Why This Cheat Sheet Matters for SCS-C02
This cheat sheet covers the most important S3 Security concepts tested on the SCS-C02 (AWS Security Specialty) certification exam. It contains 4 sections with 16 key points that you should memorize before exam day. Practice bucket policies, ACLs, Block Public Access, Object Lock, encryption (SSE-S3/SSE-KMS/SSE-C/CSE), access points, and S3 access logging. Use this as a quick-reference guide during your final review sessions.
Block Public Access
- 4 settings: BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets
- Can apply at account level (all buckets) or bucket level
- Overrides bucket policies and ACLs that grant public access
- Enable at account level as a preventive control
Encryption Options
- SSE-S3 (AES-256): default, AWS manages keys entirely
- SSE-KMS: CMK for key control, audit via CloudTrail, bucket key for cost
- SSE-C: customer provides key per request (key not stored by AWS)
- Client-side encryption: encrypt before upload (full control)
Object Lock & Versioning
- Object Lock: WORM (Write Once Read Many) — requires versioning
- Governance mode: users with special permissions can override or remove retention
- Compliance mode: nobody can delete/overwrite (including root)
- Legal hold: indefinite hold regardless of retention period
Access Control
- Bucket policy: resource-based JSON policy (preferred over ACLs)
- Access points: named network endpoints with custom policies
- S3 Access Grants: map identities to S3 data via Identity Center
- VPC endpoint policy: restrict S3 access from within VPC
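The Block Public Access, Encryption Options and Access Control points above all come down to what a bucket policy says. The following added example (not from the original cheat sheet) lints two constructed policies for a hypothetical bucket "example-bucket": it flags Allow statements granted to everyone, and checks for the two Deny statements that enforce SSE-KMS uploads and TLS-only access. Treating any Condition as "not public" is a simplification of how AWS evaluates public access.

```python
import json

# Constructed sample bucket policies for the hypothetical bucket "example-bucket".
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]}""")

HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]}""")

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _is_anonymous(principal):
    # Principal "*" or {"AWS": "*"} means any AWS identity and anonymous callers.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_statements(policy):
    """Sids of Allow statements granted to everyone with no Condition (simplified public check)."""
    return [s.get("Sid", "<no-sid>") for s in policy["Statement"]
            if s["Effect"] == "Allow" and _is_anonymous(s.get("Principal")) and not s.get("Condition")]

def _has_deny_with_condition(policy, operator, key, value):
    # Look for a Deny statement whose Condition uses the given operator/key/value.
    for s in policy["Statement"]:
        cond = s.get("Condition", {}).get(operator, {}) if s["Effect"] == "Deny" else {}
        if key in cond and str(cond[key]).lower() == value.lower():
            return True
    return False

def enforces_kms_uploads(policy):
    """True if uploads lacking the SSE-KMS header are denied."""
    return _has_deny_with_condition(policy, "StringNotEquals", "s3:x-amz-server-side-encryption", "aws:kms")

def enforces_tls(policy):
    """True if requests over plain HTTP (aws:SecureTransport false) are denied."""
    return _has_deny_with_condition(policy, "Bool", "aws:SecureTransport", "false")
```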