Chapter 3: Identity and Access Management & S3 Flashcards

1
Q

Define IAM

A

IAM - Identity Access Management

Allows you to manage users and their level of access to AWS Console

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch

2
Q

What are the different features of IAM?

A

1) Centralized Control of your AWS Account
2) Shared access to your AWS Account
3) Granular Permissions
4) Identity Federation (including Active Directory, Facebook, LinkedIn, etc.)
5) Multi-factor Authentication
6) Provide Temporary access for users/devices and services where necessary
7) Allows you to set up your own password rotation policy
8) Integrates with many different AWS Services
9) Supports PCI DSS Compliance

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch

3
Q

One of IAM’s features is Identity Federation. What does that mean?

A

You can use Facebook, LinkedIn, Active Directory, etc. with Identity Access Management, so users could log into the AWS Console with the same credentials as their Windows or Facebook credentials.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch

4
Q

One of IAM’s features is that it can provide temporary access for users/devices and services where necessary. What’s an example of that?

A

Say someone is playing a mobile game and their data is being stored in your AWS account; you only want to give that user temporary access to your account so they can view their game data.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch

5
Q

One of IAM’s features is that it supports PCI DSS Compliance. What does that mean?

A

PCI DSS is a compliance framework; if you're taking credit card details, you need to be compliant with that framework.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch

6
Q

IAM - Define Users

A

End users such as people, employees of an organization, etc.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch

7
Q

IAM - Define Groups

A

A collection of users. Each user in the group inherits the permissions of the group.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch

8
Q

IAM - Define Policies

A

Policies are made up of documents called Policy Documents. These documents are in JSON format and they define what a User/Group/Role is permitted to do.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch

9
Q

IAM - Define Roles

A

An IAM role defines a set of permissions for making AWS service requests. Roles are not associated with a specific user or group. Instead, trusted roles can be assigned to IAM users, applications, or AWS services such as EC2.

Reference:
https://aws.amazon.com/iam/faqs/#:~:text=An%20IAM%20role%20is%20an,AWS%20services%20such%20as%20EC2.

10
Q

What is the format of an IAM user's sign-in link?

A

https://CUSTOMNAME.signin.aws.amazon.com/console

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-lab/watch

11
Q

What is the IAM user sign-in link?

A

The URL of the site where users go to sign in to the account associated with that URL.

If you change the link you are making a DNS change (it's a universal namespace, not region specific).

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-lab/watch

12
Q

Define Root Account

A

It's the account tied to the email address you signed up with. It gives you "god mode", i.e. you have all access and permissions available to you.

Generally you don't want people to have access to your root account, so you create users and roles instead.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-lab/watch

13
Q

Is IAM region specific or global?

A

Global!

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-lab/watch

14
Q

What is the most up-to-date region with the newest features (but also the region that goes down the most)?

A

US East (N. Virginia)

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch

15
Q

How do you get to the IAM page in the AWS Console?

A

AWS Console Services -> Security, Identity and Compliance -> IAM

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch

16
Q

What is MFA?

A

Multi-factor Authentication. You want to enable MFA on your root account so people can't log into your account if they get hold of your credentials.

Save the QR code you get when setting up MFA onto your computer; you'll be in trouble if you lose it.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch

17
Q

What are the 2 different access types a user can have in IAM?

A

1) Programmatic Access - Enables an access key ID and secret access key for the AWS API, CLI, SDK, and other development tools.
2) AWS Management Console Access - Enables a password that allows users to sign in to the AWS Management Console.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch

18
Q

What does the logo for an AWS Managed Policy look like?

A

https://summitroute.com/img/AWSManagedPolicies.png

19
Q

After you create a user and are provided with the secret access key and password, what should you do with them?

A

Save them! You'll only see the secret access key and password once, right after you create the user, so make sure you save them by clicking "Download .csv".

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch

20
Q

What format are policies written in?

A

JSON - JavaScript Object Notation.

Ex. 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullAccess",
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": ["*"]
        }
    ]
}

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch

21
Q

Can you log into your AWS account using your secret access key and ID?

A

NO! The secret access key and access key ID are NOT the same thing as your sign-in credentials.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch

22
Q

What permissions do users have when they’re first created?

A

NONE! They have no permissions when first created.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/iam-101/watch

23
Q

What is a billing alarm?

A

If you are using AWS services outside of the free tier, a billing alarm lets you set a threshold amount, and if you go over that amount AWS sends you an alarm notification.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/billing-alarm/watch

24
Q

How do you get to the Billing Alarm page in AWS Console?

A

AWS Console Services -> Management & Governance -> CloudWatch -> Billing

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/billing-alarm/watch

25
Q

What are the 2 components of a billing alarm?

A

CloudWatch and SNS (Simple Notification Service) topic. SNS is a way of notifying you that your alarm has gone off.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/billing-alarm/watch

26
Q

What does S3 Stand for?

A

S3 (Simple Storage Service)

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

27
Q

What does S3 do?

A

Provides secure, durable, highly scalable object storage. Uses a simple web interface to store and/or retrieve any amount of data from anywhere on the web.

  • safe place to store your files
  • it's object-based storage
  • data is spread across multiple devices and facilities

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

28
Q

What are some basics to know about S3?

A
  • S3 is object based, i.e. it allows you to upload files
  • Files can be from 0 Bytes to 5 TB
  • There is unlimited storage
  • Files are stored in Buckets (folder)
  • S3 is a universal namespace, you can’t have the same bucket name as another bucket even if your bucket is in a different region.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

29
Q

What are the 2 different formats for S3 bucket URLs?

A

1) https://BUCKETNAME.s3.amazonaws.com/
2) https://BUCKETNAME.s3.eu-west-1.amazonaws.com/

The first URL format refers to a bucket in US East (the default region); buckets in all other regions follow the second convention.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

30
Q

What do you receive when you successfully upload a file to S3?

A

An HTTP 200 Code

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

31
Q

What are objects in S3 and what do they consist of?

A

Objects are basically files in your bucket (folder).

They consist of:

1) Key - name of the object
2) Value - data made up of sequences of bytes
3) Version ID
4) Metadata - data about data
5) Subresources
- Access Control Lists
- Torrent

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

32
Q

Describe how the data consistency model works in S3.

A

1) Read-after-write consistency for PUTs of new objects
2) Eventual consistency for overwrite PUTs and DELETEs

Re-worded:

1) If you write a new file and read it immediately afterwards, you will be able to view that data.
2) If you update an existing file or delete a file and read it immediately, you may get the older version or you may not; basically, the changes can take a little bit of time to propagate.

NOTE:
The model has since been updated. Check the S3 FAQ.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

33
Q

What are Amazon's guarantees for S3?

A

1) Built for 99.99% availability from the S3 platform, and Amazon guarantees it
2) 99.999999999% (11 9's in total) durability guarantee (it is very unlikely data will be lost)

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

34
Q

What are the features of S3?

A

1) Tiered Storage Available
2) Lifecycle Management - moving to different storage tiers
3) Versioning
4) Encryption
5) MFA Delete
6) Secure your data using ACL and Bucket Policies

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

35
Q

What are the 6 different storage tiers of S3 Storage classes?

A
  • S3 Standard
  • S3 - IA
  • S3 One Zone IA
  • S3 Intelligent Tiering
  • S3 Glacier
  • S3 Glacier Deep Archive
  • S3 Outposts (not mentioned in AcloudGuru)

Reference:

  • https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch
  • https://aws.amazon.com/s3/storage-classes/
36
Q

S3 Storage Classes - Define S3 Standard

A
  • 99.99% availability
  • 99.999999999% (11 9's) durability
  • Stored redundantly across multiple devices in multiple facilities.
  • Designed to sustain the loss of 2 facilities concurrently
  • Highly available
  • Most expensive

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

37
Q

S3 Storage Classes - Define S3 IA

A

IA (Infrequently Accessed)

  • Data that is accessed less frequently, but requires rapid access when needed.
  • Lower fee than S3 standard but you are charged a retrieval fee

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

38
Q

S3 Storage Classes - Define S3 One Zone - IA

A

Lower-cost option for infrequently accessed data that doesn't require multiple-AZ data resilience. Data is stored in 1 AZ.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

39
Q

S3 Storage Classes - Define S3 Intelligent Tiering

A

Using ML, it optimizes your costs by automatically moving data to the most cost-effective storage tier without any overhead.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

40
Q

S3 Storage Classes - Define S3 Glacier

A
  • Secure, durable and low-cost storage class for data archiving (store data for long periods of time)
  • Retrieval times configurable from minutes to hours

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

41
Q

S3 Storage Classes - Define S3 Glacier Deep Archive

A
  • Similar to Glacier; the only difference is that the retrieval time is 12 hours.
  • Cheaper option than S3 Glacier
  • Cheapest storage class option

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

42
Q

S3 Storage Classes Price comparison

A

https://jayendrapatil.com/wp-content/uploads/2016/03/S3-Storage-Classes-Performance.png

43
Q

What aspects of S3 are you charged for?

A
  • Storage
  • Number of requests
  • Storage Management Pricing (Storage Tiers)
  • Data Transfer Pricing
  • Transfer Acceleration
  • Cross Region Replication Pricing

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

44
Q

What is Cross Region Replication?

A

If you have 2 buckets in 2 different regions with cross region replication turned on, then whenever you upload to the main bucket, the replica bucket will automatically be updated with the same file that was just uploaded.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

45
Q

What is S3 Transfer Acceleration?

A
  • Enables fast, easy and secure transfers of files over long distances between your end users and an S3 bucket.
  • Takes advantage of Amazon CloudFront's globally distributed Edge Locations (users actually upload to the Edge Location, and from there the data is routed to the S3 bucket)
  • As data arrives at an edge location, it is routed to Amazon S3 over an optimized network path (the CloudFront Edge Network).

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

46
Q

Can I install an operating system in my S3 bucket?

A

No! S3 buckets are meant for object-based storage; block-based storage is more suitable for installing an operating system.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-101/watch

47
Q

What does ACL stand for and what does it do?

A

ACLs (Access Control Lists) enable you to manage access to buckets and objects.

Reference:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl_overview.html

48
Q

What is the format of an object URL?

A

https://BUCKETNAME.s3.amazonaws.com/FILENAME.EXT

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/create-bucket/watch

49
Q

If I make a bucket publicly accessible does that make all objects in the bucket public?

A

Nope! You need to go to each object you want to make public and turn on that setting.

Unless you're using a bucket policy, in which case everything the policy covers can be public. But by default, making the bucket public does not make the objects inside it public as well.

Reference:

  • https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/create-bucket/watch
  • https://www.h3xed.com/web-development/how-to-make-all-objects-in-amazon-s3-bucket-public-by-default
  • https://learn.cantrill.io/courses/730712/lectures/14041055
50
Q

Are bucket names global or region specific?

A

Universal! You can’t have the same bucket name as someone else.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/create-bucket/watch

51
Q

What are 3 different ways you can Restrict Bucket Access?

A

1) Bucket Policies - Applies across the whole bucket
2) Object Policies - Applies to individual files
3) IAM Policies to Users & Groups - Applies to Users & Groups

52
Q

What is the cheapest S3 storage tier?

A

S3 Glacier Deep Archive

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0df6cf4a-3241-ae45-a869-d1cc886a74fe/watch

53
Q

What is the most expensive S3 storage tier?

A

S3 Storage Standard

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0df6cf4a-3241-ae45-a869-d1cc886a74fe/watch

54
Q

Rank the S3 Storage tiers from most expensive to least expensive (1 - 5)

A

1) S3 Standard
2) S3 - IA
3) S3 - Intelligent tiering
4) S3 One Zone IA
5) S3 Glacier
6) S3 Glacier Deep Archive

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0df6cf4a-3241-ae45-a869-d1cc886a74fe/watch

55
Q

All newly created buckets are PRIVATE. You can set up access control to your buckets using…

A
  • Bucket Policies
  • Access Control Lists

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch

56
Q

What are S3 Access Logs?

A
  • You can configure your bucket to have access logs that log all requests made to the S3 bucket.
  • These can be sent to another bucket, even a bucket in another account.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch

57
Q

How is Encryption in Transit achieved?

A

It's achieved with SSL/TLS, which is used when you're accessing a website through HTTPS.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch

58
Q

How is Encryption at Rest (Server Side) achieved?

A

Encryption at Rest is where we encrypt data where it's being stored.

2 ways/sides:

1) Server side - where Amazon helps you encrypt the object (there are 3 different types: SSE-S3, SSE-KMS, SSE-C)
2) Client side - where the user encrypts the object and then uploads it to AWS.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch

59
Q

What are the 2 Encryption methods in S3?

A

1) Encryption in Transit
2) Encryption at Rest

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch

60
Q

What are the 4 different ways you can achieve server side encryption for Encryption at Rest ?

A

1) S3 Managed Keys - SSE - S3
2) AWS Key Management Service, Managed Keys - SSE-KMS
3) Server Side Encryption With Customer Provided Keys - SSE-C
4) Client Side Encryption

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch

61
Q

Define S3 Managed Keys - SSE - S3 (Encryption at Rest for S3 - Server Side)

A

Amazon manages all your keys for you.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch

62
Q

Define AWS Key Management Service, Managed Keys - SSE-KMS (Encryption at Rest for S3 - Server Side)

A

User and Amazon manage the keys together

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch

63
Q

Define Server Side Encryption With Customer Provided Keys - SSE-C (Encryption at Rest for S3 - Server Side)

A

The user provides Amazon with their own managed keys.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch

64
Q

How does Client Side Encryption work for Encryption at Rest?

A

Encrypt object yourself on your PC and then upload it to S3.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-security/watch

65
Q

What is versioning in S3?

A
  • Stores all versions of a file
  • Great backup tool
  • Once enabled, versioning cannot be disabled, only suspended
  • Integrates with Lifecycle rules
  • Versioning’s MFA Delete capability can be used to provide an additional layer of security.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-versioning/watch

66
Q

If you make an object public in a bucket, does that mean all its versions will be public?

A

Nope! You need to make each version public individually.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-versioning/watch

67
Q

What happens when you delete an object and versioning is turned on?

A

A delete marker is placed. If you delete the delete marker it restores the file.

https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-versioning/watch

68
Q

What happens when you suspend versioning in S3?

A

Any new files you create or update will not have versions; however, existing versions will be preserved. You can only suspend versioning, you can't disable/remove it.

https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-versioning/watch

69
Q

What is lifecycle management?

A

Automates moving your objects between different storage tiers.

Can be used with versioning.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-lifecycle/watch

70
Q

What is the WORM model? What does it stand for?

A
  • WORM (Write Once, Read Many) is used for S3 Object Lock.
  • Helps to prevent objects from being deleted or modified for a fixed amount of time or indefinitely.

71
Q

What are the 2 different Object Lock Modes?

A
  • Governance Mode
  • Compliance Mode

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-lifecycle/watch

72
Q

Define Governance Mode for S3 Object Lock.

A
  • Users can't overwrite or delete an object version or alter its lock settings unless they have special permissions.
  • This mode protects objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-lifecycle/watch

73
Q

Define Compliance Mode for S3 Object Lock.

A
  • A protected object version can’t be overwritten or deleted by any user, including the root user in your AWS account
  • The retention period can’t be changed either
  • This mode ensures that an object version can’t be overwritten or deleted for the duration of the retention period

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/e04a6021-789d-4fb5-a890-337a0c0cda66/watch

74
Q

Define retention period (term used with S3 Object Lock and Glacier Vault)

A
  • It protects an object version for a fixed amount of time.
  • Amazon stores a timestamp in the object version's metadata to indicate when the retention period expires.
  • After the retention period expires, the object version can be overwritten or deleted unless the user also places a legal hold on the object version.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/e04a6021-789d-4fb5-a890-337a0c0cda66/watch

75
Q

Define what a Legal Hold is (this term is used with S3 Object Lock and Glacier Vault)

A
  • It prevents an object version from being overwritten or deleted.
  • It is not associated with a retention period and remains in effect until removed.
  • Legal holds can be freely placed and/or removed by any user who has the s3:PutObjectLegalHold permission.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/e04a6021-789d-4fb5-a890-337a0c0cda66/watch

76
Q

Define Glacier Vault Lock.

A
  • Allows you to easily deploy and enforce compliance controls for individual S3 Glacier vaults with a vault lock policy
  • Can specify controls, such as WORM, in a vault lock policy and lock the policy from future edits
  • Once Locked, the policy can no longer be changed
  • Locking objects inside Glacier

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/e04a6021-789d-4fb5-a890-337a0c0cda66/watch

77
Q

What’s the difference between S3 Object Lock and Glacier Vault?

A
  • S3 Object Lock is for S3 objects
  • S3 Object Lock has 2 different lock modes
  • Glacier Vault Lock is for objects in Glacier

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/e04a6021-789d-4fb5-a890-337a0c0cda66/watch

78
Q

What is a prefix in this S3 example?

mybucketname/folder1/subfolder1/myfile.jpg

A

/folder1/subfolder1

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch

79
Q

What’s a prefix in S3?

A

The folder names between the bucket name and file name

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch

80
Q

S3 Performance: does S3 have low or high latency?

A

Low latency. You can get the first byte out of S3 within 100-200 milliseconds.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch

81
Q

How many requests can you achieve due to S3’s low latency?

A

3,500 PUT/COPY/POST/DELETE requests per second per prefix.

5,500 GET/HEAD requests per second per prefix.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch

82
Q

How can you achieve better performance with S3 prefixes?

A

By spreading reads across different prefixes.

Ex. if you are using 2 prefixes, you can achieve 11,000 requests per second.
If you use 4 prefixes in the last example, you would achieve 22,000 requests per second.

The more prefixes you use, the better the performance you can achieve.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch

83
Q

What are the limitations of using KMS with regard to S3 performance?

A

1) Uploading/downloading will count towards the KMS quota
2) Currently, you cannot request a quota increase for KMS
3) The quota is region-specific; it's either 5,500, 10,000 or 30,000 requests per second

  • You currently can’t ask for a quota increase
  • When you upload a file, you will call GenerateDataKey in the KMS API
  • When you download a file, you will call Decrypt in the KMS API

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch

84
Q

What is a way to improve performance of S3 Uploads?

A

Multipart Uploads:

  • Recommended for files over 100 MB
  • Required for files over 5 GB
  • Parallelize uploads (increases efficiency)

85
Q

Can you improve S3 upload and download performance? If so, then how?

A

Yes!

Uploads use Multipart Upload, whereas downloads use S3 Byte-Range Fetches.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch

86
Q

What is a way to improve performance of S3 downloads?

A

S3 Byte-Range Fetches

  • Parallelize downloads by specifying byte ranges
  • If part of the download fails, the failure only affects that specific byte range
  • Can be used to download just a partial part of a file

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch

87
Q

When should I use S3 Multipart Upload?

A

When the file is over 100 MB; it has to be used for files over 5 GB.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/9db943dd-768b-47c8-98e6-283ade36836a/watch

88
Q

What is S3 Select?

A
  • Enables applications to retrieve only a subset of data from an object by using simple SQL expressions.
  • It drastically increases the performance, sometimes as much as 400%

Ex. A CSV inside a zip file in S3. Normally you need to download the zip, decompress it and then extract the data. With S3 Select you write a query to extract and download only the data you need.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/91703a6e-55d0-4fce-93f8-9ed2ce43651b/watch

89
Q

What is Glacier Select?

A

Allows you to run the same queries you could write with S3 Select against Glacier directly.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/91703a6e-55d0-4fce-93f8-9ed2ce43651b/watch

90
Q

What is AWS Organizations?

A

An account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.

  • You create Organizational Units (OUs)
  • Need at least 2 different AWS accounts

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0c2fb2ff-57cf-69a1-c419-5560d36e6e85/watch

91
Q

What is Consolidated Billing?

A
  • You have a paying account and link multiple independent accounts to it; all the costs of the independent accounts are consolidated into 1 bill.
  • The more you use, the less you pay, so use Consolidated Billing to your advantage and link accounts.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0c2fb2ff-57cf-69a1-c419-5560d36e6e85/watch

92
Q

What are the advantages of Consolidated Billing?

A
  • 1 bill for all AWS accounts in an organization (paid for by 1 account)
  • Very easy to track charges and allocate costs
  • Volume pricing discounts

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0c2fb2ff-57cf-69a1-c419-5560d36e6e85/watch

93
Q

What are Service Control Policies?

A

In AWS Organizations, Service Control Policies offer central control over the maximum available permissions for all accounts in your organization, allowing you to ensure accounts stay within your organization’s access control guidelines.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0c2fb2ff-57cf-69a1-c419-5560d36e6e85/watch

94
Q

What are some best practices with AWS Organizations?

A
  • Always enable multi-factor authentication on the root account
  • Always use a strong and complex password on all accounts (especially the root account)
  • The paying account should be used for billing purposes only. Do not deploy resources into the paying account
  • Enable/Disable AWS services using Service Control Policies (SCPs) on either an OU or individual accounts

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0c2fb2ff-57cf-69a1-c419-5560d36e6e85/watch

95
Q

What does SCP stand for?

A

Service Control Policy

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/0c2fb2ff-57cf-69a1-c419-5560d36e6e85/watch

96
Q

What are 3 different ways to share S3 buckets across accounts?

A

1) Using Bucket Policies and IAM (across the entire bucket). Programmatic access only
2) Using Bucket ACLs and IAM (individual objects). Programmatic access only
3) Cross-account IAM Roles. Programmatic and console access

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/77de80db-187a-d61c-d8eb-5f643f3dbc6d/watch

97
Q

Out of the 3 different ways to share S3 buckets across accounts, which way allows for both Programmatic AND console access?

A

Cross-account IAM roles.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/77de80db-187a-d61c-d8eb-5f643f3dbc6d/watch

98
Q

Say you have a bucket A with 5 items in it. You then turn on Cross Region Replication to another bucket B in another region. Will the 5 existing objects be replicated into the new bucket (B)?

A

Nope. New files that are added will be replicated but not existing objects.

Same logic applies

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-crr/watch

99
Q

If a bucket has versioning turned on and you use Cross Region Replication, will the new bucket need versioning turned on?

A

Yes! For Cross Region Replication, versioning NEEDS to be turned on in both source AND destination.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-crr/watch

100
Q

If you change permissions in the source bucket, does that change the permissions in the destination bucket (Cross Region Replication)?

A

Nope. If items in the source bucket are public, but the destination bucket is private by default, then the destination’s objects will also be private unless the configuration is changed.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-crr/watch

101
Q

Can you Cross Region Replicate between buckets in different accounts?

A

Yes!

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/s3-crr/watch

102
Q

What is the URL format of S3 Transfer Acceleration?

A

BUCKETNAME.s3-accelerate.amazonaws.com

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/c2ac330d-708e-4fd1-89af-cd116f73c00f/watch

103
Q

What is AWS Datasync?

A
  • Used to move large amounts of data from on-premises to AWS
  • Used with NFS- and SMB-compatible file systems
  • Replication can be done hourly, daily, or weekly
  • Install the DataSync agent to start replication
  • Can be used to replicate EFS to EFS

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/c2ac330d-708e-4fd1-89af-cd116f73c00f/watch

104
Q

How can you move on-premises data onto AWS?

A

Using Datasync!

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/c2ac330d-708e-4fd1-89af-cd116f73c00f/watch

105
Q

What is CloudFront?

A

A Content Delivery Network (CDN) is a system of distributed servers that deliver webpages and other web content to a user based on the user’s geographical location, the origin of the webpage, and the content delivery server.

Can be used to deliver your entire website, including dynamic, static, streaming content, etc.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/cloudfront/watch

106
Q

What is an Edge Location?

A

The location where content will be cached. Separate from a Region/AZ.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/cloudfront/watch

107
Q

What is an Origin?

A

The origin of all the files that the CDN will distribute. This can be an S3 bucket, an EC2 instance, an Elastic Load Balancer, or Route53.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/cloudfront/watch

108
Q

What is a Distribution?

A

The name given to the CDN, which consists of a collection of Edge Locations.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/cloudfront/watch

109
Q

What are the 2 types of distributions?

A

1) Web(site) Distribution
2) RTMP - For media streaming

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/cloudfront/watch

110
Q

Can you only read to an Edge Location?

A

Nope! You can both read and write to an Edge Location.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/cloudfront/watch

111
Q

What does TTL stand for?

A

TTL (Time to Live).

Objects are cached for the lifetime of the TTL.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/cloudfront/watch

112
Q

Say you push out some data and find out something is wrong with it; you do an update but it doesn’t take effect. What can you do?

A

Create an Invalidation. If you invalidate an object, you will be charged for it though.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/cloudfront-lab/watch

113
Q

Say you have secure content that only authorized people should be able to access (Ex. if they need a subscription/premium membership or need to pay to view). How can you restrict people from accessing a premium/members-only area of a site?

A

By using signed URL and/or signed cookies!

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/317376a7-6e57-4e4b-91e4-018855dcc861/watch

114
Q

What is the difference between a Signed URL and Signed Cookie?

A

1) Signed URL is for an individual file, 1 file = 1 URL
2) A Signed Cookie is for multiple files, 1 cookie = multiple files

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/317376a7-6e57-4e4b-91e4-018855dcc861/watch

115
Q

When you create a signed URL or signed cookie, a policy is attached. What does the policy include?

A
  • URL expiration
  • IP ranges
  • Trusted Signer (which AWS accounts can create signed URLs)

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/317376a7-6e57-4e4b-91e4-018855dcc861/watch

116
Q

What does OAI stand for?

A

Origin Access Identity

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/317376a7-6e57-4e4b-91e4-018855dcc861/watch

117
Q

How do you get to the IAM page in the AWS Console?

A

AWS Console Services -> Networking & Content Delivery -> CloudFront

118
Q

What are some features of CloudFront Signed URL?

A
  • Can have different origins. Does not have to be EC2
  • Key-pair is account-wide and managed by the root user
  • Can utilize caching features
  • Can filter by date, path, IP address, expiration, etc.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/317376a7-6e57-4e4b-91e4-018855dcc861/watch

119
Q

What are features of S3 Signed URL?

A
  • Not using CloudFront; direct access to S3
  • Issues the request as the IAM user who created the pre-signed URL
  • Limited lifetime

120
Q

What’s the difference between CloudFront Signed URL and S3 Signed URL?

A

1) If an OAI is used to get to S3, then use a CloudFront Signed URL
2) If directly accessing a file in S3, then use an S3 Signed URL

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/317376a7-6e57-4e4b-91e4-018855dcc861/watch

121
Q

Use CloudFront if my origin is ______?

A

EC2

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/317376a7-6e57-4e4b-91e4-018855dcc861/watch

122
Q

What is Snowball?

A

A petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of the AWS cloud. Using Snowball addresses common challenges with large-scale data transfers, including high network costs, long transfer times, and security concerns.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/snowball/watch

123
Q

What different levels of security does Snowball come with?

A
  • Tamper-resistant enclosures
  • 256-bit encryption
  • Industry-standard Trusted Platform Module (TPM)
  • Once the transfer is done, AWS performs erasure of the Snowball (data can’t be restored once erased)

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/snowball/watch

124
Q

What are the 2 sizes a Snowball comes in?

A

50TB and 80TB

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/snowball/watch

125
Q

What is a Snowball Edge?

A

A type of Snowball device with on-board storage and compute power for select AWS capabilities. You can use Snowball Edge to move large amounts of data into and out of AWS, as a temporary storage tier for large local datasets, or to support local workloads in remote or offline locations.

Gives you compute and storage. Like having a mini, portable AWS.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/snowball/watch

126
Q

What is a Snowmobile?

A

An exabyte-scale data transfer service used to move extremely large amounts of data to AWS. You can transfer up to 100 PB per Snowmobile, a 45-foot long ruggedized shipping container pulled by a semi-trailer truck.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/snowball/watch

127
Q

What is AWS Storage Gateway?

A

A service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization’s on-premises IT environment and AWS’s storage.

Physical or virtual device.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch

128
Q

What am I downloading when I download the Storage Gateway application?

A

It’s software that’s available to download as a virtual machine image, which you install on a host in your data centre.

Once it’s downloaded and linked with your AWS account, you can use the AWS Management Console to create the storage gateway option that is right for you.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch

129
Q

What are the 3 different types of Storage Gateway?

A

1) File Gateway (NFS & SMB)
2) Volume Gateway (iSCSI)
- Stored Volumes
- Cached Volumes
3) Tape Gateway (VTL)

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch

130
Q

What are the 2 different types of Volume Gateways (iSCSI)?

A
  • Stored Volumes
  • Cached Volumes

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch

131
Q

Define File Gateways (NFS and SMB)

A
  • Files are stored as objects in your S3 bucket and accessed through a Network File System (NFS) mount point
  • Ownership, permissions, and timestamps are durably stored in S3 in the user-metadata of the object associated with the file
  • Once objects are transferred to S3, they are managed as native S3 objects (versioning, lifecycle management, etc. can be applied)

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch

132
Q

What does NFS Stand for?

A

Network File System

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch

133
Q

Define Volume Gateway

A
  • The volume interface presents your application with disk volumes using the iSCSI block protocol
  • Data written to these volumes can be asynchronously backed up as point-in-time snapshots of your volumes and stored in the cloud as Amazon EBS snapshots
  • Snapshots are incremental backups that capture only changed blocks. All snapshot storage is also compressed to minimize your storage charges

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch

134
Q

Define what Stored Volumes are in Volume Gateway.

A

The entire dataset is stored onsite and is asynchronously backed up to S3.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch

135
Q

Define what Cached Volumes are in Volume Gateway.

A

The entire dataset is stored on S3 and the most frequently accessed data is cached on site.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch

136
Q

Define Gateway Virtual Tape Library.

A
  • Offers a durable, cost-effective solution to archive your data in the AWS Cloud
  • Enables you to replace physical tapes on premises with virtual tapes in AWS without changing existing backup workflows.

Reference:

  • https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/storage-gateway/watch
  • https://aws.amazon.com/storagegateway/vtl/#:~:text=Tape%20Gateway%20enables%20you%20to,for%20low%2Dlatency%20data%20access.

137
Q

What is Athena?

A

An interactive query service which enables you to analyze and query data located in S3 using standard SQL.

Reference:
https://learn.acloud.guru/course/aws-certified-solutions-architect-associate/learn/iam-s3/34d254f3-2bf7-7672-266d-8728b9b1b1fd/watch

138
Q

What can Athena be used for?

A
  • Used to query log files stored in S3. Eg. ELB logs, S3 access logs, etc.
  • Generate business reports on data stored in S3
  • Analyze AWS cost and usage reports
  • Run queries on click-stream data

139
Q

What does PII stand for? What is it?

A

PII (Personally Identifiable Information): personal data used to establish an individual’s identity.
Eg. home address, email address, SSN, DOB, etc.

140
Q

What is Macie?

A
  • A security service which uses Machine Learning and NLP (Natural Language Processing) (so AI stuff) to discover, classify and protect sensitive data stored in S3, such as PII.
  • Can give you reports, alerts, and dashboards
  • Great for PCI-DSS and preventing ID theft