Amazon AWS Certified SysOps Administrator Associate – S3 Storage and Data Management – For SysOps

June 5, 2023

1. [SAA/DVA] S3 MFA Delete

All right, we are going to talk about MFA Delete in depth. So MFA Delete is to use MFA, so multi-factor authentication, and that will force our users to generate a code on a device, which could be your mobile phone or your hardware key, to do important operations on S3. So to use MFA Delete, we have to first enable versioning on an S3 bucket, but you already know this. And when we need MFA will be to permanently delete an object version and to suspend versioning on the bucket. So these are the most important destructive actions that we’ll need MFA for.

But if we just enable versioning, or list deleted versions, or just delete a version by adding a delete marker, this is fine. We don’t need MFA for that. The one important thing to know is that MFA Delete can be enabled or disabled only by the bucket owner, which is the root account. So even if you have an administrator account, you cannot enable MFA Delete. You’ll have to use the root account, and on top of it, because it’s really not easy, we have to enable MFA Delete only using the CLI for now. So it’s really, really hard to set up, but I’ll show you how to do it.

And for this you need to use root credentials. And there’s no way of doing it in the console right now; it only has to be done through the CLI. So let’s go ahead and walk through this. But you don’t have to do the hands-on with me. You can just watch me, because it’s really clunky and painful. But the idea to understand is that only the root account can enable and disable MFA Delete, and that you’ll need MFA only to permanently delete an object version or suspend versioning on the bucket. So let’s get started with the hands-on.

2. [SAA/DVA] S3 MFA Delete Hands On

Okay, so let’s demonstrate MFA Delete. So I’m going to create a bucket and I’ll call it demo-stephane-mfa-delete-2020 in eu-west-1. And I’m going to enable bucket versioning and click on Create bucket. Okay, good. Now if we go to this bucket, the MFA bucket, and go to Properties and Bucket versioning and click on Edit, as you can see, multi-factor authentication (MFA) delete is currently disabled. And you cannot change this through the UI of the Amazon console for some reason.

So maybe someday they will allow us to enable it. But for now, what you have to do is to enable it directly using the AWS CLI. So a prerequisite of this hands-on is to make sure that under IAM you have already set up an MFA device for your root account. So I’m using my root account right now. As you can see, I’m logged in as root. And what I need to do is click on it and click on My Security Credentials.

This is taking me to the security credentials I have in IAM, and under Multi-factor authentication (MFA), as you can see, I’ve already set up a virtual device for my MFA. And the ARN is right here. Okay, so this is good. Next we have to go ahead and actually configure the AWS CLI to use this root account.

Now this is something I don’t recommend doing except for enabling MFA Delete on your S3 buckets. So what I’m going to do is to create new access keys. And I will download the key file and then show the access keys as well. I will remove them, so don’t worry about seeing mine. But you should never share your root access key with anyone, as well as your secret access key. And so what I need to do now is to set up the CLI with these two little settings. So I’m going to configure my command line, so it is aws configure. And then I’m going to create a profile, and I’ve called this profile root-mfa-delete-demo. And this file you can find under s3-advanced-mfa-delete.sh.

So we’re using the commands from there. So I’m going to set up this profile. And then I have to enter my access key ID, which is right here, so I’ll just go ahead and paste this; my secret access key, which is all the way here, paste it; default region name eu-west-1. And we’re good to go. Now if I do an aws s3 ls, does it work? And I do it with my profile that I’ve just created, which is called, by the way, root-mfa-delete-demo. Yes, this gives me the three buckets that I have, so my profile is correctly set up.

Next, what I have to do is to enable MFA Delete. So for this, there is this full command right here that I’m going to copy and then edit with you. So I paste it, and I need to first change the bucket name. So the bucket right now is called mfa-demo-stephane, but I’m going to change it to demo-stephane-mfa-delete-2020, which is good. Versioning configuration: Status=Enabled, MFADelete=Enabled. So we are good to go here.

And then we need to specify the ARN of the MFA device. And this I can find, so let’s find it right here. This is the ARN of the MFA device, so I’m going to paste it. And finally the MFA code. This is something that I’m going to get directly from my application that gives me my MFA code. So 710343, press Enter. And apparently this is not correct, so let’s wait for another one, and we’re good to go.

Okay, so this was set up. So now how do I know if it worked? Well, if I go into my bucket versioning and refresh, as we can see now, it says bucket versioning is enabled, as well as multi-factor authentication (MFA) delete is enabled. And so how do we know if it worked? Well, let’s say I’m going to my objects and I’m going to upload an object. So let me upload, for example, a coffee.jpg file.

I will upload it. So this is working. Now if I go back to my bucket, take that object and delete it. Okay, we’re going to delete it. But we have enabled versioning, so this is just going to add a delete marker. This is working as well. So all in all, so far so good. And if I list my bucket versions, now I have two versions for my file. But now what if I wanted to, for example, delete this specific version ID?

Okay, so this one is called a permanent delete. It says you cannot delete the object because multi-factor authentication (MFA) delete is enabled for this bucket. And so to do so we need to use the CLI command to delete this file, or disable MFA Delete. So we can just go ahead and disable MFA Delete. So for this the command is right here. So it’s the same command, but this time we do MFADelete=Disabled. So I’m going to take the command from before and I’m going to edit it.

So here we go, MFADelete=Disabled. And obviously the MFA code I need to change, so let me wait for the next MFA code to appear on my screen. Hopefully it will work. Press Enter and here we go, this works. So now if I try another time to delete, for example, delete the delete marker. Yes, it is working, because I have disabled MFA Delete. So let’s confirm it by typing in this text. And then finally, going back to my bucket, going to my properties, and under bucket versioning, yes, we can see that MFA Delete is disabled. So that’s it for this lecture. I hope you liked it. And obviously at the end of the lecture, I almost forgot, but no, I didn’t forget: please delete your root access keys. It is really, really bad to have them. So I will deactivate them, and we’re good to go. And then finally, I can probably delete them at some point. Okay, so that’s it. Thank you so much, and I will see you in the next lecture.
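The MFA Delete toggle and the audit check from the two lectures above, as an added example that is not the course’s own script: it uses the boto3 S3 client API shape (put_bucket_versioning / get_bucket_versioning), and the bucket name, MFA device ARN and code are placeholders. FakeS3 is a constructed stand-in so it runs offline; against real AWS you would pass boto3.session.Session(profile_name="root-mfa-delete-demo").client("s3") instead.

```python
"""Toggle and verify S3 MFA Delete through the boto3 S3 client API shape.
FakeS3 is a constructed stand-in; the ARN/account id below are placeholders."""
import re


def mfa_versioning_config(enable_mfa_delete: bool) -> dict:
    # MFA Delete is only valid with versioning Enabled (not Suspended), which is
    # why the lecture turns versioning on at bucket creation first.
    return {"Status": "Enabled",
            "MFADelete": "Enabled" if enable_mfa_delete else "Disabled"}


def set_mfa_delete(s3, bucket: str, mfa_serial: str, mfa_code: str, enable: bool) -> dict:
    # The MFA value is "<device ARN> <current code>" separated by one space, the same
    # string the CLI takes as --mfa "SERIAL CODE". A stale code is rejected by S3.
    if not re.fullmatch(r"\d{6}", mfa_code):
        raise ValueError("MFA code must be the 6-digit TOTP currently shown on the device")
    return s3.put_bucket_versioning(
        Bucket=bucket,
        MFA=f"{mfa_serial} {mfa_code}",
        VersioningConfiguration=mfa_versioning_config(enable),
    )


def mfa_delete_enforced(s3, bucket: str) -> bool:
    # Audit check: both keys must read Enabled (MFADelete is absent if never configured).
    cfg = s3.get_bucket_versioning(Bucket=bucket)
    return cfg.get("Status") == "Enabled" and cfg.get("MFADelete") == "Enabled"


class FakeS3:
    """Constructed stand-in that records calls instead of talking to AWS."""
    def __init__(self):
        self.calls = []
        self._cfg = {}

    def put_bucket_versioning(self, **kwargs):
        self.calls.append(kwargs)
        self._cfg = dict(kwargs["VersioningConfiguration"])
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}

    def get_bucket_versioning(self, **kwargs):
        return dict(self._cfg)


if __name__ == "__main__":
    s3 = FakeS3()  # placeholder ARN: account id and device name are made up
    set_mfa_delete(s3, "demo-stephane-mfa-delete-2020",
                   "arn:aws:iam::111122223333:mfa/root-device-placeholder", "710343", True)
    print("MFA Delete enforced:", mfa_delete_enforced(s3, "demo-stephane-mfa-delete-2020"))
```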

3. [SAA/DVA] S3 Default Encryption

Okay, so now let’s have a look at S3 default encryption. So if you wanted to push an object into an S3 bucket and wanted to make sure that that object was encrypted, then you could force encryption using a bucket policy. And the bucket policy says that if the encryption headers are not specified in the API call made to Amazon S3, then you deny the request. And therefore the effect of that is that every object that is uploaded into your S3 bucket has to be encrypted. Now, that’s one way of doing it, but there is another way, and it is to use the default encryption option in Amazon S3.

So the idea is that if you upload an unencrypted object into Amazon S3, it will be encrypted using the default encryption options. But if you already upload it encrypted, then it will not be re-encrypted. Now, something you should note is that bucket policies will be evaluated before default encryption. So, for example, if you want to force an encryption mechanism of SSE-S3, you would need to use a bucket policy.

But if your requirement is just to make sure that every single object in your bucket is encrypted, for this you could use default encryption. So let’s create a bucket named s3-default-encryption-demo, and then we’re going to create this bucket. So under the bucket itself, as you can see, under Properties, you have a look at Default encryption. And here we can automatically encrypt new objects stored in this bucket. So we’ll enable it and we select the type of encryption key we want. Do you want Amazon SSE-S3 or do you want SSE-KMS?

And then you specify your key. So I’ll use SSE-S3 for this example and I will save my changes. And now, as you can expect, if I add a file, and this file, for example, is coffee.jpg, then as you can see, I do not specify any encryption mechanism, and click on Close. Now, if I go back to my object and have a look at the encryption field in here, then we can see that, yes, the server-side encryption setting is enabled for this object, and it was using the server-side encryption Amazon SSE-S3.

Okay, if we try to upload another object now, so let’s upload beach.jpg. But this time, in terms of properties, I’m going to specify an encryption key. And here we can use either the default encryption bucket settings or we can override them. And so if we override them and, for example, use KMS with the AWS managed aws/s3 KMS key and click on Upload. And now we have a look at the file itself.

So let’s click on it and scroll down to the encryption block. Here we go. As you can see now, even though default encryption is enabled, this file was encrypted using SSE-KMS and the KMS key that we specified. So remember that default encryption is not applying the same encryption to all files. It is just making sure that if you upload the object in an unencrypted way, then it will automatically be encrypted using the default encryption mechanism. So that’s it for this lecture. I hope you liked it and I will see you in the next lecture.
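The "force encryption with a bucket policy" approach described in this lecture, as an added example that is not the course’s own code: deny_unencrypted_uploads_policy builds the standard deny-if-header-missing policy (optionally pinning the mechanism, e.g. AES256 for SSE-S3), and put_object_allowed is a deliberately small model of how IAM evaluates the Null and StringNotEquals conditions for that one key, not IAM itself. The bucket name is a placeholder and the sample uploads are constructed.

```python
"""Bucket policy that denies unencrypted PutObject calls, plus a tiny evaluator for it.
The evaluator models only the Null / StringNotEquals operators on one condition key."""
import json
from typing import Optional

SSE_KEY = "s3:x-amz-server-side-encryption"  # condition key for the x-amz-server-side-encryption header


def deny_unencrypted_uploads_policy(bucket: str, required_sse: Optional[str] = None) -> dict:
    arn = f"arn:aws:s3:::{bucket}/*"
    statements = [{
        "Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": arn,
        "Condition": {"Null": {SSE_KEY: "true"}},  # applies when the header is absent
    }]
    if required_sse:  # e.g. "AES256" (SSE-S3) or "aws:kms" (SSE-KMS)
        statements.append({
            "Sid": "DenyWrongEncryptionMechanism", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": arn,
            "Condition": {"StringNotEquals": {SSE_KEY: required_sse}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _condition_matches(condition: dict, ctx: dict) -> bool:
    # All operator/key pairs must hold for a statement to apply (IAM ANDs them).
    for op, keys in condition.items():
        for key, want in keys.items():
            have = ctx.get(key)
            if op == "Null" and (have is None) != (want == "true"):
                return False
            if op == "StringNotEquals" and have == want:  # a missing key counts as "not equal"
                return False
    return True


def put_object_allowed(policy: dict, request_headers: dict) -> bool:
    """False if any Deny statement applies. The bucket policy runs before default encryption,
    so an upload with no header is refused even though the bucket would have encrypted it."""
    ctx = {SSE_KEY: request_headers.get("x-amz-server-side-encryption")}
    return not any(s["Effect"] == "Deny" and _condition_matches(s.get("Condition", {}), ctx)
                   for s in policy["Statement"])


if __name__ == "__main__":
    policy = deny_unencrypted_uploads_policy("s3-default-encryption-demo", required_sse="AES256")
    print(json.dumps(policy, indent=2))
    for hdrs in ({}, {"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "aws:kms"}):  # constructed sample uploads
        print(hdrs or "no header", "->", "allowed" if put_object_allowed(policy, hdrs) else "denied")
```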
