
Must know things about s3 buckets for AWS Solutions Architect Associate (SAA) exam

  • to prevent accidental deletion

    • enable versioning

    • enable MFA delete on the S3 bucket

  • to prevent modification or deletion

    • enable versioning

    • enable Object Lock

      • Governance mode - only users with special permissions can overwrite or delete the object version, or alter its object lock settings

      • Compliance mode - no user, including the root user of the AWS account, can overwrite or delete the object version, or alter its object lock settings

      • Write Once Read Many (WORM) - in compliance mode there is no restriction on adding new objects; only changing or deleting existing object versions is blocked

  • Legal hold

    • A legal hold provides the same protection as a retention period, but it HAS NO EXPIRATION DATE. Instead, a legal hold remains in place until you explicitly remove it. Legal holds are independent from retention periods and are PLACED ON INDIVIDUAL OBJECT VERSIONS.
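The governance/compliance/legal-hold rules above are easiest to remember as a decision function. The following is an added example written for this note, not code from the original post or from AWS; it models one object version and answers "can this version be deleted, and can its retention be shortened?" for each mode. The object names, version ids and dates are constructed, and `bypass_governance` stands in for a caller holding `s3:BypassGovernanceRetention` who explicitly requests the bypass.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed model of the S3 Object Lock rules listed above. It is not the S3
# implementation; every date and object below is made up for the demonstration.


@dataclass
class LockedVersion:
    key: str
    version_id: str
    retention_mode: Optional[str] = None      # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None   # end of the retention period (UTC)
    legal_hold: bool = False                  # a legal hold never expires on its own


def retention_active(obj: LockedVersion, now: datetime) -> bool:
    """A retention period protects the version until retain_until has passed."""
    return (obj.retention_mode is not None and obj.retain_until is not None
            and now < obj.retain_until)


def can_delete_version(obj: LockedVersion, now: datetime,
                       bypass_governance: bool = False) -> Tuple[bool, str]:
    """Decide whether deleting this particular version is permitted.

    bypass_governance models a caller that holds s3:BypassGovernanceRetention
    and asks for the bypass explicitly (x-amz-bypass-governance-retention).
    """
    if obj.legal_hold:
        return False, "legal hold: no expiration date, must be removed explicitly first"
    if retention_active(obj, now):
        if obj.retention_mode == "COMPLIANCE":
            return False, "compliance retention: no user, root included, can delete"
        if bypass_governance:
            return True, "governance retention: bypassed by a specially permitted user"
        return False, "governance retention: bypass permission required"
    return True, "no lock in effect on this version"


def can_set_retention(obj: LockedVersion, new_retain_until: datetime,
                      now: datetime, bypass_governance: bool = False) -> Tuple[bool, str]:
    """Decide whether the retention period may be set to new_retain_until.

    Extending the period is always allowed. Shortening it follows the delete
    rules: never in compliance mode, only with the bypass in governance mode.
    Changing the mode itself is not modelled (simplification).
    """
    if not retention_active(obj, now):
        return True, "no active retention: a new period can be set"
    if new_retain_until >= obj.retain_until:
        return True, "extending the retention period is always allowed"
    if obj.retention_mode == "COMPLIANCE":
        return False, "compliance mode: the period cannot be shortened"
    if bypass_governance:
        return True, "governance mode: shortened with bypass permission"
    return False, "governance mode: bypass permission required to shorten"


def can_put_new_version(obj: LockedVersion) -> Tuple[bool, str]:
    """WORM: locks protect existing versions only; adding a new version is never blocked."""
    return True, "a new version can always be written; locked versions stay intact"


# Constructed timeline and versions used by the demonstration.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
RETAIN_UNTIL = datetime(2025, 1, 1, tzinfo=timezone.utc)
SHORTER = datetime(2024, 9, 1, tzinfo=timezone.utc)
LONGER = datetime(2026, 1, 1, tzinfo=timezone.utc)
ALREADY_EXPIRED = datetime(2024, 1, 1, tzinfo=timezone.utc)

COMPLIANCE_V = LockedVersion("audit.log", "v1", "COMPLIANCE", RETAIN_UNTIL)
GOVERNANCE_V = LockedVersion("audit.log", "v2", "GOVERNANCE", RETAIN_UNTIL)
HELD_V = LockedVersion("audit.log", "v3", legal_hold=True)
EXPIRED_V = LockedVersion("audit.log", "v4", "COMPLIANCE", ALREADY_EXPIRED)

if __name__ == "__main__":
    for name, v in [("compliance", COMPLIANCE_V), ("governance", GOVERNANCE_V),
                    ("legal hold", HELD_V), ("expired", EXPIRED_V)]:
        for bypass in (False, True):
            print(f"{name:11} bypass={bypass!s:5} ->", can_delete_version(v, NOW, bypass))
```

The model makes the exam distinctions explicit: the bypass flag changes the outcome only in governance mode, a legal hold blocks deletion even with the bypass and even when no retention period is set, and writing a new version is never affected by the lock on older ones.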
  • access S3 buckets across 2 different AWS accounts

    • Add the development account as a principal in the trust policy of the role in the production account.
  • storage lens

    • identify buckets that are not versioning-enabled

    • report on incomplete multipart uploads

  • ensure that all objects uploaded to an Amazon S3 bucket are encrypted

    • Update the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set.

  • analyze and troubleshoot Access Denied errors and Unauthorized errors that are related to IAM permissions.

    • Search CloudTrail logs with Amazon Athena queries to identify the errors.
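What the Athena query actually does is group CloudTrail records by principal, service, API call and error code. The following is an added example written for this note, not code from the original post or from AWS: it embeds a few constructed CloudTrail-style records (placeholder account id, ARNs, bucket and keys), performs that grouping offline in Python, and carries the equivalent Athena SQL as a string; `cloudtrail_logs` is a placeholder table name, and the column names follow the CloudTrail table schema AWS documents for Athena.

```python
import json
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed CloudTrail-style records (not from a real account). Account id,
# ARNs, bucket and key names are placeholders.
SAMPLE_EVENTS_JSON = """
[
 {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "errorCode": "AccessDenied", "errorMessage": "Access Denied",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
  "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"}},
 {"eventTime": "2024-05-01T10:00:07Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "errorCode": "AccessDenied", "errorMessage": "Access Denied",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
  "requestParameters": {"bucketName": "example-bucket", "key": "reports/q2.csv"}},
 {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"bucketName": "example-bucket", "key": "uploads/a.txt"}},
 {"eventTime": "2024-05-01T10:02:30Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "errorCode": "Client.UnauthorizedOperation",
  "errorMessage": "You are not authorized to perform this operation.",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {}}
]
"""

# Same grouping as an Athena query against a CloudTrail table created with the
# AWS-documented schema. "cloudtrail_logs" is a placeholder table name.
ATHENA_QUERY = """
SELECT useridentity.arn, eventsource, eventname, errorcode, count(*) AS hits
FROM cloudtrail_logs
WHERE errorcode = 'AccessDenied' OR errorcode LIKE '%Unauthorized%'
GROUP BY useridentity.arn, eventsource, eventname, errorcode
ORDER BY hits DESC;
"""


def load_events(raw: str = SAMPLE_EVENTS_JSON) -> List[dict]:
    return json.loads(raw)


def is_permission_error(event: dict) -> bool:
    """Heuristic: error codes that signal an IAM authorization failure."""
    code = event.get("errorCode") or ""
    return code == "AccessDenied" or "Unauthorized" in code


def summarize_permission_errors(events: Iterable[dict]) -> List[Tuple[Tuple[str, str, str, str], int]]:
    """Group denied calls by (principal ARN, service, API, error code), most frequent first."""
    counts: Counter = Counter()
    for ev in events:
        if not is_permission_error(ev):
            continue
        principal = ev.get("userIdentity", {}).get("arn", "unknown")
        counts[(principal, ev["eventSource"], ev["eventName"], ev["errorCode"])] += 1
    return counts.most_common()


def denied_s3_objects(events: Iterable[dict]) -> List[str]:
    """bucket/key pairs that were denied, to compare against the bucket policy and IAM policy."""
    out = []
    for ev in events:
        if is_permission_error(ev) and ev["eventSource"] == "s3.amazonaws.com":
            p = ev.get("requestParameters", {})
            out.append(f"{p.get('bucketName')}/{p.get('key', '')}")
    return out


if __name__ == "__main__":
    events = load_events()
    for (arn, source, api, code), hits in summarize_permission_errors(events):
        print(f"{hits:3}  {code:28} {source:18} {api:14} {arn}")
    print("denied S3 objects:", denied_s3_objects(events))
```

Grouping by principal and API first is what makes the triage fast: a burst of `AccessDenied` on one role and one action usually points at a single missing statement (or an explicit deny in a bucket policy or SCP), whereas denials scattered across many principals point at a bucket-level change.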
  • reduce data transfer cost

    • Configure the Requester Pays feature on the company’s S3 bucket.

    • Configure S3 Cross-Region Replication from the company's S3 bucket to one of the marketing firm’s S3 buckets.

  • storage classes: where the data is stored

    • S3 Standard-IA: Data is stored redundantly across multiple Availability Zones (AZs), providing high availability and resilience against zone failures.

    • S3 One Zone-IA: Data is stored in a single Availability Zone, which means it is cheaper but less resilient; if that zone fails, the data is lost.

  • data retrieval

    • Amazon S3 Glacier:

      • Expedited Retrieval: Provides access to data within 1-5 minutes.

      • Standard Retrieval: Provides access to data within 3-5 hours.

      • Bulk Retrieval: Provides access to data within 5-12 hours.

    • Amazon S3 Glacier Deep Archive:

      • Standard Retrieval: Provides access to data within 12 hours.

      • Bulk Retrieval: Provides access to data within 48 hours.

  • reduce storage cost by keeping only the last 2 versions

    • Use S3 Lifecycle to delete expired object versions and retain the two most recent versions.
  • cross region replication

  • restrict each application to its specific prefix and have granular control of the objects under each prefix.

    • Create dedicated S3 access points and access point policies for each application.
  • Turn on S3 Transfer Acceleration on the destination S3 bucket. Use multipart uploads to directly upload site data to the destination S3 bucket.

  • Generate Amazon S3 presigned URLs in the application. Upload files directly from the user's browser into an S3 bucket.

  • S3 is cost-effective storage with millisecond retrieval

  • encrypt all existing objects + future objects

    • Turn on the default encryption settings for the S3 bucket. Use the S3 Inventory feature to create a .csv file that lists the unencrypted objects. Run an S3 Batch Operations job that uses the copy command to encrypt those objects.

    • via a customer-provided key

      • Create a list of unencrypted objects by filtering an Amazon S3 Inventory report. Configure an S3 Batch Operations job to encrypt the objects from the list with server-side encryption with customer-provided keys (SSE-C). Configure the S3 default encryption feature to use server-side encryption with customer-provided keys (SSE-C).
  • each customer must be able to access only their data from their AWS account

    • Provision a separate AWS Key Management Service (AWS KMS) key for each customer. Encrypt the data server-side. In each KMS key policy, deny decryption of data for all principals except an IAM role that the customer provides.
  • connect on premises to S3 without using the internet

    • AWS Direct Connect + VPC endpoint for S3 (a gateway endpoint is the better choice)

  • provide secure access to a bucket from the application tier running on Amazon EC2 instances inside a VPC.

    • Configure a VPC gateway endpoint for Amazon S3 within the VPC.

    • Create a bucket policy that limits access to only the application tier running in the VPC.
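Two of the items above come down to a bucket policy with a `Deny` statement and a condition: "deny PutObject when the `x-amz-server-side-encryption` header is missing" and "deny access that did not come through the VPC gateway endpoint". The following is an added example written for this note, not code from the original post or from AWS. It builds both policies as JSON documents and runs a small evaluator over constructed requests so you can see exactly which request each statement blocks. The bucket name and VPC endpoint id are placeholders; the evaluator models only `Deny` statements with `Null`, `StringEquals` and `StringNotEquals` conditions, which is enough for these guardrails since an explicit deny overrides any allow.

```python
import json
from fnmatch import fnmatchcase

# Placeholder identifiers (not from the original page).
BUCKET = "example-bucket"
VPCE_ID = "vpce-0123456789abcdef0"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

# "ensure every upload is encrypted": deny PutObject when the
# x-amz-server-side-encryption header is absent or names another algorithm.
ENCRYPT_ON_PUT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyWrongEncryptionAlgorithm", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}}},
    ],
}

# "application tier inside a VPC": deny any S3 action whose request did not
# arrive through the bucket's gateway endpoint.
VPC_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyAccessOutsideVpcEndpoint", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(operator, key, wanted, request_keys):
    """Evaluate one condition entry against the request context.

    Condition keys are case-insensitive. A key that is absent from the request
    makes StringEquals false and, as in IAM, makes the negated StringNotEquals
    true; that is why the Null statement is listed first for a clear reason.
    """
    actual = request_keys.get(key.lower())
    wanted = [str(w) for w in _as_list(wanted)]
    if operator == "Null":
        return (actual is None) == (wanted[0].lower() == "true")
    if operator == "StringEquals":
        return actual is not None and actual in wanted
    if operator == "StringNotEquals":
        return actual is None or actual not in wanted
    raise ValueError(f"operator {operator} not modelled")


def explicit_deny(policy, action, resource, request_keys):
    """Return the Sid of the first matching Deny statement, or None.

    Only Deny statements are evaluated: an explicit deny overrides every
    allow, so this is enough to show what a guardrail policy blocks.
    Principal is ignored because both policies use "*".
    """
    keys = {k.lower(): v for k, v in request_keys.items()}
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        conds = st.get("Condition", {})
        if all(_condition_matches(op, k, v, keys)
               for op, entries in conds.items() for k, v in entries.items()):
            return st["Sid"]
    return None


if __name__ == "__main__":
    obj = f"{BUCKET_ARN}/uploads/report.csv"
    print(json.dumps(ENCRYPT_ON_PUT_POLICY, indent=2))
    print("put, no header      ->", explicit_deny(ENCRYPT_ON_PUT_POLICY, "s3:PutObject", obj, {}))
    print("put, AES256         ->", explicit_deny(ENCRYPT_ON_PUT_POLICY, "s3:PutObject", obj,
                                                  {"s3:x-amz-server-side-encryption": "AES256"}))
    print("get via endpoint    ->", explicit_deny(VPC_ONLY_POLICY, "s3:GetObject", obj,
                                                  {"aws:SourceVpce": VPCE_ID}))
    print("get from internet   ->", explicit_deny(VPC_ONLY_POLICY, "s3:GetObject", obj, {}))
```

Two caveats worth carrying into practice. S3 now applies SSE-S3 to new objects by default, so the header check mainly matters when you want to force a particular mechanism such as SSE-KMS; requests that omit the header are still denied by this policy, so clients must send it. And the VPC-only policy denies every request without the `aws:SourceVpce` key, including administrators using the console or CLI from outside the VPC, so keep an exception principal or an alternate path before applying it, or you can lock yourself out of the bucket.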
  • the S3 bucket metrics show that the number of objects has continued to rise.

    • Configure the S3 Lifecycle policy to delete previous versions as well as current versions.
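The lifecycle items above ("keep only the last 2 versions", "report on incomplete multipart uploads", and "object count keeps rising, so expire current versions as well") all map onto one lifecycle configuration. The following is an added example written for this note, not code from the original post or from AWS: it spells out that configuration in the shape `PutBucketLifecycleConfiguration` accepts and includes a simplified simulator that, given a constructed `ListObjectVersions`-style listing, reports which versions each rule would expire on a given day. The `logs/` prefix and every object and date are made up; the simulator approximates "became noncurrent" by the timestamp of the next newer version and is not S3's own evaluation.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed lifecycle configuration. "logs/" is a placeholder prefix.
LIFECYCLE_CONFIGURATION = {
    "Rules": [
        {
            # "keep only the last 2 versions": the current version is untouched,
            # the two newest noncurrent versions are kept, older noncurrent
            # versions are deleted once they have been noncurrent for 30 days.
            "ID": "retain-two-previous-versions",
            "Status": "Enabled",
            "Filter": {"Prefix": ""},
            "NoncurrentVersionExpiration": {"NoncurrentDays": 30, "NewerNoncurrentVersions": 2},
            # "incomplete multipart uploads": abandoned parts are billed but never
            # show up as objects, so abort them after a week.
            "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
        },
        {
            # "object count keeps rising": for logs expire current versions too;
            # on a versioned bucket that is what actually stops the growth.
            "ID": "expire-logs-current-and-previous",
            "Status": "Enabled",
            "Filter": {"Prefix": "logs/"},
            "Expiration": {"Days": 90},
            "NoncurrentVersionExpiration": {"NoncurrentDays": 1},
        },
    ]
}


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed ListObjectVersions-style listing of the bucket.
SAMPLE_VERSIONS: List[Dict] = [
    {"Key": "doc.txt", "VersionId": "v1", "LastModified": _utc(2024, 1, 1), "IsLatest": False},
    {"Key": "doc.txt", "VersionId": "v2", "LastModified": _utc(2024, 2, 1), "IsLatest": False},
    {"Key": "doc.txt", "VersionId": "v3", "LastModified": _utc(2024, 3, 1), "IsLatest": False},
    {"Key": "doc.txt", "VersionId": "v4", "LastModified": _utc(2024, 4, 1), "IsLatest": False},
    {"Key": "doc.txt", "VersionId": "v5", "LastModified": _utc(2024, 5, 1), "IsLatest": True},
    {"Key": "fresh.txt", "VersionId": "f1", "LastModified": _utc(2024, 6, 1), "IsLatest": False},
    {"Key": "fresh.txt", "VersionId": "f2", "LastModified": _utc(2024, 6, 5), "IsLatest": False},
    {"Key": "fresh.txt", "VersionId": "f3", "LastModified": _utc(2024, 6, 10), "IsLatest": False},
    {"Key": "fresh.txt", "VersionId": "f4", "LastModified": _utc(2024, 6, 14), "IsLatest": True},
    {"Key": "logs/app.log", "VersionId": "l1", "LastModified": _utc(2024, 1, 1), "IsLatest": False},
    {"Key": "logs/app.log", "VersionId": "l2", "LastModified": _utc(2024, 1, 2), "IsLatest": True},
]
NOW = _utc(2024, 6, 15)


def _applies(rule: dict, key: str) -> bool:
    return key.startswith(rule.get("Filter", {}).get("Prefix", ""))


def _noncurrent_since(versions: List[Dict]) -> Dict[str, datetime]:
    """VersionId -> moment the version became noncurrent (= LastModified of the
    next newer version of the same key); simplification of S3's bookkeeping."""
    since: Dict[str, datetime] = {}
    by_key: Dict[str, List[Dict]] = {}
    for v in versions:
        by_key.setdefault(v["Key"], []).append(v)
    for vs in by_key.values():
        vs.sort(key=lambda v: v["LastModified"])
        for older, newer in zip(vs, vs[1:]):
            since[older["VersionId"]] = newer["LastModified"]
    return since


def noncurrent_versions_to_expire(versions: List[Dict], rule: dict, now: datetime) -> List[str]:
    """VersionIds the rule's NoncurrentVersionExpiration would delete at `now`."""
    cfg = rule.get("NoncurrentVersionExpiration")
    if not cfg:
        return []
    keep = cfg.get("NewerNoncurrentVersions", 0)
    min_age = timedelta(days=cfg["NoncurrentDays"])
    since = _noncurrent_since(versions)
    by_key: Dict[str, List[Dict]] = {}
    for v in versions:
        if not v["IsLatest"] and _applies(rule, v["Key"]):
            by_key.setdefault(v["Key"], []).append(v)
    expire = []
    for vs in by_key.values():
        # newest noncurrent first; the first `keep` survive regardless of age
        vs.sort(key=lambda v: since.get(v["VersionId"], v["LastModified"]), reverse=True)
        for v in vs[keep:]:
            if now - since.get(v["VersionId"], v["LastModified"]) >= min_age:
                expire.append(v["VersionId"])
    return sorted(expire)


def current_versions_to_expire(versions: List[Dict], rule: dict, now: datetime) -> List[str]:
    """Keys whose current version the rule's Expiration would expire at `now`
    (on a versioned bucket this adds a delete marker instead of removing data)."""
    days = rule.get("Expiration", {}).get("Days")
    if days is None:
        return []
    return sorted(v["Key"] for v in versions
                  if v["IsLatest"] and _applies(rule, v["Key"])
                  and now - v["LastModified"] >= timedelta(days=days))


if __name__ == "__main__":
    for rule in LIFECYCLE_CONFIGURATION["Rules"]:
        print(rule["ID"], "noncurrent:", noncurrent_versions_to_expire(SAMPLE_VERSIONS, rule, NOW),
              "current:", current_versions_to_expire(SAMPLE_VERSIONS, rule, NOW))
```

Run on the constructed listing, the first rule deletes only `v1` and `v2` of `doc.txt`: `v3` and `v4` are the two newest previous versions and `fresh.txt`'s old versions have not been noncurrent for 30 days yet. The second rule shows why expiring only noncurrent versions never shrinks a versioned bucket: the current `logs/app.log` version is expired by `Expiration`, and only then can it be removed as a noncurrent version.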
  • CORS

    • Suppose that you are hosting a website in an Amazon S3 bucket named your-website and your users load the website endpoint http://your-website.s3-website-us-east-1.amazonaws.com. Now you want to use JavaScript on the webpages that are stored in this bucket to make authenticated GET and PUT requests against the same bucket by using the Amazon S3 API endpoint for the bucket, your-website.s3.amazonaws.com. A browser would normally block JavaScript from making those requests, but with CORS you can configure your bucket to explicitly enable cross-origin requests from your-website.s3-website-us-east-1.amazonaws.com.
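The scenario above, as an added example that is not part of the original post or AWS's own code: the CORS configuration for the `your-website` bucket in the shape `PutBucketCors` accepts, plus a small model of the check S3 performs on a cross-origin request, run against constructed requests. Only the origin, method and request-header checks are modelled, and the header list in the rule is an assumption chosen for the example.

```python
import json
from fnmatch import fnmatchcase
from typing import Iterable, Optional

WEBSITE_ORIGIN = "http://your-website.s3-website-us-east-1.amazonaws.com"

# CORS configuration for the scenario: pages served from the website endpoint
# call the REST API endpoint of the same bucket, which the browser treats as a
# different origin. The header list is an assumption for this example.
CORS_CONFIGURATION = {
    "CORSRules": [
        {
            "AllowedOrigins": [WEBSITE_ORIGIN],
            "AllowedMethods": ["GET", "PUT"],
            "AllowedHeaders": ["Authorization", "Content-Type", "x-amz-*"],  # one "*" per entry
            "ExposeHeaders": ["ETag"],
            "MaxAgeSeconds": 3000,
        }
    ]
}


def _matches_any(value: str, patterns: Iterable[str], fold_case: bool = False) -> bool:
    """Glob match with the single "*" wildcard S3 allows in origins and headers."""
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatchcase(value, p) for p in patterns)


def cors_preflight(config: dict, origin: str, method: str,
                   request_headers: Iterable[str] = ()) -> Optional[dict]:
    """Model the S3 CORS check for a cross-origin request.

    Returns the CORS response headers S3 would send when the first matching
    rule allows the request, or None when no rule matches; without those
    headers the browser blocks the JavaScript request described above.
    """
    request_headers = list(request_headers)
    for rule in config["CORSRules"]:
        if not _matches_any(origin, rule["AllowedOrigins"]):
            continue
        if method.upper() not in rule["AllowedMethods"]:
            continue
        if not all(_matches_any(h, rule.get("AllowedHeaders", []), fold_case=True)
                   for h in request_headers):
            continue
        response = {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
            "Access-Control-Expose-Headers": ", ".join(rule.get("ExposeHeaders", [])),
            "Access-Control-Max-Age": str(rule.get("MaxAgeSeconds", 0)),
        }
        if request_headers:
            response["Access-Control-Allow-Headers"] = ", ".join(request_headers)
        return response
    return None


if __name__ == "__main__":
    print(json.dumps(CORS_CONFIGURATION, indent=2))
    # Constructed requests: the site's own JavaScript, then a page on another host.
    print(cors_preflight(CORS_CONFIGURATION, WEBSITE_ORIGIN, "PUT",
                         ["Content-Type", "x-amz-meta-owner"]))
    print(cors_preflight(CORS_CONFIGURATION, "https://other.example", "GET"))
```

Keep in mind what CORS does and does not decide: it only tells the browser which origins may read the response. The GET and PUT calls are still authenticated S3 API requests, so a request from an unlisted origin is blocked by the browser, while a request without valid credentials is rejected by S3 regardless of CORS. Listing exactly the website origin rather than `*` is the narrow setting the scenario calls for.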