2 - Storage Flashcards
What is the DNS name for S3?
https://bucket.s3-region.amazonaws.com/object
What is the consistency model for S3?
Read after write for PUTS of new objects
Eventual consistency for overwrite PUTs and DELETEs
What do objects in S3 consist of?
Key, value, version ID, metadata, and sub-resources
Sub-resources include bucket policies, ACLs, CORS configurations, and transfer acceleration configurations
What is CORS and why is it needed for S3?
By default, the client prevents scripts in one bucket from accessing resources in another
What are the S3 storage classes?
Standard
Infrequently Accessed
One zone - Infrequently Accessed
Glacier
Reduced Redundancy Storage
(intelligent tiering)
In practical terms, how durable is S3?
Standard, Standard-IA, and Glacier are designed to withstand the loss of an AZ
What is the Standard S3 storage class?
11 9’s durability, 99.99% availability
What is the Standard-IA S3 storage class?
11 9’s durability, 99.9% availability, request fee
What is the One Zone - IA S3 storage class?
11 9’s durability, 99.5% availability, request fee, won’t withstand AZ loss
What is the Glacier S3 storage class?
11 9’s durability 99.99% availability, no real-time access
What is the RRS S3 storage class?
99.99% durability, 99.99% availability, not recommended
How does intelligent tiering work?
It automatically moves objects between two tiers: frequent and infrequent. It retains 11 9’s durability and 99.9% availability but has a small monthly cost
What are the ways of managing security in S3?
ACLs, bucket policies and public access settings
What are ACLs?
Settings applied at the bucket and object level to control access to accounts, the public, and the log service
What are bucket policies?
IAM based policies that provide further control over the bucket
What are public access settings?
A feature that prevents accidentally making S3 buckets/objects public by blocking ACL changes that would have this effect
How are S3 buckets monitored?
Server access logging - requests logged in another bucket
CloudTrail logs API calls
What basic types of encryption does S3 support?
Client-side, server-side and in-transit
How does server-side encryption with S3 work?
SSE-S3 - each object has its own key; the keys are encrypted by AWS’ master key, which they rotate
SSE-KMS - keys are managed for you with KMS, this uses an envelope key
SSE-C - uses KMS but you provide the key
How can server-side encryption be enforced?
Set a bucket policy which denies PUT requests that don’t have the x-amz-server-side-encryption header.
What does CloudFront consist of?
Distributions (web or RTMP) which are a group of edge locations that serve content from an origin
In the context of CloudFront, how do origins work?
They can be on-premises, EC2, ELB or Route53 but are generally just S3 buckets
A single distribution can have multiple origins by setting a precedence
Can CloudFront be used for uploads?
Absolutely. In fact, it is used behind the scenes for S3 acceleration
How can S3 performance be optimised?
For GET heavy workloads, use CloudFront
For mixed request workloads, the previous advice was to avoid sequential key names but this is no longer necessary
When should multipart uploads be used?
They should be used for objects larger than 100MB, and must be used for objects larger than 5GB
What values should be used for x-amz-server-side-encryption?
AES256 for SSE-S3 or aws:kms for SSE-KMS
How can CloudFront objects be protected?
Using signed URLs, signed cookies or whitelisting/blacklisting countries
What is Storage Gateway?
A service to connect on-premises systems to cloud storage
What kinds of gateway does Storage Gateway support?
Tape Gateway - uses VTL to store data on S3
File Gateway - provides object based storage on S3 using SMB or NFS
Volume Gateway - uses iSCSI to provide block-based storage. Can operate in two modes:
- Cached - the full volume is stored on S3, and the most recently accessed data is cached locally
- Stored - the entire volume is available locally, and asynchronously replicated to S3