Securing and Replicating Critical Data in AWS S3

Extra Security and Redundancy for AWS S3 Bucket

Question

A company stores critical data in an S3 bucket.

There is a requirement to ensure that an extra level of security is added to the S3 bucket.

In addition, it should be ensured that objects are available in a secondary region if the primary one goes down.

Which of the following can help fulfill these requirements? (Select TWO.)

Answers

Explanations


Answer: A and C.

Option A is CORRECT as this solution meets the requirement of having S3 bucket contents available in the secondary region if the primary one goes down.

Option B is incorrect because AWS Requester Pays (master pays) addresses neither of the two requirements, security and availability.

With Requester Pays buckets, the requester, instead of the bucket owner, pays the cost of the request and the data download from the bucket.

Option C is CORRECT because adding a bucket policy that requires MFA provides an extra level of security, so that only authorized and authenticated users can access the S3 bucket.

Option D is incorrect because MFA on S3 is applied using bucket policy and not by ACL.

The AWS Documentation mentions the following:

You can enforce the MFA authentication requirement using the aws:MultiFactorAuthAge key in a bucket policy.

IAM users can access Amazon S3 resources by using temporary credentials issued by the AWS Security Token Service (STS).

You provide the MFA code at the time of the STS request.

When Amazon S3 receives a request with MFA authentication, the aws:MultiFactorAuthAge key provides a numeric value indicating how long ago (in seconds) the temporary credential was created.

If the temporary credential provided in the request was not created using an MFA device, this key value is null (absent).

You can add a condition to check this value in a bucket policy, as shown in the following example bucket policy.

The policy denies any Amazon S3 operation on the /taxdocuments folder in the examplebucket bucket if the request is not MFA authenticated.

To learn more about MFA authentication, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.

    {
      "Version": "2012-10-17",
      "Id": "123",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
          "Condition": { "Null": { "aws:MultiFactorAuthAge": true } }
        }
      ]
    }
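As an added illustration (not part of the page or the AWS documentation), the following Python models how the Null condition operator in the example policy is evaluated: the Deny statement matches exactly when the request carries no aws:MultiFactorAuthAge key, i.e. when the credentials were not created with an MFA code. The policy is a constructed copy of the example above; the object ARNs and the 300-second session age are made-up sample values.

```python
from fnmatch import fnmatchcase

# Constructed copy of the MFA-deny bucket policy shown above; bucket and
# prefix names are the same placeholders the AWS example uses.
MFA_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessMfa",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
        "Condition": {"Null": {"aws:MultiFactorAuthAge": True}},
    }],
}


def null_condition_matches(condition: dict, request_keys: dict) -> bool:
    """IAM 'Null' operator: true means 'this key must be absent from the request',
    false means 'this key must be present'. Only this operator is modelled here."""
    for key, expect_absent in condition.get("Null", {}).items():
        want_absent = str(expect_absent).lower() == "true"
        if want_absent != (request_keys.get(key) is None):
            return False
    return True


def is_explicitly_denied(policy: dict, action: str, resource: str, request_keys: dict) -> bool:
    """Return True when a Deny statement matches the action, resource and condition.
    An explicit Deny always wins in IAM, so a match means the request is refused."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # IAM wildcards ('*', '?') behave like shell globs; '*' also spans '/'.
        if not any(fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        if null_condition_matches(stmt.get("Condition", {}), request_keys):
            return True
    return False


if __name__ == "__main__":
    taxdoc = "arn:aws:s3:::examplebucket/taxdocuments/2023.pdf"  # constructed object ARN
    # Long-term access key without MFA: STS never set the key -> denied.
    print(is_explicitly_denied(MFA_DENY_POLICY, "s3:GetObject", taxdoc, {}))
    # Session created with an MFA code 300 seconds ago: key present -> not denied.
    print(is_explicitly_denied(MFA_DENY_POLICY, "s3:GetObject", taxdoc, {"aws:MultiFactorAuthAge": 300}))
```

Objects outside the taxdocuments/ prefix are not covered by the Deny statement, which is why the second explanation below notes that this condition alone does nothing for availability in a second region.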

For more information on S3 bucket policies, kindly visit the following URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

For more information on Cross-region replication (CRR), kindly visit the following URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html

The requirement is to add an extra level of security to an S3 bucket that stores critical data and ensure that objects are available in a secondary region if the primary one goes down. To fulfill these requirements, we can use the following options:

Option A: Enable bucket versioning and also enable Cross-Region Replication. Bucket versioning allows you to keep multiple versions of an object in the same bucket. This can help you to recover from both unintended user actions and application failures. Cross-Region Replication (CRR) is a feature that enables automatic, asynchronous copying of objects across buckets in different AWS Regions. By enabling CRR, you can have a copy of your critical data in a secondary region. This option fulfills both requirements.

Option B: Enable bucket versioning and enable Master Pays. Master Pays is a feature that allows you to designate a payer account for a bucket that is used to pay for all requests and data transfer. This option is not relevant to the requirements mentioned in the question.

Option C: For the bucket policy, add a condition for { "Null": { "aws:MultiFactorAuthAge": true } }. This option adds a condition to the bucket policy that requires Multi-Factor Authentication (MFA) to be used with an access key that has not been used for a certain amount of time. This option adds an extra level of security but does not fulfill the requirement of having objects available in a secondary region.

Option D: Enable the bucket ACL and add a condition for { "Null": { "aws:MultiFactorAuthAge": true } }. This option adds a condition to the bucket ACL that requires Multi-Factor Authentication (MFA) to be used with an access key that has not been used for a certain amount of time. This option adds an extra level of security but does not fulfill the requirement of having objects available in a secondary region.

Therefore, the correct answer is A: Enable bucket versioning and also enable Cross-Region Replication.