AWS S3 Flashcards
1
Q
What are the storage classes available in AWS?
A
S3 standard
S3 standard IA
Zone IA
Intelligent tiering
Glacier
Glacier Deep Archive
2
Q
What type of storage is S3?
A
Object storage
3
Q
What is the availability of S3?
A
4 x 9s
4
Q
What is the durability of S3?
A
11 X 9s
5
Q
How many availability zones is S3 data replicated to?
A
3 AZ
6
Q
What is the min size of data you can put in S3?
A
1 byte
7
Q
What is the max size of data you can place in S3?
A
5 TB
8
Q
Is encryption at the object level or the bucket level?
A
Encryption is enabled and applied at the bucket
9
Q
If one tenant has a bucket called ‘dog’ can you have a bucket called ‘dog’?
A
No buckets has to be unique with in a region.
10
Q
What are the two types of encryption available to S3?
A
Server side and Client side.
11
Q
What is the encryption used on server side encryption for S3?
A
AES-256
12
Q
Who holds the master key for S3 encryption?
A
AWS- in KMS
13
Q
Are all objects encrypted using the same master key? (are the keys changed over time)
A
No the keys are rotated each month.
14
Q
The master keys is used in the process to encrypt a object, is this the only key?
A
No there is a per object key.
15
Q
Is the per object key encrypted?
A
Yes it is encrypted by the master key.
16
Q
Is the object data encrypted at rest?
A
Yes
17
Q
Where is the per object stored?
A
In a hidden S3 bucket.
18
Q
Is there other options available to encrypt a object?
A
Client side encryption using the SDK.
19
Q
If you put data in a single region is that data/objects replicated to other regions?
A
No data stays with in a region.
20
Q
Can you copy data and objects to other regions?
A
???
21
Q
Would you make a html page available to people on the internet?
A
Use static web hosting.
22
Q
How can you delete a object after a week (period of time)
A
Use life cycle policies.
23
Q
Can life cycle policies be applied to just one object with in a bucket?
A
Yes using the prefix parameter.
24
Q
How would you apply life cycle policies to a entire bucket?
A
Use the ‘Apply to Entire Bucket’ parameter.
25
If you do not need S3 data available on demand, how can you lower the cost of storage?
Use AWS Glacier.
26
How can you move data into glacier storage?
Use life cycle policies.
27
How can we ensure that when a object is updated or deleted that we can get the old data?
Use S3 versioning.
28
Can versioning and life cycle policies be used at the same time?
No.
29
Can versioning be removed easily?
No.
30
What is the minimum number of copies in availability zones of the S3 object are kept with in a region?
3
31
What is WORM architecture?
Write one read many times.
32
Is S3 a WORM architecture?
Yes.
33
What is eventual consistency?
When a object is update in S3 by many users across the availability zones, the object that is wrote last will be the one that all other copies become.
34
When you write a object to S3 will all availability zones have a consistent copied of the object?
Yes new objects are synced across all availability zones before you get a ask back to say the write was OK.
35
Is there any region that dose not support read after write?
US-Standard
36
Do you get a sync write across all availability zones during a update?
No object is async wrote to the other availability zones with in the region.
37
When you delete a object are all objects dated before you get a ack to say the operations was successful?
No much like update the objects in the other availability zones are async deleted.
38
What is read after write?
Data is available to read in all availability zones after a ack is returned.
39
Is data replicated across regions?
No data is not replicated across regions.
40
What stops you data having bitrot (bitrot is where you data at rest get corrupt)?
AWS is checking objects on a regular basis to make sure there check sum is correct.
41
When bitrot is detected what will AWS do about it?
AWS will restore the corrupt date using the redundant copies.
42
Will all incoming object request be sent to the same availability zone?
No requests are load balanced across all availability zones.
43
What is S3 RRS?
Reduced redundancy storage.
44
How durable is RRS storage?
4 x 9s.
45
What happens when a object is lost from RRS?
A ReduceRedundacyLostObject event is triggered.
46
What is the max UTF-8 name size of a bucket?
1024 bytes.
47
S3 will partition based on key prefix, why is it important to not have the object name sequence?
Sequence naming of objects mean that the objects are clustered to gather and not spread out over the entire S3 cluster.
48
Do you need to manage the server side encryption?
No it is automatically taken care by AWS.
49
What are the 3 ways for access control on S3
Policies, ACL's, IAM.
50
How could you store some extra data like the object date, use name with the object?
Use metadata.
51
How can you get visibility in to the incoming S3 requests for you objects?
Logs when turned on will save each request and response.
52
When are S3 logs kept?
You define a bucket for the logs?
53
Are S3 logs automatically deleted?
No you have to take care of this your self, you can set up a life cycle policy to delete the objects.
54
Why is glacier called write once read never?
This is because when you write it is take some time to retrieve that data when needed?
55
With glacier how long dose it take to retrieve data to S3?
2 - 6hrs
56
What is the cost of glacier storage?
1c per GB.
57
What is the cost of S3 storage?
8.5c per GB.
58
What is the cost of RRS?
6.8c per GB.
59
If a object in S3 has a life cycle policy to delete the object after 30days and the object moves to glacier with will glacier do after the 30days?
Glacier will observe the S3 policy and delete the object after 30days.
60
When a object is retrieved from glacier when is it put (a)S3 (b)RRS
(b) RRS
61
What AWS functionality is used to move S3 data from one storage class to anither
Life cycle policies
62
Can I remove versioning from bucket once applied?
No but you can disable it.
63
What is the max upload in s single put?
5GB
64
I need to upload a single file that is 500GB in size, what is my best option for uploading the file?
Ensure you are using multipart upload
65
When files are larger than 100MB what is the recommended option for upload?
Multi-part upload
66
For PUT (new objects), can I read it and will it be consistent?
Yes, for S3 you have read after write consistency.
67
For HEAD and GET
Eventual
68
For PUT and DELETES, what is the consistency model?
Eventual
69
Updates to a single key are?
Atomic, only one person can update the object at a time.
70
Where is my object stored?
In a min of 3 AZ in a single region.
71
Is encryption automatically enabled?
No
72
I need to transition objects to Glacier from s3, do I have to manually copy?
No, you can set up a life cycle policy and have objects transitioned to Glacier. You get an option for previous or new objects.
73
When I am uploading objects to s3, I would like to have the objects move direct to Glacier, do I have to set up a life cycle policy to move objects to Glacier?
No there is an option in the upload API to select the storage class.
74
I need to log access to my S3 bucket, can I use CloudWatch for this?
A better option is to enable the server access logs by pointing as a bucket where the logs will be stored.
75
I am storing data on S3 and I want it to be secure, what should I consider?
- Security for transport in and out of S3: HTTPS - Encryption at REST: SSE - Access, who has access to the data: IAM
76
I am using the API to send an object to S3, I want this object to be encrypted using SSE, what is the header I send?
x-amz-server-side-encryption
77
What is the consistency model for S3?
- PUTS for new objects are strong consistent (you can read after write)
- PUT (Updates) and Deletes are eventually consistent.
-
78
I have an object in S3 called Keith, I update it with a PUT and then call GET, am I guaranteed to get the object latest version?
No, updates on the existing object are eventually consistent.
79
What are the access methods available to restrict or grant permissions on objects and buckets in s3?
- IAM
- ACL
- Bucket and User policies
-
80
In S3 I have to ensure objects are not deleted for 4 years due to regulatory requirements, how can I achieve this?
S3 has a lock on object feature then enable s you to lock the objects put in a bucket for a period of time.
81
I provide files to my customers but I do not want to pay for the cost when my customer access the files. what is my best option for solving this?
Use requester pays feature of S3..
82
When I have version control enabled on S3 bucket and I delete an object, what will happen?
The object will not be deleted but will assume a version ID
83
I need to create a pre-shared key to enable users to upload data to S3, what do I need to be able to do to ensure the user I give the key to can upload the data?
Ensure I have upload permissions in the bucket
84
There is a server on-prem that wants ot to connect to S3 using the most efficient way possible, minimizing latency and not using the internet,, the on-prem is using direct connect?
Create a public endpoint to connect to S3.
85
When working with S3, can I use IAM policies to give web users access to the bucket?
No, IAM policies are used only in the context of IAM users and Roles. To give internet users access to a bucket or object in the bucket, you have to use a bucket policy, this will enable you to give access to Internet-based users.
86
I want to ensure that only a certain IP can access a bucket, how can I do this?
Set up a bucket policy to allow access the bucket but with a condition of "IpAddress"
87
I what to access an S3 bucket form another account, the account iD is 12345678, how cna I do this?
Create a bucket policy, in the bucket policy set the principal to the account name that needs to access the bucket.
"Principal" : "arn::aws:;iam::12345678:\*"
88
What is the difference between arn::aws::s3::keith-bucket and arn :: aws ::s3:: keith -bucket/\*?
The first on refers to the bucket, the second one refers to the content of the bucket.
89
When you create a bucket or an object, by default what ACL's are granted?
The owner is granted full permissions.
90
For S3 ACL's what are the access domains?
Root user gets full permissions (list objects, write objects, read bucket permissions, write bucket permissions.
Access to other accounts
Public access
S3 log
91
What is x-amz-acl?
it is the header when you upload an object to set the ACL to Private, public-0read, bucket-owner-read, bucket-owner-full-control
92
Do ACL give you control over the object in a bucket?
Yes but only for predefined groups, accounts and public.
93
What is a pre-signed URL?
A presigned URL can be used to give someone times limited access to download or upload a file to a bucket.
94
I have a web application that enables users to download a ZIP file after they pay a fee, I wnat to ensure that only this user can download the file and for a time limited period like 24hrs, what option do I have?
I can have my application create a signed URL that the user can use to download a file, the signed URL is time limited for the required 24hrs.
95
I have a requirement to provide a user with a secure upload for a file they have, what are by S3 options?
Create a signed URL, this way the user cna only upload the required file, the user will not have full access to the bucket or other files in the bucket. The signed URL expires after 24hrs.
96
Can I use signed URLs with S3?
No a signed URL is a CloudFront function, S3 used signed URLs to secure and time limit the of upload and download of files
97
Where can I use s3 storage?
- Static content (S3 Standard)
- Static website (S3 Standard)
- The origin for CloudFront (S3 Standard)
- Archive (Glacier)
- Backup
- Storage GW
98
If I have a bucket called Keith and a directory called Cathy and an object in the Cathy directory what will the S3 key look like.
It will be s3://keith/Cathy/object name. The reason for this is S3 has a flat file structure, no directories just a key that is mead up by joining the object/prefix/buckenetname together.
99
If I add ?torrent on the end of an amazones3 bucket URL, what am I doing?
I am requesting the file using torretc.
100
Can I use ipv6 with s3?
Yes but not for torrent or for static website hosting.
101
I wnat to use static web site hosting with IPv6 how cna I configure this with s3?
You cant as s3 static web site does not support IPv6
102
What are S3 events?
They are a set of events theat occur in S3 thet can call external service like,
- SNS
- SQS
Lambda functions
103
What sort of events can be generated by S3?
- PUT
- POST
- COPY
Multi-part upload complete
All objects created
Object lost
Permanently deleted
All object delete events
Restore from glacier
104
How can I calculate the cost of putting 10TB of object data in S3?
S3 is free to ingest data.
105
Do I pay for data out to the internet for of s3?
Yes (approx 0.09 pm GB)
106
107
Do I pay for data out to the DirectCoonnet for s3?
Yes
108
With S3 what do I pay for?
- Storage GB per month, this depends on the tier of storage
- Transfer of day out
- Transfer of data between regions
- Transfer of data over Direct connect or VPN
- API calls like pouts/gets, etc.
109
I have a requirement to replicate data from one bucket in us-east-1 to eu-west-1, what is my bets option?
You can use s3 replication to replicate the data.
110
I have 20TB of CVS files and I need to query the data, the files are stored in s3, how can I query the data?
Atena
111
I need to get a list of every object in by 20TB S3 bucket, what is my best option, call API or something else?
Use the S3 bucket inventory process, this will run and create an OCR Apache optimized row columnar set of files, you can use atena to query this data.
112
How can I monitor the S3 as part of my global monitoring solution?
You cna use cloudwatch to monitor bucket metrics.
113
What are the public access settings?
They enable you to stop people making the bucket public by accident.
114
What is first-byte latency and how does it apply to s3 storage tiers?
S3 standard, IA, Zone IA, Intelligent tier first byte latency is millisecond. Glacier and Glacier Deep Archive is much larger latency to first byte.
115
What is the durability of all the storage classes?
11x9%
116
For all s3 storage classed how my zones are data stored in?
3, except for Zone IA thet is 1.
117
What storage tier should you use for hot backup?
S3-IA.
118
For Glacier deep archive, what is the minimum number of days an object must be kept for?
180-day minimum
119
For Glacier deep archive, is the retreval time the same or shorter then Glacier?
It is longer
120
How long will it take to get an object form Glacier Archive Storage?
Several hours
121
For both Glacier and Glacier deep archive, what is the min storage charge?
40KB
122
I am a hospital and I currently store 100TB of x-ray images on s3, I want to improve on my cost of storage, how can I do this? Xrays are looked at frequently for the first 90 days and then maybe once a year and after a year just if the patient comes back.
Set up a lifecycle policy to move to Standard IA after 90 days. Set up LCP to move to the glacier after a year.
123
What is the minimum time I can store an object for in Standard IA
90dyas, deleting before this period and you are charged.
124
What is the minimum storage charge for an object in Standard IA?
128KB
125
What is the minimum storage charge for an object in Zone IA?
128KB
126
What is the availability of Standard IA?
99.5%
127
What is the availability of ZoneIA?
99%
128
What is the availability of Standard ?
99.99%
129
I am storing data that is reproducible for analysis, what storage class are bets to store it on for cost?
Zone IA, if the data fails or the zone is not available, you
can recreate the dat and process at another time, for this reason, Zone, IA is a good choice.
130
For Glacier, how fast can I retrieve my storage and is there a cost?
You can retrieve storage form min to hrs and the cost is low to high.
131
What is intilligent-tiering?
This is a tier of storage that will monitor your objects and if they are not used will move the objects to the Standard IA tier, if the object becomes used again, it will be moved back to Standard tier.
132
I need to delete my objects after 60days, how can I do this?
Lifecycle policies.
133
Is object versioning on the bucket or object level?
it is applied at the bucket level.
134
When I have object versioning enabled and I upload a new object with the same key, what happens?
Both versions of the file will exist and each has a unique ID
135
Where bucket version is enabled and I retrieve an object, what will happen?
You will get the most current version as you did not give a version ID.
136
Where is have bucket versioning enabled, can I have two different versions of an object in different tiers of storage?
Yes.
137
I have bucket version-enabled, I delete an object, what happens?
You get a delete marker.
138
I have an object that is deleted and I wnat to retrieve it, how cna I do this?
You delete the delete marker and the bucket will reappear.
139
I have a bucket with the object version-enabled, I wnat to get a previous version, how cna I do this?
Specify a version ID.
140
When I delete an object in a bucket with versioning enables what will happen?
You get a delete marker and the object is still present, you can delete the delete marker to get the object back or you can request the object or any of its version by ID.
141
Is it possible to delete a version of an object that is in a bucket with version control enabled?
Yes, just specify the version iD of the object.
142
I wnat to set up cross-region replication, what do I need to do?
Enable version control.
143
I have a requirement from my organization that legal document is retained for 3years after which they must be deleted, how can I do this?
This can be done by using objects locking and setting the period for 3years
144
If object locking is enabled can you use regional replication?
No
145
When you create a bucket who has access?
By default the resource owner (an account created) has access but no one else.
146
What types of access control exists for s3?
- You have IAM, this is where the bucket oners account is trusted by the bucket, with this you can use AWS IAM to gran users, roles or other accounts access t the bucket.
- You also have bucket policies, this is where you can give users, accounts or even anonymous user access to the bucket, bucket policies can even use a condition like tags on buckets or the caller IP.
- Access control lists (ACLs): can be used to grant users in another account. You cna also gran anonymous user access.
147
When I generate a pre-signed URL and a user used the pre-signed URL to access the object, how ide is the pre-signed URL accessing the object under?
Under the ID of the user who created the pre-signed URL.
148
If I do not have access to an s3 bucket and I generate a pre-signed URL, will the users of the pre-signed URL have access tot he objects?
No, the creator of the pre-signed URL must have access to the object as it is this user access key from STS that is been used to access the object.
149
I have just enabled cross-region replication, I go to my another bucket in the other region and non of the objects are present, why?
Because cross-region replication is not retrospective.
150
I have objects that are encrypted by client-side encryption, can I cross-region replication?
No, you can only use unencrypted objects or server-side encrypted objects.
151
Can I use cross-region replication to another account?
Yes.
152
We are storing our data on Amazon Simple Storage Service (S3). Our orgs security policy mandates that data is encrypted at rest. What options do I have?
- Server-side encryption (AWS managed keys)
- Server-side encryption (Client managed keys)
- Client-side encryption
153
Is it possible to have different encryptions keys for different versions of the same object?
Yes as each object is encrypted using different keys. The reason for this is each key is encrypted using the selected key and this can be different from object to object.
154
When uploading an object to s3, how cna I get the s3 to encrypt using SSE?
You should send the encryption key and x-amz-server-side-encryption-customer-key-AES-256, x-amz-server-side-encryption in each API call.
155
I have set up two buckets in us-east-1 and I wnat to replicate from one bucket to another, can I use cross-region replication?
No, the dest bucket has to be in a different region, it can be even in a different region in a sperate account.
156
I am going to use cross-region replication between two buckets, I am using customer-managed keys, what is my configuration?
You cna use customer-managed keys, you can only use unencrypted dor AWSmanaged keys.
157
When I create a cross-region replication, what is required by the s3 service for both the source and dest buckets?
S3 needs permissions and this is done in a role with two actions, one action allowing s3 access the source, one action allowing s3 access the dest.
158
I need the ability to provide my global customer with access to static content in my s3 bucket in us-east-1, I am concerned about latency for a customer in Asia, should I replication using regional replication to another bucket for the asian customer or is there other options?
You could use s3 as an origin endpoint and use CloudFront to distribute your static files to global regions reducing the latency for your customers.
159
I require backup for my on-prem files, these files are accessed once every 6mts as part of our disaster recovery, access to the data quickly is not needed, what s3 storage tier should I use?
- Not s3 standard because it is the high price of the tiers and also is a hot tier.
- Not s3 standard IA as this is hot storage, you could use it but you are paying a premium for it being hot.
- No S3 Zone IA as it is hot also.
- Glacier is a good option as it offers the ability to retrieve the data when needed and offers a lower price, as we are OK with retrieving data in hours Glacier is a good choice.
160
I require backup for my on-prem files, these files are accessed once every 12mts as part of our disaster recovery, access to the data quickly needs to be in min, what s3 storage tier should I use?
Glacier as it offers the ability to retrieve data in the minutes and because it is only accessed once a year the cost of retrieval is less than a year of storage and retrieval cost of other storage tiers.
161
I am backing up files and the software requires immediate access to the dat when needed, what s3 storage tier should I use?
zone in offers 11x9 but it is in a single zone (risk), Standard IA offers 11x9 and is lower prices then s3 standard.
162
What are the options I have to encrypt object data in s3?
Server-side encryption with AWS keys
Server-side encryption with customer-provided keys
Customer encrypted data (where customer encrypts the data before it is sent to AWS S3)
163
I wnat to use customer provided key and I am calling the API what do I need to pass in the API call?
You need to pass the x-amz-server-side-encryption-customer-key
164
What is the difference between SSE-s3 (S3 managed keys) and SSE-KMS (KMS managed keys)?
With SSE-S3, keys are managed by S3, S3 encrypts the object with a key and stores it with the object.
With SSE-KMS, S3 asks KMS for a key and KMS return bot plane and encrypted keys under the CMK, the plane test key is used to encrypt the object and is then discarded, the encrypted keys are stored with her object.
165
I wnat to ensure that only uploads to a bucket will be encrypted and use AES256, how cna I do this?
Bucket policy, you can create a policy with two statements, one for checking the header x-amz-server-side--encryption for AES256 and one for checking x-amz-server-side-encryption true.
166
I have to upload 1TB of data to s3, I have a VPN and a DirectConect as a primary, I also am using endpoints in my VPC to connect with s3, how can I get the shortest time to upload the data when using the CLI?
use multipart upload as it enables parallel upload of sperate chunks of the data.
167
I have a bucket in east-us-1 and I get uploads all the time from Asia, I want to improve the upload time, how cna I do this?
You can enable transfer acceleration on the bucket, this enables you to get new CloudFront endpoints that will be used to upload to and the CloudFront will send the data over the AWS network. TransferAccelerator dose does not require you to set up CloudFront, but you get to take advantage of it.
168
I have a customer in Asia that is migrating its on-prem application to the us-east-1 region on AWS, we have a short window to transfer the 1TB of the file to s3 us-east-1, how cna I ensure the transfer happen as quickly as possible?
You cna use multi-part upload and transfer accelerator.
169
I need a shared file system, how cna I set this up on s3?
You can, s3 is an object store, you could use EFS or FSx depending on the requirement for SMB(FSx) or NFS(EFS)
170
I want to have s3 SSE encrypt my data when I make an API call, what is the header I need to set in the API call?
x-amz-server-sideencryption
171
If I have a file in s3 and version is turned off, what will the version id be?
Null as the version id only starts when the versioning is turned on
172
I have an s3 bucket with version disabled,
- I upload file 1
- I turn on version
- I upload file 2 and 3
- I upload file 2 again
What will be the state of the versions on the files?
- File 1: null as it was created before a version was enabled
- File 2: has two versions as it was uploaded and changed after a version was enabled
- File 3: has one version as it was uploaded once after a version was turned on
173
