IAM & S3 Flashcards
Are credentials region centric in IAM, when created?
No, they are universal
Are delete markers replicated
Yes
Are deletions (delete markers) replicated in Cross Region Replication?
Yes
Are edge location read only?
No, you can write and it will replicate to origin
Are Edge locations writable?
Yes
Are IAM configurations global or regional?
Global
Are lifecycle rules available only for the current version?
No. Lifecycle rules are also available for previous versions.
Are S3 buckets by default public or private?
By default, all newly created buckets are private (and also all objects stored inside them)
Are the Access Key ID/Secret Access Key like a password?
No, you cannot use the Access Key ID/Secret Access Key to login to the AWS Console. You can use this to access AWS via the APIs and Command Line however.
Are the deletions of delete markers replicated in Cross Region Replication?
No
Are the deletions of individual versions replicated in Cross Region Replication?
No
By default, are all buckets public?
No
By default, when you create a new user in the IAM console, what level of access do they have?
No access to any AWS service
Can versioning on S3 be disabled?
No. It can only be suspended
Can Cross Region Replication be used between buckets of the same region?
No
Can Cross Region Replication be used to replicate to multiple buckets or use daisy chaining?
No
Can folders in S3 be tagged?
No. Folders don’t really exist on S3. In Amazon S3, buckets and objects are the primary resources, where objects are stored in buckets. Amazon S3 has a flat structure with no hierarchy like you would see in a file system. However, for the sake of organizational simplicity, the Amazon S3 console supports the folder concept as a means of grouping objects. Amazon S3 does this by using a shared name prefix for objects (that is, objects that have names that begin with a common string). Object names are also referred to as key names. For example, you can create a folder in the console called photos, and store an object named myphoto.jpg in it. The object is then stored with the key name photos/myphoto.jpg, where photos/ is the prefix.
Can lifecycle policies capture versions also?
Yes
Can S3 be used to host static websites?
Yes (serverless, very cheap, scales automatically, no dynamic site hosting)
Can you clear data from edge cache?
Yes, but at a cost
Can you configure multiple bucket replication?
No
Can you create and customize your own password rotation policies?
Yes
Can you have two buckets with the same name?
No. S3 is a universal namespace and names must be globally unique
Can you install a DB in S3?
No. It's object-based, not block-based
Can you log in to the AWS web console using the Access Key Id and Secret Access Key?
No. You must generate a password for the user and supply the user with this password, as well as the unique link to sign in to the AWS console.
Data consistency model of Amazon S3
Amazon S3 buckets in all Regions provide read-after-write consistency for PUTS of new objects and eventual consistency for overwrite PUTS and DELETES.
Describe the S3 consistency model
Read-after-write consistency for PUTS of new objects
Eventual consistency for overwrite PUTS and DELETES
Do I need to know the final object size in advance to use Multipart Upload?
No. With Multipart Upload you can begin an upload before you know the final object size - You can upload an object as you are creating it.
Do objects within the bucket inherit the bucket tags?
No
Do you need versioning enabled to use a lifecycle policy?
No
Does an edge location have to be in a defined region?
No
Does Multipart Upload deliver improved throughput?
Yes. You can upload parts in parallel to improve throughput.
Does Multipart Upload deliver quick recovery from network issues?
Yes. Smaller part size minimizes the impact of restarting a failed upload due to a network error.
Does Multipart Upload deliver the ability to append data into an open data file?
No
Does Multipart Upload deliver the ability to pause and resume object uploads?
“Yes”. You can upload object parts over time. Once you initiate a multipart upload there is no expiry; you must explicitly complete or abort the multipart upload. Then, “pause and resume object uploads” means “pausing in between parts” (but you would need to implement this manually).
Is versioning required for Lifecycle rules?
No. Lifecycle rules can be used in conjunction with versioning, but versioning is not required
Glacier Expedited Retrievals retrieval time
1-5 minutes (for a flat rate of $0.03 per GB retrieved)
Groups
A way to group our users and apply policies to them collectively
How am I charged for accessing Amazon S3 through the AWS Management Console?
Normal Amazon S3 pricing applies when accessing the service through the AWS Management Console.
How am I charged for using Versioning?
Normal Amazon S3 rates apply for every version of an object stored or requested.
How can I delete large numbers of objects?
You can use Multi-Object Delete to delete large numbers of objects from Amazon S3. This feature allows you to send multiple object keys in a single request to speed up your deletes. Amazon does not charge you for using Multi-Object Delete.
How can you audit the access to S3 resources?
S3 buckets can be configured to create access logs which log all requests made to the S3 bucket. This can be done to another bucket (even in another AWS account)
How can you setup access control to a bucket?
Using:
Bucket policies
Access control lists
How do you secure S3 buckets?
Bucket policies and S3
How does Gateway Virtual Tape Library work?
Virtual tape infrastructure to replace physical tapes
How does Volume Gateway/Cached Volumes work?
Entire dataset is stored on S3 and the most frequently accessed data is cached on site
How does Volume Gateway/Stored Volumes work?
Entire dataset is stored on site and is asynchronously backed up to S3
How is the AWS Storage Gateway software distributed?
It is available for download as a VM image that you install on a host in your datacenter (VMware ESXi or Microsoft Hyper-V).
How is S3 data encrypted in transit?
SSL/TLS
How many S3 buckets can be created in an account by default?
100
How many times can you view the Access Key ID/Secret Access Key when created?
Once. If you lose them, you have to regenerate them, so save them in a secure location.
How much time is needed to restore from Glacier?
Between 3 and 5 hours
How to control access to buckets?
ACL, bucket policy
IAM consists of:
Users, Groups, Roles, Policy Documents
In what language are policy documents written?
JSON
Is S3 object or block based storage?
Object
Is S3 object or block based?
S3 is object based
Is S3 versioning incremental?
No. Stores all versions of an object.
Is there a hard limit of PUT/POST/DELETE per second in S3? What’s an expected “limit” for PUT/POST/DELETEs and GETs per second in S3?
There’s no hard limit (there was a hard limit of 100 PUTs per second until 2018). Your application can achieve at least 3,500 PUT/POST/DELETE and 5,500 GET requests per second per prefix in a bucket. There are no limits to the number of prefixes in a bucket. It is simple to increase your read or write performance exponentially. For example, if you create 10 prefixes in an Amazon S3 bucket to parallelize reads, you could scale your read performance to 55,000 read requests per second.
Objects in the distribution are cached for the life of what?
TTL
One way to copy the contents of a bucket to another?
Using the CLI: aws s3 cp --recursive s3://src s3://dst
Policy documents are written in
JSON, represented by a key-value pair
Power User access allows….
Access to all AWS services except for management of groups and users within IAM.
S3 durability
99.999999999% (11 x 9s) (Legacy S3-RRS was 99.99%)
S3 EC2 instances, ELB or R53 can all be what in relation to Cloudfront?
Origins
S3 min and max file size?
0-5TB
S3 storage class for a scenario requiring maximum durability and minimum cost? S3 Standard, S3 One Zone-IA or S3 RRS?
S3 One Zone-IA. It has the same durability as S3 Standard (but reduced availability), and RRS is deprecated (and more expensive).
S3 storage class for a scenario requiring minimum cost and immediate access, where it does not matter if some objects are lost. S3 RRS, S3 IA or Glacier?
S3 IA. Legacy S3-RRS is the most expensive one now and is deprecated. Glacier is not intended for direct access.
Scope of the S3 buckets names
Bucket names must be unique globally.
Should you set up MFA on your root account?
ALWAYS!
Storage limit in S3
There is unlimited storage in S3
True or false: A new bucket is publicly available and permissions are wide open.
False
True or false: Newly created buckets are private
True
True or false: You can replicate buckets in the same region
False
Using SAML you can give your federated users SSO access to the AWS Management Console (true or false)
True
What actions can be done with Lifecycle Rules?
Transition to Standard-IA
Transition to One Zone-IA
Archive to Glacier
Permanently delete
What are Amazon S3 event notifications?
Amazon S3 event notifications can be sent in response to actions in Amazon S3 like PUTs, POSTs, COPYs, or DELETEs. Notification messages can be sent through either Amazon SNS, Amazon SQS, or directly to AWS Lambda.
What are IAM groups?
A collection of users under a set of permissions
What are IAM roles?
IAM roles are a secure way to grant permissions to entities that you trust, such as:
An IAM user in another account
Application code running on an EC2 instance that needs to perform actions on AWS resources
Etc.
What are new users assigned when first created?
Access Key ID, Secret Access Key
What are the attributes of S3 versioning?
Stores all versions
Great for backups
Versioning cannot be disabled, only suspended
Integrates with lifecycle rules
MFA delete provides an additional layer of security
What are the characteristics of cached volume gateway service?
Caches frequently accessed data on-site
Minimizes on-prem storage
Max 32 TB
iSCSI
Stored in S3
What are the characteristics of Snowball Edge?
100 TB
Contains compute as well as storage
What are the characteristics of Snowmobile?
45-foot container
100 PB storage
What are the characteristics of tape gateway?
Leverages existing tape backup
Preconfigured media changer and tape drives
What are the characteristics of the file gateway service?
VM deployed onsite
Files stored as objects in S3 buckets
Permissions are stored in the S3 user-metadata of the object
Objects can be managed like any other S3 object
What are the characteristics of the Snowball service?
Disk appliance
80 TB max
What are the characteristics of the stored volume gateway service?
VM deployed onsite
On-prem virtual disk that backs up to AWS
Presents an application with disk volumes
iSCSI block-based storage
Uses on-prem storage
Can be synchronously backed up with snapshots and stored on EBS
What are the core fundamentals of S3?
Key (name)
Value (data)
Version ID (metadata)
Metadata
Subresources - ACL and torrent
What are the costs associated with S3?
Storage
Requests
Storage Management Pricing (tags)
Data Transfer Pricing (on cross-region replication)
Transfer Acceleration (using CloudFront)
What are the file size limits in S3?
Files can be from 0 bytes to 5 TB.
What are the five types of storage gateways?
File gateway (NFS)
Volume gateway (iSCSI): stored volumes, cached volumes
VTL gateway (VTL)
What are the key components of CloudFront?
Edge locations
Origin
Distributions
What are the possible configurations on an S3 object?
Details: storage class, server-side encryption
Permissions
Metadata
Tags
What are the S3 object permissions?
Owner
Accounts
Public
What are the S3 tiers?
S3 Standard
S3 - IA
S3 One Zone -IA
S3 - Intelligent Tiering
S3 - Glacier
S3 - Glacier Deep Archive
What are the security features of a Snowball?
256-bit encryption
TPM ensures security and chain of custody
What are the three types of server-side encryption at rest?
S3 managed keys - SSE-S3
AWS Key Management - SSE-KMS
Server-side encryption with customer-provided keys - SSE-C
Client-side encryption
What are the three types of Snowballs?
Snowball
Snowball Edge
Snowmobile
What are the two types of CloudFront distributions?
Web and RTMP
What are the two types of volume gateways?
stored volumes and cached volumes
What are the types of AWS Storage Gateway?
File Gateway
Volume Gateway - Stored Volumes
Volume Gateway - Cached Volumes
Gateway Virtual Tape Library (VTL)
What are the types of distributions?
Web and RTMP
What are the use cases for Snowball Edge?
Import/export
Temporary storage or support for workloads in remote sites
What are you asked when creating a bucket?
Bucket name, region, etc.
What AWS service would be best for a static website?
S3
What can versioning integrate with to provide enhanced data protection?
lifecycle rules
What can you use to secure buckets?
Bucket policies and ACLs
What determines the time data will live in the edge location?
TTL
What do I have to take into account if I plan to use S3 static website hosting with Route53?
The bucket name must equal the domain name.
What does a CDN do?
It stores and delivers data to users based on geographic location to ensure reduced latency
What does read after write consistency mean?
The file is available immediately after writing
What does S3 stand for?
Simple Storage Service
What encryption does SSE-S3 (S3 managed keys) use?
AES256
What encryption methods are supported for “in transfer” S3 resources?
SSL/TLS
What encryption methods are supported for the Server Side Encryption (“at rest”) of S3 resources?
SSE-S3 (Managed keys) SSE-KMS (Key Management Service) SSE-C (Customer Provided Keys)
What happens when an item is written to an edge location?
It is sent to the origin
What import/export destinations/sources are supported by Snowball?
Import to S3
Export from S3
What is a distribution made up of?
Edge locations
What is a distribution?
A collection of edge locations
What is an additional way to secure IAM for both the root login and new users alike?
Implement MFA (multi factor authentication) for all accounts
What is an alternative to upload big objects to S3 apart from a single PUT?
The Multipart Upload API
What is an edge location?
A location where content will be cached
What is an origin?
Data source: S3 bucket, EC2 instance or ELB
What is an S3 lifecycle policy?
A mechanism to transition data to tiered storage.
What is AWS Storage Gateway?
AWS Storage Gateway is a service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between your on-premises IT environment and the AWS storage infrastructure in the cloud.
What is AWS Storage Gateway?
A software service that connects on-prem storage to AWS cloud storage
What is client side encryption?
Data is encrypted then uploaded to S3
What is CloudFront?
It is a CDN (content delivery network)
What is one of the formats of the S3 objects URL?
https://s3-[region].amazonaws.com/[bucketName]
What is required for Cross Region Replication?
Versioning enabled on the source and target buckets
What is required to enable cross region replication?
Versioning on both sides
Unique regions
What is RTMP used for?
Media streaming
What is S3 acceleration?
Leverages CloudFront edge locations to accelerate S3 uploads, using a distinct URL
What is S3 Transfer Acceleration?
Instead of uploading directly to your S3 bucket, you can use a distinct URL to upload directly to an Edge Location which will then transfer the file to S3
What is S3 versioning?
Stores all versions of an object (including writes and deletes)
What is Snowball?
AWS Import/Export service
What is the consistency for overwrite of PUTS and deletes for S3?
Eventual consistency
What is the consistency of PUTS for S3?
Read-after-write consistency
What is the guaranteed durability of S3?
99.999999999%
What is the HTTP PUT size limit in S3?
5 GB
What is the max size for cached volume gateway storage?
32 TB
What is the minimum file size eligible for transition?
128 KB
What is the max size of stored volumes?
16 TB
What is the proper format for an S3 bucket URL?
https://s3-[region].amazonaws.com/[bucketname]
What is the S3 availability SLA?
99.9%
What is the S3 bucket url format?
[region].amazonaws.com/[bucket name]
What level of access does the root account have? (Read only, Power user, Administrator or No access)
Administrator access
What S3 class is lowest cost and does not have redundancy?
S3 One Zone-IA
Which S3 class charges a retrieval fee?
S3 IA
What service will provide an HTTP 200 status code, and when?
S3 when uploading files
What service utilizes the edge network to accelerate uploads to S3?
S3 Transfer Acceleration
What Snowball version has compute services?
Snowball Edge
What storage solution would you use for data archive?
Glacier
What type of in transit encryption does S3 use?
SSL/TLS
What type of locations cache content in CloudFront?
Edge locations
What type of storage gateway would you use for file storage?
File gateway
What type of storage gateway would you use for installing an OS?
Volume gateway (iSCSI)
What types of Snowball exist?
Snowball Snowball Edge (with computing capabilities) Snowmobile (truck)
What was AWS Import/Export Disk? (deprecated)
An Import/Export service where the customer sent their disks to AWS in order to:
Import to EBS
Import to S3
Import to Glacier
Export from S3
What would you use volume gateway for?
Block-based storage
What’s an additional security measure to prevent accidental deletions of S3 objects?
Versioning’s MFA delete capability
What’s the HTTP status code for a successful S3 write?
HTTP 200 OK
When can an object be transferred to Glacier with Lifecycle rules?
30 days after IA (Standard or One Zone) or 1 day after created (if not IA)
When can an object be transferred to IA (Standard or One Zone) with Lifecycle rules?
30 days after the creation date
When editing permissions (policies and ACLs), to whom does the concept of the “Owner” refer?
The “Owner” refers to the identity and email address used to create the AWS account.
When is the root account created and what access does it have?
The root account is created when you first set up your AWS account. It has complete admin access
When performing cross region replication are delete markers replicated?
Yes
When performing cross region replication, are files that existed in the bucket before replication was configured replicated?
No
When users are first created, they have
NO permissions
When would you use file gateway?
For flat files
When you activate Cross Region Replication, are existing objects replicated?
No. Existing objects will not be replicated. Cross-Region Replication replicates every future upload of every object to another bucket.
Which is the URL format for S3 static website hosting?
http://s3-[region].amazonaws.com/bucketname
Which storage gateway service retains 100% of all data onsite?
Stored volume gateway
Will deleted individual version or delete markers be replicated?
No
Will you be charged to clear objects in a cloudfront distribution?
Yes
You delete an object in a bucket. Will that deletion marker in versioning be replicated?
Yes
You have an S3 bucket and want to provide an additional layer of protection from accidental deletion?
MFA delete
You have just setup a lifecycle policy. You notice not all files were transitioned to the next tier. Why?
The file's creation date must be older than 30 days and the file larger than 128 KB
You manually copy over items from one bucket to another. Items at the source were publicly available, but are not at the destination. Why?
The object is copied, but its permissions are not.
You need a storage gateway but have limited disk space on-prem, but need to ensure any frequently requested data is readily available. Which storage gateway should you use?
cached volumes
You need a storage gateway that will ensure all data that may be required is readily available. Which would you choose?
stored volumes
You need to ensure encryption is enabled on your S3 bucket. Governance has indicated it is required to capture an audit trail of all encrypts and decrypts with the key. What type of encryption would you recommend?
AWS Key mgmt - SSE-KMS
You need to ensure encryption is enabled on your S3 bucket. You want to use an existing key. What type of encryption would you recommend?
AWS Key mgmt - SSE-KMS
You need to ensure encryption is enabled on your S3 bucket. You want to manage the keys yourself. What type of encryption would you recommend?
Server-side encryption with customer-provided keys - SSE-C
You want to ensure auditing of your buckets is enabled but are concerned the logs will take up too much space. Can the logs be redirected to another bucket?
Yes
You’ve deleted an object in your source bucket. You observe this activity replicated to the destination bucket. You then go into versioning and delete the deletion marker. Will this change be replicated?
No
You’ve enabled bucket cross-region replication. There are existing files there and you add some new files. When you check the destination, only the new files are present. Why?
Existing files on the source are not replicated after replication is enabled. Only new or changed files will be present at the destination
You’ve enabled versioning. Can it be disabled?
No, only suspended
You work for a major news network in Europe. They have just released a new mobile app that allows users to post their photos of newsworthy events in real time. Your organization expects this app to grow very quickly, essentially doubling its user base each month. The app uses S3 to store the images, and you are expecting sudden and sizable increases in traffic to S3 when a major news event takes place (as users will be uploading large amounts of content.) You need to keep your storage costs to a minimum, and it does not matter if some objects are lost. With these factors in mind, which storage media should you use to keep costs as low as possible?
S3 - One Zone-Infrequent Access
The key driver here is cost, so an awareness of cost is necessary to answer this. Full S3 is quite expensive at around $0.023 per GB for the lowest band. S3 Standard-IA is $0.0125 per GB, S3 One Zone-IA is $0.01 per GB, and Legacy S3-RRS is around $0.024 per GB for the lowest band. Of the offered solutions, S3 One Zone-IA is the cheapest suitable option. Glacier cannot be considered as it is not intended for direct access; however, it comes in at around $0.004 per GB. Of course you spotted that RRS is being deprecated, and there is no such thing as S3 - Provisioned IOPS. Further information: https://aws.amazon.com/s3/pricing/ and https://aws.amazon.com/s3/reduced-redundancy/
You run a meme creation website that stores the original images in S3 and each meme’s meta data in DynamoDB. You need to decide upon a low-cost storage option for the memes, themselves. If a meme object is unavailable or lost, a Lambda function will automatically recreate it using the original file from S3 and the metadata from DynamoDB. Which storage solution should you use to store the non-critical, easily reproducible memes in the most cost effective way?
S3 One Zone-IA is the recommended storage when you want cheaper storage for infrequently accessed objects. It has the same durability but less availability. There can be cost implications if you use it frequently or use it for short-lived storage. Glacier is cheaper, but has a long retrieval time. RRS has effectively been deprecated. It still exists but is not a service that AWS wants to sell anymore. Further information: https://aws.amazon.com/s3/faqs/?nc=sn&loc=6 and https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html
What is the availability of S3 One Zone-IA?
One Zone-IA is only stored in one Availability Zone. While it has the same durability, it may be less available than normal S3 or S3-IA. Further information: https://aws.amazon.com/s3/storage-classes/?nc=sn&loc=3
You work for a health insurance company that amasses a large number of patients’ health records. Each record will be used once when assessing a customer, and will then need to be securely stored for a period of 7 years. In some rare cases, you may need to retrieve this data within 24 hours of a claim being lodged. Given these requirements, which type of AWS storage would deliver the least expensive solution?
The recovery rate is a key decider. The record storage must be safe, durable and low cost, and the recovery can be slow. All are features of Glacier. Further information: https://aws.amazon.com/s3/faqs/?nc=sn&loc=6 and https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html
Which of the following options allows users to have secure access to private files located in S3? (Choose 3)
CloudFront Signed URLs
CloudFront Origin Access Identity
CloudFront Signed Cookies
You work for a busy digital marketing company who currently store their data on premises. They are looking to migrate to AWS S3 and to store their data in buckets. Each bucket will be named after their individual customers, followed by a random series of letters and numbers. Once written to S3 the data is rarely changed, as it has already been sent to the end customer for them to use as they see fit. However, on some occasions customers may need certain files updated quickly, and this may be for work that was done months or even years ago. You would need to be able to access this data immediately to make changes in that case, but you must also keep your storage costs extremely low. The data is not easily reproducible if lost. Which S3 storage class should you choose to minimize costs and to maximize retrieval times?
S3 - IA
The need for immediate access is an important requirement along with cost. Glacier has a long recovery time at a low cost or a shorter recovery time at a high cost, and 1Zone-IA has a lower availability level, which means that it may not be available when needed. Further information: https://aws.amazon.com/s3/storage-classes/?nc=sn&loc=3, https://aws.amazon.com/blogs/aws/aws-storage-update-new-lower-cost-s3-storage-option-glacier-price-reduction/ and http://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html