S3 101 Flashcards

1
Q

S3

A

Simple Storage Service

2
Q

What is S3 for?

A

It’s AWS’s primary storage service. It provides secure, durable and highly scalable object storage.

3
Q

What are S3’s file size limits?

A

Files can range from 0 bytes to 5 TB

4
Q

Does S3 have storage limitations?

A

S3 has unlimited storage

5
Q

What is meant by “S3 is a universal namespace”?

A

S3 names must be unique globally

6
Q

What are objects?

A

An object is a file and any metadata that describes it

7
Q

What is the format of an object name?

A

A web address

8
Q

What do you get in return upon a successful load of an object to S3?

A

You receive an HTTP 200 code

9
Q

What is a Bucket?

A

It’s a root level folder you create in S3

10
Q

What are the structural requirements when creating a Bucket?

A

You must specify the Region where the bucket is to exist. Any objects loaded to the S3 bucket will be physically located in the data center in that Region

11
Q

What is a good practice when creating a bucket?

A

Choose a Region that is physically closest to you to reduce transfer latency

12
Q

What does an object consist of?

A
  1. Key (Name of the object)
  2. Value (data)
  3. Version ID (for versioning)
  4. Metadata
  5. Subresources
13
Q

What does a subresource consist of?

A
  1. Access Control List (ACL)
  2. Torrent

14
Q

What is Access Control List (ACL)?

A

Permissions of the object at Bucket or object level

15
Q

What is the data consistency model in S3?

A
  1. Read after write consistent for PUTS of new objects
  2. Eventual consistency for overwrite PUTS and DELETES

16
Q

What are S3 Guarantees?

A
  1. 99.99% S3 platform availability
  2. 99.9 availability
  3. 99.999999999% durability
17
Q

What are S3 features?

A
  1. Tiered Storage
  2. Lifecycle Management
  3. Versioning
  4. Encryption
  5. MFA Delete
  6. Secure data using ACLs and Bucket policies.
18
Q

S3 Storage Classes

A
  1. Standard
  2. Infrequent access (IA)
  3. One Zone IA
  4. Intelligent Tiering
  5. Glacier
  6. Archive Glacier
19
Q

S3 Standard

A
  1. Most expensive
  2. 99.99 availability
  3. 99.999999999 durability
  4. Redundant storage across multiple facilities and devices
  5. Able to sustain the loss of facilities concurrently
20
Q

S3 Infrequent Access

A
  1. For data that is accessed less frequently but requires rapid access
  2. Lower fees than standard
  3. Charged a retrieval fee
21
Q

S3 One Zone Infrequent Access

A
  1. Lower cost than IA
  2. No redundant data storage

22
Q

Which is more resilient, S3 Standard or S3 One Zone IA?

A

Standard S3 because data is spread across multiple availability zones.

23
Q

S3 Intelligent Tiering

A

Automatically moves data to the most cost-effective access tier w/o performance impact or operational overhead

24
Q

Glacier

A
  1. For data archiving
  2. Can store any amount of data
  3. Retrieval times can go from minutes to hours
25
Glacier Deep Archive
1. Lowest cost storage | 2. Retrieval times of up to 12 hours
26
What is object durability?
Is the percent over a one year time period that an object stored in S3 will not be lost
27
What is object availability?
Is the percent over a one year period that an object stored in S3 will be accessible
28
S3 Charges
S3 Charges for: 1. Storage 2. Requests 3. Storage Management 4. Data Transfers 5. Transfer acceleration 6. Cross Region Replication
29
What is Transfer acceleration?
Enables fast, easy and secure transfer of objects over long distances between end users and an S3 bucket
30
What is Cross Region Replication?
Replicates objects in buckets across regions (for high availability and disaster recovery)
31
How does Transfer Acceleration work?
It takes advantage of CloudFront global distribution and edge locations. As data arrives at an edge location, it is routed to S3 over an optimized network path
32
By Default S3 Bucket and files within are...
not accessible to anyone unless they are set to public
33
What is a potential risk with S3 One Zone IA?
If zone fails you can lose data
34
When should you use S3 One Zone IA?
If there is no need to worry about redundancy
35
Generally, which one is a better option, Standard or Intelligent Tier?
Intelligent Tier may be a better option than S3 standard because it can S3 standard and infrequent access (IA)
36
By default newly created buckets are....
Private
37
What tools can be leveraged to set up access controls to buckets?
1. Bucket policies - for bucket level controls | 2. Access Control List - for individual object level controls
38
What are S3 access logs?
Logs of all requests made to S3 bucket
39
What is S3 In Transit Encryption?
Protects data as it travels to and from Amazon S3; achieved by SSL/TLS
40
What is S3 At Rest Encryption?
Protects data stored on server side (disk) in Amazon data centers
41
Types of S3 Encryption
1. In Transit | 2. At Rest (On server side)
42
How is S3 Server side encryption managed?
  1. S3 Managed Keys - Amazon manages encrypt/decrypt keys (SSE-S3)
  2. AWS Key Management Service - User and Amazon manage keys together (SSE-KMS)
  3. Server Side Encryption with Customer Provided Keys - User gives Amazon own keys that are managed by user (SSE-C)
  4. Client Side Encryption
43
Versioning
  1. Stores all versions of an object (writes & deletes)
  2. Once enabled, it cannot be disabled (only suspended)
  3. Integrates with Lifecycle rules
  4. MFA delete capability can be used to provide an additional layer of security
  5. Great backup tool
44
Is a version's public permission carried over?
No. Each version has to be made individually public
45
Can an individual version be permanently deleted?
Yes
46
What is an object lifecycle?
A set of rules that automate the migration of objects from one storage class to a different storage class based on specified time intervals
47
What is an S3 object lock?
Used to store objects using a write once, read many (WORM) model. It helps prevent objects from being deleted or modified for a fixed amount of time or indefinitely
48
Object Lock use cases
  1. If you have an object and you don't want anyone to delete it or modify it
  2. To meet regulatory requirements that require WORM storage
  3. To add an extra layer of protection against object changes and deletion
49
What are the object lock modes?
1. Governance Mode | 2. Compliance Mode
50
Governance Mode
  1. Users can't overwrite or delete an object version or alter its lock settings unless they have special permissions.
  2. Can grant some users permissions to alter the retention setting or delete an object if necessary.
51
Compliance Mode
  1. Ensures an object version can't be overwritten or deleted for the duration of the retention period, including by the root user in the AWS account
  2. Retention mode cannot be changed or shortened
52
Retention Periods
Protects an object version for a fixed amount of time
53
How do Retention Periods work?
S3 stores a timestamp in the object's version metadata indicating when the retention period expires. When the retention period expires, the object's version can be overwritten or deleted unless you place a legal hold on the object
54
What is a legal hold?
Similar to Retention period but it has no associated retention period and remains in effect until removed.
55
Who can place or remove a legal hold?
Any user who has the s3:PutObjectLegalHold permission can place or remove a legal hold
56
Glacier Vault Lock
Way of locking your objects inside of glacier similar to S3 object lock
57
How does Vault Lock work?
Allows you to deploy and enforce compliance controls to individuals with a vault lock policy. Once locked, the policy cannot be changed.
58
Can object locks be applied to individual objects only?
No, Object lock can also be applied across the bucket
59
What is a legal hold?
Similar to retention period. It prevents an object version from being overwritten or deleted but it has no retention period associated with it and remains in effect until removed.
60
How can you enforce regulatory and compliance controls in S3 and Glacier?
By applying object locks and glacier vault policies, retention periods and legal holds on object versions
61
How can you design applications to maximize performance in S3?
By using: 1. Prefixes 2. S3 Limits on KMS 3. Multi Part uploads 4. Multi Part downloads
62
Where are Prefixes in the physical location of the object?
It's the middle part between the bucket name and object name
63
How do multi part uploads maximize performance in S3?
Allows files to be split into chunks and loaded to S3 in parallel
64
What are the guidelines and requirements for multi part uploads to S3?
Recommended for files over 100 MB and required for files over 5 GB
65
How does multi part download maximize performance in S3?
Parallel download by specified byte ranges. If there is a failure in the download, it's only for the specified byte range. It can be used to download partial amounts of the file
66
True or False. The more prefixes, the better the performance?
True. Performance is improved by spreading prefixes
67
How do you maximize performance using Prefixes?
S3 has extremely low read/write latency. You can also achieve a high number of requests per second per prefix (about 3,500), so you can get better performance by spreading your reads across different prefixes
68
How does KMS impact S3 read/write performance?
There are Region specific quota limits on the number of S3 requests per second
69
What is S3 Select?
It's a feature that enables applications to retrieve only a subset of data by using simple SQL and without having to download, decompress or process the entire file.
70
What is Glacier Select?
Similar to S3 Select, it allows you to run SQL queries directly against Glacier
71
Glacier Select use case
Highly regulated companies write data to Glacier to satisfy compliance needs (e.g., Health Care and Financial Services)
72
AWS Organizations
It's an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage
73
Consolidated Bills
It takes the aggregate of all of your AWS accounts into one bill. Makes it easier to track, manage and allocate resources and take advantage of volume pricing discounts.
74
How do I enable access to buckets and objects across AWS accounts?
1. Bucket Policies & IAM 2. Bucket ACLs & IAM 3. Cross-Account & IAM Roles
75
Where do you apply Bucket policies & IAM?
It's applied across the entire bucket and by programmatic access only
76
Where do you apply Bucket policies and ACLs?
It's applied to individual objects in the bucket and by programmatic access only
77
Where do you apply Cross-Account IAM Roles?
It's applied at bucket and object levels either by programmatic or console access
78
Transfer Acceleration
Utilizes CloudFront edge network to accelerate uploads to S3
79
How does Transfer Acceleration work?
Instead of loading directly to an S3 bucket, you can use a distinct URL to upload directly to an edge location, which will then transfer the file to S3
80
S3 AWS Datasync
Is a service that allows you to move large amounts of data from on-prem data systems such as NFS (Network File System) into AWS data storage services
81
What data transfer safety features are supported by Datasync?
1. Automatically encrypts and accelerates data transfers over WAN 2. Performs automatic data integrity checks in-transit and at-rest
82
CloudFront
Is a content delivery network (CDN), a system of distributed servers (network) that delivers web content to a user based on the geo location of the user, the origin of the web page and the content delivery server
83
What is an edge location?
Location where the web content will be cached
84
What is the origin?
Origin of all the files the CDN will distribute (e.g., S3, EC2)
85
What is the distribution?
Name of the CDN or collection of edge locations
86
How does CloudFront work?
Delivers web content using a global network of edge locations by routing requests to the nearest edge location so that content is delivered with the best possible performance
87
How many types of CloudFront distribution are there?
1. Web (for websites) | 2. RTMP (for media streaming)
88
Are edge locations Read only?
No. You can write to them too.
89
What CloudFront features are available to restrict content access?
1. Signed URLs | 2. Signed Cookies
90
When do you use Signed URLs?
When you want to secure contents to individual files so only authorized individuals have access to them
91
When do you use Signed Cookies?
When you want to secure contents to multiple files so only authorized individuals have access to them
92
How do you create Signed URLs or Cookies?
By attaching a policy that includes: 1. URL expiration 2. IP Range 3. Trusted signers
93
What are Trusted Signers?
AWS accounts that can create signed URLs
94
Snowball
It is a petabyte data transport solution that uses secure data appliances to transfer large amounts of data into and out of AWS
95
Snowball advantages
1. Avoid high network costs 2. Long transfer times 3. Security 4. One fifth the cost of high speed internet
96
Snowball options
Comes in 50 TB or 80 TB
97
Snowball Edge
100 TB data transfer service to move large amounts of data in and out of AWS
98
Snowball Edge advantages
1. Has compute and storage capabilities | 2. Can run Lambda functions
99
Storage Gateway
It is a hybrid cloud storage service that gives you on-premises access to cloud storage
100
What are Storage Gateway types?
1. File Gateway 2. Tape Gateway 3. Volume Gateway
101
What is File Gateway for?
For flat files stored directly in S3
102
What is Tape Gateway for?
Tape Gateway allows you to replace and store physical tapes with virtual tapes in Amazon S3, Amazon S3 Glacier, and Amazon S3 Glacier Deep Archive.
103
Types of Volume Gateways
1. Stored Volumes | 2. Cache Volumes
104
What are Stored Volumes?
Stores the entire dataset on site, which is asynchronously backed up in S3
105
What are Cached Volumes?
Entire dataset is stored in S3 and the most frequently accessed data is cached on-site
106
Athena
It is an interactive query service that enables you to analyze and query data located in S3 using standard SQL
107
Athena benefits
1. Allows you to treat S3 as a DB 2. Serverless 3. Works directly with data stored in S3
108
Macie
Security service which uses machine learning and Natural Language Processing to discover, classify and protect sensitive data stored in S3
109
Macie benefits
1. Works directly with data stored in S3 | 2. Can analyse CloudTrail logs