Chapter 3: Identity and Access Management & S3 Flashcards
Define IAM
IAM - Identity and Access Management
Allows you to manage users (and other identities) and their level of access to the AWS Console and AWS APIs.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
What are the different features of IAM?
1) Centralized Control of your AWS Account
2) Shared access to your AWS Account
3) Granular Permissions
4) Identity Federation (including Active Directory, Facebook, LinkedIn, etc.)
5) Multi-factor Authentication
6) Provide Temporary access for users/devices and services where necessary
7) Allows you to set up your own password rotation policy
8) Integrates with many different AWS Services
9) Supports PCI DSS Compliance
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
One of IAM’s features is Identity Federation. What does that mean?
You can federate identities from Facebook, LinkedIn, Active Directory, etc. into IAM, so users can log into the AWS Console with the same credentials they already use for Windows (Active Directory) or Facebook instead of a separate IAM user password.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
One of IAM’s features is that it can provide temporary access for users/devices and services where necessary. What’s an example of that?
Say someone is playing a mobile game whose data is stored in your AWS account. You don't want to create a permanent IAM user for them; you only want to hand out temporary credentials, scoped so they can view their own game data.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
One of IAM’s features is that it supports PCI DSS Compliance. What does that mean?
PCI DSS is a compliance framework: if you take credit card details you need to comply with it, and IAM's controls (granular permissions, MFA, password policies) help you meet its requirements.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
IAM - Define Users
End users such as people, employees of an organization, etc.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
IAM - Define Groups
A collection of users. Each user in the group inherits the permissions of the group.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
IAM - Define Policies
Policies are made up of documents called policy documents. These documents are in JSON format and they define what a user, group or role is allowed (or explicitly denied) to do.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
IAM - Define Roles
A role defines a set of permissions for making AWS service requests. Roles are not associated with a specific user or group. Instead, trusted entities assume the role: IAM users, applications, or AWS services such as EC2.
Reference:
https://aws.amazon.com/iam/faqs/#:~:text=An%20IAM%20role%20is%20an,AWS%20services%20such%20as%20EC2.
What is the format of an IAM user's sign-in link?
https://CUSTOMNAME.signin.aws.amazon.com/console
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-lab/watch
What is the IAM user's sign-in link?
The URL users go to in order to sign into the account associated with that URL. By default CUSTOMNAME is your 12-digit account ID; you can replace it with an account alias.
Changing the link is effectively a DNS change: the alias is global (not region specific) and must be unique across all AWS accounts.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-lab/watch
Define Root Account
The root account is the identity tied to the email address you signed up with. It gives you "god mode": every permission in the account, including tasks no IAM user can perform (closing the account, changing the support plan).
Generally you don't want people using the root account day to day, so you create IAM users and roles instead, protect root with MFA and keep its credentials locked away.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-lab/watch
Is IAM region specific or global?
Global!
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-lab/watch
Which region usually gets new features first (and, per the course, is also the region that goes down the most)?
US East (N. Virginia)
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
How do you get to the IAM page in the AWS Console?
AWS Console Services -> Security, Identity and Compliance -> IAM
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
What is MFA?
Multi-factor Authentication. Enable MFA on your root account (and ideally on every user) so that someone who obtains your password still can't log in without the second factor.
The QR code shown during MFA setup encodes the TOTP secret: keep a copy somewhere secure and offline, because anyone who has it can generate valid codes, and without it you can't re-enrol a lost device.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
What are the 2 different access types a user can have in IAM?
1) Programmatic Access - Enables an access key ID and secret access key for the AWS API, CLI, SDKs and other development tools.
2) AWS Management Console Access - Enables a password that allows the user to sign in to the AWS Management Console.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
What does the logo for an AWS Managed Policy look like?
https://summitroute.com/img/AWSManagedPolicies.png
After you create a user and are provided with the secret access key and password, what should you do with them?
Save them! The secret access key is shown only once, right after you create the user (or the key); you can download it by clicking "Download .csv". If you lose it you can't retrieve it, only create a new key. Store it in a secrets manager, never in source control or a shared document.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
What format are policies written in?
JSON - JavaScript Object Notation.
Ex. (this policy grants every S3 action on every resource, so it is a full-access policy rather than a least-privilege one):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FullAccess",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["*"]
    }
  ]
}
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
Can you log into your AWS account using your secret access key and ID?
No! The access key ID and secret access key are programmatic credentials for the API, CLI and SDKs; they are not a console password. They are still credentials, though: anyone who obtains them can call the APIs as that user, so protect them just as carefully.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
What permissions do users have when they’re first created?
NONE! They have no permissions when first created.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
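The cards above show a policy document and state that a new user starts with no permissions. The Python below is an added example, not code from the course or from AWS: it models how IAM decides a request (an explicit Deny wins, otherwise a matching Allow is required, otherwise the result is an implicit deny). It goes slightly beyond the card by including a Condition on aws:SecureTransport, the kind of statement a bucket policy uses to refuse plaintext HTTP. The bucket ARN, policies and request contexts are constructed; NotAction, Principal and most condition operators are not modelled.

```python
"""Minimal model of IAM policy evaluation (added example, not AWS code).

Decision order: any matching explicit Deny is final; otherwise a matching
Allow is needed; with neither, the request is implicitly denied. Supports
IAM-style wildcards and the Bool / StringEquals condition operators only.
"""
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, name, case_insensitive=False):
    # IAM wildcards: '*' matches any run of characters and '?' one character.
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    if case_insensitive:
        name = name.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(name, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """All condition keys must match; a key missing from the request context
    makes a Bool or StringEquals test fail, as it does in IAM."""
    for operator, tests in (condition or {}).items():
        for key, expected in tests.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Deny' (explicit), 'Allow' or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(json.loads(policy)["Statement"]):
            if not _matches(stmt["Action"], action, case_insensitive=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"            # explicit deny is final
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample policies; the bucket name is a placeholder.
BUCKET = "arn:aws:s3:::example-bucket"

READ_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOnlyOnOneBucket",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET, BUCKET + "/*"],
    }],
})

# Bucket-policy style statement: refuse anything not sent over TLS.
DENY_PLAINTEXT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyNonTLS",
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": [BUCKET, BUCKET + "/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})


def demo():
    obj = BUCKET + "/reports/q1.csv"
    both = [READ_ONLY, DENY_PLAINTEXT]
    return {
        "new user, no policy": evaluate([], "s3:GetObject", obj),
        "read-only GET": evaluate([READ_ONLY], "s3:GetObject", obj),
        "read-only PUT": evaluate([READ_ONLY], "s3:PutObject", obj),
        "GET over HTTP": evaluate(both, "s3:GetObject", obj, {"aws:SecureTransport": "false"}),
        "GET over HTTPS": evaluate(both, "s3:GetObject", obj, {"aws:SecureTransport": "true"}),
    }
```

Run demo() to see the five outcomes. The point to notice is that attaching DENY_PLAINTEXT can only narrow access, never widen it, and that a brand-new user with no policy at all gets an implicit deny for everything.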
What is a billing alarm?
If you are using AWS services beyond the free tier, a billing alarm lets you set a spend threshold; when your estimated charges exceed that amount you receive a notification.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/billing-alarm/watch
How do you get to the Billing Alarm page in AWS Console?
AWS Console Services -> Management & Governance -> CloudWatch -> Billing
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/billing-alarm/watch
What are the 2 components of a billing alarm?
CloudWatch and SNS (Simple Notification Service) topic. SNS is a way of notifying you that your alarm has gone off.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/billing-alarm/watch
What does S3 Stand for?
S3 (Simple Storage Service)
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What does S3 do?
Provides secure, durable, highly scalable object storage. It uses a simple web services interface to store and retrieve any amount of data from anywhere on the web.
- a safe place to store your files
- it's object-based storage
- data is spread across multiple devices and facilities
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What are some basics to know about S3?
- S3 is object based - i.e. it allows you to upload files
- Files can be from 0 bytes to 5 TB
- There is unlimited storage
- Files are stored in buckets (roughly, top-level folders)
- Bucket names live in a universal namespace: you can't use a bucket name that anyone else already uses, even if your bucket is in a different region.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What are the 2 different formats for S3 bucket URLs?
1) https://BUCKETNAME.s3.amazonaws.com/
2) https://BUCKETNAME.s3.eu-west-1.amazonaws.com/
The first form is the legacy global endpoint, which resolves directly only for buckets in US East (N. Virginia); the second, regional form is the virtual-hosted-style endpoint that works for every region and is the one to use.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What do you receive when you successfully upload a file to S3.
An HTTP 200 status code.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What are objects in S3 and what do they consist of?
Objects are basically files in your bucket (folder).
They consist of:
1) Key - name of the object
2) Value - data made up of sequences of bytes
3) Version ID
4) Metadata - data about data
5) Subresources
- Access Control Lists
- Torrent
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
Define how the data consistency model works in S3.
1) Read-after-write consistency for PUTS of new objects
2) Eventual consistency for overwrite PUTS and DELETES
Re-worded:
1) if you write a new file and read it immediately afterwards, you will be able to view that data.
2) if you update an existing file or delete a file and read it immediately, you may get the older version; the change can take a little time to propagate.
NOTE:
This is the model the course describes. Since December 2020 S3 provides strong read-after-write consistency for all PUT and DELETE operations (overwrites, deletes and list operations included), so point 2 no longer applies; check the S3 FAQ.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What are Amazon's guarantees for S3?
1) Designed for 99.99% availability; the S3 SLA commits to 99.9% for S3 Standard
2) Designed for 99.999999999% (11 9's) durability of objects, so it is very unlikely that data is lost (this is a design target, not a contractual guarantee)
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What are the features of S3?
1) Tiered Storage Available
2) Lifecycle Management - moving to different storage tiers
3) Versioning
4) Encryption
5) MFA Delete
6) Secure your data using ACL and Bucket Policies
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What are the 6 different S3 storage classes (tiers)?
- S3 Standard
- S3 Standard-IA
- S3 One Zone-IA
- S3 Intelligent-Tiering
- S3 Glacier
- S3 Glacier Deep Archive
- S3 Outposts (not mentioned in AcloudGuru)
Reference:
- https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
- https://aws.amazon.com/s3/storage-classes/
S3 Storage Classes - Define S3 Standard
- 99.99% availability
- 99.999999999% (11 9's) durability
- Stored redundantly across multiple devices in multiple facilities (Availability Zones)
- Designed to sustain the loss of 2 facilities concurrently
- Highly available, no retrieval fee
- Most expensive per GB stored
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
S3 Storage Classes - Define S3 IA
IA (Infrequently Accessed)
- Data that is accessed less frequently, but requires rapid access when needed.
- Lower storage fee than S3 Standard, but you are charged a per-GB retrieval fee
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
S3 Storage Classes - Define S3 One Zone - IA
Lower-cost option for infrequently accessed data that doesn't require multi-AZ resilience: data is stored in a single AZ, so it is lost if that AZ is destroyed.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
S3 Storage Classes - Define S3 Intelligent Tiering
Optimizes cost by automatically moving objects between access tiers based on observed access patterns, with no performance impact or operational overhead (a small per-object monitoring fee applies).
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
S3 Storage Classes - Define S3 Glacier
- Secure, durable and low-cost storage class for data archiving (store data for long periods of time)
- Retrieval times configurable from minutes to hours
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
S3 Storage Classes - Define S3 Glacier Deep Archive
- Similar to Glacier, but the standard retrieval time is within 12 hours
- Cheaper than S3 Glacier
- Cheapest storage class overall
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
S3 Storage Classes Price comparison
https://jayendrapatil.com/wp-content/uploads/2016/03/S3-Storage-Classes-Performance.png
What aspects are you charged for S3?
- Storage
- Number of requests
- Storage management pricing (storage tiers)
- Data Transfer Pricing
- Transfer Acceleration
- Cross Region Replication Pricing
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What is Cross Region Replication?
If you have 2 buckets in 2 different regions with cross region replication turned on, then whenever you upload to the source bucket, the destination bucket is automatically updated with a copy of that object.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What is S3 Transfer Acceleration?
- Enables fast, easy and secure transfers of files over long distances between your end users and an S3 bucket.
- Takes advantage of Amazon CloudFront's globally distributed edge locations: users upload to the nearest edge location and from there the data is routed to the S3 bucket.
- As data arrives at an edge location it is routed to Amazon S3 over an optimized network path (the CloudFront edge network).
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
Can I install an operating system in my S3 bucket?
No! S3 buckets are meant for object based storage, block based storage is more suitable for installing an operating system.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What does ACL stand for and what does it do?
ACL (Access Control List) enables you to manage access to buckets and objects at the individual grant level. ACLs are the legacy mechanism: AWS now recommends disabling them (Object Ownership set to "bucket owner enforced", the default for new buckets) and using bucket policies and IAM policies instead.
Reference:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl_overview.html
What is the format of an object URL?
https://BUCKETNAME.s3.amazonaws.com/FILENAME.EXT
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/create-bucket/watch
If I make a bucket publicly accessible does that make all objects in the bucket public?
Nope! Making the bucket public does not make the objects inside it public; with ACLs you need to make each object public individually.
If you use a bucket policy instead, the policy can grant public read on every object at once. Also note that S3 Block Public Access, which is on by default for new buckets, overrides both public ACLs and public bucket policies until you explicitly turn it off.
Reference:
- https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/create-bucket/watch
- https://www.h3xed.com/web-development/how-to-make-all-objects-in-amazon-s3-bucket-public-by-default
- https://learn.cantrill.io/courses/730712/lectures/14041055
Are bucket names global or region specific?
Universal! You can’t have the same bucket name as someone else.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/create-bucket/watch
What are 3 different ways you can restrict bucket access?
1) Bucket Policies - apply across the whole bucket
2) Object ACLs (the course calls these "object policies") - apply to individual objects
3) IAM Policies attached to users, groups and roles - apply to those identities
What is the cheapest S3 storage tier?
S3 Glacier Deep Archive
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0df6cf4a-3241-ae45-a869-d1cc886a74fe/watch
What is the most expensive S3 storage tier?
S3 Storage Standard
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0df6cf4a-3241-ae45-a869-d1cc886a74fe/watch
Rank the S3 storage tiers from most expensive to least expensive (1 - 6)
1) S3 Standard
2) S3 Standard-IA
3) S3 Intelligent-Tiering
4) S3 One Zone-IA
5) S3 Glacier
6) S3 Glacier Deep Archive
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0df6cf4a-3241-ae45-a869-d1cc886a74fe/watch
All newly created buckets are PRIVATE. You can setup access control to your buckets using…
- Bucket Policies
- Access Control Lists
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch
What are S3 Access Logs?
- You can configure a bucket to write server access logs that record every request made to it (requester, operation, key, status, source IP).
- The logs are delivered to another bucket, which can be in another account; delivery is best-effort, so for a complete audit trail use CloudTrail data events alongside them.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch
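As an added example (not from the course), here is a parser for S3 server access log lines with a few detection rules a practitioner would run over them: anonymous requests that succeeded, requests without TLS, AccessDenied probing, and ACL or bucket-policy writes. The field order is the documented server access log format; the four log lines, the bucket name, the owner ID and the request IDs are constructed samples.

```python
"""Parse S3 server access log lines and flag risky requests (added example).

Field order is the documented S3 server access log format; the sample
lines at the bottom are constructed, not real log data.
"""
import re

FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "auth_type", "host_header", "tls_version",
    "access_point_arn", "acl_required",
]
# A token is a [bracketed time], a "quoted string", or a run of non-space.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_line(line):
    """Return a dict keyed by FIELDS; '-' (S3's null) becomes None."""
    tokens = [t.strip('[]"') for t in TOKEN.findall(line)]
    if len(tokens) < 24:
        raise ValueError(f"short log line: {len(tokens)} fields")
    rec = {name: (None if tok == "-" else tok) for name, tok in zip(FIELDS, tokens)}
    rec["http_status"] = int(rec["http_status"])
    return rec


def flags_for(rec):
    """Heuristics a reviewer of S3 access logs would want raised."""
    flags = []
    if rec["requester"] is None and rec["http_status"] < 400:
        flags.append("anonymous-success")   # unauthenticated request that worked
    if rec["tls_version"] is None:
        flags.append("plaintext-http")      # no TLS: data and auth in the clear
    if rec["error_code"] == "AccessDenied":
        flags.append("access-denied")       # probing, or a misconfigured client
    op = rec["operation"] or ""
    # Operation names follow REST.<method>.<resource>; ACL and bucket-policy
    # writes change who can reach the data.
    if op.startswith("REST.PUT.") and op.endswith((".ACL", ".BUCKETPOLICY")):
        flags.append("permission-change")
    return flags


def scan(lines):
    """Return [(request_id, flags)] for every line that raised a flag."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        flags = flags_for(rec)
        if flags:
            results.append((rec["request_id"], flags))
    return results


# Constructed sample log: one clean request, one anonymous probe over HTTP
# that was denied, one anonymous read that succeeded, one ACL change.
OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
HOST = "DOC-EXAMPLE-BUCKET.s3.us-west-1.amazonaws.com"
SAMPLE_LOG = f"""
{OWNER} DOC-EXAMPLE-BUCKET [06/Feb/2019:00:00:38 +0000] 192.0.2.3 {OWNER} 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 12 10 "-" "aws-cli/2.0" - s9lzHYrFp76ZVxRcpX9EXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader {HOST} TLSV1.2 - -
{OWNER} DOC-EXAMPLE-BUCKET [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - 7B2DE6FEEXAMPLE REST.GET.OBJECT secrets/db.env "GET /secrets/db.env HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/8.1.2" - h1Y7EXAMPLE= - - - {HOST} - - -
{OWNER} DOC-EXAMPLE-BUCKET [06/Feb/2019:00:01:40 +0000] 198.51.100.7 - 9C1A0B2EEXAMPLE REST.GET.OBJECT backups/users.sql "GET /backups/users.sql HTTP/1.1" 200 - 50331648 50331648 900 15 "-" "curl/8.1.2" - k3JEXAMPLE= - ECDHE-RSA-AES128-GCM-SHA256 - {HOST} TLSV1.2 - -
{OWNER} DOC-EXAMPLE-BUCKET [06/Feb/2019:00:02:15 +0000] 192.0.2.3 {OWNER} 1F4E5A6BEXAMPLE REST.PUT.ACL backups/users.sql "PUT /backups/users.sql?acl HTTP/1.1" 200 - - 50331648 30 25 "-" "S3Console/0.4" - r8QEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader {HOST} TLSV1.2 - -
""".strip().splitlines()
```

scan(SAMPLE_LOG) flags the second, third and fourth lines; the first, an authenticated GET over TLS, is silent. The anonymous successful read of backups/users.sql is the one to chase first, since it means the object or bucket was reachable without credentials.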
How is encryption in transit achieved?
It's achieved with SSL/TLS: access S3 over HTTPS rather than HTTP. You can enforce it with a bucket policy that denies every request whose aws:SecureTransport condition key is false.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch
How is encryption at rest achieved?
Encryption at rest means the data is encrypted where it is stored.
2 ways/sides:
1) Server side - Amazon encrypts the object after it arrives (3 types: SSE-S3, SSE-KMS, SSE-C)
2) Client side - you encrypt the object before uploading it to AWS.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch
What are the 2 encryption methods in S3?
1) Encryption in transit
2) Encryption at rest
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch
What are the 4 different ways you can achieve encryption at rest (3 server-side options plus client-side)?
1) S3 Managed Keys - SSE-S3
2) AWS Key Management Service managed keys - SSE-KMS
3) Server-side encryption with customer-provided keys - SSE-C
4) Client-side encryption
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch
Define S3 Managed Keys - SSE - S3 (Encryption at Rest for S3 - Server Side)
Amazon manages all the keys for you (AES-256). Since January 2023 this is applied by default to every new object in every bucket.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch
Define AWS Key Management Service, Managed Keys - SSE-KMS (Encryption at Rest for S3 - Server Side)
You and Amazon manage the keys together: the keys live in AWS KMS, you control the key policy (and can use your own customer managed key), every use of the key is logged in CloudTrail, and you can rotate it.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch
Define Server Side Encryption With Customer Provided Keys - SSE-C (Encryption at Rest for S3 - Server Side)
You supply your own key with every request (over HTTPS only); S3 uses it to encrypt or decrypt the object and then discards it, so you are responsible for storing the key and sending it with every later request.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch
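An added example (not from the course) of what SSE-C actually sends: the three request headers S3 requires and the integrity check S3 performs on them. The header names and the base64 / MD5 encodings are the documented ones; the sample key used in the test is a placeholder and must never be used for real data.

```python
"""Build and verify SSE-C request headers (added example, not AWS code).

With SSE-C the AES-256 key travels with every request over HTTPS. S3 uses
it and discards it, keeping only a salted HMAC of the key to validate later
requests, so losing the key means losing the data.
"""
import base64
import hashlib
import os

ALGO_HEADER = "x-amz-server-side-encryption-customer-algorithm"
KEY_HEADER = "x-amz-server-side-encryption-customer-key"
MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"


def new_key():
    """Generate a fresh 256-bit key; you must store it, S3 will not."""
    return os.urandom(32)


def sse_c_headers(key):
    """Headers to attach to a PUT (and again to every GET/HEAD of the object)."""
    if len(key) != 32:
        raise ValueError("SSE-C needs a 256-bit (32-byte) AES key")
    return {
        ALGO_HEADER: "AES256",
        KEY_HEADER: base64.b64encode(key).decode("ascii"),
        # MD5 of the raw key lets S3 detect a key corrupted in transit.
        MD5_HEADER: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def verify_sse_c_headers(headers):
    """Replicate the check S3 performs on receipt: algorithm is AES256, the
    key decodes to 32 bytes, and its MD5 matches the MD5 header."""
    if headers.get(ALGO_HEADER) != "AES256":
        return False
    try:
        key = base64.b64decode(headers[KEY_HEADER], validate=True)
        digest = base64.b64decode(headers[MD5_HEADER], validate=True)
    except (KeyError, ValueError):
        return False
    return len(key) == 32 and hashlib.md5(key).digest() == digest
```

The MD5 header is an integrity check, not a secret: it only tells S3 the key it received is the one you meant to send. The key header itself is the secret, which is why SSE-C requests are refused over plain HTTP.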
How does Client Side Encryption work for Encryption at Rest?
Encrypt the object yourself before upload (for example with the AWS Encryption SDK) and store the ciphertext in S3; S3 never sees the plaintext or the key.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch
What is versioning in S3?
- Stores all versions of a file
- Great backup tool
- Once enabled, versioning cannot be disabled, only suspended
- Integrates with Lifecycle rules
- Versioning’s MFA Delete capability can be used to provide an additional layer of security.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-versioning/watch
If you make an object public in a bucket, does that mean all its version will be public?
Nope! Each version has its own ACL, so you need to make each version public individually.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-versioning/watch
What happens when you delete an object and versioning is turned on?
A delete marker is placed on top; the object looks deleted but every version is still there. If you delete the delete marker (a delete that names its version ID) the object is restored. Deleting a specific version ID removes that version permanently.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-versioning/watch
What happens when you suspend versioning in S3?
New or updated objects no longer get new versions (they are stored with a null version ID), but existing versions are preserved. You can only suspend versioning, never disable or remove it.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-versioning/watch
What is lifecycle management?
Automates moving your objects between storage tiers after a set number of days, and can also expire (delete) objects or old versions.
Can be used with versioning (rules can target current or non-current versions).
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-lifecycle/watch
What is the WORM model? What does it stand for?
- WORM (Write Once, Read Many) is the model S3 Object Lock implements.
- Helps prevent objects from being deleted or modified for a fixed amount of time or indefinitely. Object Lock requires versioning to be enabled on the bucket.
What are the 2 different Object Lock modes?
- Governance Mode
- Compliance Mode
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-lifecycle/watch
Define Governance Mode for S3 Object Lock.
- Users can't overwrite or delete an object version or alter its lock settings unless they have the special permission (s3:BypassGovernanceRetention) and explicitly ask to bypass it.
- This mode protects objects against deletion by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-lifecycle/watch
Define Compliance Mode for S3 Object Lock.
- A protected object version can’t be overwritten or deleted by any user, including the root user in your AWS account
- The retention period can’t be changed either
- This mode ensures that an object version can’t be overwritten or deleted for the duration of the retention period
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/e04a6021-789d-4fb5-a890-337a0c0cda66/watch
Define retention period (term used with S3 Object Lock and Glacier Vault)
- It protects an object version for a fixed amount of time.
- S3 stores a "retain until" timestamp in the object version's metadata to indicate when the retention period expires.
- After the retention period expires, the object version can be overwritten or deleted unless a legal hold has also been placed on it.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/e04a6021-789d-4fb5-a890-337a0c0cda66/watch
Define what a Legal Hold is (this term is used with S3 Object Lock and Glacier Vault)
- It prevents an object version from being overwritten or deleted.
- It is not associated with a retention period and remains in effect until removed.
- Legal holds can be freely placed and removed by any user who has the s3:PutObjectLegalHold permission.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/e04a6021-789d-4fb5-a890-337a0c0cda66/watch
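The versioning cards above (delete markers, restoring by removing the marker) and the Object Lock cards (governance vs compliance mode, retention periods, legal holds) describe rules that are easier to understand once exercised. The Python below is an added example, not code from the course or from AWS: a small in-memory model of those rules. Version IDs, the epoch-second clock and the bypass_governance flag (standing in for the s3:BypassGovernanceRetention permission) are this model's assumptions.

```python
"""In-memory model of S3 versioning, delete markers and Object Lock (added example)."""
import itertools
from dataclasses import dataclass
from typing import Optional


class LockError(PermissionError):
    """Where S3 would answer 403 AccessDenied for a locked version."""


@dataclass
class Version:
    version_id: str
    data: Optional[bytes]               # None marks a delete marker
    mode: Optional[str] = None          # "GOVERNANCE" or "COMPLIANCE"
    retain_until: Optional[int] = None  # epoch seconds; None = no retention
    legal_hold: bool = False


class VersionedBucket:
    """Bucket with versioning enabled (a prerequisite for Object Lock)."""

    def __init__(self):
        self._ids = itertools.count(1)   # assumption: sequential version IDs
        self._versions = {}              # key -> [Version, ...], newest last

    def put(self, key, data):
        version = Version(f"v{next(self._ids)}", data)
        self._versions.setdefault(key, []).append(version)
        return version.version_id

    def get(self, key):
        """Plain GET returns the current version. A delete marker on top makes
        the key look deleted (404) while every older version is retained."""
        versions = self._versions.get(key, [])
        if not versions or versions[-1].data is None:
            raise KeyError(key)
        return versions[-1].data

    def version_ids(self, key):
        return [v.version_id for v in self._versions.get(key, [])]

    def delete(self, key, version_id=None, now=0, bypass_governance=False):
        """DELETE without a version ID only adds a delete marker. DELETE of a
        specific version removes it for good (deleting the marker itself
        restores the object), and that is where Object Lock is enforced."""
        versions = self._versions.setdefault(key, [])
        if version_id is None:
            versions.append(Version(f"v{next(self._ids)}", None))
            return
        version = self._find(key, version_id)
        self._check_lock(version, now, bypass_governance)
        versions.remove(version)

    def set_retention(self, key, version_id, mode, retain_until, bypass_governance=False):
        """Compliance retention can only be extended; governance retention can
        be shortened only with the bypass permission."""
        version = self._find(key, version_id)
        shortening = version.retain_until is not None and retain_until < version.retain_until
        if version.mode == "COMPLIANCE" and (mode != "COMPLIANCE" or shortening):
            raise LockError("compliance retention can only be extended")
        if version.mode == "GOVERNANCE" and shortening and not bypass_governance:
            raise LockError("shortening governance retention needs bypass permission")
        version.mode, version.retain_until = mode, retain_until

    def set_legal_hold(self, key, version_id, on):
        """Needs s3:PutObjectLegalHold; independent of any retention period."""
        self._find(key, version_id).legal_hold = on

    def _find(self, key, version_id):
        for version in self._versions.get(key, []):
            if version.version_id == version_id:
                return version
        raise KeyError(version_id)

    @staticmethod
    def _check_lock(version, now, bypass_governance):
        if version.legal_hold:
            raise LockError("legal hold in effect until explicitly removed")
        if version.retain_until is None or now >= version.retain_until:
            return                       # no retention, or it has expired
        if version.mode == "COMPLIANCE":
            raise LockError("compliance mode: no one, root included, can delete")
        if not bypass_governance:
            raise LockError("governance mode: needs s3:BypassGovernanceRetention")


def outcome(func, *args, **kwargs):
    """Run an operation and report 'ok' or the exception class name."""
    try:
        func(*args, **kwargs)
        return "ok"
    except (LockError, KeyError) as exc:
        return type(exc).__name__
```

The two things worth trying by hand: a plain delete never destroys data (it only adds a marker, and removing the marker brings the object back), and a version under compliance retention survives even a delete that carries the governance bypass flag, while a legal hold outlives the retention period entirely.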
Define Glacier Vault Lock.
- Allows you to easily deploy and enforce compliance controls for individual S3 Glacier vaults with a vault lock policy
- You can specify controls, such as WORM, in a vault lock policy and lock the policy against future edits
- Once locked, the policy can no longer be changed
- Applies to archives inside S3 Glacier vaults (the standalone Glacier service), not to objects in S3 buckets
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/e04a6021-789d-4fb5-a890-337a0c0cda66/watch
What's the difference between S3 Object Lock and Glacier Vault Lock?
- S3 Object Lock is for objects in S3 buckets (including the Glacier storage classes)
- S3 Object Lock has 2 modes (governance and compliance)
- Glacier Vault Lock is for archives in S3 Glacier vaults
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/e04a6021-789d-4fb5-a890-337a0c0cda66/watch
What is the prefix in this S3 example?
mybucketname/folder1/subfolder1/myfile.jpg
folder1/subfolder1/ (the course writes it as /folder1/subfolder1; object keys have no leading slash)
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch
What’s a prefix in S3?
The "folder" part of the object key, between the bucket name and the file name. S3 has no real folders: the key is one flat string and the prefix is just its leading part up to the last slash.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch
S3 Performance, Does S3 have low or high latency?
low latency. You can get first byte out of S3 within 100-200 milliseconds
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch
How many requests per second does S3 support per prefix?
3,500 PUT/COPY/POST/DELETE requests per second per prefix.
5,500 GET/HEAD requests per second per prefix.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch
How can you achieve better performance with S3 prefixes?
By spreading reads and writes across different prefixes.
Ex. with 2 prefixes you can achieve 11,000 GET/HEAD requests per second.
With 4 prefixes you can achieve 22,000 GET/HEAD requests per second.
The more prefixes, the higher the aggregate throughput.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch
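An added example (not from the course) showing what a prefix is in code and the technique the card describes: re-keying objects under hashed prefixes so that requests spread across several prefixes instead of piling onto one. The shard count and the sample key names are assumptions.

```python
"""Prefixes in S3 keys and spreading load across them (added example)."""
import hashlib
from collections import Counter

READS_PER_PREFIX = 5500    # GET/HEAD per second per prefix
WRITES_PER_PREFIX = 3500   # PUT/COPY/POST/DELETE per second per prefix


def split_key(key):
    """'folder1/subfolder1/myfile.jpg' -> ('folder1/subfolder1/', 'myfile.jpg')"""
    head, sep, name = key.rpartition("/")
    return head + sep, name


def prefix_histogram(keys):
    """How many keys share each prefix: a single dominant prefix is the
    bottleneck, because every request to it counts against one rate limit."""
    return Counter(split_key(k)[0] for k in keys)


def shard_key(key, shards=16):
    """Re-key under a deterministic hashed prefix ('0a/logs/x.txt') so that
    hot keys spread evenly over `shards` prefixes. The mapping is stable, so
    a reader can recompute the prefix from the original key."""
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return f"{digest[0] % shards:02x}/{key}"


def estimated_rps(keys, reads=True):
    """Aggregate request rate the current key layout can sustain, using the
    per-prefix figures quoted in the card."""
    per_prefix = READS_PER_PREFIX if reads else WRITES_PER_PREFIX
    return per_prefix * len(prefix_histogram(keys))
```

Hashed prefixes cost you the ability to list "a folder" in one call, so use them for hot, programmatically addressed objects, not for data people browse in the console.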
What are the limitations of using KMS (SSE-KMS) with S3 performance?
1) Every upload and download of a KMS-encrypted object counts towards the KMS request quota
2) The quota is region-specific: 5,500, 10,000 or 30,000 requests per second depending on the region
3) At the time of the course you could not request a quota increase; KMS request quotas are now adjustable through Service Quotas, and S3 Bucket Keys reduce the number of KMS calls
- When you upload a file, S3 calls GenerateDataKey in the KMS API
- When you download a file, S3 calls Decrypt in the KMS API
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch
What is a way to improve performance of S3 Uploads?
Multipart Uploads:
- Recommended for files over 100 MB
- Required for files over 5 GB
- Parallelize uploads (increases efficiency)
Can you improve S3 upload and download performance? If so, then how?
Yes!
Upload uses Multipart Uploads whereas Downloading uses S3 Byte-Range Fetches
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch
What is a way to improve performance of S3 downloads.
S3 Byte-Range Fetches
- Parallelize downloads by specifying byte ranges
- If a download fails, only that byte range needs to be retried
- Can also be used to download just part of a file
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch
When should I use S3 multipart upload?
When the file is over 100 MB; it must be used for files over 5 GB.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch
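The multipart upload and byte-range fetch cards above describe how large transfers are split. The Python below is an added example (not from the course) that plans the parts and Range headers under the documented S3 limits and shows the retry benefit of byte-range fetches: when one range fails, only that range is fetched again. The in-memory object and the flaky fetcher are constructed stand-ins for a real GET so it runs offline.

```python
"""Plan S3 multipart uploads and byte-range downloads (added example).

Size limits are the documented S3 limits (5 GB single PUT, 5 TB object,
5 MB minimum part, 10,000 parts); part numbering and the Range header
syntax are what S3 accepts.
"""
MiB = 1024 ** 2
GiB = 1024 ** 3
SINGLE_PUT_MAX = 5 * GiB         # larger objects must use multipart upload
MULTIPART_ADVISED = 100 * MiB    # AWS recommends multipart from about 100 MB
MIN_PART = 5 * MiB               # every part except the last must be >= 5 MiB
MAX_PARTS = 10_000
OBJECT_MAX = 5 * 1024 * GiB      # 5 TiB


def should_multipart(size):
    return size > MULTIPART_ADVISED


def must_multipart(size):
    return size > SINGLE_PUT_MAX


def plan_parts(size, part_size=8 * MiB):
    """Return (part_number, start, end) triples (end exclusive). Parts are
    numbered from 1 and the part size grows if 10,000 parts would not cover
    the object; only the final part may be smaller than MIN_PART."""
    if not 0 < size <= OBJECT_MAX:
        raise ValueError("object size must be 1 byte to 5 TiB")
    if part_size < MIN_PART:
        raise ValueError("part size must be at least 5 MiB")
    part_size = max(part_size, -(-size // MAX_PARTS))   # ceiling division
    parts, offset = [], 0
    while offset < size:
        end = min(offset + part_size, size)
        parts.append((len(parts) + 1, offset, end))
        offset = end
    return parts


def plan_ranges(size, chunk=8 * MiB):
    """Range headers for parallel byte-range fetches; S3 ranges are inclusive
    at both ends, so the first 8 MiB chunk is 'bytes=0-8388607'."""
    return [f"bytes={start}-{min(start + chunk, size) - 1}"
            for start in range(0, size, chunk)]


def download(size, fetch, chunk=8 * MiB, attempts=3):
    """Fetch each range with `fetch(range_header) -> bytes`, retrying only the
    range that failed. Returns (data, number_of_fetch_calls)."""
    chunks, calls = [], 0
    for header in plan_ranges(size, chunk):
        for attempt in range(attempts):
            calls += 1
            try:
                chunks.append(fetch(header))
                break
            except IOError:
                if attempt == attempts - 1:
                    raise
    return b"".join(chunks), calls


def make_flaky_fetcher(blob, fail_once_on):
    """Constructed stand-in for an S3 GET: serves `blob` by Range header and
    fails the first request for the range named in `fail_once_on`."""
    failed = set()

    def fetch(header):
        if header == fail_once_on and header not in failed:
            failed.add(header)
            raise IOError("simulated connection reset")
        start, end = map(int, header[len("bytes="):].split("-"))
        return blob[start:end + 1]

    return fetch
```

plan_parts(OBJECT_MAX) shows the less obvious limit: at 5 TiB the default 8 MiB part would need far more than 10,000 parts, so the planner has to raise the part size to roughly 524 MiB to stay within the part count.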
What is S3 Select?
- Enables applications to retrieve only a subset of data from an object by using simple SQL expressions.
- It can drastically improve performance, by as much as 400% according to AWS, and reduces the data transferred.
Ex. a gzip-compressed CSV in S3. Without S3 Select you download the whole file, decompress it and then extract the rows you need. With S3 Select you write a query and only the matching data is returned.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/91703a6e-55d0-4fce-93f8-9ed2ce43651b/watch
What is Glacier Select?
Allows you to run the same queries you could write with S3 Select against glacier directly.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/91703a6e-55d0-4fce-93f8-9ed2ce43651b/watch
What is AWS Organizations?
An account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.
- You group accounts into Organizational Units (OUs)
- Needs at least 2 different AWS accounts (the management account plus one member)
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0c2fb2ff-57cf-69a1-c419-5560d36e6e85/watch
What is Consolidated Billing?
- You have a paying (management) account and link multiple independent accounts to it; all the costs of the linked accounts are consolidated into 1 bill.
- The more you use, the less you pay per unit, so use consolidated billing to your advantage by linking accounts.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0c2fb2ff-57cf-69a1-c419-5560d36e6e85/watch
What are the advantages of Consolidated Billing?
- 1 Bill for AWS accounts in an organization (paid for by 1 account)
- very easy to track charges and allocate costs
- volume pricing discounts
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0c2fb2ff-57cf-69a1-c419-5560d36e6e85/watch
What are Service Control Policies?
In AWS Organizations, Service Control Policies offer central control over the maximum available permissions for all accounts in your organization, ensuring accounts stay within your organization's access control guidelines. SCPs set a ceiling: they never grant permissions on their own, and they do not apply to the management account.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0c2fb2ff-57cf-69a1-c419-5560d36e6e85/watch
What are some best practices with AWS Organizations?
- always enable multi-factor authentication on root account
- always use strong and complex password on all accounts (especially the root account)
- Paying account should be used for billing purposes only. Do not deploy resources into the paying account
- Enable/Disable AWS services using Service Control Policies (SCP) either an OU or on individual accounts
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0c2fb2ff-57cf-69a1-c419-5560d36e6e85/watch
What does SCP stand for?
Service Control Policy
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0c2fb2ff-57cf-69a1-c419-5560d36e6e85/watch
What are 3 different ways to share S3 buckets across accounts?
1) Using Bucket Policies and IAM (across the entire bucket). Programmatic Access only
2) Using Bucket ACLs and IAM (Individual Objects). Programmatic Access Only
3) Cross-account IAM Roles. Programmatic and Console Access
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/77de80db-187a-d61c-d8eb-5f643f3dbc6d/watch
Out of the 3 different ways to share S3 buckets across accounts, which way allows for both Programmatic AND console access?
Cross-account IAM roles.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/77de80db-187a-d61c-d8eb-5f643f3dbc6d/watch
Say you have a bucket A, with 5 items in it. Then turn on Cross Region Replication for another bucket B in another region. Will the 5 existing objects be replicated in the new bucket (B)?
Nope. Objects added after replication is enabled are replicated, but the 5 existing objects are not (the course's rule; today S3 Batch Replication can copy pre-existing objects on demand).
The same logic applies to versions: only versions created after replication is turned on are copied.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-crr/watch
If a bucket has versioning turned on and you use Cross Region Replication, will the new bucket need versioning turned on?
Yes! For Cross Region Replication, versioning NEEDS to be turned on in both source AND destination.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-crr/watch
If you change permissions in the source bucket, does it change the permissions of the destination bucket (Cross Region Replication)?
Nope. If items in the source bucket are public but the destination bucket is private (the default), then the destination's objects will also be private unless the configuration is changed.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-crr/watch
Can you Cross Region Replicate between buckets in different accounts?
Yes!
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-crr/watch
What is the URL format of S3 Transfer Acceleration?
BUCKETNAME.s3-accelerate.amazonaws.com
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/c2ac330d-708e-4fd1-89af-cd116f73c00f/watch
What is AWS DataSync?
- Used to move large amounts of data from on-premises to AWS
- Used with NFS and SMB compatible file systems
- Replication can be done hourly, daily, or weekly
- Install the DataSync agent to start replication
- Can be used to replicate EFS to EFS
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/c2ac330d-708e-4fd1-89af-cd116f73c00f/watch
How can you move on-premises data onto AWS?
Using DataSync!
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/c2ac330d-708e-4fd1-89af-cd116f73c00f/watch
What is CloudFront?
A Content Delivery Network (CDN) is a system of distributed servers that deliver webpages and other web content to a user based on the user's geographical location, the origin of the webpage, and the content delivery server.
Can be used to deliver your entire website, including dynamic, static, streaming, etc.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/cloudfront/watch
What is an Edge Location?
The location where content is cached. Separate from a Region/AZ.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/cloudfront/watch
What is an Origin?
The origin of all the files that the CDN will distribute. This can be an S3 bucket, an EC2 instance, an Elastic Load Balancer, or Route 53.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/cloudfront/watch
What is a Distribution?
The name given to the CDN, which consists of a collection of Edge Locations.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/cloudfront/watch
What are the 2 types of distributions?
1) Web(site) Distribution
2) RTMP - For media streaming
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/cloudfront/watch
Can you only read to an Edge Location?
Nope! You can both read and write to an Edge Location.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/cloudfront/watch
What does TTL stand for?
TTL stands for Time To Live.
Objects are cached for the length of the TTL.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/cloudfront/watch
Say you push out some data, find out something is wrong with it, and do an update, but the update doesn't take effect. What can you do?
Create an Invalidation. If you invalidate an object, you will be charged for it though.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/cloudfront-lab/watch
Say you have secure content that only authorized people are able to access (e.g. they need a subscription/premium membership or need to pay to view). How can you restrict people from accessing a premium/members-only site?
By using signed URL and/or signed cookies!
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/317376a7-6e57-4e4b-91e4-018855dcc861/watch
What is the difference between a Signed URL and Signed Cookie?
1) Signed URL is for an individual file, 1 file = 1 URL
2) A Signed Cookie is for multiple files, 1 cookie = multiple files
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/317376a7-6e57-4e4b-91e4-018855dcc861/watch
When you create a signed URL or signed cookie, a policy is attached. What does the policy include?
- URL expiration
- IP Ranges
- Trusted Signer (which AWS accounts can create signed URLs)
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/317376a7-6e57-4e4b-91e4-018855dcc861/watch
What does OAI stand for?
Origin Access Identity
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/317376a7-6e57-4e4b-91e4-018855dcc861/watch
How do you get to the IAM page in the AWS Console?
AWS Console Services -> Networking & Content Delivery -> CloudFront
What are some features of CloudFront Signed URL?
- Can have different origins. Does not have to be EC2
- Key-pair is account wide and managed by root user
- Can utilize caching features
- Can filter by date, path, IP address, expiration, etc.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/317376a7-6e57-4e4b-91e4-018855dcc861/watch
What are features of S3 Signed URL?
- Not using CloudFront, direct access to S3
- Issues a request as the IAM user who creates the pre-signed URL
- Limited lifetime
What’s the difference between CloudFront Signed URL and S3 Signed URL?
1) If an OAI is used to get to S3, then use a CloudFront Signed URL
2) If directly accessing a file in S3, then use an S3 Signed URL
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/317376a7-6e57-4e4b-91e4-018855dcc861/watch
Use CloudFront if my origin is ______?
EC2
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/317376a7-6e57-4e4b-91e4-018855dcc861/watch
What is Snowball?
A petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of the AWS cloud. Using Snowball addresses common challenges with large-scale data transfers, including high network costs, long transfer times, and security concerns.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/snowball/watch
What different levels of security does Snowball come with?
- tamper-resistant enclosures
- 256-bit encryption
- industry standard Trusted Platform Module (TPM)
- Once the transfer is done, AWS performs erasure of the Snowball (data can't be restored once erased)
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/snowball/watch
What are the 2 sizes a Snowball comes in?
50TB and 80TB
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/snowball/watch
What is a Snowball Edge?
A type of Snowball device with on-board storage and compute power for select AWS capabilities. You can use Snowball Edge to move large amounts of data into and out of AWS, as a temporary storage tier for large local datasets, or to support local workloads in remote or offline locations.
Gives compute and storage. Like having a mini, portable AWS.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/snowball/watch
What is a Snowmobile?
An exabyte-scale data transfer service used to move extremely large amounts of data to AWS. You can transfer up to 100PB per Snowmobile, a 45-foot long ruggedized shipping container pulled by a semi-trailer truck.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/snowball/watch
What is AWS Storage Gateway?
A service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization's on-premises IT environment and AWS's storage.
Physical or Virtual Device.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch
What am I downloading when I download the Storage Gateway application?
It's software available for download as a virtual machine image, which you install on a host in your data centre.
Once downloaded and linked with your AWS account, you can use the AWS Management Console to create the storage gateway option that is right for you.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch
What are the 3 different types of Storage Gateway?
1) File Gateway (NFS & SMB)
2) Volume Gateway (iSCSI)
- Stored Volumes
- Cached Volumes
3) Tape Gateway (VTL)
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch
What are the 2 different types of Volume Gateways (iSCSI)
- Stored Volumes
- Cached Volumes
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch
Define File Gateways (NFS and SMB)
- Files are stored as objects in your S3 bucket and accessed through a Network File System (NFS) mount point
- Ownership, permissions, and timestamps are durably stored in S3 in the user-metadata of the object associated with the file
- Once objects are transferred to S3, they are managed as native S3 objects (versioning, lifecycle management, etc. can be applied)
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch
What does NFS Stand for?
Network File System
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch
Define Volume Gateway
- The volume interface presents your application with disk volumes using the iSCSI block protocol
- Data written to these volumes can be asynchronously backed up as point-in-time snapshots of your volumes and stored in the cloud as Amazon EBS snapshots
- Snapshots are incremental backups that capture only changed blocks. All snapshot storage is also compressed to minimize your storage charges
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch
Define what Stored Volumes are in Volume Gateway.
The entire dataset is stored onsite and is asynchronously backed up to S3.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch
Define what Cached Volumes are in Volume Gateway.
The entire dataset is stored in S3 and the most frequently accessed data is cached on site.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch
Define Gateway Virtual Tape Library.
- Offers a durable, cost-effective solution to archive your data in the AWS Cloud
- Enables you to replace physical tapes on premises with virtual tapes in AWS without changing existing backup workflows
Reference:
- https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch
- https://aws.amazon.com/storagegateway/vtl/#:~:text=Tape%20Gateway%20enables%20you%20to,for%20low%2Dlatency%20data%20access.
What is Athena?
An interactive query service which enables you to analyze and query data located in S3 using standard SQL.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/34d254f3-2bf7-7672-266d-8728b9b1b1fd/watch
What can Athena be used for?
- Used to query log files stored in S3. Eg. ELB logs, S3 access logs, etc.
- Generate business reports on data stored in S3
- Analyze AWS cost and usage reports
- Run queries on click-stream data
What does PII stand for? What is it?
PII (Personally Identifiable Information): personal data used to establish an individual's identity.
Eg. home address, email address, SSN, DOB, etc.
What is Macie?
- Security service which uses Machine Learning and NLP (Natural Language Processing) (so AI stuff) to discover, classify and protect sensitive data stored in S3 such as PII.
- Can give you reports, alerts, dashboards
- Great for PCI-DSS and preventing ID Theft