IAM & S3

Question 1

Users

Answer 1

End users such as people, employees of an organization, etc.

Question 2

Groups

Answer 2

A collection of users. Each user in the group will inherit the permissions of the groups.

Question 3

Policies

Answer 3

Policies are made up of documents, called Policy documents. These documents are in a format called JSON and they give permissions as to what a User/Group/Role is able to do.

Question 4

Roles

Answer 4

You can create roles and then assign them to AWS Resources.

Question 5

S3 File size

Answer 5

0 to 5 TB

Question 6

What is the HTTP code for a successful upload to to S3?

Answer 6

HTTP 200

Question 7

What do S3 Objects consist of?

Answer 7

1. A key, value pair key = name of the object value = bytes 2. Version ID 3. Metadata - data about data you’re storing 4. Subresources; Access Control Lists Torrent

Question 8

How does data consistense work for S3?

Answer 8

1. Read after Write consistency for PUTS of new Objects. Meaning you can see something immediatly after you post it. 2. Eventual Consistency for overwrite PUTS and DELETES (can take some time to propagate). Meaning changes or deletions can take some time to reflect.

Question 9

S3 Standard

Answer 9

• 99.99% availabliity - 99. 11 9s durability. - stored redundantly across multiple devices in multiple facilities, and is designed to sustain to loss of 2 facilities concurrently. * milliseconds

Question 10

S3 - IA (Infequently Accessed)

Answer 10

For data that is accessed less frequently, but requires rapid access when needed. Lower fee than S3, but you are charged a retrieval fee. * milliseconds

Question 11

S3 - One Zone - IA

Answer 11

For when you want a lower-cost option for infrequently accessed data, but do not require the multiple Availability Zone data resilience. * milliseconds

Question 12

S3 - Intelligent Tiering

Answer 12

Designed to optimize costs by automatically moving data to the most cost effective access tier, without performance impact or operation overhead. * milliseconds

Question 13

S3 Glacier

Answer 13

S3 Glacier is a secure, durable, and low-cost storage class for data archiving. You can reliably store any amount of data at costs that are competative with or cheaper than on-premises solutions. Retrieval times configurable from minutes to hours * minutes to hours retrieval time.

Question 14

S3 Glacier Deep Archive

Answer 14

S3 Glacier Deep Archive is Amazon S3’s lowest-cost storage class where a retrieval time of 12 hours is acceptable. * 12+ hours retrieval times. * hours

Question 15

How are you charged for S3?

Answer 15

• Storage - Requests - Storage Management Pricing - Data Transfer Pricing - Transfer Acceleration - Cross Region Replication

Question 16

True of False. All S3 buckets are private by default.

Answer 16

True

Question 17

How is encryption in transit achieved for S3?

Answer 17

SSL/TLS

Question 18

How is encryption at rest achieved for S3?

Answer 18

• S3 Managed Keys - SSE-S3 (Managed by Amazon) - AWS Key Management Service, Managed Keys - SSE-KMS (Managed by you and Amazon) - Server Side Encryption with Customer Provided Keys - SSE-C 1*. Server Side Encryption-S3 (S3) [Amazon] 2*. Server Side Encryption-KMS (Key Management Service) [Shared - You & Amazon] 3. Server Side Encryption-C (Customer) [You] 4. Client Side Encryption - You upload encrypted files

Question 19

True of False. Once enabled, Versioning cannot be disabled, only suspended.

Answer 19

True

Question 20

What is MFA delete?

Answer 20

MFA delete is a capability that uses multi-factor authentication for deleting objects in S3. This provides an additional layer of security.

Question 21

If you have different version of the same document are they all visible if you make the object public?

Answer 21

No. You’d have to make each version of the document public.

Question 22

Where can you find Lifecycle rules?

Answer 22

In your S3 bucket under management.

Question 23

What is S3 Object Lock?

Answer 23

You can use S3 Object lock to store objects using write once, read many (WORM) model. It can help you prevent objects from being deleted or modified for a fixed amount of time or indefinitely.

Question 24

S3 Object Lock - Governance Mode

Answer 24

In governance mode, users can’t overwrite or delete an object version or alter its lock settings unless they have special permissions. With governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary.

Question 25

S3 Object Lock - Compliance Mode

Answer 25

In compliance mode, a protected object version can’t be overwritten or deleted by any user, including the root user in your AWS account. When an object is locked in compliance mode, its retention mode can’t be changed and its retention period can’t be shortened. Compliance mode ensures an object version can’t be overwritten or deleted for the duration of the retention period.

Question 26

S3 Object Lock - Legal Holds

Answer 26

S3 Object Lock also enables you to place a legal hold on an object version. Like a retention period. a legal hold prevents and object version from being overwritten or deleted. However, a legal hold doesn’t have an associated retention period and remains in effect until removed. Legal holds can be freely place and removed by any user who has the s3:PutObjectLegalHold permission.

Question 27

Glacier Vault Lock

Answer 27

S3 Glacier Vault Lock allows you to easily deploy and enforce compliance controls for individual S3 Glacier vaults with a Vault Lock policy. You can specify controls, such as WORM, in a Vault Lock policy and lock the policy from future edits. Once locked, the policy can no longer be changed.

Question 28

What can you use S3 Object Lock for?

Answer 28

To store objects using a write once, read many (WORM) model.

Question 29

True of False. Object locks can be on individual objects or applied across the bucket as a whole.

Answer 29

True.

Question 30

What are the two modes of governance of Object Lock?

Answer 30

Governance Mode and Compliance Mode.

Question 31

What are S3 prefixes?

Answer 31

directories and sub-directories

Question 32

What is S3 Select?

Answer 32

S3 Select enables applications to retrieve only a subset of data from an object by using simple SQL expressions. By using S3 Select to retrieve only the data needed by your application, you can achieve drastic performance increases – in many cases, you can get as much as 400% improvement.

Question 33

What is Glacier Select?

Answer 33

Some companies in highly regulated industries – e.g. financial services, healthcare, and others – write data directrly to Amazon Glacier to satisfy compliance needs like SEC Rules or HIPPA. Many S3 users have lifecycle policies designed to save on storage costs by moving their data into Glacier when they no longer need to access it on a regular basis.

Question 34

What is AWS Organizations?

Answer 34

AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.

Question 35

What are the advantages of Consolidate Billing?

Answer 35

• One bill per AWS account - Very easy to track charges and allocate costs - Volume pricing discount

Question 36

What are the 3 different ways to share S3 Buckets across accounts?

Answer 36

• Using Bucket Policies & IAM (applies across the entire bucket) Programmatic access only - Using Bucket ACLs & IAM (individual objects). Programmatic Access Only. - Cross-account IAM Roles. Programmatic AND Console access.

Question 37

True or False Versioning must be enabled on both the source and destination buckets for replication to work.

Answer 37

True

Question 38

True or False Files in an existing bucket are not replicated automatically.

Answer 38

True

Question 39

T/F. All subsequent files will be replicated automatically.

Answer 39

True

Question 40

Are delete markers replicated across S3 Buckets?

Answer 40

No.

Question 41

Are deleted individual versions markers replicated?

Answer 41

No.

Question 42

Cross Region Replication is at a ___ level.

Answer 42

high

Question 43

What is S3 Transfer Acceleration

Answer 43

S3 Transfer Acceleration utilises the CloudFront Edge Network to accelerate your uploads to S3.

Question 44

AWS DataSync (THINK: moving data from on premises to AWS)

Answer 44

• used to move large amounts of data from on-premesis to AWS - Used with NFS and SMB compatible file systems. - Replication can be done hourly, daily, weekly - Install the DataSync agent to start the replication - Can be used to replicate EFS to EFS

Question 45

Edge Location

Answer 45

• Where content will be cached.

Question 46

Origin

Answer 46

This is the origin of all the files that the CDN will distribute. This can be either: - an S3 Bucket - an EC2 Instance - Elastic Load Balancer - Route 53

Question 47

Web Distribution

Answer 47

Typically used for Web Sites.

Question 48

RTMP Distribution

Answer 48

Used for media Streaming

Question 49

T or F Edge location are READ ONLY.

Answer 49

False. You can write to edge locations as well.

Question 50

a signed URL is for…

Answer 50

individual files.

Question 51

a signed cookie is for…

Answer 51

multiple files.

Question 52

use signed URLs/Cookies when….

Answer 52

you want to secure content so that only the people you authorize are able to access it.

Question 53

What is snowball

Answer 53

a petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of AWS.

Question 54

What is Snowmobile?

Answer 54

an Exabyte-scale data transfer service used to move extremely large amounts of data to AWS. You can transfer up to 100PB per Snowmobile, a 45 goot long ruggedized shipping container, pulled by a semi-trailer truck.

Question 55

What is Storage Gateway

Answer 55

AWS Storage Gateway is a service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization’s on-premises IT environment and AWS’s storage infrastructure. The service enables you to securely store data to the AWS cloud for scalable and cost-effective storage.

Question 56

Name 3 types of Storage Gateways

Answer 56

• File Gateway (NFS & SMB) - Volume Gateway (iSCSI) - store volumes - cached volumes - Tape Gateway - (Virtual Tape Library)

Question 57

File Gateway

Answer 57

Question 58

Volume Gateway

Answer 58

Question 59

Tape Gateway

Answer 59

Question 60

What is Athena

Answer 60

Interactive query service which enables you to analyse and query data located in S3 using standard SQL

• Serverless, nothing to provision, pay per query / per TB scanned.
• No need to set up complex ETL processes
• Works directly with data stored in S3

Question 61

What is Macie

Answer 61

A security service which uses Machine Learning and Natural Language Programming to discover, classify and protect sensitive data stored in S3.