Chapter 3: Identity and Access Management & S3 Flashcards
Define IAM
IAM - Identity Access Management
Allows you to manage users and their level of access to the AWS Console
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
What are the different features of IAM?
1) Centralized Control of your AWS Account
2) Shared access to your AWS Account
3) Granular Permissions
4) Identity Federation (including Active Directory, Facebook, LinkedIn, etc.)
5) Multi-factor Authentication
6) Provide Temporary access for users/devices and services where necessary
7) Allows you to set up your own password rotation policy
8) Integrates with many different AWS Services
9) Supports PCI DSS Compliance
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
One of IAM’s features is Identity Federation. What does that mean?
You can use Facebook, LinkedIn, Active Directory, etc. with Identity Access Management, so users could log in to the AWS Console with their existing Windows or Facebook credentials.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
One of IAM’s features is that it can provide temporary access for users/devices and services where necessary. What’s an example of that?
Say someone is playing a mobile game and their data is stored in your AWS account: you only want to give that user temporary access to your account so they can view their game data.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
One of IAM’s features is that it supports PCI DSS Compliance. What does that mean?
PCI DSS is a compliance framework; if you are taking credit card details, you need to be compliant with that framework.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
IAM - Define Users
End users such as people, employees of an organization, etc.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
IAM - Define Groups
A collection of users. Each user in the group inherits the permissions of the group.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
IAM - Define Policies
Policies are made up of documents called Policy Documents. These documents are in JSON format and they grant permissions as to what a User/Group/Role is able to do.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
IAM - Define Roles
A role defines a set of permissions for making AWS service requests. Roles are not associated with a specific user or group. Instead, roles are assumed by trusted entities such as IAM users, applications, or AWS services such as EC2.
Reference:
https://aws.amazon.com/iam/faqs/#:~:text=An%20IAM%20role%20is%20an,AWS%20services%20such%20as%20EC2.
What is the format of an IAM user's sign-in link?
https://CUSTOMNAME.signin.aws.amazon.com/console
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-lab/watch
What is the IAM user sign-in link?
The URL where users go to sign in to the account associated with that URL.
If you change the link you are making a DNS change (it's a universal namespace, not region specific).
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-lab/watch
Define Root Account
It's the account tied to the email address you signed up with. It gives you "god mode", i.e. you have all access and permissions available to you.
Generally you don't want people to have access to your root account, so you create users and roles instead.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-lab/watch
Is IAM region specific or global?
Global!
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-lab/watch
What is the most up-to-date region with the newest features (but also the region that goes down the most)?
US East (N. Virginia)
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
How do you get to the IAM page in the AWS Console?
AWS Console Services -> Security, Identity and Compliance -> IAM
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
What is MFA?
Multi-factor Authentication. You want to enable MFA on your root account so people can't log in to your account if they get hold of your credentials.
Save the QR code you get when setting up MFA onto your computer; you'll be in trouble if you lose it.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
What are the 2 different access types a user can have in IAM?
1) Programmatic Access - Enables an access key ID and secret access key for the AWS API, CLI, SDK, and other development tools.
2) AWS Management Console Access - Enables a password that allows users to sign in to the AWS Management Console.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
What does the logo for an AWS Managed Policy look like?
https://summitroute.com/img/AWSManagedPolicies.png
After you create a user and are provided with the secret access key and password, what should you do with them?
Save them! You'll only see the secret access key and password once after you create the user, so make sure you save them by clicking "Download .csv".
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
What format are policies written in?
JSON - JavaScript Object Notation.
Ex. { "Version": "2012-10-17", "Statement": [ { "Sid": "FullAccess", "Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"] } ] }
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
Can you log into your AWS account using your secret access key and ID?
NO! The secret access key and access key ID are NOT the same thing as your sign-in credentials.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
What permissions do users have when they’re first created?
NONE! They have no permissions when first created.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch
What is a billing alarm?
If you are using AWS services outside of the free tier, billing alarms allow you to set a threshold amount; if your charges go over that amount, an alarm is sent to you.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/billing-alarm/watch
How do you get to the Billing Alarm page in AWS Console?
AWS Console Services -> Management & Governance -> CloudWatch -> Billing
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/billing-alarm/watch
What are the 2 components of a billing alarm?
CloudWatch and SNS (Simple Notification Service) topic. SNS is a way of notifying you that your alarm has gone off.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/billing-alarm/watch
What does S3 Stand for?
S3 (Simple Storage Service)
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What does S3 do?
Provides secure, durable, highly scalable object storage. Uses a simple web interface to store and/or retrieve any amount of data from anywhere on the web.
- safe place to store your files
- it's object-based storage
- data is spread across multiple devices and facilities
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What are some basics to know about S3?
- S3 is object based - i.e. it allows you to upload files
- Files can be from 0 Bytes to 5 TB
- There is unlimited storage
- Files are stored in Buckets (folders)
- S3 is a universal namespace, you can’t have the same bucket name as another bucket even if your bucket is in a different region.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What are the 2 different formats for S3 bucket URLs?
1) https://BUCKETNAME.s3.amazonaws.com/
2) https://BUCKETNAME.s3.eu-west-1.amazonaws.com/
S3 in the first URL refers to the US East bucket (default bucket), all other regions follow the second convention.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What do you receive when you successfully upload a file to S3?
An HTTP 200 Code
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What are objects in S3 and what do they consist of?
Objects are basically files in your bucket (folder).
They consist of:
1) Key - name of the object
2) Value - data made up of sequences of bytes
3) Version ID
4) Metadata - data about data
5) Subresources
- Access Control Lists
- Torrent
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
Define how the data consistency model works in S3.
1) Read-after-write consistency for PUTs of new objects
2) Eventual consistency for overwrite PUTs and DELETEs
Re-worded:
1) If you write a new file and read it immediately afterwards, you will be able to view that data.
2) If you update an existing file or delete a file and read it immediately, you may or may not get the older version; basically the changes can take a little bit of time to propagate.
NOTE:
The model has since been updated. Check the S3 FAQ.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What are Amazon's guarantees for S3?
1) Built for 99.99% availability on the S3 platform, and Amazon guarantees it
2) 99.999999999% (11 9's in total) durability guarantee (very unlikely it'll be lost)
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What are the features of S3?
1) Tiered Storage Available
2) Lifecycle Management - moving to different storage tiers
3) Versioning
4) Encryption
5) MFA Delete
6) Secure your data using ACL and Bucket Policies
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What are the 6 different storage tiers of S3 Storage classes?
- S3 Standard
- S3 - IA
- S3 One Zone IA
- S3 Intelligent Tiering
- S3 Glacier
- S3 Glacier Deep Archive
- S3 Outposts (not mentioned in AcloudGuru)
Reference:
- https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
- https://aws.amazon.com/s3/storage-classes/
S3 Storage Classes - Define S3 Standard
- 99.99% availability
- 99.999999999% (11 9's) durability
- Stored redundantly across multiple devices in multiple facilities.
- Designed to sustain the loss of 2 facilities concurrently
- Highly available
- Most expensive
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
S3 Storage Classes - Define S3 IA
IA (Infrequently Accessed)
- Data that is accessed less frequently, but requires rapid access when needed.
- Lower fee than S3 standard but you are charged a retrieval fee
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
S3 Storage Classes - Define S3 One Zone - IA
Lower-cost option for infrequently accessed data that does not require multiple-AZ resilience. Data is stored in a single AZ.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
S3 Storage Classes - Define S3 Intelligent Tiering
Uses ML to optimize your costs by automatically moving data to the most cost-effective storage tier, without any overhead.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
S3 Storage Classes - Define S3 Glacier
- Secure, durable and low-cost storage class for data archiving (store data for long periods of time)
- Retrieval times configurable from minutes to hours
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
S3 Storage Classes - Define S3 Glacier Deep Archive
- Similar to Glacier; the only difference is that the retrieval time is 12 hours.
- Cheaper option than S3 Glacier
- Cheapest Storage class option
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
S3 Storage Classes Price comparison
https://jayendrapatil.com/wp-content/uploads/2016/03/S3-Storage-Classes-Performance.png
What aspects of S3 are you charged for?
- Storage
- Number of requests
- Storage Management Pricing (Storage Tiers)
- Data Transfer Pricing
- Transfer Acceleration
- Cross Region Replication Pricing
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What is Cross Region Replication?
If you have 2 buckets in 2 different regions with cross region replication turned on, then whenever you upload to the main bucket, the replica bucket is automatically updated with the same file that was just uploaded.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What is S3 Transfer Acceleration?
- Enables fast, easy and secure transfers of files over long distances between your end users and an S3 bucket.
- Takes advantage of Amazon CloudFront's globally distributed Edge Locations (users actually upload to an Edge Location, and from there the data is routed to the S3 bucket)
- As data arrives at an edge location, data is routed to Amazon S3 over an optimized network path (using CloudFront Edge Network).
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
Can I install an operating system in my S3 bucket?
No! S3 buckets are meant for object-based storage; block-based storage is more suitable for installing an operating system.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
What does ACL stand for and what does it do?
ACLs (Access Control Lists) enable you to manage access to buckets and objects.
Reference:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl_overview.html
What is the format of an object URL?
https://BUCKETNAME.s3.amazonaws.com/FILENAME.EXT
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/create-bucket/watch
If I make a bucket publicly accessible does that make all objects in the bucket public?
Nope! You need to go to each object you want to make public and turn on that setting.
Unless you're using a policy; then, depending on the policy, everything can be public. But by default, just because you make the bucket public does not make the objects inside it public as well.
Reference:
- https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/create-bucket/watch
- https://www.h3xed.com/web-development/how-to-make-all-objects-in-amazon-s3-bucket-public-by-default
- https://learn.cantrill.io/courses/730712/lectures/14041055
Are bucket names global or region specific?
Universal! You can’t have the same bucket name as someone else.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/create-bucket/watch
What are 3 different ways you can Restrict Bucket Access?
1) Bucket Policies - Applies across the whole bucket
2) Object Policies - Applies to individual files
3) IAM Policies to Users & Groups - Applies to Users & Groups
What is the cheapest S3 storage tier?
S3 Glacier Deep Archive
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0df6cf4a-3241-ae45-a869-d1cc886a74fe/watch
What is the most expensive S3 storage tier?
S3 Storage Standard
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0df6cf4a-3241-ae45-a869-d1cc886a74fe/watch
Rank the S3 Storage tiers from most expensive to least expensive (1 - 6)
1) S3 Standard
2) S3 - IA
3) S3 - Intelligent tiering
4) S3 One Zone IA
5) S3 Glacier
6) S3 Glacier Deep Archive
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0df6cf4a-3241-ae45-a869-d1cc886a74fe/watch
All newly created buckets are PRIVATE. You can set up access control to your buckets using…
- Bucket Policies
- Access Control Lists
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch
What are S3 Access Logs?
- You can configure your bucket to have access logs that record all requests made to the S3 bucket.
- These logs can be sent to another bucket, even a bucket in another account.
Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch