2 - Storage

Question 1

What is the DNS name for S3?

Answer 1

https://bucket.s3-region.amazonaws.com/object

Question 2

What is the consistency model for S3?

Answer 2

Read after write for PUTS of new objects

Eventual consistency for overwrite PUTs and DELETEs

Question 3

What do objects in S3 consist of?

Answer 3

Key, value, version ID, metadata, and sub-resources

Sub-resources include bucket policies, ACLs, CORS configurations, and transfer acceleration configurations

Question 4

What is CORS and why is it needed for S3?

Answer 4

By default, the client prevents scripts in one bucket from accessing resources in another

Question 5

What are the S3 storage classes?

Answer 5

Standard

Infrequently Accessed

One zone - Infrequently Accessed

Glacier

Reduced Redundancy Storage

(intelligent tiering)

Question 6

In practical terms, how durable is S3?

Answer 6

Standard, Standard-IA, and Glacier are designed to withstand the loss of an AZ

Question 7

What is the Standard S3 storage class?

Answer 7

11 9’s durability, 99.99% availability

Question 8

What is the Standard-IA S3 storage class?

Answer 8

11 9’s durability, 99.9% availability, request fee

Question 9

What is the One Zone - IA S3 storage class?

Answer 9

11 9’s durability, 99.5% availability, request fee, won’t withstand AZ loss

Question 10

What is the Glacier S3 storage class?

Answer 10

11 9’s durability 99.99% availability, no real-time access

Question 11

What is the RRS S3 storage class?

Answer 11

99.99% durability, 99.99% availability, not reccomended

Question 12

How does intelligent tiering?

Answer 12

It automatically moves objects between two tiers: frequent and infrequent. It remains 11 9’s durability and 99.9% availability but has a small monthly cost

Question 13

What are the ways of managing security in S3?

Answer 13

ACLs, bucket policies and public access settings

Question 14

What are ACLs?

Answer 14

Settings applied at the bucket and object level to control access to accounts, the public, and the log service

Question 15

What are bucket policies?

Answer 15

IAM based policies that provide further control over the bucket

Question 16

What are public access settings?

Answer 16

A feature that prevents accidentally making S3 buckets/objects public by blocking ACL changes that would have this effect

Question 17

How are S3 buckets monitored?

Answer 17

Server access logging - requests logged in another bucket

CloudTrail logs API calls

Question 18

What basic types of encryption does S3 support?

Answer 18

Client-side, server-side and in-transit

Question 19

How does server-side encryption with S3 work?

Answer 19

SSE-S3 - each object has its own key the keys are encrypted by AWS’ master key which they rotate

SSE-KMS - keys are managed for you with KMS, this uses an envelope key

SSE-C - uses KMS but you provide the key

Question 20

How can server-side encryption be enforced?

Answer 20

Set a bucket policy which denies PUT requests that don’t have the x-amz-server-side-encryption header.

Question 21

What does CloudFront consist of?

Answer 21

Distributions (web or RMTP) which are a group of edge locations that serve content from an origin

Question 22

In the context of CloudFront, how do origins work?

Answer 22

They can be on-premises, EC2, ELB or Route53 but are generally just S3 buckets

A single distribution can have multiple distributions by setting a precedence

Question 23

Can CloudFront be used for uploads?

Answer 23

Absolutely. In fact, it is used behind the scenes for S3 acceleration

Question 24

How can S3 performance be optimised?

Answer 24

For GET heavy workloads, use CloudFront

For mixed request workloads, the previous advice was to avoid sequential key names but this is no longer necessary

Question 25

When should multiple-part uploads be used?

Answer 25

They should be used for objects larger than 100MB, and must be used for objects larger than 5GB

Question 26

What values should be used for x-amz-server-side-encryption?

Answer 26

AES256 for SSE-S3 or aws:kms for SSE-KMS

Question 27

How can CloudFront objects be protected?

Answer 27

Using signed URLs, signed cookies or whitelisting/blacklisting countries

Question 28

What is Storage Gateway?

Answer 28

A service to connect on-premises systems to cloud storage

Question 29

What kinds of gateway does Storage Gateway support?

Answer 29

Tape Gateway - uses VTL to store data on S3

File Gateway - provides object based storage on S3 using SMB or NFS

Volume Gateway - uses iSCSI to provide block-based storage. Can operate in two modes:

• Cached - the full volume is stored on S3, and the most recently access data is cached locally
• Stored: the entire volume is available locally, and asynchronously replicated to S3