1 - Access Control Flashcards

1
Q

What are the basic concepts of IAM?

A

Users are identities for people or applications; each has long-term credentials (a password for the console and/or access keys for the API).

Groups are collections of users that share the same permissions.

Roles are identities with permissions that are assumed temporarily by trusted entities (AWS services, resources such as EC2 instances, or users and federated identities) rather than being tied to a person.

Permissions are granted through policies attached to users, groups and roles.

2
Q

What credentials are used for programmatic access?

A

An access key ID and a secret access key.

The secret is shown only when the key is created and cannot be retrieved later; if it is lost, create a new key pair and deactivate or delete the old one.

These credentials cannot be used for console access; they are used to sign API and CLI requests.

3
Q

Is IAM region based?

A

No, it’s global

4
Q

What is cross-account access?

A

Assuming an IAM role that lives in another account (via STS AssumeRole) so that one identity can work across accounts without a second set of credentials. The console's Switch Role feature makes this easy to use in multi-account or multi-role environments.

5
Q

What is STS generally used for?

A
  • Federation using SAML 2.0, e.g. from Active Directory
  • Web identity federation from mobile apps using OpenID Connect, usually via Cognito
  • Cross-account access (assuming a role in another account)
6
Q

What are the key concepts of STS?

A

Federation is the process of joining the users of one domain (e.g. Active Directory) to another (e.g. IAM) so they can use AWS with their existing identities

An identity broker performs the matching (federation) from domain A to domain B

Identity stores are services like Active Directory or Facebook that hold the identities

Identities are the users of that service

7
Q

What is the general flow for federation against AD?

A

The user enters their username and password into an application, which forwards them to the identity broker

The identity broker forwards the credentials to the identity store (AD), which validates them.

If the credentials are valid, the identity broker calls STS (e.g. GetFederationToken or AssumeRole) to obtain temporary credentials and returns them to the application, which uses them to call AWS APIs. AWS itself never sees the AD password.

8
Q

What fields do tokens returned from STS have?

A

An access key ID, a secret access key, a session token, and an expiration time. The three values only work together: the key pair signs each request and the session token is sent alongside the signature (as the X-Amz-Security-Token header or query parameter).

9
Q

What range of durations does STS support?

A

From 15 minutes to 36 hours, depending on the call: GetSessionToken and GetFederationToken accept 15 minutes to 36 hours (12 hours by default); AssumeRole accepts 15 minutes up to the role's configured maximum session duration, which is between 1 and 12 hours.
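The following is an added example, not part of the original flashcards, showing how the fields from cards 8 and 9 are actually consumed by a client: the key pair produces a SigV4 signature for an S3 GET, the session token is sent as a signed header, and the expiration is checked before signing. The credentials, bucket name and object key are constructed placeholders, not real values.

```python
import datetime
import hashlib
import hmac
import urllib.parse

# Constructed sample in the shape of an STS Credentials element; not real keys.
SAMPLE_CREDS = {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SessionToken": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN==",
    "Expiration": "2030-01-01T00:00:00Z",
}


def utc_time(iso):
    """Parse the UTC timestamp format STS uses for Expiration."""
    t = datetime.datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ")
    return t.replace(tzinfo=datetime.timezone.utc)


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret, date, region, service):
    """Derive the SigV4 signing key: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def credentials_expired(creds, now):
    """Refuse to use a temporary credential set past its Expiration."""
    return now >= utc_time(creds["Expiration"])


def sign_s3_get(creds, bucket, key, region, now):
    """Build the signed headers for GET https://{bucket}.s3.{region}.amazonaws.com/{key}."""
    if credentials_expired(creds, now):
        raise ValueError("temporary credentials have expired; call STS again")
    host = "%s.s3.%s.amazonaws.com" % (bucket, region)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    payload_hash = hashlib.sha256(b"").hexdigest()  # a GET carries no body
    headers = {
        "host": host,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
        # The session token travels as a header and is covered by the signature.
        "x-amz-security-token": creds["SessionToken"],
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join("%s:%s\n" % (h, headers[h]) for h in sorted(headers))
    canonical_uri = urllib.parse.quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join(
        ["GET", canonical_uri, "", canonical_headers, signed_headers, payload_hash]
    )
    scope = "%s/%s/s3/aws4_request" % (date, region)
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )
    signature = hmac.new(
        signing_key(creds["SecretAccessKey"], date, region, "s3"),
        string_to_sign.encode("utf-8"), hashlib.sha256,
    ).hexdigest()
    headers["authorization"] = (
        "AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s"
        % (creds["AccessKeyId"], scope, signed_headers, signature)
    )
    return headers


if __name__ == "__main__":
    now = datetime.datetime.now(datetime.timezone.utc)
    signed = sign_s3_get(SAMPLE_CREDS, "example-bucket", "reports/q1.csv", "us-east-1", now)
    for name, value in signed.items():
        print("%s: %s" % (name, value))
```

Because x-amz-security-token is in the signed header list, a stolen token cannot be swapped onto a request signed with a different key pair; and because the signing key is derived from the secret plus the date, region and service, a signature captured for S3 cannot be replayed against another service or on another day.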

10
Q

What does an object in S3 consist of?

A

The key (name), value (the actual data), version ID, metadata (system and user-defined headers; tags are a separate, independently permissioned attribute) and sub-resources.

Sub-resources include the ACL and, historically, a torrent file. Transfer acceleration is a bucket-level configuration rather than an object sub-resource.

11
Q

What are the size limits for S3?

A

Individual objects can be 0 bytes to 5 terabytes. A single PUT can upload at most 5 GB; larger objects must use multipart upload.

There is no limit on total bucket size or on the number of objects in a bucket

12
Q

What are the restrictions of bucket names in S3?

A

Bucket names must be globally unique across all AWS accounts and be 3 to 63 characters of lowercase letters, numbers, dots and hyphens. They can't contain underscores, spaces or capital letters, and can't be formatted like an IP address.

13
Q

What is the DNS name for an object?

A

Virtual-hosted style: https://bucket.s3.region.amazonaws.com/object (the bucket name becomes part of the hostname). The legacy path style https://s3-region.amazonaws.com/bucket/object (now https://s3.region.amazonaws.com/bucket/object) is still accepted, but virtual-hosted style is the recommended form.

14
Q

What is the data consistency model for S3?

A

Historically: read-after-write consistency for PUTs of new objects, and eventual consistency for overwrite PUTs and DELETEs.

Since December 2020 all S3 reads, including list operations, are strongly consistent after a successful PUT or DELETE, so a read immediately after an overwrite returns the new data.

15
Q

How can an application tell if an upload to S3 was successful?

A

A successful PUT returns HTTP status 200 together with an ETag header. For a plaintext or SSE-S3 object uploaded in a single PUT the ETag is the MD5 of the body, so the client can compare it to its own digest; SSE-KMS and SSE-C objects do not get MD5 ETags. Sending a Content-MD5 (or x-amz-checksum-*) header with the upload makes S3 reject a corrupted body with a 400 error instead of storing it.
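As an added example that is not part of the original flashcards, the check below reconstructs the ETag S3 assigns to a plaintext or SSE-S3 object, for both single-part and multipart uploads, and accepts an upload only when the status code is 200 and the returned ETag matches. The request body and part size are constructed test inputs; the multipart ETag rule (MD5 of the concatenated binary part MD5s, followed by a dash and the part count) is S3's documented behaviour.

```python
import hashlib


def expected_etag(data, part_size=None):
    """ETag S3 assigns to a plaintext or SSE-S3 object.

    Single PUT: hex MD5 of the whole body.
    Multipart upload: hex MD5 of the concatenated binary MD5s of each part,
    followed by "-" and the number of parts.
    SSE-KMS and SSE-C objects get ETags that are not MD5s; skip this check there.
    """
    if part_size is None:
        return hashlib.md5(data).hexdigest()
    parts = [data[i:i + part_size] for i in range(0, len(data), part_size)]
    digests = b"".join(hashlib.md5(p).digest() for p in parts)
    return "%s-%d" % (hashlib.md5(digests).hexdigest(), len(parts))


def upload_succeeded(status_code, response_etag, data, part_size=None):
    """True only if S3 answered 200 and its ETag matches what we sent."""
    if status_code != 200:
        return False
    # S3 returns the ETag wrapped in double quotes.
    return response_etag.strip('"') == expected_etag(data, part_size)


if __name__ == "__main__":
    # Constructed body and a simulated S3 response (no network involved).
    body = b"0123456789abcdef" * 4
    etag_from_s3 = '"%s"' % expected_etag(body, 20)
    print("single-part ETag:", expected_etag(b"hello world"))
    print("multipart ETag  :", etag_from_s3)
    print("accepted        :", upload_succeeded(200, etag_from_s3, body, 20))
```

The part size must be the one the client actually used, otherwise the part count and digests will not line up; for multipart uploads the comparison is therefore only as good as the client's own record of its parts.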

16
Q

Do objects inherit tags from their buckets?

A

No

17
Q

Can buckets be synchronised across regions?

A

Yes, using Cross-Region Replication (CRR). The same replication configuration can also target a bucket in the same region (Same-Region Replication, SRR).

18
Q

What are the requirements for CRR to be set up?

A

Both buckets must have versioning enabled, and S3 needs an IAM role it can assume to read from the source and write to the destination.

The target bucket may be in another account (which must grant that role permission) and may use a different storage class

Replication is between a source and its destination(s); objects that are themselves replicas are not replicated onward, so daisy chaining is not supported

19
Q

What are the rules for CRR?

A

Existing objects are not synchronised when replication is first set up; only objects created afterwards are replicated (S3 Batch Replication can be used to copy the backlog)

Filtering can limit the objects replicated by prefix or tag

Once set up:

  • Delete markers are propagated only if delete marker replication is enabled (the default for legacy configurations without a filter, an explicit opt-in otherwise)
  • Deleting delete markers does not propagate - objects must be restored in both buckets
  • ACL changes are not replicated when replica ownership is overridden to the destination account
  • Permanently deleting a specific old version does not replicate
20
Q

What are the basic storage classes for S3?

A

S3 Standard has 99.99% availability (the SLA guarantees 99.9%) and 11 nines (99.999999999%) durability across multiple AZs.

S3 Standard-IA has a lower storage fee but higher request and retrieval fees. It keeps 11 nines durability but is slightly less available (99.9%).

S3 One Zone-IA is cheaper still but is stored in only one AZ, so the data is lost if that AZ is destroyed; within the zone it still has 11 nines durability (99.5% availability).

Note: in either IA tier, objects smaller than 128 KB are charged as though they were 128 KB, and objects deleted before 30 days are charged for the full 30 days

21
Q

How is access to S3 controlled?

A

Identity-based IAM policies attached to the calling user, group or role

Bucket policies (resource-based) per bucket, which can also grant cross-account or public access

ACLs per object and per bucket (legacy; AWS now recommends disabling them by setting Object Ownership to "bucket owner enforced")

Block Public Access settings per bucket and per account, which override any policy or ACL that would make data public

22
Q

What forms of encryption does S3 support?

A

Encryption in transit: uploads and downloads can go over HTTPS (SSL/TLS), but plain HTTP is also accepted unless a bucket policy denies requests with aws:SecureTransport set to false

Client-side encryption: the client encrypts the data before uploading and keeps the keys, so S3 only ever sees ciphertext

SSE-S3 (Amazon S3 managed keys): each object is encrypted with its own data key, which is in turn encrypted by a master key that S3 manages and rotates. This is now the default for new objects.

SSE-KMS (AWS Key Management Service): the data key is wrapped by a KMS key, either the AWS managed key aws/s3 (one per account per region) or a customer managed key. This adds separate key-usage permissions, CloudTrail logging of every key use and optional rotation; a reader needs kms:Decrypt on the key as well as s3:GetObject on the object.

SSE-C (customer-provided keys): the client sends its own key with every request over HTTPS; S3 uses it and discards it, so the client must keep the key and supply it again for each read
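The access-control and in-transit points of cards 21 and 22 can be checked mechanically against a bucket policy document. The linter below is an added example, not code from the original flashcards: it flags Allow statements whose Principal is everyone, and reports when no Deny statement rejects requests with aws:SecureTransport = false. The two sample policies are constructed for an assumed bucket named example-data and an assumed role ARN; neither appears in the flashcards.

```python
import json

# Constructed sample: public read, nothing forcing TLS.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"}
  ]
}""")

# Constructed sample: a named role may read; plaintext HTTP is denied for everyone.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")


def _as_list(value):
    """Policy grammar allows a scalar wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, the two ways to say 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_allow_statements(policy):
    """Return (sid, has_condition) for every Allow that targets everyone."""
    found = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") == "Allow" and _principal_is_public(st.get("Principal")):
            found.append((st.get("Sid", "statement[%d]" % i), bool(st.get("Condition"))))
    return found


def denies_plaintext_http(policy):
    """True if some Deny statement rejects requests with aws:SecureTransport = false."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny":
            continue
        cond = st.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def lint_bucket_policy(policy):
    """List the findings a reviewer would raise about this bucket policy."""
    issues = []
    for sid, has_condition in public_allow_statements(policy):
        if has_condition:
            # A Condition may or may not restrict the audience (e.g. aws:Referer does not).
            issues.append("%s: Allow to everyone, review its Condition" % sid)
        else:
            issues.append("%s: Allow to everyone with no Condition" % sid)
    if not denies_plaintext_http(policy):
        issues.append("no Deny for aws:SecureTransport=false, so plaintext HTTP is accepted")
    return issues


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "->", lint_bucket_policy(policy) or ["no findings"])
```

The linter only looks at the bucket policy; Block Public Access settings, ACLs and identity-based policies in the same account are evaluated separately by S3, so a clean result here is necessary but not sufficient for the bucket to be private.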

23
Q

In the context of S3, what is versioning?

A

An option to keep all previous versions of objects. Deleting an object merely adds a delete marker; the versions remain and can be restored.

Once enabled, it cannot be disabled. It can be suspended, in which case existing versions are retained but new ones won't be added

24
Q

What is MFA delete?

A

An optional feature for versioned S3 buckets that requires a valid MFA code (with the bucket owner's root credentials) in the request to permanently delete an object version or to change the bucket's versioning state.

It only works on versioned buckets and can only be enabled by the root user through the CLI or API, not the console.

25
Q

What is lifecycle management?

A

A set of per-bucket rules to manage the ageing of objects. Objects can be transitioned to other storage classes (e.g. S3-IA or Glacier) or expired after a given number of days

Rules can also abort incomplete multipart uploads after a set time, so abandoned parts stop accruing charges

26
Q

How does lifecycle management apply if the bucket is versioned?

A

Two sets of rules apply:

  • current versions are managed based on when they were created
  • previous (noncurrent) versions are managed based on when they became noncurrent
27
Q

How can S3 performance be increased?

A

With Transfer Acceleration, enabled per bucket, which routes uploads through the nearest CloudFront edge location onto the AWS backbone.

In this case, the endpoint becomes https://bucket.s3-accelerate.amazonaws.com/object

Large uploads can also be sped up (and made resumable) with multipart upload, which sends parts in parallel

28
Q

How can S3 be used for web hosting?

A

Buckets can be configured as static websites by configuring an index page, error page, and redirect rules; the objects must be readable by the public for this to work.

By default, the website endpoint is bucket.s3-website-region.amazonaws.com (or bucket.s3-website.region.amazonaws.com, depending on the region). Custom domains can be configured with a Route53 alias record if the bucket name matches the domain exactly, including the "www". Website endpoints serve HTTP only; put CloudFront in front of the bucket for HTTPS.

29
Q

What is Glacier?

A

Low-cost archival storage that maintains 11 nines durability because data is spread across multiple AZs.

There are three retrieval options: expedited (1 to 5 minutes), standard (3 to 5 hours) and bulk (5 to 12 hours)

30
Q

What are the basic concepts of CloudFront?

A

It is a global CDN service.

A distribution (web, or the now-retired RTMP type for streaming) consists of multiple edge locations that cache content from one or more origins

31
Q

How do CloudFront origins work?

A

Any HTTP(S) endpoint with a public DNS name: an S3 bucket, an EC2 instance, an Elastic Load Balancer, an on-premises server, or any host resolved through Route53

A single distribution can have multiple origins; each needs an Origin ID that is unique within that distribution, and cache behaviours with path patterns (evaluated in precedence order) decide which origin serves a given request

32
Q

How can access to CloudFront content be restricted?

A

With signed URLs or signed cookies, issued using a CloudFront key pair (trusted key group). The S3 origin itself should be locked down with an origin access identity or origin access control so viewers cannot bypass CloudFront and fetch from the bucket directly; geo restriction and AWS WAF can further limit who reaches the distribution.

33
Q

How does Snowball work?

A

There are three devices. Standard Snowballs have 50 or 80 TB of storage. Snowball Edges have around 100 TB of storage plus local compute to run EC2 instances and Lambda functions.

Snowmobiles allow exabyte-scale data transfer (up to 100 PB each) using shipping-container trucks.

Data on the devices is encrypted with keys managed in KMS. Once filled, Snowballs are returned to Amazon and ingested directly into an S3 bucket

34
Q

What is the predecessor to Snowball?

A

Import/Export was a service in which customers mailed in their own external drives to ingest or receive data

35
Q

How can on-premise servers be connected to S3/Glacier?

A

With Storage Gateway. A gateway virtual appliance (a VM or a hardware appliance) is deployed on premises and is managed through the AWS console; it exposes local file, block or tape interfaces backed by S3.

36
Q

What types of gateway does Storage Gateway support?

A
  • File Gateways present an NFS or SMB share and store each file as an object in S3
  • Volume Gateways present iSCSI block volumes. There are two sub-types
  • — Stored volumes keep the entire copy on premises and asynchronously back it up to S3 as EBS snapshots; each volume is 1 GB to 16 TB
  • — Cached volumes keep only the most frequently used data on premises while the full copy lives in S3; each volume is 1 GB to 32 TB
  • Tape Gateways present a virtual tape library (VTL) over iSCSI, with virtual tapes stored in S3 and archived to Glacier
37
Q

What is EFS?

A

A managed file system for mountable storage, akin to using a NAS.

It uses the NFSv4.1 protocol, has elastic capacity (you only pay for what you use) and is stored across multiple AZs.

It can be mounted by many instances at once.

It is file-based storage (not block-based, unlike EBS) and has read-after-write consistency