1 - Access Control Flashcards
What are the basic concepts of IAM?
Users are people
Groups are a set of users with the same permissions.
Roles are permissions assigned to one or more resources, not people
Permissions are applied to users, groups and roles
What credentials are used for programmatic access?
An access key ID and a secret access key.
The latter can’t be retrieved again but can be regenerated.
These credentials cannot be used for console access
Is IAM region based?
No, it’s global
What is cross-account access?
A feature of the console for ease of use when working in multi-account or multi-role environments
What is STS generally used for?
- Federation using SAML, e.g. from AD
- Federation from mobile apps using OpenID via Cognito
- Cross-account access
What are the key concepts of STS?
Federation is the process of joining users from one domain to another
An identity broker performs the matching (federation) from A to B
Identity stores are services like AD or Facebook that store the identities
Identities are users of that service
What is the general process for federation against AD?
The user enters their username and password into an application, which forwards them to the identity broker
The identity broker forwards the credentials to the identity store which validates them.
If the credentials are valid, the identity broker calls STS to generate a token and returns it to the application
What fields do tokens returned from STS have?
An access key, secret access key, session token, and a duration
What range of durations does STS support?
1 to 36 hours
What does an object in S3 consist of?
The key, value (actual data), version ID, metadata (tags) and sub-resources.
Sub-resources include the ACL, a torrent file, and transfer acceleration configuration
What are the size limits for S3?
Individual objects can be 0 bytes to 5 terabytes
There is no limit on total bucket size
What are the restrictions of bucket names in S3?
Bucket names must be globally unique. They can’t contain underscores, spaces, or capital letters
What is the DNS name for an object?
https://s3-region.amazonaws.com/bucket/object
What is the data consistency model for S3?
Read after write for PUTs of new objects
Eventual consistency for overwrite PUTs and DELETEs
How can an application tell if an upload to S3 was successful?
Successful PUTs return a status code of 200
Do objects inherit tags from their buckets?
No
Can buckets be synchronised across regions?
Yes, using the Cross Region Replication (CRR) feature
What are the requirements for CRR to be set up?
Both buckets must have versioning enabled.
The target bucket may be in another account and could have a different storage class
Replication can only be between two buckets - daisy chaining is not supported
What are the rules for CRR?
Existing objects are not synchronised when CRR is first set up - only new ones
Filtering can limit the objects replicated by prefix
Once set up:
- Delete markers are propagated
- Deleting delete markers does not propagate - objects must be restored from both buckets
- Changes to the ACL are not replicated
- Permanently deleting an old version does not replicate
What are the basic storage classes for S3?
S3 Standard has 99.99% availability (SLA guarantees 99.9%) and 11 nines durability.
S3 - IA has a lower storage fee but higher request fees. It maintains 11 nines durability but is slightly less available.
S3 - IA - One Zone has an even lower cost but is stored in only one AZ. It still has 11 nines durability.
Note: objects smaller than 128kb in either IA tier are charged as though they were 128kb
How is access to S3 controlled?
ACLs which are per object and per bucket
Bucket policies and public access settings are per bucket
What forms of encryption does S3 support?
Encryption in transit as uploads and downloads are over SSL/TLS
Client-side encryption involves manually encrypting the object before uploading it
Amazon S3 Managed Keys (SSE-S3) - each object is given its own key which is in turn encrypted by Amazon’s master key
Amazon Key Management Service (SSE-KMS) adds a separate envelope key which is either provided by AWS or the customer. In the latter case, it is unique per user x region x service
SSE-C uses a customer-provided key
In the context of S3, what is versioning?
An option to keep all previous versions of objects. Deleting them merely adds a delete marker.
Once enabled, it cannot be disabled. It can be suspended, in which case existing versions are retained but new ones won’t be added
What is MFA delete?
An optional feature for S3 which requires an MFA code to delete a version or disable versioning.
It only works on versioned buckets.
What is lifecycle management?
A service to manage the ageing of objects. Objects can be transitioned to other storage classes (e.g. Glacier) or expired after a certain period of time
It also allows failed multi-part uploads to be automatically deleted
How does lifecycle management apply if the bucket is versioned?
Two sets of rules apply:
- current versions are managed based on when they were created
- previous versions are managed based on when they became previous
How can S3 performance be increased?
With Transfer Acceleration, which makes use of CloudFront Edge locations.
In this case, the DNS name becomes https://bucket.s3-accelerate.amazonaws.com/object
Large uploads can be sped up through multi-part uploads
How can S3 be used for web hosting?
Buckets can be configured as static websites by configuring an index page, error page, and redirect rules.
By default, the domain is bucket.s3-website-region.amazonaws.com. Custom domains can be configured with Route53 if the bucket name matches the domain, including the “www”
What is Glacier?
Low-cost archival storage that maintains 11 nines durability as it’s spread across multiple AZs.
There are three retrieval options: standard (3-5 hours), expedited (a few minutes) and bulk (12+ hours)
What are the basic concepts of CloudFront?
It is a global CDN service.
A distribution (web or RTMP) consists of multiple edge locations and origin(s)
How do CloudFront origins work?
These can be S3 buckets, EC2 instances, ELB, Route53 or an on-premises server
A single distribution can have multiple origins by setting precedence and ensuring that each has an Origin ID that is unique within that distribution
How can access to CloudFront content be restricted?
With signed cookies or signed URLs
How does Snowball work?
There are three devices - Standard Snowballs have 50 or 80 TB of storage. Snowball Edges have 100 TB of storage plus compute capability to run Lambda.
Snowmobiles allow for petabyte-scale data transfer using container trucks.
Once filled, Snowballs are returned to Amazon and ingested directly into an S3 bucket
What is the predecessor to Snowball?
Import/Export was a service in which customers mailed in their own external drives to ingest or receive data
How can on-premises servers be connected to S3/Glacier?
With Storage Gateway. An agent is installed on the servers but managed through the AWS console
What types of gateway does Storage Gateway support?
- File Gateways use NFS to store flat-files on S3; it is an object-based storage system
- Volume Gateways use iSCSI for block-based storage. There are two sub-types:
  - Stored volumes store an entire copy on site. They are matched with S3 in the cloud and can store from 1 GB to 16 TB [uses EBS to access?]
  - Cached Volumes keep only the most commonly used data on premises; the full copy is on the cloud. They use S3 and can be from 1 GB to 32 TB
- Tape Gateways provide a virtual tape drive using the VTL interface
What is EFS?
A managed service for mountable storage akin to using a NAS.
It uses the NFSv4 protocol, has elastic capacity (you only pay for what you use) and is stored across multiple AZs.
It can be mounted to many instances at once.
It is block-based storage and has read-after-write consistency