IAM and S3

Question 1

What is IAM and what does it offer?

Answer 1

Identity Access Management

- allows many security features such as MFA, Temporary Access, and Granular Permissions

Question 2

Key terms for IAM: Users, Groups, Policies, Roles

Answer 2

Users - individual end user ex. employee
Groups - Collection of users, each user in group inherits group perms.
Policies - JSON documents that give perms to users, groups, and roles
Roles - roles are like permissions for AWS resources (i.e. you might give a VM in AWS to write files to S3)

Question 3

Is IAM functionality regional or global?

Answer 3

Global

Question 4

What is the root account

Answer 4

Main AWS account created at first setup. Has complete Admin Access (God mode)

Question 5

Do new users have permissions when first created?

Answer 5

NO

Question 6

What are the two types of access given to new users?

Answer 6

Console and Programmatic

Question 7

Which service would you use to collect and monitor metrics such as billing information, and set alarms that watch those metrics?

Answer 7

CloudWatch

Question 8

What does S3 Stand for?

Hint: SSS

Answer 8

Simple Storage Service

Question 9

What kind of storage does S3 use?

Answer 9

Object based storage

Question 10

Is S3 global? Can you create 2 buckets with the same name?

Answer 10

Yes. No.

Question 11

In S3 what makes up an object?

Answer 11

Key(name), Value(data), Version ID, Metadata, Subresources(Access Control Lists, Torrents)

Question 12

How does data consistency work for S3?

Answer 12

• Read after Write consistency for PUTS of new Objects (Can read objects right after saving them)
• Eventual Consistency for overwrite PUTS and DELETES (Takes some time for the object to be updated or deleted)

Question 13

What are the S3 Storage Tiers and a brief description?

Answer 13

S3 Standard - standard tier with high availability and durability
S3 IA (Infrequently Accessed) - Cheaper than Standard but has a retrieval fee. Good for objects that need immediate access but rarely
S3 One Zone IA - Like IA but even cheaper because it is stored in only one availability zone and thus slightly less resilient
S3 Intelligent Tiering - Uses machine learning to move data to different tiers based on users use
S3 Glacier - Used for archiving. Very cheap with higher retrieval times.
S3 Glacier Deep Archive - Cheapest storage tier, also for archiving. Retrieval times of up to 12 hours.

Question 14

Video: S3 Security and Encryption

Question: How does access control work for S3?

Answer 14

By default buckets are private.

You can create bucket policies as well as ACL’s for buckets and individual objects.

Question 15

Video: S3 Security and Encryption

Question: What kinds of encryption at rest does S3 offer?

Answer 15

SSE-S3: S3 Managed Keys - Encryption keys are provided by AWS
SSE-KMS: AWS Key Management Service - Manage keys inside AWS
SSE-C: Customer Provided Keys - Encryption keys are provided by the user
Client Side Encryption - Upload already encrypted objects
NOTE: You can encrypt an entire S3 bucket

Question 16

Video: 15. S3 Version Control

Question: Does S3 continue to store versions even after deleting an object?

Answer 16

Yes. It just creates a delete marker that acts as the most recent version.
NOTE: You can undo a delete by deleting the delete marker

Question 17

Video: 15. S3 Version Control

Question: Can versioning be disabled?

Answer 17

No. Versioning can only be suspended so that versioning doesn’t continue for future objects.

Question 18

Video: 15. S3 Version Control

Question: Can you require MFA to delete a file/version?

Answer 18

Yes, S3 offers the capability to require MFA for delete capability.

Question 19

Video: S3 Lifecycle Management and Glacier

Questions: What is the point of Lifecycle Management?
Does it apply to versioning?

Answer 19

Lifecycle Management allows you to automate the movement S3 objects to different storage tiers.
YES. Can be applied to previous AND current versions.

Question 20

Video: S3 Lock Policies & Glacier Vault Lock [SAA-C02]

Question: What does S3 Object lock allow a user to do and what does WORM mean?

Answer 20

Object lock allows a user to lock an object for a fixed period of time or indefinitely. WORM stand for Write Once Read Many, meaning an object can be freely read but not updated after its been written.

Question 21

Video: S3 Lock Policies & Glacier Vault Lock [SAA-C02]

Questions: Is Object Lock only for objects or can they be applied bucket wide?
What is Glacier Vault Lock?

Answer 21

They can be applied to both buckets and objects.

Like Object Lock but for Glacier.

Question 22

Video: S3 Lock Policies & Glacier Vault Lock [SAA-C02]

Question: What are the two modes for Object Lock and what do they do?

Answer 22

Governance Mode - Only users with special permissions can edit, delete or alter the Object Lock settings of an object or bucket.
Compliance Mode - No one, not even the root user, can edit, delete or alter the Object Lock settings of an object or bucket until the retention period is over.

Question 23

Video: S3 Performance [SAA-C02]

Question: What is an S3 Prefix?

Answer 23

An S3 prefix is the part in the object path between the object name and bucket name.
Example: For mybucketname/folder1/subfolder3/myfile.jpg the prefix is folder1/subfolder3

Question 24

Video: S3 Performance [SAA-C02]

Question: How can you increase S3 performance?

Answer 24

Spread files out through multiple prefixes. S3 allows 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix. So more prefixes = more requests.

Question 25

Video: S3 Performance [SAA-C02]

Question: How does SSE-KMS affect S3 performance?

Answer 25

Uploading and downloading when using SSE-KMS is restricted by a quota. (Depending on region the quota is 5,500, 10,000, or 30,000 requests per second)

Question 26

Video: S3 Performance [SAA-C02]

Question: What is multipart upload and download?

Answer 26

Multipart upload splits the file into pieces and uploads them in parallel.
S3 allows this for files over 100MB and requires it for files over 5 GB.
Downloads are more granular and uses byte-range fetches to achieve multi-part download.

Question 27

Video: 19. S3 Select and Glacier Select [SAA-C02]

Question: What is S3 Select and Glacier Select

Answer 27

S3 Select is a feature of S3 that allows a user to retrieve data from an object without having to download it by using SQL expressions.
You can get the data by rows and columns and S3 Select will save money and time on data transfer.
S3 Glacier Select is the same thing but for Glacier.

Question 28

Video: 20. AWS Organizations [SAA-C02]

Question: What is AWS Organizations?

Answer 28

AWS Organizations allows a user to connect multiple AWS accounts under one root organizational account. So if you want finance/accounting as part of AWS you can restrict their access to something like EC2 using Service Control Policies.

Question 29

Video: 20. AWS Organizations [SAA-C02]

Question: In organizations what should be the paying account?
What is an organizational unit?

Answer 29

The root account; also the root account should not have resources deployed.
An organizational unit is like a group for AWS Organizations that you can apply Service Control Policies (SCP) to (give and take access)

Question 30

Video: 21. Sharing S3 Buckets Between Accounts [SAA-C02]

Question: What are the 3 different ways to share a bucket?

Answer 30

1. Using Bucket Policies and IAM. (Only allows programmatic access)
2. Using Bucket ACL’s and IAM. (Only allows programmatic access)
3. Using Cross Account IAM Roles. (Allows programmatic AND console access)

Question 31

Video: Cross Region Replication

Questions: What is cross region replication?
Are existing objects replicated when its turned on?

Answer 31

Cross region replication allows you to replicate objects from one bucket into another as they’re created.
Existing objects are NOT replicated, only subsequently updated files and new files are replicated automatically.

Question 32

Video: Cross Region Replication

Questions: Does versioning have to be enabled?
Are delete markers and deleting individual versions replicated?

Answer 32

Yes, on both buckets.

No.

Question 33

Video: 23. S3 Transfer Acceleration

Question: What is S3 transfer acceleration?

Answer 33

S3 transfer acceleration provides users with faster upload times for S3 buckets (in other regions) by utilizing the CloudFront Edge Network.
Example URL: yourbucketname.s3-accelerate.amazonaws.com

Question 34

Video: 24. DataSync Overview [SAA-C02]

Question: What is DataSync and some facts about it?

Answer 34

DataSync allows a user to move large amounts of data to and from AWS resources (usually from on-premises to AWS).

• Used with NFS- and SMB-compatible file systems
• Replication can be done hourly, daily, or weekly
• You Install the DataSync Agent to start the replication
• Can be used to replicate from EFS to EFS (completely within AWS)

Question 35

Video: 25. CloudFront Overview

Question: Define/explain the following terms:
CDN, Edge Location, Origin, Distribution, Web Distribution, RTMP

Answer 35

CDN - content delivery network (what CloudFront is)
Edge Location - A server closer to a user where content will be cached
Origin - Origin of the files that the CDN will distribute from AWS resources (i.e. S3, EC2, etc.)
Distribution - A CDN that consists of a collection of Edge Locations
Web distribution - Typically used for Websites
RTMP - Used for Media Streaming

Question 36

Video: 25. CloudFront Overview

Questions: How long will cached objects last in an edge location?
Can you INVALIDATE(clear) cached objects?

Answer 36

NOTE: Edge Locations are not READ only, you can write to them (like we did with transfer acceleration)

Cached objects will remain cached for the TTL (time to live) set by the person delivering the content.
Cached objects CAN be INVALIDATED(cleared) but you will be charged.
EXAMPLE: You want to upload a new video but an old video is cached, you can clear the cache so users get the new video BUT you WILL BE CHARGED.

Question 37

Video: CloudFront Signed URL’s and Cookies [SAA-C02]

Questions: When would you use a signed URL/cookie?
What is the difference between a signed URL and cookie?
What is the difference between CloudFront and S3 signed URL?

Answer 37

Use a signed URL/cookie when you want to secure content so that only authorized users are able to access it.

Signed URL = access to 1 individual file
Signed cookie = access to multiple files

Very simplified just issues a request as the IAM user who creates the URL (have all their permissions) and it lasts for a limited lifetime. (In cases where you’re not using CloudFront and people have direct access to S3)

Question 38

Video: 28. Snowball Overview

Questions: What is Snowball?
What is Snowball Edge?
What is Snowmobile?

Answer 38

Snowball [50TB or 80TB] is physical data transport solution, AWS sends a snowball and the user uploads to the snowball instead of directly to S3 and the snowball will get sent back to AWS for the data to be uploaded. (Snowball can upload AND download to and from S3)

Snowball Edge [100TB] is the same thing as snowball but it also has compute capabilities.

Snowmobile [100PB] is the same thing as snowball but is a massive trailer pulled by a semi-truck.