A. Configure the S3 bucket to allow cross-origin resource sharing (CORS).
B. Host the form on Amazon EC2 rather than Amazon S3.
C. Request a limit increase for API Gateway.
D. Enable cross-origin resource sharing (CORS) in API Gateway.
E. Configure the S3 bucket for web hosting.
Solution
Explanation
CORS must be enabled to keep the browser from generating an error due to the same-origin policy, which requires that dynamic content come from the same domain as the static content. Since API Gateway uses a domain of the form [restapi-id].execute-api.amazonaws.com, and the S3 bucket uses [bucketname].s3-website-[region].amazonaws.com, a CORS header must be sent with the API Gateway response for the browser to relax the restriction. E is required for the HTML form to be served using a website endpoint. A is incorrect because the CORS header must be returned by the dynamic response from the API endpoint; configuring CORS for the S3 bucket does not help. B is incorrect because there is no advantage to serving a static webpage from a web server running on EC2 versus an S3 bucket. C is incorrect because API Gateway has a default per-Region limit of 10,000 requests per second; if required for production, this limit can be increased.
A. Redeploy the application to use Amazon S3 multipart upload.
B. Configure the S3 bucket to use S3 Transfer Acceleration.
C. Create an Amazon CloudFront distribution with the S3 bucket as an origin.
D. Configure the client application to use byte-range fetches.
E. Modify the Amazon S3 bucket to use Intelligent Tiering.
Solution
Explanation
Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between a client and an S3 bucket. Transfer Acceleration takes advantage of Amazon CloudFront's globally distributed edge locations. As the data arrives at an edge location, it is routed to Amazon S3 over an optimized network path.

Transfer Acceleration is a good solution for the following use cases:
You have customers that upload to a centralized bucket from all over the world.
You transfer gigabytes to terabytes of data on a regular basis across continents.
You are unable to utilize all of your available bandwidth over the Internet when uploading to Amazon S3.

Multipart upload transfers parts of the file in parallel and can speed up performance. This should definitely be built into the application code. Multipart upload also handles the failure of any part gracefully, allowing the failed parts to be retransmitted. Transfer Acceleration in combination with multipart upload will offer significant speed improvements when uploading data.

“Create an Amazon CloudFront distribution with the S3 bucket as an origin” is incorrect. CloudFront can offer performance improvements for downloading data, but to improve upload transfer times, Transfer Acceleration should be used.

“Configure the client application to use byte-range fetches” is incorrect. This is a technique used when reading data, not writing it, to fetch only the parts of the file that are required.
A. Configure server access logging and monitor the log files to check for unauthorized access.
B. Use Amazon CloudWatch to create a billing alarm that notifies managers when a billing threshold is reached or exceeded.
C. Use the Block Public Access feature in Amazon S3 to set the BlockPublicPolicy option to TRUE on the bucket.
D. Use the Block Public Access feature in Amazon S3 to set the IgnorePublicAcls option to TRUE on the bucket.
E. Modify the settings on the S3 bucket to enable default encryption for all objects.
Solution
Explanation
The S3 bucket is allowing public access and this must be immediately disabled. Setting the IgnorePublicAcls option to TRUE causes Amazon S3 to ignore all public ACLs on a bucket and any objects that it contains. The other settings you can configure with the Block Public Access feature are:
BlockPublicAcls – PUT bucket ACL and PUT object requests are blocked if they grant public access.
BlockPublicPolicy – Rejects requests to PUT a bucket policy if it grants public access.
RestrictPublicBuckets – Restricts access to principals in the bucket owner’s AWS account.

“Use the Block Public Access feature in Amazon S3 to set the BlockPublicPolicy option to TRUE on the bucket” is incorrect. This option will only reject requests to PUT a bucket policy that grants public access, which is not relevant to the workflow in this scenario.

“Configure server access logging and monitor the log files to check for unauthorized access” is incorrect. This will only identify unauthorized access; it does not block it.

“Modify the settings on the S3 bucket to enable default encryption for all objects” is incorrect. Encryption will not prevent public access; it only encrypts the data at rest in the S3 bucket.
A. Identify the IP addresses in Amazon S3 requests with Amazon S3 access logs and Amazon Athena. Use AWS Config with Auto Remediation to remediate any changes to S3 bucket policies. Configure alerting with AWS Config and Amazon SNS.
B. Create an AWS CloudTrail trail and log management events. Use CloudWatch Events rules with AWS Lambda to automatically remediate S3 bucket policy changes. Configure alerting with Amazon SNS.
C. Use Amazon Macie to identify the IP addresses in Amazon S3 requests. Use AWS Lambda with Macie to automatically remediate S3 bucket policy changes. Use Macie automatic alerting capabilities for alerts.
D. Use Amazon CloudWatch Logs with the Amazon Athena connector to identify the IP addresses in Amazon S3 requests. Use CloudWatch Events rules with AWS Lambda to automatically remediate S3 bucket policy changes. Configure alerting with Amazon SNS.
Solution
Explanation
Amazon S3 server access logging provides detailed records for the requests that are made to a bucket, including the IP addresses that issued the requests. S3 stores server access logs as objects in an S3 bucket. Athena can then be used to query the Amazon S3 access logs using SQL. The AWS Config Auto Remediation feature automatically remediates non-compliant resources evaluated by AWS Config rules. You can associate remediation actions with AWS Config rules and choose to execute them automatically to address non-compliant resources without manual intervention. An AWS Config rule can be applied to identify and remediate any unauthorized changes to the policy associated with the S3 bucket. Amazon SNS can be integrated as a destination for alerts.

CloudWatch Logs will not contain information about the IP addresses that issued requests to Amazon S3; AWS CloudTrail should be used instead. Macie is used to identify personally identifiable information rather than IP addresses. CloudTrail can be used to identify object-level actions, but you must enable object-level (data) events, not management events.
A. The object ACL does not allow write permissions for the IAM user account.
B. The bucket has the BlockPublicAcls setting set to TRUE.
C. The bucket has the BlockPublicPolicy setting set to TRUE.
D. The object has a policy assigned that blocks all public access.
Solution
Explanation
The Amazon S3 Block Public Access feature provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. By default, new buckets, access points, and objects don’t allow public access. The four settings are:
IgnorePublicAcls – Causes Amazon S3 to ignore all public ACLs on a bucket and any objects that it contains.
BlockPublicAcls – PUT bucket ACL and PUT object requests are blocked if they grant public access.
BlockPublicPolicy – Rejects requests to PUT a bucket policy if it grants public access.
RestrictPublicBuckets – Restricts access to principals in the bucket owner’s AWS account.