1. S3 and IAM Flashcards

Question 1

Q

What do S3 objects consist of?

Answer

A

S3 objects consist of:

A key - which is the name of the object.
A value - which is the data and it is made up of a sequence of bytes.
A version id - allows you to have multiple versions of your file.
Metadata - data about the data you are storing.

Question 2

Q

What message notifies you of a successful S3 bucket upload?

Answer

A

When you successfully upload to S3 you get an http 200 message.

Question 3

Q

What can you use to guard against accidental deletions in S3?

Answer

A

You can turn on MFA delete to guard against accidental deletions.

Question 4

Q

When can you read objects in an S3 bucket in relation to when you have added / made changes?

Answer

A

S3 has eventual consistency for overwrite PUTS but read after write consistency for new objects.

Question 5

Q

What is used to secure the data in the buckets?

Answer

A

Access Control Lists and Bucket Policies are used to secure the data in the buckets.

Question 6

Q

To what do Access Control Lists apply?

Answer

A

ACLs apply to individual files

Question 7

Q

To what do bucket policies apply?

Answer

A

Bucket policies apply to all contents of the bucket

Question 8

Q

What are the S3 Storage Classes?

Answer

A

S3 Standard
IA (infrequently accessed)
One zone IA
Intelligent tiering
Glacier instant retrieval
Glacier flexible retrieval
Glacier deep archive

Question 9

Q

When would you use S3 IA?

Answer

A

You would use S3 IA for data you don’t access so often, but requires rapid access when needed. Cheaper than standard but a retrieval fee is charged.

Question 10

Q

What is intelligent about S3 Intelligent Tiering?

Answer

A

S3 Intelligent Tiering uses machine learning to move individual objects around based upon how you use/access your data

Question 11

Q

Should S3 Standard be the default choice?

Answer

A

Try to avoid S3 standard as much as possible. If you are going to use it then it makes sense to use S3 Intelligent tiering instead as no uplift in the cost.

Question 12

Q

What is the benefit of using S3 replication?

Answer

A

S3 replication enables high availability and backups.

Question 13

Q

What is S3 Transfer Acceleration?

Answer

A

S3 Transfer Acceleration enables quick and secure transfer of files over long distances between users and bucket locations.

It takes advantage of AWS CloudFront edge locations. This means it will be utilising AWS own backbone network.

Question 14

Q

What should be used in order to create an audit of requests made to the buckets?

Answer

A

Access logs can be used to create an audit for all requests made to the bucket.

These logs can then be sent to other buckets or buckets in other accounts.

Question 15

Q

In what 3 ways can bucket access be restricted?

Answer

A

Bucket access can be restricted using:

bucket policies - apply across the whole bucket
object policies - apply to individual files
IAM policies to users and groups

Question 16

Q

How is S3 data encryption in transit achieved?

Answer

A

Encryption in transit is achieved using SSL/TLS and HTTPS

Question 17

Q

What Key Management services are used to manage S3 server-side encryption?

Answer

A

Server side encryption (on AWS):

S3 Managed keys - known as SSE-S3
AWS Key Management Service - known as SSE-KMS
Server side encryption with customer keys - known as SSE-C

Question 18

Q

What are S3 Lifecycle Management Rules used for?

Answer

A

Lifecycle Management rules can be set so that S3 objects can be managed according to the defined rules set up.

eg, archiving old versions based on number of days old to different buckets, types of buckets, or tagged versions to different buckets, delete old versions of objects after x days etc etc.

Question 19

Q

What are the 3 different ways to share S3 buckets across accounts?

Answer

A

Using bucket policies & IAM (applies to the entire bucket)
Using bucket ACLs & IAM (individual objects)
Cross-account IAM roles

Question 20

Q

What are S3 object locks used for?

Answer

A

S3 object locks can be used to meet regulatory requirements or to just add an extra layer of protection against object changes and deletion.

Question 21

Q

What are the S3 object lock modes?

Answer

A

Governance mode
Compliance mode

Question 22

Q

What does S3 Glacier Vault Lock allow?

Answer

A

S3 Glacier Vault Lock allows you to deploy and enforce compliance controls for individual Glacier vaults with a vault lock policy.

Question 23

Q

How does making documents public work with versioned objects?

Answer

A

Each version of an object needs to be made public individually. Just because one version of an object is public does not mean that the next version will be.

Question 24

Q

How do deletes work with versioned objects?

Answer

A

If you delete a versioned object it will just be a delete marker on the object, old versions will still exist.

Question 25

Q

How do you disable object versioning?

Answer

A

You cannot disable object versioning, it can only be suspended.

Question 26

Q

What is the scope of lifecycle rules in S3?

Answer

A

Lifecycle rules can be selected to apply to the whole bucket or to files that adhere to one or more filters

Question 27

Q

What do Lifecycle Rules allow?

Answer

A

Lifecycle Rules:

the automating moving your objects between storage tiers
they can be used in conjunction with versioning
they can be applied to both current and previous versions of objects

Question 28

Q

What would you use if you didn’t want anyone to be able to modify or delete an object for a period of time, or indefinitely?

Answer

A

To prevent changes or deletions to an object you would use S3 Object Lock

Question 29

Q

What is the difference between Governance mode and Compliance mode under S3 Object Locks?

Answer

A

In Governance mode users can’t overwrite or delete an object version or alter its lock unless they have been granted explicit permissions.

In Compliance Mode a protected object version can’t be overwritten or deleted by any user.

Question 30

Q

What are Legal Holds?

Answer

A

Legal Holds prevent an object version from being overwritten or deleted.

Unlike Retention Periods however, a legal hold remains in effect until removed.

Question 31

Q

What is WORM in relation to Object Locks?

Answer

A

WORM is Write Once Read Many

Question 32

Q

What are the scope of Object Locks?

Answer

A

Object Locks can be applied to individual objects or across the bucket as a whole

Question 33

Q

What is the difference between S3 Object Lock and S3 Glacier Vault Lock?

Answer

A

S3 Object Lock can be applied to all objects in S3, whereas Glacier Vault Lock is applicable to only vaults within S3 Glacier.

Question 34

Q

How do prefixes affect S3 performance?

Answer

A

The greater number of prefixes you have, the better the performance will be.

You can get 3,500 PUT/COPY/POST/DELETE and 5,000 GET/HEAD requests per second per prefix.

Question 35

Q

What do you need to bear in mind with regards to performance when using KMS?

Answer

A

Uploading and downloading objects encrypted with KMS will count towards your (chargeable) KMS quota

Question 36

Q

What are multi-part uploads?

Answer

A

Multi-part uploads is the splitting of large files into smaller ones to increase the upload speeds.

Recommended for > 100 MB, required for > 5GB

Question 37

Q

What is S3 Select?

Answer

A

S3 Select enables the retrieval of a subset of data using simple SQL expressions. This provides speed and cost savings.

Question 38

Q

What is Glacier Select?

Answer

A

Similar to S3 Select, Glacier Select allows the running of SQL queries against Glacier directly.

Question 39

Q

Why would you use Consolidated Billing?

Answer

A

Consolidated Billing allows you to use economies of scale across all your AWS accounts

Question 40

Q

When using AWS Organisations, what should the Paying account be used for?

Answer

A

When using AWS Organisations, the Paying account should be used for billing purposes only and have no resources deployed into it

Question 41

Q

What are Service Control Policies (SCP) used for?

Answer

A

Used as part of AWS Organisations, SCP is used to restrict accounts or OU’s from doing certain things. For example, stop the accounts account deploying EC2 instances

Question 42

Q

Will a publicly accessible object in a bucket be accessible to the public when it is replicated to another bucket?

Answer

A

No, the object will need to be made public in the replication bucket. Each instance will need to be made public.

Question 43

Q

Is versioning automatically enabled on both source and replicated buckets?

Answer

A

No, versioning needs to be enabled on both source and replication buckets

Question 44

Q

What does S3 Transfer Accelerator allow you to do?

Answer

A

Transfer Accelerator allows you to upload to Edge Locations around the world directly rather than to the S3 bucket and it gives speed improvements

Question 45

Q

What is AWS DataSync?

Answer

A

DataSync is a tool to transfer large amounts of data from an on-premise file system into AWS.

Replication can be done as a one-off activity and/or on a schedule

Question 46

Q

Into what systems can AWS DataSync load data?

Answer

A

DataSync can load data into S3, EFS and FSX

Question 47

Q

What is another use case with AWS Data Sync and EFS?

Answer

A

AWS Data Sync can also be used to replicate data from EFS to EFS using the Data Sync agent installed on an EC2 instance.

Question 48

Q

What is a Distribution?

Answer

A

A Distribution is a collection of Edge Locations

Question 49

Q

Are Edge Locations read-only?

Answer

A

No, you can also write directly to Edge Locations

Question 50

Q

Can you clear cache objects on Edge Locations?

Answer

A

Yes you can clear cached objects but there will be a charge

Question 51

Q

What is the TTL (Time to Live)

Answer

A

The TTL is how long the cached content will remain on the Edge Location before a new version is retrieved and cached

Question 52

Q

To make one file available as part of premium content on your website, what would you use?

Answer

A

To make a single file available to a user you would use a signed url

Question 53

Q

If you wanted to make multiple files available to a user as part of premium content on your website, what would you use?

Answer

A

You would use a signed cookie to make multiple files available to your end users

Question 54

Q

What are attached to signed urls and signed cookies?

Answer

A

Signed urls and cookies have policies attached. These policies include:

url expiration
IP ranges
Trusted signers

Question 55

Q

When would you use a signed CloudFront url vs a signed S3 url?

Answer

A

You would use a signed CloudFront url if your origin was EC2

Question 56

Q

Does Snowball or Snowball Edge have compute as well as storage services?

Answer

A

Snowball Edge has both compute and storage functions

Question 57

Q

What is used to connect an on-premise software appliance with Cloud-based storage and replicate your data to the Cloud?

Answer

A

AWS Storage Gateway is used to connect on-premise software to AWS Cloud-based storage

Question 58

Q

Is AWS Storage Gateway a virtual or physical appliance?

Answer

A

Storage Gateway can be either virtual or physical. Either a piece of hardware to install at your data centre or on a downloadable VM

Question 59

Q

What are the 3 Storage Gateway types?

Answer

A

The 3 Storage Gateway types are:

File Gateways - storing files in S3
Volume Gateways - strong copies of your HDDs
Tape Gateway - a virtual tape library

Question 60

Q

What is File Gateway?

Answer

A

File Gateway is a type of Storage Gateway that enables you to store files as objects in your S3 buckets.

Question 61

Q

What is Volume Gateway?

Answer

A

Volume Gateway is a type of Storage Gateway that allows you to write entire volumes (HDD) to the Cloud.

These can be asynchronously backed up and stored as EBS snapshots

Question 62

Q

What are Snapshots in relation to Volume Gateway?

Answer

A

Snapshots are incremental backups that capture only the changed blocks. All snapshot storage is compressed to minimise storage charges.

Question 63

Q

What are the two different types of Volume Gateways?

Answer

A

The two different types of Volume Gateways are:

Stored Volumes
Cached Volumes

Question 64

Q

What are Stored Volumes?

Answer

A

Stored Volumes are a type of Volume Gateway that let you store your primary data locally while asynchronously backing it up (snapshots) to AWS.

These provide off-site backups of all data.

Answer 65

A

Cached Volumes are a type of Volume Gateway that let you store your data primarily in S3 but retain frequently accessed data locally in your Storage Gateway.

Cached volumes minimise the need to scale your on-premise infrastructure.

Answer 66

A

A Tape Gateway is a type of Storage Gateway to archive your data in the Cloud.

Answer 67

A

Athena is a service that lets you query data inside S3

Answer 68

A

Macie is used to find Personally Identifiable Information stored in S3 using Machine Learning and AI.

Answer 69

A

A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. Most policies are stored in AWS as JSON documents.

Answer 70

A

A Key and Secret Key combination are used to access AWS programmatically you use a Key and Secret Key combination.

To access the console you use an account and password combination.

Answer 71

A

By default new IAM Users have no permissions to AWS services. They must be explicitly granted.

Answer 72

A

Access to all AWS services except the management of groups and users within IAM.

Answer 73

A

Setting up a cross account IAM role is currently the only method that will allow IAM users to access cross account S3 buckets both programmatically and via the AWS console.

Answer 74

A

IAM allows you to manage users, groups, roles, and their corresponding level of access to the AWS Platform.

Answer 75

A

No Permissions

AWS systems are designed to be secure 1st. The system administrator needs to add permissions to allow accounts to take actions.

Answer 76

A

The root account in an AWS account represents the Owner of the account and can do anything including changing billing details and even close the account. The details for this account should be locked away and only used when absolutely necessary.

Answer 77

A

Although both serverless services, the difference between S3 Select and Athena is the scale.

S3 Select supports querying one file at a time. With Amazon Athena, we can perform SQL against any number of objects, or even entire bucket paths. Its not uncommon for folks to perform queries on TERABYTES of data.

Answer 78

A

Both are similar services except KMS provides additional features at a cost.

With SSE-KMS you can create and manage encryption keys yourself or you can use a default CMK key that is unique to your service.

Also as KMS is integrated with Cloudtrail you can also audit the usage of the key like when, by whom, for what purpose the key was used

Answer 79

A

A Legal Hold on an object will remain in place indefinitely whereas a Retention Period will expire after a period of time.

Answer 80

A

The two ways to use S3 Object Locks are:

Setting a Retention Period
Using a Legal Hold

Answer 81

A

Glacier Vault is an archive storage solution independent from AWS S3. It uses storage containers named vaults (opposed to S3 buckets) and its own set of APIs for data uploading and retrieving.

As the storage price is cheaper compared to S3, data retrieval is more expensive and time-consuming.

Answer 82

A

An ARN uniquely identifies any resource in AWS

Answer 83

A

Permission boundaries are used to assign the maximum permissions a user can have. So for example if a user has admin permissions, a permission boundary can be set to restrict access to DynamoDB only.

Answer 84

A

You can secure your data using:

Server-side Encryption
Access Control Lists
Bucket Policies

Answer 85

A

IAM Federation is the combining of your existing user account with your AWS account.

For example using your PC login to login to AWS.

Answer 86

A

No delete markers are not replicated by default

Answer 87

A

No, existing objects do not automatically replicate to the destination bucket?

Only subsequent objects will be automatically replicated.

Answer 88

A

Byte-range fetches:

Parallelise downloads by specifying byte ranges and speeding-up the download time
It can be used to download partial amounts of the file, such as the headers
If there is a failure in the download, it would be for a specific byte range only

Answer 89

A

You can apply server-side encryption using:

the console
bucket policies

Answer 90

A

You can enforce a bucket policy that will not allow any uploads that are not encrypted.

Answer 91

A

After a retention period expires the object can be overwritten or deleted.

Answer 92

A

Glacier Instant Retrieval provides long-term data archiving with instant retrieval time for your data.

Answer 93

A

Glacier Flexible Retrieval is ideal for archive data that does not require immediate access but needs the flexibility to retrieve large sets of data at no cost, such as backup or DR use cases.

Answer 94

A

For Glacier Flexible Retrieval the retrieval time can be between minutes up to 12 hours.

Answer 95

A

Glacier Deep Archive is the cheapest storage class and designed for customers that retain data for 7-10 years or longer to meet regulatory compliance requirements.

Answer 96

A

The standard retrieval time is 12 hours and bulk retrieval is 48 hours.

Answer 97

A

The key properties of object versioning are:

Stores all versions of an object, even if you delete
Is good for backing up data
It cannot be disabled, only suspended once enabled
It integrates with lifecycle rules
And comes with MFA delete capability to ensure against accidental deletion

Answer 98

A

Only the latest version of an object will become public. Older versions will remain hidden.

Answer 99

A

When you delete a versioned object, the versions are still available. If you select “List versions” you can see old versions underneath the top object marked as deleted. You can then go in and permanently delete if desired.

Answer 100

A

If you put a static website on S3 you dont have to worry about scaling, load balancers or anything like that. S3 will take care of it all for you.

Answer 101

A

Files in S3 can be up to 5TB

Answer 102

A

There is unlimited storage in S3

Answer 103

A

All S3 and Glacier data will be stored in at least 3 AZs

Brainscape's Knowledge GenomeTM

1. S3 and IAM Flashcards

Brainscape's Knowledge Genome^TM