MCQs on S3 Object Lock and Security Features | Amazon AWS S3

Amazon S3 is a highly secure cloud storage service offering robust features like Object Lock for data retention, various encryption methods (SSE, KMS, and client-side encryption), and comprehensive audit trails. These capabilities ensure compliance, protect sensitive data, and provide tools for legal holds and data security in the cloud.


AWS S3 MCQs

Object Lock: Retention and Legal Holds

  1. What is the purpose of S3 Object Lock?
    a) Increase upload speeds
    b) Prevent object deletion for a defined retention period
    c) Enhance bucket logging
    d) Reduce storage costs
  2. Which of the following is a mode of S3 Object Lock?
    a) Transit mode
    b) Governance mode
    c) Admin mode
    d) Replication mode
  3. In Governance mode, who can delete objects?
    a) No one can delete objects
    b) Only IAM users with special permissions
    c) Any authenticated user
    d) Only root users
  4. What is the alternative to Governance mode in S3 Object Lock?
    a) Compliance mode
    b) Standard mode
    c) Temporary mode
    d) Lifecycle mode
  5. Which S3 feature is used for legal hold on objects?
    a) Access control lists
    b) Object Lock legal hold
    c) Bucket policies
    d) Object tagging
  6. Can S3 Object Lock be disabled once applied to a bucket?
    a) Yes, by an admin
    b) Yes, if no objects exist in the bucket
    c) No, it is permanent
    d) No, but retention can be reduced
  7. What API operation is used to apply a legal hold on an object?
    a) PutLegalHold
    b) SetObjectRetention
    c) PutObjectLock
    d) ApplyRetentionPolicy
  8. Which of the following is true about Object Lock retention periods?
    a) They can only be set at the bucket level
    b) They override bucket lifecycle rules
    c) They apply globally to all AWS regions
    d) They cannot be modified once set
  9. What is a valid use case for S3 Object Lock?
    a) Temporary file storage
    b) Compliance with regulatory requirements
    c) Hosting dynamic websites
    d) API throttling
  10. How does Object Lock protect data from accidental deletion?
    a) By enabling encryption
    b) By ensuring objects are immutable during the retention period
    c) By restricting bucket policies
    d) By setting up an additional bucket replication rule

S3 Encryption: SSE, KMS, and Client-Side Encryption

  1. What is SSE in S3 encryption?
    a) Secure Socket Encryption
    b) Server-Side Encryption
    c) Storage Security Enhancement
    d) Simple Security Encryption
  2. Which SSE option uses AWS KMS to manage encryption keys?
    a) SSE-KMS
    b) SSE-S3
    c) SSE-C
    d) Client-Side Encryption
  3. What does SSE-S3 use to encrypt data?
    a) Customer-provided keys
    b) AWS-managed keys
    c) Local system-generated keys
    d) RSA algorithms
  4. Which encryption option gives full control of keys to the user?
    a) SSE-S3
    b) SSE-KMS
    c) SSE-C
    d) Client-Side Encryption
  5. How is data encrypted in Client-Side Encryption?
    a) By using AWS KMS
    b) Before uploading it to S3
    c) After uploading it to S3
    d) Using default AWS keys
  6. Which encryption option is suitable for compliance with strict regulations?
    a) SSE-KMS
    b) SSE-S3
    c) SSE-C
    d) No encryption
  7. What is the role of AWS KMS in S3 encryption?
    a) Encrypts bucket policies
    b) Manages encryption keys
    c) Generates IAM roles
    d) Monitors bucket replication
  8. Which encryption type requires the customer to provide encryption keys?
    a) SSE-KMS
    b) SSE-S3
    c) SSE-C
    d) Serverless encryption
  9. Can S3 automatically encrypt objects upon upload?
    a) Yes, using bucket policies
    b) Yes, using SSE settings
    c) No, encryption is always manual
    d) Only for public buckets
  10. What happens if a client-side encryption key is lost?
    a) AWS will recover the key
    b) Objects become inaccessible
    c) Objects remain accessible without encryption
    d) Objects are automatically decrypted

Audit Trails and Compliance Considerations

  1. Which AWS service provides audit trails for S3 access?
    a) AWS CloudTrail
    b) AWS Config
    c) Amazon GuardDuty
    d) AWS Inspector
  2. What information does CloudTrail capture for S3 operations?
    a) Object metadata only
    b) Bucket-level events only
    c) API calls, user details, and object changes
    d) Region-based metrics
  3. How can you monitor compliance with encryption policies in S3?
    a) Using CloudTrail logs
    b) Using S3 Inventory reports
    c) Through bucket policies
    d) By enabling versioning
  4. Which feature supports GDPR compliance in S3?
    a) Encryption at rest and in transit
    b) Object versioning
    c) Static website hosting
    d) Object tagging
  5. What is the role of AWS Config in S3 compliance?
    a) Automates bucket replication
    b) Tracks configuration changes in S3 resources
    c) Encrypts objects on upload
    d) Monitors API throttling
  6. Which of these can help detect unauthorized S3 access?
    a) IAM roles
    b) CloudTrail logs
    c) Bucket versioning
    d) Static website hosting
  7. What is a key compliance feature of S3 for audit purposes?
    a) Object tagging
    b) Access logging
    c) Bucket replication
    d) Multi-factor authentication
  8. Can CloudTrail be used to track failed S3 access attempts?
    a) Yes, it logs both successful and failed attempts
    b) No, it only logs successful operations
    c) Yes, but only with premium accounts
    d) No, it requires a separate service
  9. What compliance certifications does S3 meet?
    a) ISO 27001 and HIPAA
    b) PCI DSS only
    c) GDPR only
    d) None
  10. Which service helps monitor object-level changes in S3?
    a) Amazon Macie
    b) AWS Config
    c) AWS CloudTrail
    d) Amazon GuardDuty

Answers

Qno  Answer
1    b) Prevent object deletion for a defined retention period
2    b) Governance mode
3    b) Only IAM users with special permissions
4    a) Compliance mode
5    b) Object Lock legal hold
6    c) No, it is permanent
7    a) PutLegalHold
8    b) They override bucket lifecycle rules
9    b) Compliance with regulatory requirements
10   b) By ensuring objects are immutable during the retention period
11   b) Server-Side Encryption
12   a) SSE-KMS
13   b) AWS-managed keys
14   c) SSE-C
15   b) Before uploading it to S3
16   a) SSE-KMS
17   b) Manages encryption keys
18   c) SSE-C
19   b) Yes, using SSE settings
20   b) Objects become inaccessible
21   a) AWS CloudTrail
22   c) API calls, user details, and object changes
23   b) Using S3 Inventory reports
24   a) Encryption at rest and in transit
25   b) Tracks configuration changes in S3 resources
26   b) CloudTrail logs
27   b) Access logging
28   a) Yes, it logs both successful and failed attempts
29   a) ISO 27001 and HIPAA
30   a) Amazon Macie

Use a blank sheet, note your answers, and finally tally them with our answers at the end. Give yourself a score.
