Question5 Flashcards
A company needs to close a data center and must migrate data to AWS urgently. The data center has a 1 Gbps internet connection and a 500 Mbps AWS Direct Connect link. The company must transfer 25 TB of data from the data center to an Amazon S3 bucket.
What is the FASTEST method of transferring the data?
• Upload the data to the S3 bucket using S3 Transfer Acceleration.
• Copy the data to an 80 TB AWS Snowball device.
• Use the AWS Direct Connect link to upload the data to S3.
• Use AWS DataSync to migrate the data to S3.
• Upload the data to the S3 bucket using S3 Transfer Acceleration. (Correct)
Explanation
The fastest way to upload the data is to use the higher-speed (1 Gbps) internet connection together with Amazon S3 Transfer Acceleration.
Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket. Transfer Acceleration takes advantage of Amazon CloudFront’s globally distributed edge locations. As the data arrives at an edge location, data is routed to Amazon S3 over an optimized network path.
CORRECT: "Upload the data to the S3 bucket using S3 Transfer Acceleration" is the correct answer.
INCORRECT: "Use the AWS Direct Connect link to upload the data to S3" is incorrect. The 500 Mbps Direct Connect link is half the speed of the 1 Gbps internet link. With Transfer Acceleration, latency over the internet path is also reduced, because the data is sent to the nearest edge location and then routed over the AWS global network.
INCORRECT: "Use AWS DataSync to migrate the data to S3" is incorrect. AWS DataSync is still bound by the bandwidth of the link it runs over and will not improve the speed in this case, whereas Transfer Acceleration will.
INCORRECT: "Copy the data to an 80 TB AWS Snowball device" is incorrect. With the internet link running at 1 Gbps, 25 TB takes roughly 2.3 days at line rate (25 TB × 8 bits per byte ÷ 1 Gbps ≈ 55.6 hours), so the data can be moved to AWS quickly. Shipping a Snowball device to the data center and back will likely take longer.
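As an added example (not part of the original flashcard), the script below puts numbers on the comparison above and shows the upload path the answer describes: enabling Transfer Acceleration on the bucket and uploading through the accelerate endpoint with a parallel multipart upload via boto3. The 80% link-efficiency figure, the one-week Snowball round trip, the bucket name and the local path are assumptions for illustration, not figures from the page or from AWS.

```python
"""Transfer-time estimates for the options in the question, plus an upload
through S3 Transfer Acceleration. Added example, not from the flashcard.

Assumptions (not stated on the page): ~80% usable link efficiency, a
one-week Snowball shipping round trip, and made-up bucket/path names.
"""
from __future__ import annotations

TB_IN_BITS = 8 * 10**12  # 1 TB = 10^12 bytes (decimal units, as AWS bills them)


def estimate_hours(terabytes: float, link_mbps: float, efficiency: float = 1.0) -> float:
    """Hours to push `terabytes` over a `link_mbps` link running at the given
    fraction of line rate (1.0 = theoretical maximum)."""
    if link_mbps <= 0 or not 0 < efficiency <= 1:
        raise ValueError("link speed must be positive and efficiency in (0, 1]")
    seconds = terabytes * TB_IN_BITS / (link_mbps * 10**6 * efficiency)
    return seconds / 3600


def compare_options(terabytes: float = 25.0, efficiency: float = 0.8,
                    snowball_roundtrip_days: float = 7.0) -> dict[str, float]:
    """Hours for each option in the question. The Snowball figure is the local
    copy onto the device plus an assumed shipping round trip, not an AWS SLA."""
    local_copy = estimate_hours(terabytes, 1000, efficiency)
    return {
        "internet_1gbps": estimate_hours(terabytes, 1000, efficiency),
        "direct_connect_500mbps": estimate_hours(terabytes, 500, efficiency),
        "snowball_80tb": local_copy + snowball_roundtrip_days * 24,
    }


def fastest_option(**kwargs) -> str:
    """Name of the option with the lowest estimated hours."""
    hours = compare_options(**kwargs)
    return min(hours, key=hours.get)


def upload_accelerated(bucket: str, local_path: str, key: str, region: str = "us-east-1") -> None:
    """Enable Transfer Acceleration on the bucket, then upload via the
    accelerate endpoint using a threaded multipart upload. Needs AWS
    credentials and network access; boto3 is imported here so the estimate
    functions above run without it installed."""
    import boto3
    from boto3.s3.transfer import TransferConfig
    from botocore.config import Config

    # The accelerate endpoint only works with DNS-compliant bucket names
    # that contain no dots.
    if "." in bucket:
        raise ValueError("Transfer Acceleration does not support bucket names containing dots")

    control = boto3.client("s3", region_name=region)
    control.put_bucket_accelerate_configuration(
        Bucket=bucket, AccelerateConfiguration={"Status": "Enabled"}
    )
    # Route requests to <bucket>.s3-accelerate.amazonaws.com (still over TLS).
    accel = boto3.client(
        "s3", region_name=region, config=Config(s3={"use_accelerate_endpoint": True})
    )
    transfer_cfg = TransferConfig(
        multipart_threshold=64 * 1024 * 1024,   # parts of 64 MiB ...
        multipart_chunksize=64 * 1024 * 1024,
        max_concurrency=32,                     # ... uploaded 32 at a time
        use_threads=True,
    )
    # Server-side encryption with KMS is a chosen default here, not required
    # by the question.
    accel.upload_file(local_path, bucket, key, Config=transfer_cfg,
                      ExtraArgs={"ServerSideEncryption": "aws:kms"})


if __name__ == "__main__":
    for name, hours in compare_options().items():
        print(f"{name:24s} {hours:8.1f} h")
    print("fastest:", fastest_option())
```

Under these assumptions the 1 Gbps link finishes in about 69 hours and Direct Connect in about 139 hours, which is the ordering the explanation relies on. Since many large objects are uploaded in parallel in a real migration, the per-file `max_concurrency` should be tuned together with the number of concurrent files so the aggregate does not exceed what the 1 Gbps link can carry.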
References:
https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html
Save time with our exam-specific cheat sheets:
https://digitalcloud.training/certification-training/aws-certified-solutions-architect-professional/aws-storage/
An S3 endpoint has been created in an Amazon VPC. A staff member assumed an IAM role and attempted to download an object from a bucket using the endpoint. The staff member received the error message “403: Access Denied”. The bucket is encrypted using an AWS KMS key. A Solutions Architect has verified that the staff member assumed the correct IAM role and the role does allow the object to be downloaded. The bucket policy and NACL are also valid.
Which additional step should the Solutions Architect take to troubleshoot this issue?
• Verify that the IAM role has the correct trust relationship configured.
• Ensure that blocking all public access has not been enabled in the S3 bucket.
• Check that local firewall rules are not preventing access to the S3 endpoint.
• Verify that the IAM role has permission to decrypt the referenced KMS key.
• Verify that the IAM role has permission to decrypt the referenced KMS key. (Correct)
Explanation
If an IAM principal (here, the assumed role) can't access an object that it has full S3 permissions to, check whether the object is encrypted with an AWS KMS key (SSE-KMS). You can use the Amazon S3 console to view the object's properties, which include the object's encryption information. S3 calls KMS on behalf of the requesting principal, so a KMS permission failure comes back from S3 as "403: Access Denied" even though the bucket policy and the role's S3 permissions are correct.
If the object is KMS encrypted, make sure that the KMS key policy (or, where the key policy delegates to IAM, the role's IAM policy) grants the role the following actions. A download only exercises kms:Decrypt; the full set lets the role both read and write objects under the key:
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncrypt*"
- "kms:GenerateDataKey*"
- "kms:DescribeKey"
CORRECT: "Verify that the IAM role has permission to decrypt the referenced KMS key" is the correct answer.
INCORRECT: "Verify that the IAM role has the correct trust relationship configured" is incorrect. If the role's trust relationship were misconfigured, the user would not have been able to assume the role, and the question states that the user did assume it.
INCORRECT: "Ensure that blocking all public access has not been enabled in the S3 bucket" is incorrect. This is not a case of public access; the S3 bucket is being accessed using an IAM role whose permissions are set correctly, and Block Public Access does not affect such requests.
INCORRECT: "Check that local firewall rules are not preventing access to the S3 endpoint" is incorrect. The NACL is valid, and the "403: Access Denied" error is generated by S3 itself, which means the request reached S3 and was rejected. A firewall blocking the path to the endpoint would produce a connection failure or timeout, not an S3 403.
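As an added example (not part of the original flashcard), here is a constructed KMS key policy in the shape the console generates for a customer managed key, and a small checker that answers the troubleshooting question directly: does this key policy let the role the staff member assumed call kms:Decrypt? The account ID, role names and statement contents are made up for the example, and the checker deliberately ignores Condition blocks and IAM identity policies, reporting "delegated" when the outcome depends on them.

```python
"""Constructed KMS key policy and a checker for the S3 403 scenario.
Added example, not from the flashcard. All ARNs and IDs are made up."""
from __future__ import annotations

import fnmatch
import json

ACCOUNT = "111122223333"                                # assumed account ID
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/DataAnalyst"    # assumed: role the staff member assumed
OTHER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/Auditor"  # assumed: a role the policy does not name

# Constructed key policy. Statement 1 delegates to IAM policies in the key's
# own account; statement 2 is the explicit "key users" grant. The principal is
# the IAM role ARN, not an STS assumed-role session ARN: naming the role
# covers every session that assumes it.
KEY_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:role/DataAnalyst"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"}
  ]
}"""
KEY_POLICY = json.loads(KEY_POLICY_JSON)

# Concrete actions S3 needs on the key for SSE-KMS reads and writes
# (a GetObject exercises Decrypt only).
S3_KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
                  "kms:GenerateDataKey", "kms:DescribeKey"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt: dict) -> list[str]:
    """AWS principals named by a statement; "*" means everyone."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def key_policy_decision(policy: dict, principal_arn: str, action: str) -> str:
    """Classify what the key policy says about principal_arn calling action.

    'deny'      an explicit Deny names the principal (or "*")
    'allow'     an Allow names the principal directly (or "*")
    'delegated' only the account-root statement matches, so the outcome is
                decided by the role's IAM identity policy, not the key policy
    'none'      nothing matches (typical for a cross-account role)
    Statements carrying a Condition block are skipped, which is the
    conservative reading for a troubleshooting check.
    """
    account = principal_arn.split(":")[4]
    root_arn = f"arn:aws:iam::{account}:root"
    result = "none"
    for stmt in policy["Statement"]:
        if "Condition" in stmt:
            continue
        patterns = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
            continue
        principals = _principals(stmt)
        direct = principal_arn in principals or "*" in principals
        if stmt["Effect"] == "Deny" and direct:
            return "deny"                      # an explicit deny always wins
        if stmt["Effect"] == "Allow":
            if direct:
                result = "allow"
            elif root_arn in principals and result == "none":
                result = "delegated"
    return result


def diagnose(policy: dict, role_arn: str, actions=tuple(S3_KMS_ACTIONS)) -> dict[str, str]:
    """Decision per action. Anything other than 'allow' for kms:Decrypt is
    the first thing to chase for a 403 on GetObject of an SSE-KMS object."""
    return {a: key_policy_decision(policy, role_arn, a) for a in actions}


if __name__ == "__main__":
    for arn in (ROLE_ARN, OTHER_ROLE_ARN):
        print(arn, diagnose(KEY_POLICY, arn))
```

To run this against a real key, fetch the policy with `aws kms get-key-policy --key-id <key-id> --policy-name default --output text` and load it in place of `KEY_POLICY_JSON`. A "delegated" result is not a bug: it means the key policy trusts the account, and the next place to look is the role's identity policy. A "none" result for a role in another account means the key policy itself must be changed, because cross-account access to a KMS key needs a grant in both the key policy and the caller's IAM policy.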
References:
https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/
Save time with our exam-specific cheat sheets:
https://digitalcloud.training/certification-training/aws-certified-solutions-architect-professional/aws-security-identity-compliance/