to make a request to the cross-origin, so the web browser does what is called a preflight request. The preflight request asks the cross-origin whether it is allowed to make a request on it, and the cross-origin replies with a yes if it is allowed. The methods that are authorized are GET, PUT, DELETE. This is the _______ method. Because the web browser has been authorized to do so, it can issue, for example, a GET to this URL, and it is allowed because the CORS header received previously allowed the web browser to make the request (review slide 238)
CORS
if a client does a cross-region request on our S3 bucket, we need to enable the correct _____ ______
CORS Headers
the requests of one origin to another will not be fulfilled unless the other origin allows for the requests using _____ _______
CORS headers (ex. Access-Control-Allow-Origin)
a service to log API calls in your accounts
CloudTrail
in S3 security logging and audit API calls can be logged in AWS _________
CloudTrail
True or False: S3 is a regional service
False, S3 is a global service but buckets are created for a region
True or False: you need to provision S3 size in advance
False, it is infinitely scaling and does not need to be provisioned in advance
True or False: most clients would use the HTTP endpoint by default
False, most clients use the HTTPS endpoint by default
True or False: suspending versioning on a bucket will delete previous versions
False, suspending versioning does not delete previous versions
True or False: using SSE-C Amazon S3 stores the encryption key you provide
False, Amazon S3 does not store the encryption key you provide
When sending data to S3 using SSE-C you must use _______
HTTPS
_________ is mandatory for SSE-C
HTTPS
what endpoint is recommended for S3?
HTTPS
in S3 security, ______ ______ authorize which API calls should be allowed, so if our user is authorized through an IAM policy, that determines how it accesses our AWS S3 bucket; this is _____ _____ security
IAM policies, user based
S3 bucket policies are _____ based policies
JSON
We have the object we uploaded using HTTP along with the header, and using this header Amazon S3 knows to apply the ____ _______ _______ ______ you have defined on top of it. Using this _____ ____ _______ and your object, some encryption will happen and the file will be stored in your S3 bucket under the SSE-KMS encryption scheme.
KMS customer master key, customer master key
KMS stands for
Key Managed Service
For S3 user security you can use ____ _____ which requires MFA in versioned buckets to delete objects
MFA delete
what security is resource based, where we set the access rule at the object level?
Object Access Control List (ACL)
______ _______ _______ is a way to perform that Client Side Encryption
S3 Encryption Client
- grant public access to the bucket - force objects to be encrypted at upload - grant access to another account (cross account); these are use cases for ___ ______ _______
S3 bucket policies
<bucket-name>.s3-website-<AWS-region>.amazonaws.com or <bucket-name>.s3-website.<AWS-region>.amazonaws.com these are examples of what?
S3 website URLs
HTTPS is mandatory for which encryption?
SSE-C
- server side encryption using data keys fully managed by the customer outside of AWS - Amazon S3 does not store the encryption key you provide - HTTPS must be used - the encryption key must be provided in HTTP headers for every HTTP request made; what encryption is this?
SSE-C
encryption method used when you want to manage your own encryption keys
SSE-C
- encryption using keys handled & managed by KMS - advantage is user control + audit trail - object is encrypted server side; what type of encryption?
SSE-KMS
encryption method to leverage AWS Key Management Service to manage encryption keys
SSE-KMS
- object is encrypted server side - AES-256 encryption type - must set header "x-amz-server-side-encryption": "AES256" - encryption using keys handled & managed by Amazon S3; what type of encryption?
SSE-S3
encryption method that encrypts S3 objects using keys handled and managed by AWS
SSE-S3
We have an object and it is un-encrypted. We have it written out and we want to upload it into Amazon S3 and perform some ________ encryption. So for this we're going to upload the object onto Amazon S3. You can use the HTTP protocol or the HTTPS protocol, and you can add the header named ______ ____________. Then Amazon S3, thanks to this header, knows that it should apply its own S3 managed data key, and using the S3 _______ _________ and the object, some encryption will happen and the object will be stored encrypted in your Amazon S3 bucket. Very simple, but here in this instance the ____ ______ is entirely owned and managed by Amazon S3.
SSE-S3, "x-amz-server-side-encryption": "AES256", S3 managed data key, managed key, data key
encryption in flight is also called _______/________
SSL/TLS
what does SSE stand for?
Server Side Encryption
what are the actions of JSON S3 bucket policies?
Set of APIs to allow or deny
each object in Amazon S3 can have ______ (Unicode key/value pairs - up to 10), useful for security or lifecycle policies
Tags
True or False: http://www.example.com & http://other.example.com are different origins
True
True or False: when you are in the same origin we can make requests from the web browser from the first URL to the second URL
True
True or False: Amazon S3 is infinitely scaling
True
True or false: there's no concept of "directories" within buckets
True, although the UI (user interface) will trick you into thinking otherwise
if you have EC2 instances in your VPC without internet access, they can access S3 privately through a _____ _______
VPC endpoint
on the networking side of security you can access S3 privately through _____ _____
VPC endpoints
each object in S3 has a _______ ID
Versioning
for S3 security with logging and audit you can use S3 ____ ______, and they can be stored in other S3 buckets
access logs
if you get a 403 error when accessing an S3 website URL, what do you need to do?
allow public reads for bucket policy
what do the bucket settings for Block Public Access do?
block public access to buckets and objects
you visit https://www.example.com and you ask your web browser to make a request to http://other.example.com; what will your web browser do?
block the request unless there are the correct CORS headers
files in Amazon S3 can be versioned at the ______ level
bucket
______ _______ are bucket-wide rules set from the S3 console; they allow cross-account access to S3 buckets
bucket policies
Amazon S3 allows people to store objects (files) in ________
buckets (directories)
True or False: you can upload all 5 TB of data at once into S3
False, uploading more than 5 GB must use multipart upload
what are the advantages of using KMS over SSE-S3?
gives you control over who has access to what keys (user control) and also gives you an audit trail
S3 is not a ________ service but a ________ console
global
each bucket in S3 must have a _______ _______ ________
globally unique name
when you re-upload a file version with the same key, what will happen?
it will create a new version of that file
S3 is just ______ with very long names that contain slashes ("/")
keys
each object in Amazon S3 can have _________, a list of key/value pairs that can be system or user ________, to add info onto objects
metadata, metadata
when uploading an S3 object, uploading more than 5 GB must use __________ __________
multi-part upload
s3://my-bucket/my_file.txt and s3://my-bucket/my_folder1/my_file.txt: what are the keys of these objects?
my_file.txt and my_folder1/my_file.txt
- no uppercase - no underscore - 3-36 characters long - not an IP - must start with a lowercase letter or number; this is the ___ ____ for S3 buckets
naming convention
any file that is not versioned prior to enabling versioning will have version ______
null
S3 has files which are called ________
objects
an ______ is a scheme (protocol), host(domain), and port
origin
what types of S3 security do we have?
user based, resource based
So as we can see, thanks to ___________, every time we re-upload a file it will keep all its previous versions as well as the new version, and assign a different version ID every single time.
versioning
using CORS, a ______ _______ based mechanism, as soon as you visit a website you can make requests to other origins if the other origins allow you to make these requests
web browser
what level are buckets defined at?
region level
S3 bucket policies are a _______ _______ security
resource based
what 3 things make up an origin?
scheme (protocol), host (domain), port
https://www.example.com: what is the scheme (protocol)? what is the host (domain)? what is the port?
scheme is https, port is 443, host is www.example.com
when you enable CORS headers you can allow for a ______ _____ or * for _____ ______
specific origin, all origins
S3 can host ______ ______ and have them accessible on the _______
static websites, www
an IAM principal (user, role) can access an S3 object if....
the IAM permissions allow it (meaning you have an IAM policy attached to your principal that allows access to your S3 bucket) OR the resource policy (S3 bucket policy) allows it, AND there's no explicit DENY (so if your user is allowed through IAM to access your S3 bucket but your bucket policy explicitly denies your user access, then access is denied)
what is the principal of JSON S3 bucket policies?
the account or user to apply the policy to
http://example.com/app1 and http://example.com/app2 True or False: these are different origins
False, these are the same origin
So we have the object and we want to have it encrypted in Amazon S3, but we want to provide ourselves the ______ _______ __________ ___________ to perform the encryption. So we send both of these things over HTTPS, so it's an encrypted connection between you, the client, and Amazon S3, and the _____ _______ is in the header. Therefore Amazon S3 receives the exact same object and the ______ ______ ________ _____. Then again, it is server-side encryption, so Amazon S3 will perform the encryption using these two things and store the encrypted object into your S3 bucket. If you wanted to retrieve that file from Amazon S3 using SSE-C, you would need to provide the same _______ _______ _____ ______ that was used, so it requires a lot more management on your end because you manage the data keys and Amazon (or AWS in general) does not know which data keys you have used.
client side data key, data key, client side data key, client side data key
encryption where you encrypt the object before uploading it into Amazon S3
client side encryption
in ______ _____ ______ the customer manages the keys and encryption cycle
client side encryption
Amazon S3 this time is just the bucket; it's not doing any encryption for us, because this is _______ ______ __________, not _____ _______ _________. So on the client we'll use an encryption SDK, for example the S3 Encryption SDK: we provide the object and our _______ _______ ______ _____, the encryption happens _____ ______, so the object is fully encrypted on the _________ _______, and then we just upload that already encrypted object into Amazon S3.
client side encryption, server side encryption, client side data key, client side, client side
what does CORS stand for?
cross-origin resource sharing
the web browser is getting HTML files from a bucket enabled as a website, and there is a second bucket, also enabled as a website, that is our __________ bucket and contains some files we want. We do a GET on index.html on the first bucket, and the file says you need to perform a GET for another file on the other _______. If that bucket is configured with the right _______ _______ then the web browser will make the request; if it does not have the right ________ _________ it will not be able to make the request (review slide 239)
cross-origin, origin, CORS headers, CORS headers
when receiving data that is encrypted using Client Side Encryption (CSE) then you are solely responsible for ______ the data yourself
decrypting
if you know all S3 buckets in your account should be blocked from public what should you do?
enable Block public access in account settings
So here's our web browser and it visits our first web server. Because this is the first visit we do, it's called the _________. So for example, our web server is at https://www.example.com. Okay, great. And there is a second web server called a __________ because it has a different URL, which is https://www.other.com. So a web browser visits our first _______, and the files that are served from the ______ ask it to make a request to the _________. So what the web browser will do is what is called a _______ ________. And this _______ _________ is going to ask the _________ if it is allowed to do a request on it. So it's going to say, "Hey __________, the website https://www.example.com is sending me to you, can I make a request onto your website?" and the origin is saying, "yes, here is what you can do." So the _______________ is saying whether this website is allowed or not. So yes, it is allowed, because now we have the same origin here, the green one, as we had on the left hand side. And the methods that are authorized are GET, PUT, and DELETE. So we can get a file, delete a file, or update the file. Okay, so this is what the ___________ is allowing our web browser to do. So this is the _____ method, and therefore, because our web browser has been authorized to do so, it can issue, for example, a GET to this URL, and it will be allowed because the _________ __________ received previously allowed the web browser to make this request.
origin, cross-origin, origin, origin, cross-origin, preflight request, preflight request, cross-origin, cross-origin, Access-Control-Allow-Origin, cross-origin, CORS, CORS headers
in S3 user security, _______ _______ are URLs of files that are valid only for a limited time (ex. premium video service for logged in users)
pre-signed URLs
S3 security that allows access to certain files for certain users for a limited amount of time; think ______ ______
pre-signed URLs
And finally, _________ ________, which we've seen briefly when we were opening that file and there was a very, very long URL: it is a URL that's signed with some credentials from AWS and is valid only for a limited time. The use case for it, for example, is to download a premium video from a service if the user is logged in and has purchased that video. So the idea here is that any time in the exam you see access to certain files for certain users for a limited amount of time, think _______ _________
pre-signed URLs, pre-signed URLs
a S3 object key is composed of _______ + _______ ____
prefix + object name
s3://my-bucket/my_folder1/another_folder/my_file.txt: what is the prefix and what is the object name?
prefix: my_folder1/another_folder; object name: my_file.txt
the origin sends a ________ ___________ that asks the cross-origin if it is allowed to do a request on it
preflight request
bucket settings for Block Public Access were created to do what?
prevent company data leaks