Cert Notes/ 출퇴근 학습 노트
KOEN
CLF-C02 · FoundationalCloud Practitioner - Foundational
DVA-C02 · AssociateDeveloper - Associate
SAA-C03 · AssociateSolutions Architect - Associate
  • Week 1
    • 1.The Map of AWS Infrastructure: Regions, AZs, and the Promise Called Shared Responsibility
    • 2.IAM Fundamentals: Who Gets to Do What
    • 3.IAM Deep Dive: STS, Permissions Boundaries, and the Shadow of the Confused Deputy
    • 4.AWS Organizations, SCP, Control Tower: The Skeleton of Multi-Account Governance
    • 5.Week 1 Wrap-Up: Fundamentals and IAM Hardened Through Scenarios
  • Week 2
    • 1.VPC Subnet Routing: The Path a Packet Takes to Reach the Internet
    • 2.IGW, NAT Gateway, Bastion: The Bridges Between the Internet and a Private Network
    • 3.Security Groups vs NACLs, and What Flow Logs Tell You
    • 4.VPC Peering, Transit Gateway, VPC Endpoint: Connections Beyond the VPC
    • 5.Week 2 Synthesis: Drawing the Path a Packet Travels One More Time
  • Week 3
    • 1.EC2 Instance Types and Purchase Options: Where Hardware Design Meets Economics
    • 2.EBS vs Instance Store: The Trade Between Persistence and Performance, and Choosing a File System
    • 3.ELB: The Design Philosophy of Per-Layer Load Balancing and How to Choose Between ALB, NLB, and GLB
    • 4.Auto Scaling Groups: Control Theory, Predictive Scaling, and the Art of Graceful Shutdown
    • 5.Week 3 Comprehensive Review: Wiring EC2, Storage, ELB, and ASG into a Single Architecture
  • Week 4
    • 1.S3: The Internal Architecture of Object Storage, the Evolution of Its Consistency Model, and Large-Scale Operational Patterns
    • 2.S3 Storage Classes and Lifecycle: The Economics of Managing Data Temperature
    • 3.S3 Security: The Layered Structure of Access Control, Encryption Key Management, and Data Exfiltration Prevention
    • 4.CloudFront and Storage Gateway: The Internal Structure of a CDN and Hybrid Storage Patterns
    • 5.Week 4 Comprehensive Review: Turning S3, CloudFront, and Storage Patterns into a Single Decision System
  • Week 5
    • 1.RDS: What It Means to Run a Relational Database in the Cloud
    • 2.Aurora: The Relational Database AWS Redesigned From Scratch
    • 3.DynamoDB: What It Means to Design in a Schema-less World
    • 4.ElastiCache and In-Memory Data Stores: The Physics of Speed
    • 5.Week 5 Review: The Art of Choosing a Database
  • Week 6
    • 1.Lambda: What It Really Means to Run Code Without a Server
    • 2.API Gateway: The Broker Between Client and Backend
    • 3.Step Functions and AppSync: Orchestration and GraphQL
    • 4.Containers: ECS, EKS, Fargate, ECR
    • 5.Week 6 Review: Serverless + Containers, Put Together
  • Week 7
    • 1.SQS: How a Message Queue Answers the Questions Distributed Systems Ask
    • 2.SNS: Topics, Fanout, and How 1:N Notifications Get Made
    • 3.EventBridge: How an Event Routing Hub Gathers SaaS, AWS, and Internal Apps in One Place
    • 4.Kinesis: How a Real-Time Stream Solves a Different Problem Than a Queue
    • 5.Week 7 Review: The Four Models of Messaging and Distributed-System Decisions
  • Week 8
    • 1.KMS: Why Key Management Is the Root of Cloud Security
    • 2.Secrets Manager, Parameter Store, and CloudHSM: Three Tools for Handling Secrets and Configuration
    • 3.Cognito: Peeling User Authentication Off Into a Cloud Service
    • 4.WAF, Shield, GuardDuty, Inspector, Macie: The 5 Pillars of Cloud Security Operations
    • 5.Week 8 Wrap-Up: 12 Security Domain Scenarios
  • Week 9
    • 1.CloudWatch: Why Observability Split Into the Three Pillars of Metrics, Logs, and Traces
    • 2.CloudTrail: Why an Audit Log Must Be Tamper-Proof
    • 3.Config and Systems Manager: How Do You Enforce a Desired State
    • 4.X-Ray, Trusted Advisor, Health Dashboard: When One Request Crosses Many Services, How Do You Know Who's Slow?
    • 5.Week 9 Synthesis: Threading Observability and Governance Through "Who / When / What / Why"
  • Week 10
    • 1.Why Compute Cost Splits Along Three Axes: Commitment, Market, and Ownership
    • 2.Why Storage Cost Is a Function Not of "Unit Price" but of "Access Pattern"
    • 3.Why Data Transfer Becomes the Hidden 30% of the Bill
    • 4.Why Cost Governance Splits Into Three Stages: Measure, Account, Automate
    • 5.Week 10 Synthesis: Binding Cost Optimization Into a Single Way of Thinking
  • Week 11
    • 1.Why Availability Zones and Regions Split Along the Cost Called "Physical Distance"
    • 2.Why DR Got Organized into a "Four-Stage Spectrum"
    • 3.How DNS Steers Global Traffic with "One Query for a Name"
    • 4.Why Migration Is Decided by "How You Can't Move It" More Than "What You're Moving"
    • 5.Threading Resilience, DR, and Migration Onto a Single Decision Tree
  • Week 12
    • 1.Why the Security Domain Converges on a Single One-Line Algorithm Called "Policy Evaluation Order"
    • 2.Why the Resilience Domain Reduces to Two Variables: "Blast Radius and Replication Mode"
    • 3.Why the High-Performance Domain Reduces to "How Close You Keep Data to the User"
    • 4.Why the Cost Domain Converges on "a Decision at the Design Stage, Not in Operations"
    • 5.What the Exam Asks to the End Is "the Speed of Translating Keywords into Services"
SOA-C02 · AssociateCloudOps Engineer - Associate
SAP-C02 · ProfessionalSolutions Architect - Professional
DOP-C02 · ProfessionalDevOps Engineer - Professional
SCS-C03 · SpecialtySecurity - Specialty
MLA-C01 · AssociateMachine Learning Engineer - Associate
AIF-C01 · FoundationalAI Practitioner - Foundational
DEA-C01 · AssociateData Engineer - Associate
MLS-C01 · SpecialtyMachine Learning - Specialty
← SAA-C03/Week 4/Day 3
SAA-C03· AssociateWeek 4 · Day 3~34 min read

Day 3 - S3 Security: The Layered Structure of Access Control, Encryption Key Management, and Data Exfiltration Prevention

Most S3 security incidents come from misconfiguration. From 2017 to 2023, dozens of large-scale data breaches were caused by "misconfigured S3 buckets." US military classified documents, a major airline's customer data, and the medical records of millions of people were exposed from S3 buckets left open to the public. In many of these cases, the cause was granting Allow in the bucket policy while turning off Block Public Access.

This article follows the internal logic of how S3's five access-control layers are evaluated, and covers the key-management structure and real differences of each encryption method

여기부터는 Pro 전용입니다

Week 1은 누구나 무료로 볼 수 있어요. Week 2부터의 전체 학습 자료와 모의고사·무제한 복습은 Pro 플랜에서 이용할 수 있습니다.

Pro 알아보기로그인
PreviousS3 Storage Classes and Lifecycle: The Economics of Managing Data TemperatureWeek 4 · Day 2Next CloudFront and Storage Gateway: The Internal Structure of a CDN and Hybrid Storage PatternsWeek 4 · Day 4