AWS S3 Data Protection

  • S3 provides data protection using a highly durable storage infrastructure designed for mission-critical and primary data storage.
  • Objects are redundantly stored on multiple devices across multiple facilities in an S3 region.
  • S3 PUT and PUT Object copy operations synchronously store the data across multiple facilities before returning SUCCESS.
  • Once the objects are stored, S3 maintains its durability by quickly detecting and repairing any lost redundancy.
  • S3 also regularly verifies the integrity of data stored using checksums. If S3 detects data corruption, it is repaired using redundant data.
  • In addition, S3 calculates checksums on all network traffic to detect corruption of data packets when storing or retrieving data.
  • S3 is designed for 99.999999999% (11 nines) durability and operates to be lossless.
  • Data protection against accidental overwrites and deletions can be added by enabling Versioning to preserve, retrieve and restore every version of the object stored.
  • S3 also provides the ability to protect data in transit (as it travels to and from S3) and at rest (while it is stored in S3).

S3 Data Integrity Protections

  • S3 provides end-to-end data integrity checking using checksums to verify data has not been altered in transit or at rest.
  • Starting December 2024, AWS SDKs automatically calculate CRC-based checksums (e.g., CRC32, CRC64NVME) for uploads by default, providing automatic data integrity protection.
  • S3 independently verifies these checksums and accepts objects after confirming data integrity was maintained in transit.
  • Supported checksum algorithms include:
    • CRC64NVME – Default checksum algorithm for latest SDKs
    • CRC32 – Default for directory buckets (S3 Express One Zone)
    • CRC32C
    • SHA-1
    • SHA-256
  • Checksums are stored with the object and can be validated when the object is downloaded.
  • S3 continually monitors data durability over time with periodic integrity checks of data at rest.
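
The checksum values described above travel as base64 strings in `x-amz-checksum-<algorithm>` headers. The following added example (not code from the original post; the function names are hypothetical) computes them for the algorithms available in the Python standard library and re-verifies a downloaded body. CRC32C and CRC64NVME need third-party libraries and are left out.

```python
import base64
import hashlib
import zlib

# Digest constructors for the SHA algorithms listed above; CRC32 goes through zlib.
_HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}
_SUPPORTED = ("CRC32", "SHA1", "SHA256")


def s3_checksum(chunks, algorithm="CRC32"):
    """Return the base64 string carried in x-amz-checksum-<algorithm>.

    `chunks` is any iterable of bytes, so large files can be streamed.
    Covers full-object checksums of single-part uploads only.
    """
    algorithm = algorithm.upper()
    if algorithm == "CRC32":
        crc = 0
        for chunk in chunks:
            crc = zlib.crc32(chunk, crc)      # running CRC over the stream
        raw = crc.to_bytes(4, "big")          # 4 bytes, big-endian
    elif algorithm in _HASHES:
        digest = _HASHES[algorithm]()
        for chunk in chunks:
            digest.update(chunk)
        raw = digest.digest()
    else:
        raise ValueError("not available in the standard library: " + algorithm)
    return base64.b64encode(raw).decode("ascii")


def upload_headers(body, algorithm="CRC32"):
    """Header an uploader sends so S3 can reject a body altered in transit."""
    return {"x-amz-checksum-" + algorithm.lower(): s3_checksum([body], algorithm)}


def verify_download(body, stored_headers):
    """Return the checksum header names whose stored value does not match body."""
    mismatches = []
    for algorithm in _SUPPORTED:
        name = "x-amz-checksum-" + algorithm.lower()
        if name in stored_headers and s3_checksum([body], algorithm) != stored_headers[name]:
            mismatches.append(name)
    return mismatches


# Constructed sample: one object body and a copy with a single changed byte.
SAMPLE = b"123456789"
CORRUPTED = b"123456780"
```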

S3 Conditional Writes

  • Launched August 2024, S3 supports conditional writes that help prevent applications from unintentionally overwriting existing objects.
  • Conditional writes use HTTP conditional headers:
    • If-None-Match – Prevents overwrites by validating that no object with the same key exists (prevents creating duplicate objects).
    • If-Match – Validates an object is unmodified (by matching ETag) before updating it, helping coordinate simultaneous writes.
  • Supported on PutObject and CompleteMultipartUpload API requests.
  • November 2024: S3 added enforcement of conditional writes using bucket policies with s3:if-none-match and s3:if-match condition keys.
  • October 2025: S3 extended conditional write functionality to copy operations.
  • Useful for distributed applications that require coordination to prevent race conditions and duplicate writes.
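
The header semantics described above, as an added example that is not from the original post: a minimal in-memory model of one bucket showing create-if-absent with If-None-Match and a read-modify-write guarded by If-Match. `ModelBucket` and the helper names are hypothetical, the ETag is a constructed content hash, and the model returns 412 for a failed precondition and 404 for If-Match against a missing key.

```python
import hashlib


class ModelBucket:
    """In-memory stand-in for a bucket; models only the two conditional headers."""

    def __init__(self):
        self.objects = {}  # key -> (body, etag)

    def get_object(self, key):
        return self.objects[key]

    def put_object(self, key, body, if_none_match=None, if_match=None):
        current = self.objects.get(key)
        if if_none_match == "*" and current is not None:
            return 412, None      # key already exists: refuse to overwrite
        if if_match is not None:
            if current is None:
                return 404, None  # nothing to compare the ETag against
            if current[1] != if_match:
                return 412, None  # object changed since the caller read it
        etag = '"' + hashlib.sha256(body).hexdigest()[:32] + '"'  # constructed ETag
        self.objects[key] = (body, etag)
        return 200, etag


def create_once(bucket, key, body):
    """Create-if-absent: only the first writer succeeds."""
    status, _ = bucket.put_object(key, body, if_none_match="*")
    return status == 200


def update_with_retry(bucket, key, transform, attempts=3, interfere=None):
    """Read-modify-write guarded by If-Match; re-read and retry after a 412.

    `interfere` is a constructed hook that lets a second writer slip in
    between the first read and the first write. Returns the attempts used.
    """
    for attempt in range(attempts):
        body, etag = bucket.get_object(key)
        if interfere is not None and attempt == 0:
            interfere()
        status, _ = bucket.put_object(key, transform(body), if_match=etag)
        if status == 200:
            return attempt + 1
    raise RuntimeError("gave up after repeated 412 responses")
```

Without the If-Match guard, the first write in `update_with_retry` would silently discard the rival writer's update.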

S3 Versioning

  • Versioning is a means of keeping multiple variants of an object in the same bucket.
  • Versioning can be used to preserve, retrieve, and restore every version of every object stored in the bucket.
  • Once enabled, versioning cannot be disabled — only suspended.
  • When an object is deleted in a versioning-enabled bucket, a delete marker is created rather than removing the object permanently.
  • Versioning protects against accidental deletes and overwrites.
  • MFA Delete adds an additional layer of security by requiring MFA authentication to:
    • Change the versioning state of a bucket
    • Permanently delete an object version
  • Only the root account (bucket owner) can enable MFA Delete.

S3 Object Lock

  • S3 Object Lock provides Write-Once-Read-Many (WORM) protection for objects, preventing them from being deleted or overwritten for a fixed amount of time or indefinitely.
  • Object Lock requires S3 Versioning to be enabled (automatically enabled when Object Lock is activated).
  • Object Lock provides two retention modes:
    • Governance Mode – Users with specific IAM permissions (s3:BypassGovernanceRetention) can override or remove the lock. Protects against most users deleting objects.
    • Compliance Mode – No user, including the root account, can overwrite or delete the object during the retention period. The retention period cannot be shortened.
  • Legal Hold – Provides the same protection as a retention period but has no expiration date. Remains in place until explicitly removed. Requires s3:PutObjectLegalHold permission.
  • Object Lock can be applied at the bucket level (default retention) or individual object level.
  • S3 Batch Operations can be used to apply Object Lock retention at scale across petabytes of existing data.
  • Object Lock helps meet regulatory compliance requirements (SEC, FINRA, CFTC, etc.).

S3 Encryption

  • Starting January 5, 2023, Amazon S3 automatically encrypts ALL new objects at rest with server-side encryption using Amazon S3 managed keys (SSE-S3) as the base level of encryption, at no additional cost and with no impact on performance.
  • S3 supports the following encryption options:
    • SSE-S3 (Server-Side Encryption with S3 Managed Keys) – Default encryption for all buckets. Uses AES-256.
    • SSE-KMS (Server-Side Encryption with AWS KMS Keys) – Uses AWS Key Management Service for key management with additional audit trail via CloudTrail.
    • DSSE-KMS (Dual-Layer Server-Side Encryption with AWS KMS Keys) – Launched June 2023. Applies two layers of encryption using different implementations of AES-GCM algorithm. Designed for compliance workloads requiring CNSSP 15 multi-layer encryption.
    • SSE-C (Server-Side Encryption with Customer-Provided Keys) – Customer manages the encryption keys; S3 manages encryption/decryption.
  • S3 Bucket Keys reduce the cost of SSE-KMS by up to 99% by decreasing request traffic from S3 to KMS. A bucket-level key is used to create short-lived, bucket-specific keys for encryption.

SSE-C Disabled by Default (April 2026)

  • Starting April 6, 2026, Amazon S3 disables SSE-C (server-side encryption with customer-provided keys) by default for all new general purpose buckets.
  • For existing buckets in AWS accounts with no SSE-C encrypted objects, S3 also disabled SSE-C for new write requests.
  • Accounts with existing SSE-C usage are not affected — their bucket configurations remain unchanged.
  • SSE-C can be explicitly re-enabled per bucket if needed.
  • This change mitigates the risk of ransomware attacks where malicious actors encrypt objects with their own keys via SSE-C.
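
For buckets where SSE-C is still enabled, a bucket policy that denies uploads carrying the SSE-C algorithm header is an explicit control against the scenario above. The following added example (not code from the original post; function and policy names are hypothetical, the policies are constructed for a placeholder bucket) checks a policy document for such a statement and shows a look-alike that does the opposite.

```python
import json

# Condition key that is present only when a request carries SSE-C headers.
SSEC_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def _listify(value):
    return value if isinstance(value, list) else [value]


def denies_ssec_uploads(policy_json):
    """True if a Deny statement blocks s3:PutObject for every principal
    whenever the SSE-C algorithm header is present (Null == "false").
    Resource scope, NotAction and NotPrincipal are not evaluated here.
    """
    policy = json.loads(policy_json)
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _listify(stmt.get("Action", []))}
        if not actions & {"s3:putobject", "s3:*", "*"}:
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        null_block = stmt.get("Condition", {}).get("Null", {})
        values = {k.lower(): _listify(v) for k, v in null_block.items()}
        if [str(v).lower() for v in values.get(SSEC_KEY, [])] == ["false"]:
            return True
    return False


# Constructed policy for the placeholder bucket "amzn-s3-demo-bucket".
BLOCKING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenySSECUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
        "Condition": {"Null": {SSEC_KEY: "false"}},
    }],
})

# Looks similar, but "true" means "header absent": it denies every upload
# that is NOT SSE-C, so it must not be mistaken for the blocking policy.
INVERTED_POLICY = BLOCKING_POLICY.replace('"false"', '"true"')
```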

Refer to the blog post on S3 Encryption.

S3 Malware Protection

  • Launched June 2024, Amazon GuardDuty Malware Protection for Amazon S3 provides built-in malware and antivirus scanning for objects uploaded to S3 buckets.
  • Automatically scans newly uploaded objects using multiple AWS-developed and industry-leading third-party scanning engines.
  • GuardDuty automatically updates malware signatures every 15 minutes.
  • Can be configured to quarantine or tag potentially malicious objects before they are ingested into downstream processes.
  • Helps address compliance requirements for malware scanning without managing additional infrastructure.

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. A customer is leveraging Amazon Simple Storage Service in eu-west-1 to store static content for a web-based property. The customer is storing objects using the Standard Storage class. Where are the customer's objects replicated?
    1. A single facility in eu-west-1 and a single facility in eu-central-1
    2. A single facility in eu-west-1 and a single facility in us-east-1
    3. Multiple facilities in eu-west-1
    4. A single facility in eu-west-1
  2. A system admin is planning to encrypt all objects being uploaded to S3 from an application. The system admin does not want to implement his own encryption algorithm; instead he is planning to use server side encryption by supplying his own key (SSE-C). Which parameter is not required while making a call for SSE-C?
    1. x-amz-server-side-encryption-customer-key-AES-256
    2. x-amz-server-side-encryption-customer-key
    3. x-amz-server-side-encryption-customer-algorithm
    4. x-amz-server-side-encryption-customer-key-MD5
  3. A company needs to ensure that critical data stored in S3 cannot be accidentally or maliciously deleted for 7 years to comply with regulatory requirements. Which S3 feature should they use?
    1. S3 Versioning with MFA Delete
    2. S3 Cross-Region Replication
    3. S3 Object Lock in Compliance Mode
    4. S3 Lifecycle policies
  4. An organization wants to prevent applications from accidentally overwriting objects in their S3 bucket during concurrent upload operations. Which recently launched feature addresses this? (Select TWO)
    1. S3 Versioning
    2. S3 Conditional Writes with If-None-Match header
    3. S3 Object Lock in Governance Mode
    4. S3 Conditional Writes with If-Match header
    5. S3 Access Points
  5. Starting January 2023, what encryption is automatically applied to ALL new objects uploaded to Amazon S3 by default?
    1. SSE-KMS with AWS managed key
    2. SSE-C with customer-provided key
    3. SSE-S3 with Amazon S3 managed keys (AES-256)
    4. No encryption is applied by default
  6. A company requires two independent layers of encryption for their S3 objects to meet CNSSP 15 compliance requirements. Which S3 encryption option should they use?
    1. SSE-S3 with bucket keys enabled
    2. SSE-KMS with customer managed CMK
    3. SSE-C with client-provided encryption key
    4. DSSE-KMS (Dual-Layer Server-Side Encryption with AWS KMS)

4 thoughts on “AWS S3 Data Protection”

    1. x-amz-server-side-encryption-customer-key-AES-256 is not a valid parameter.
      x-amz-server-side-encryption-customer-key needs to be AES-256.

  1. About Q7. I wonder how any Glacier-based solution can be considered highly available (last sentence of the question)? The only HA solution is A.

  2. Dear Jayendra:

    Your blog helps me a lot while learning AWS.
    I have a question to ask about SSE-S3.
    As you mentioned, whether or not objects are encrypted with SSE-S3 can’t be enforced when they are uploaded using pre-signed URLs, because the only way you can specify server-side encryption is through the AWS Management Console or through an HTTP request header.
    I also found this post on the AWS blog:
    https://aws.amazon.com/blogs/developer/generating-amazon-s3-pre-signed-urls-with-sse-part-1/

    It seems to be possible to use SigV4 to upload an object through a pre-signed URL.
    Could you check it, or did I misunderstand the post?

    Thank you
