S3 Flashcards

1
Q

To maintain compliance with HIPAA, all healthcare-related data being stored on Amazon S3 needs to be encrypted at rest. Assuming S3 is being used for storing the data, which of the following are the preferred methods of encryption?

choose 2.

  • Store the data on encrypted EBS volumes.
  • Enable Server Side Encryption on your S3 bucket. S3 automatically applies AES-256 encryption.
  • Encrypt the data locally using your own encryption keys and then transfer the encrypted data to S3.
  • Store the data in S3 as EBS snapshots
A
  • Enable Server Side Encryption on your S3 bucket. S3 automatically applies AES-256 encryption.
  • Encrypt the data locally using your own encryption keys and then transfer the encrypted data to S3.

You could encrypt locally or let S3 SSE handle encryption for you. Local encryption will generally cost more because of the overhead, testing and key management that are not required if you use the certified S3 offering.

2
Q

To enable cross-region replication in S3, what is not required?

  • Permission on the destination bucket
  • Versioning
  • Enable S3 Streams
  • Enable the cross-region replication option
A
  • Enable S3 Streams

S3 Streams is not a real feature or option. Permissions, versioning, and cross-region replication features must all be configured for cross-region replication to function.

3
Q

Private content exists on S3. You wish to share this content confidentially with others in the company organization as well as some outside contractors. What is the ideal solution to do so?

  • Create an IAM policy allowing the necessary access. Create an IAM Group, and add all users into the group and apply the policy
  • Create a bucket policy permitting specific IAM users access to the objects
  • Create a bucket policy permitting a specific role to access the objects; grant the appropriate users access to the role
  • Generate pre-signed URLs for the content to be distributed
  • Make the content public, but only share the URL with people who need it
A
  • Generate pre-signed URLs for the content to be distributed

Generating pre-signed URLs will ensure the most flexibility. IAM policies and roles are a nice idea here; however, not everyone will have an IAM user or be federated for access. As such, pre-signed URLs allow us to even create a separate URL for each viewer if we’d like. We can also revoke the pre-signed URLs when we wish, and even add

4
Q

You wish to identify when an S3 bucket is made public, and automatically remediate this with an automated action that reverts it back to a private bucket. How could one efficiently accomplish this? (Choose 2)

  • Use AWS Config Rules to identify the change, and trigger a Lambda function to change the Bucket ACL & policy back to private
  • Use CloudTrail logs to identify any change to the bucket, and revert the change with Lambda
  • Restrict users from making a bucket public through the use of IAM User policies
  • Use Amazon Macie, along with CloudWatch Events to identify the public state, and automate its resolution through Lambda
A
  • Use AWS Config Rules to identify the change, and trigger a Lambda function to change the Bucket ACL & policy back to private
  • Use Amazon Macie, along with CloudWatch Events to identify the public state, and automate its resolution through Lambda

AWS Config has a built-in AWS Config Rule to detect public buckets. Because of this, “Use AWS Config Rules to identify the change, and trigger a Lambda function to change the Bucket ACL & policy back to private” is a solid option. “Use Amazon Macie, along with CloudWatch Events to identify the public state, and automate its resolution through Lambda” is also good, as Macie has the ability to alert upon public bucket exposure and automate its resolution through CloudWatch Events. The reason “Use CloudTrail logs to identify any change to the bucket, and revert the change with Lambda” is not correct is that although this could work, it would be highly inefficient and prone to missing actions. The CloudTrail log entries would require us to set up automation inspecting every single policy change made to the bucket, which adds overhead and complexity. In addition, inspecting policy changes this way would require a large amount of logic to ensure we catch the changes at hand. Using combinations of Macie, CloudWatch Events, and/or AWS Config Rules, we can simply watch for the EFFECT of a change, rather than identifying the specific calls that may make up the unwanted change. Lastly, the reason “Restrict users from making a bucket public through the use of IAM User policies” is incorrect is that although we do not want people who shouldn’t to create public buckets, there will most likely be some who have that ability at some point in the company’s history and future. Applying protection at the bucket itself would be the angle to take here, in addition to IAM user policies and IAM Roles that follow the principle of least privilege.

5
Q

Your site uses machine learning algorithms to modify user-uploaded images in interesting ways, generating new images in under a second as a result. Both the original user image and the generated images are currently stored in S3, but your site is currently growing with 50Gb of new content added per day, driving up your storage costs. Recent usage statistics have shown that both user-uploaded and generated images are heavily accessed in the first 21 days after upload or creation, after which access sharply drops off. After 120 days they are never accessed again. You want to keep the good buzz your site has going and want to ensure that images are there when users need them, but at the same time you want to reduce storage costs to keep your site profitable. Which of the below is the best trade-off of the two?

  • Store all images on S3. After 21 days move both user-uploaded and generated images to S3-IA with a lifecycle policy, then after 120 days move them to Glacier for archival purposes
  • Store all images on S3-IA in the first 21 days. After 21 days move both user uploaded and generated images to S3-1Z-IA with a lifecycle policy, then after 120 days move them to Glacier for archival purposes
  • Store all images on S3 in the first 21 days. After 21 days, move user images to S3-IA and generated images to S3-1Z-IA. Delete all content older than 120 days via lifecycle policy
  • Store all images on S3 in the first 21 days. After 21 days move both to S3-IA with a lifecycle policy. Create a Lambda function that runs daily and deletes anything older than 120 days
A
  • Store all images on S3 in the first 21 days. After 21 days, move user images to S3-IA and generated images to S3-1Z-IA. Delete all content older than 120 days via lifecycle policy

With a complex scenario like this, it’s a good idea to break it down into components. In the first 21 days, due to the high usage of the images, any storage class that includes retrieval costs will not be suitable, ruling out any IA storage. After 21 days, as usage drops off significantly, IA becomes a viable option. Taking it a step further, as your site is generating the images based on the user-uploaded image, generated images are easily replaceable if lost, as long as you have the user image. This means that a reduced-redundancy storage option is valid for generated images: S3-1Z-IA. Anything older than 120 days can be deleted as it is no longer needed.

6
Q

Your manager has approached you about storing some old media files in AWS. These files need to be stored at the lowest cost possible. It is acceptable to wait for files to become available. Which of the following S3 Storage Tiers is best suited for this request?

  • S3 Glacier
  • S3 One Zone – Standard-Infrequent Access
  • S3 Infrequently Accessed
  • S3 Standard
A
  • S3 Glacier

S3 Glacier is a secure, durable, and low-cost storage class for data archiving. You can reliably store any amount of data at costs that are competitive with or cheaper than on-premises solutions. To keep costs low yet suitable for varying needs, S3 Glacier provides three retrieval options that range from a few minutes to hours.

7
Q

What is NOT a chargeable event in S3?

  • Transfer from S3 to EC2 in the same region
  • Transfer OUT to another Region
  • PUT / GET / LIST
  • Versioned data
A
  • Transfer from S3 to EC2 in the same region

S3 will not charge for transfer within the same region to or from EC2. All data leaving the S3 region will incur a transfer charge, except when destined for CloudFront. Additionally, web operations such as PUT / GET / LIST will incur a separate charge along with the data storage itself.

8
Q

When creating a website, and hosting exclusively on S3 while using Route53 to point an Alias to the bucket, what naming conventions must be met?

  • Bucket name must be DNS compliant
  • Any bucket name can be used for S3 hosting
  • Bucket name must match the URL
  • Bucket name must not contain periods
A
  • Bucket name must match the URL

When directing a Route 53 Alias to the bucket, the bucket name must match the URL; for example, www.mysite.com and mysite.com would be the names of two different buckets (though one bucket can redirect to another). Though any bucket name can host a website, if using aliases in Route 53 this is a requirement.

9
Q

What is the primary unit of data in S3 called?

  • Bucket
  • Tag
  • Object
  • File
A
  • Object

A “file” in S3 is referred to as an Object. S3 is an object store, which means it is a key-value store: the key is the “name” of the object, and the value is its contents.

10
Q

You are working on a research project for a healthcare insurer and your first task is to ingest 6 months of trial data collected by about 30 participating physicians around the country. Each data set is about 15 GB in size and contains protected health information. You are proposing to use S3 Transfer Acceleration for the data upload to an S3 bucket but a colleague raises some concerns about that. Which of the following statements are valid?

  • It will take a long time because S3 Transfer Acceleration does not support all bucket level features including multipart uploads.
  • The name of your bucket used for Transfer Acceleration must be DNS-compliant and must not contain periods (‘.’).
  • Most physicians have only about 40 to 50Mbps of available bandwidth. S3 Transfer Acceleration is therefore not a good option.
  • Because S3 Transfer Acceleration is not a HIPAA eligible service, you can’t use it to transfer protected health information between the physicians and your Amazon S3 bucket.
A

The name of your bucket used for Transfer Acceleration must be DNS-compliant and must not contain periods (‘.’).

S3 TA supports all bucket-level features, including multipart uploads. AWS has expanded its HIPAA compliance program to include Amazon S3 Transfer Acceleration as a HIPAA eligible service. In general, if there are recurring transfer jobs, there is more than 25Mbps of available bandwidth, and it will not take more than a week to transfer over the Internet, S3 Transfer Acceleration is an acceptable option.

11
Q

You are uploading multiple files ranging from 10 GB to 20 GB in size to an S3 bucket using multipart upload from an application on EC2. Once the upload is complete, you would like to notify a group of people who do not have AWS IAM accounts. How can you achieve this? (Choose 2 options)

  • Use S3 event notification and configure Lambda function which sends email using AWS SES non-sandbox.
  • Use S3 event notification and configure SNS which sends email to subscribed email addresses.
  • Write a custom script on your application side to poll S3 bucket for new files and send email through SES non-sandbox.
  • Write a custom script on your application side to poll S3 bucket for new files and send email through SES sandbox.
A
  • Use S3 event notification and configure Lambda function which sends email using AWS SES non-sandbox.
  • Use S3 event notification and configure SNS which sends email to subscribed email addresses.

Answer: A, B
The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket. To enable notifications, you must first add a notification configuration identifying the events you want Amazon S3 to publish, and the destinations where you want Amazon S3 to send the event notifications.
https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html
AWS Simple Email Service (SES) is a cost-effective email service built on the reliable and scalable infrastructure that Amazon.com developed to serve its own customer base. With Amazon SES, you can send transactional email, marketing messages, or any other type of high-quality content.
To help prevent fraud and abuse, and to help protect your reputation as a sender, we apply certain restrictions to new Amazon SES accounts.
We place all new accounts in the Amazon SES sandbox. While your account is in the sandbox, you can use all of the features of Amazon SES. However, when your account is in the sandbox, we apply the following restrictions to your account:
You can only send mail to verified email addresses and domains, or to the Amazon SES mailbox simulator.
You can only send mail from verified email addresses and domains.
Note: This restriction applies even when your account is not in the sandbox.
You can send a maximum of 200 messages per 24-hour period.
You can send a maximum of 1 message per second.
You can request to move out of the sandbox mode when you are ready for production mode.
For more information on how to move out of sandbox mode, refer to the documentation here.
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html
Option A triggers a Lambda function which uses non-sandbox SES to send email to people who do not have an AWS IAM account and are not verified in AWS SES.
Option B triggers SNS.
The following document describes how to add SNS event notification to a bucket.
https://docs.aws.amazon.com/AmazonS3/latest/dev/ways-to-add-notification-config-to-bucket.html
Options C and D, although they sound feasible, require compute resources to continuously monitor S3 for new files.
We should use AWS-provided features wherever they are applicable. Custom solutions can be built when AWS-provided features do not meet the requirement.

12
Q

What service does S3 transfer acceleration utilize for ingesting data?

  • WAF
  • S3
  • CloudFront
  • Hadoop
A
  • CloudFront

CloudFront provides the edge points to ingest data closer to the user; this will allow for the data to enter the AWS optimized network as early as possible within the transfer.

13
Q

You work for a large insurance company that has issued 10,000 insurance policies. These policies are stored as PDFs. You need these policies to be highly available, and company policy says that the data must be able to survive the simultaneous loss of two facilities. What storage solution should you use?

  • Glacier
  • S3
  • EBS
  • A single EC2 instance with an EBS volume provisioned as a secondary volume.
A
  • S3

Your best solution would be to use S3, which redundantly stores multiple copies of your data in multiple facilities and on multiple devices within each facility.

14
Q

You created a bucket named “myfirstbucket” in US West region. What are valid URLs for accessing the bucket? (Choose 2 options)

http://myfirstbucket.s3.us-west-1.amazonaws.com
http://s3.myfirstbucket.us-west-1.amazonaws.com
http://s3.us-west-1.amazonaws.com/myfirstbucket
http://s3-us-west-1-amazonaws.com/myfirstbucket
http://s3.amazonaws.com/myfirstbucket

A

http://myfirstbucket.s3.us-west-1.amazonaws.com
http://s3.us-west-1.amazonaws.com/myfirstbucket

Answer: A, C
For option A, it matches the virtual-hosted-style URL and it is correct.
For option B, it does not match any of the above-mentioned URL patterns. It is incorrect.
For option C, it matches the path-style URL and it is correct.
For option D, it does not match any of the above-mentioned URL patterns.
For option E, it matches path-style URL, but since the bucket is in us-west-1 region, it must contain the region in the endpoint. So it is incorrect.
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html#access-bucket-intro
NOTE: Options C and D are different (dot vs. hyphen).
Option C – http://s3.us-west-1.amazonaws.com/myfirstbucket
Option D – http://s3-us-west-1-amazonaws.com/myfirstbucket

15
Q

What is the durability of S3 – IA?

99.9%
99.999999999%
99%
99.99%

A

99.999999999%

S3 Standard – IA is designed for the same 99.999999999% durability as S3 Standard and Amazon Glacier.

16
Q

You have been tasked with storing some PDFs used a couple of times a month in AWS. These files need to be available within seconds when requested and the company cannot afford for these files to go missing therefore they must survive an outage of an Availability Zone. Which of the following S3 Storage Tiers is best suited for this request?

S3 Infrequently Accessed
S3 One Zone – Infrequently Accessed
Glacier
S3 Standard

A

S3 Infrequently Accessed

S3 Standard-IA is for data that is accessed less frequently, but requires rapid access when needed. S3 Standard-IA offers the high durability, high throughput, and low latency of S3 Standard, with a low per GB storage price and per GB retrieval fee.

17
Q

What is the name of the service that can automatically transition objects in S3 across storage classes, including moving them into archive (Glacier), and even expire (delete) objects per defined rules?

  • S3 Object Management
  • S3 Lifecycle Management
  • S3 Transition Manager
  • This cannot be done natively; a script would need to be created and run on a schedule
A
  • S3 Lifecycle Management

S3 Lifecycle Management is designed to offer this functionality. “S3 Object Management” and “S3 Transition Manager” are simply non-existent features and “This cannot be done natively; a script would need to be created and run on a schedule” is simply wrong since it can in fact be done natively within S3 per the Lifecycle Management.

18
Q

You have an application which writes application logs to a version-enabled S3 bucket. Each object has multiple versions attached to it. After 60 days, the application deletes the objects in S3 through the DELETE API on the object. However, in the next month’s bill, you see charges for S3 usage on the bucket. What could have caused this?

  • DELETE API call on the object only deletes latest version.
  • DELETE API call on the object does not delete the actual object, but places delete marker on the object.
  • DELETE API call moves the object and its versions to S3 recycle bin from where object can be restored till 30 days.
  • DELETE API for all versions of the object in version enabled bucket cannot be done through API. It can be only done by bucket owner through console.
A
  • DELETE API call on the object does not delete the actual object, but places delete marker on the object.

Answer: B
When versioning is enabled, a simple DELETE cannot permanently delete an object.
Instead, Amazon S3 inserts a delete marker in the bucket, and that marker becomes the current version of the object with a new ID. When you try to GET an object whose current version is a delete marker, Amazon S3 behaves as though the object has been deleted (even though it has not been erased) and returns a 404 error.
The following figure shows that a simple DELETE does not actually remove the specified object. Instead, Amazon S3 inserts a delete marker.
To permanently delete versioned objects, you must use DELETE Object versionId.
The following figure shows that deleting a specified object version permanently removes that object.
For information on how to delete versioned objects through the API, refer to the documentation here.
https://docs.aws.amazon.com/AmazonS3/latest/dev/DeletingObjectVersions.html#delete-obj-version-enabled-bucket-rest
Option A is not true. A DELETE call on the object does not delete the latest version unless the DELETE call is made with the latest version ID.
Option C is not true. AWS S3 does not have a recycle bin.
Option D is not true. A DELETE call on a versioned object can be made through the API by providing the version ID of the object’s version to be deleted.

19
Q

Your current website currently manages its state locally. This state is preventing the ability to scale properly and requires the use of sticky sessions on the load balancers. You wish to change this. What is not an acceptable way to do this?

  • Track the state in DynamoDB
  • Track the state in Elasticache running Redis
  • Track the state in an SQL database
  • Track the state using an S3 object that contains customer details
A
  • Track the state using an S3 object that contains customer details

S3 is eventually consistent. Though consistency is in fact quite fast most of the time, there are no guarantees around it, and when managing something like state the data may change more rapidly than S3 will be good for. Updated/changed data is an entirely new object in the eyes of S3 (either a new version, or a complete overwrite). As such, rapidly changing data is not ideal. In addition, due to eventual consistency, it’s possible a state request could pull old state information (even if only stale by milliseconds or seconds), which could cause some serious issues in our application.

20
Q

You have chosen to use S3 – OneZone-IA with your cloud application. Which limitations have you considered in doing so?

  • 1Zone-IA is available only in the US-STANDARD region.
  • 1Zone-IA offers only 99.50% availability. Therefore you have to design your application to re-create any objects that may be temporarily unavailable.
  • 1Zone-IA has a 3 – 5 hour data recovery window.
  • 1Zone-IA offers only 99.50% durability. Therefore you have to design your application to re-create any objects that may be lost.
  • 1Zone-IA requires supplementary Access Control Lists.
A
  • 1Zone-IA offers only 99.50% availability. Therefore you have to design your application to re-create any objects that may be temporarily unavailable.

In exchange for a significant cost savings, 1Zone-IA has the same Durability as S3, but a lower Availability SLA.

21
Q

Your company is storing large datasets as CSVs in S3 daily. The objects are hundreds of gigabytes each. You need to work with the data many times a day, but only require small subsets of the information, such as specific columns and rows. What solution would help you work with this data in S3 more effectively than issuing a standard GET of the entire object?

  • AWS Athena
  • Launch an EMR cluster to query the data
  • AWS S3 Select
  • This cannot be done. You must retrieve the whole object, and then work with the data outside of S3
A

AWS S3 Select

AWS S3 Select allows us to query INSIDE a single object. Though Athena is meant to do something similar, it may be pulling entire objects; in cases where it needs to pull select data from within the object, S3 Select is performing those operations for Athena. Additionally, though “Launch an EMR cluster to query the data” also works, it is extra, unnecessary resources we would have to spin up, manage, and pay for when S3 could act as our storage. Athena is built on top of the Hadoop ecosystem, and in fact runs Hive and Presto to do so.

22
Q

You are an employee at a communications firm that is in the process of migrating its data to Amazon S3. The data will be stored in buckets and is sent to customers to do as they see fit. However, certain data is frequently changed when customers request revisions, while the rest of the data is rarely changed. You must be able to immediately access certain data while minimizing costs. Which S3 storage class should you choose?

  • S3 Glacier
  • S3 Intelligent Tiering
  • S3 Standard
  • S3 One Zone-Infrequent Access
A
  • S3 Intelligent Tiering

While S3 Glacier is a low-cost storage class, it is for data archiving and thus not ideal for frequent access or changes to data. And S3 One Zone-Infrequent Access is also low-cost, but it does not address the frequently changed data. Although S3 Standard is a suitable choice, since it addresses frequent access, it is not the least expensive choice for the less frequently accessed data. If it was hard to determine which data is frequently changed and which isn’t, S3 Standard might have been the most cost-effective choice. But in this case, S3 Intelligent Tiering is. Intelligent Tiering stores data in two access tiers: one tier is optimized for frequently accessed data while the other is a lower-cost tier for infrequent access.

23
Q

You want a storage solution to store all e-commerce sales numbers processed on a daily basis. Notably, this solution must be designed in a way that protects against accidental deletion of data. Which of the following actions will satisfy your requirements?

  • Store the sales numbers in an S3 bucket and enable versioning.
  • Store the sales numbers in three S3 buckets and in different AWS Regions.
  • Store the sales numbers in a Redshift cluster.
  • Store the sales numbers in an EBS volume and create snapshots at the end of each day.
A
  • Store the sales numbers in an S3 bucket and enable versioning.

Enabling versioning will mean that if someone accidentally deletes an object, S3 would insert a delete marker to make that the current object version. In addition, you can always restore the previous object version if needed. Although storing data in three S3 buckets gives you an extra layer of protection, users can still delete the objects in both buckets. With a new EBS snapshot, the changes made since the last one are lost. And Redshift is the least likely response, since it is used for data warehousing rather than simple straightforward storage.

24
Q

Your CEO is still concerned about the durability and availability of company data stored in S3 after reading up on regions and availability zones. From the following, select all valid statements about this. (select 3)

  • The Amazon S3 One Zone-IA storage class replicates data within a single AZ. AWS recommends using this storage class for object replicas when setting cross-region replication.
  • Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 region.
  • All of the storage classes except for ONEZONE_IA are designed to be resilient to simultaneous complete data loss in two Availability Zones.
  • Availability Zones in the same region are connected to each other with fast, private fiber-optic networking. S3 operates in a minimum of three AZs within each region, each separated by miles to protect against local events like fires, floods, etc. This remains true in Regions where fewer than three AZs are publicly available.
A
  • The Amazon S3 One Zone-IA storage class replicates data within a single AZ. AWS recommends using this storage class for object replicas when setting cross-region replication.
  • Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 region.
  • Availability Zones in the same region are connected to each other with fast, private fiber-optic networking. S3 operates in a minimum of three AZs within each region, each separated by miles to protect against local events like fires, floods, etc. This remains true in Regions where fewer than three AZs are publicly available.

All of the storage classes except for ONEZONE_IA are designed to be resilient to simultaneous complete data loss in a single Availability Zone and partial loss in another Availability Zone.

25
Q

CRR replicates every object-level upload that you make directly to your source bucket. Which of the following also forms a part of that replication?

choose 2.

  • The object’s checksum encryption data
  • The object metadata
  • The object ACLs
  • The object’s SSL certificate
A
  • The object metadata
  • The object ACLs

CRR replicates every object-level upload that you make directly to your source bucket. The metadata and ACLs associated with the object are also part of the replication.

26
Q

What logging service would need to be enabled for anonymous (public) access to S3 objects?

  • CloudTrail
  • VPC Flow Logs
  • S3 Bucket Access Logs
  • AWS Shield Logs
A
  • S3 Bucket Access Logs

“S3 Bucket Access Logs” is the correct answer. S3 Bucket Access Logs are the only logs that will provide S3 object-level logs for anonymous access. “CloudTrail” is incorrect because unauthenticated GETs to S3 would not be included in CloudTrail, since CloudTrail only tracks AWS API calls; a standard, anonymous GET is not an AWS API call and is not included. “VPC Flow Logs” is incorrect because VPC flow logs only track network flows within a VPC, and S3 does not sit within a VPC. “AWS Shield Logs” is incorrect because AWS Shield is a DDoS service, not a logging service for S3 objects.

27
Q

Your company is concerned about accidental deletion of files in S3 buckets. Which of the following steps can be taken to help prevent this?

choose 2.

  • Enable MFA Delete on the bucket.
  • Enable versioning on the bucket.
  • Enable encryption on the bucket.
  • Only work on S3 files while someone is reviewing your work.
A
  • Enable MFA Delete on the bucket.
  • Enable versioning on the bucket.

Versioning’s Multi-Factor Authentication (MFA) Delete capability can be used to provide an additional layer of security. By default, all requests to your Amazon S3 bucket require your AWS account credentials. If you enable Versioning with MFA Delete on your Amazon S3 bucket, two forms of authentication are required to permanently delete a version of an object: your AWS account credentials and a valid six-digit code and serial number from an authentication device in your physical possession.

28
Q

Your manager has approached you about storing image and video files for the company website (which is very popular) in AWS. These files need to be immediately available when requested. The company cannot afford for these files to go missing and they must survive an outage of an Availability Zone. Which of the following S3 Storage Tiers is best suited for this request?

  • Glacier
  • S3 Standard
  • S3 Infrequently Accessed
  • S3 One Zone – Infrequently Accessed
A
  • S3 Standard

S3 Standard offers high durability, availability, and performance object storage for frequently accessed data.

29
Q

By default, how many S3 buckets can you have with a new AWS account?

25
50
200
100

A

100

By default, customers can provision up to 100 buckets per AWS account. However, you can increase your Amazon S3 bucket limit by visiting AWS Service Limits.

30
Q

You have an application that stores data in S3, and you need to design an integrated solution providing encryption at rest. You want Amazon to handle key management and protection using multiple layers of security. Which S3 encryption option should you use?

  • SSE-S3
  • SSE-C
  • SSE-KMS
  • Amazon S3 Encryption Client
A
  • SSE-S3

SSE-S3 uses managed keys and one of the strongest block ciphers available, AES-256, to secure your data at rest.

31
Q

In which situation is it not a good idea to use AWS Transfer Acceleration for S3?

  • When the S3 bucket is generally very far from the customer
  • When the S3 bucket is generally very close to the customer
  • When dealing with very small objects
  • When dealing with very large objects
A
  • When the S3 bucket is generally very close to the customer

AWS Transfer Acceleration is designed to offload PUT operations to CloudFront. This leverages edge points for ingestion into S3. These edge points allow a closer entry into the AWS network; however, if one enables this when already very close to the region at hand, it creates an additional step/hop in the data flow and can actually slow it down at times, at an increased financial cost. To measure whether Transfer Acceleration is right for your solution, go here:

https://s3-accelerate-speedtest.s3-accelerate.amazonaws.com/en/accelerate-speed-comparsion.html

32
Q

What is NOT a billable component of S3?

  • Data Transfer Out
  • Operations (PUT, GET, LIST, etc.)
  • S3 Object Tagging
  • Data returned by S3 Select
  • None. All of the above are billable
A
  • None. All of the above are billable

Core S3 charges are Data Transfer In, Storage, and Requests; however, additional features can have their own costs as well, such as S3 Select, S3 Tagging, etc.

33
Q

You have a requirement that all objects stored in a particular bucket be copied to another region. You have enabled Cross Region Replication from the source bucket to the target bucket, but objects are not appearing in the target bucket as expected. What are some possible reasons this could be happening?

choose 3.

  • The objects in the source bucket are replicas that were created by another cross-region replication.
  • The objects in the source bucket for which the bucket owner has permissions to read objects and ACLs.
  • The object does not have lifecycle configuration enabled.
  • The object tags in the source bucket have not been assigned.
  • The objects created with server-side encryption using customer-provided (SSE-C) encryption keys.
  • The objects existed before you added the replication configuration to the source bucket.
A
  • The objects in the source bucket are replicas that were created by another cross-region replication.
  • The objects created with server-side encryption using customer-provided (SSE-C) encryption keys.
  • The objects existed before you added the replication configuration to the source bucket.

S3 doesn’t replicate objects retroactively. S3 doesn’t chain replications of CRR. S3 can’t copy objects with SSE-C.

34
Q

Given the durable and cost-effective nature of S3, your company decides to store a large portion of its data within the service. This data will be downloaded and used often by multiple branch offices. There is currently 50TB of data sitting in your S3 bucket, and you’ve calculated the total cost to store it; however, when the bill arrives, it’s far higher than you anticipated. What is not a cause for this discrepancy between expectation and reality?

  • There is a data transfer charge when uploading data into S3
  • Your bucket has a large number of requests being made to it (put/copy/post/list/get/select/etc)
  • You have versioning turned on, and have multiple versions of your data stored.
  • There is a data transfer charge outbound from S3 bucket
  • You have abandoned “parts” from multipart uploads that have not completed
A
  • There is a data transfer charge when uploading data into S3

There is no data transfer cost into S3, only for data transferred out of the S3 bucket, leaving the region. This means if all of your branch offices are downloading data from the bucket into their local data centers, a data transfer fee will be incurred. Versioning will store multiple versions of your S3 objects; each version is an entire object and subject to storage fees. S3 also charges per request, which is possibly a pricing aspect of S3 you may have overlooked.

35
Q

Which of the following statements are true?

choose 4.

  • S3-OneZone-IA carries the risk that the destruction of a Datacentre will result in data loss.
  • S3-Standard provides 99.99% availability.
  • S3-RRS provides 99.99% durability
  • S3-Standard is designed for 11-nines durability.
  • S3-Standard is designed for 11-nines availability
A
  • S3-OneZone-IA carries the risk that the destruction of a Datacentre will result in data loss.
  • S3-Standard provides 99.99% availability.
  • S3-RRS provides 99.99% durability
  • S3-Standard is designed for 11-nines durability.

Be clear about the meaning of the terms Availability, Durability and Resilience.

36
Q

After enabling S3 Bucket Versions, you have come to the realization that your costs are running out of control due to too many versions. You need a solution to manage the versions, expire old data, and define controls such as how many versions to keep for what data. What is the best solution for managing this?

  • Create a custom lambda function that evaluates any objects with versions, maintaining the appropriate number of versions. Run this script often, perhaps daily to create a cleanup job for version control
  • Set the number of versions you wish to keep in the AWS S3 bucket versioning settings
  • Instead of versioning the whole bucket, just turn on versioning for the objects you need versioning for, and manage those versions through a nightly CRON job
  • Create AWS S3 Lifecycle rules. Define rules for the whole bucket, prefixes, and for specific tags. The lifecycle rules will transition the previous versions to different storage classes, archive, and delete (expire) the data as defined
A
  • Create AWS S3 Lifecycle rules. Define rules for the whole bucket, prefixes, and for specific tags. The lifecycle rules will transition the previous versions to different storage classes, archive, and delete (expire) the data as defined

“Create a custom lambda function that evaluates any objects with versions, maintaining the appropriate number of versions. Run this script often, perhaps daily to create a cleanup job for version control” could technically work but is unnecessary in most cases, and would increase complexity along with costs. “Set the number of versions you wish to keep in the AWS S3 bucket versioning settings” is not an option that exists. “Instead of versioning the whole bucket, just turn on versioning for the objects you need versioning for, and manage those versions through a nightly CRON job” is incorrect because versioning is an entire bucket setting. It’s either on or off for the whole bucket. To then manage the versions, you would use Lifecycle rules as defined in “Create AWS S3 Lifecycle rules. Define rules for the whole bucket, prefixes, and for specific tags. The lifecycle rules will transition the previous versions to different storage classes, archive, and delete (expire) the data as defined”.

37
Q

You decide to use S3 as a log storage solution. You send all log events to S3 in near-real time. S3 performance seems to keep up with the needs and all seems well. Upon receiving the first bill, you are shocked to see a bill far higher than anticipated. What is likely to be the excess cost here?

  • S3 bills for IO (Web calls such as PUTS, GETS, LIST) in addition to storage; the high volume of PUTS is your problem
  • The bucket most likely is misconfigured or has a bunch of additional features enabled that have associated charges
  • The minimum billable object size is 16KB. If an object is less than 16KB, you are billed for 16KB. This could amplify the cost of S3 substantially if many of your objects are smaller than 16KB
A
  • S3 bills for IO (Web calls such as PUTS, GETS, LIST) in addition to storage; the high volume of PUTS is your problem

S3 PUTS are typically charged at nearly 10x the cost of GETS. This means writes can be costly under certain circumstances. If this is the case, consider sending logs to Kinesis Firehose or CloudWatch Logs instead. They could still be stored in S3 as log files, with aggregated events inside the log file, but if each event is a separate PUT this could get costly. “The bucket most likely is misconfigured or has a bunch of additional features enabled that have associated charges” is wrong as no billable features would cause this issue. “The minimum billable object size is 16KB. If an object is less than 16KB, you are billed for 16KB. This could amplify the cost of S3 substantially if many of your objects are smaller than 16KB” is incorrect in that there is no minimum size of an object. An object can be 0 bytes or larger. For storage costs, S3 bills in GB-Hours, which is aggregated across all objects. You are not charged per object but rather for total storage size.

38
Q

You are creating an S3 bucket called company-subsite-logos, and you want to give it the exact same settings that your company-logos bucket has. What would be the quickest way of doing so?

  • At the Create bucket screen for the company-subsite-logos bucket, choose Copy settings from an existing bucket option, and then choose the company-logos bucket to copy its settings.
  • Select the company-logos bucket to pop up a screen. Write down all the settings in the screen to use for the company-subsite-logos bucket.
  • Create the company-subsite-logos bucket. Then right-click on it, choose the Copy settings from an existing bucket option, and then choose the company-logos bucket to copy its settings.
  • Right-click on the company-logos bucket. Write down all the settings in the screen to use for the company-subsite-logos bucket.
A
  • At the Create bucket screen for the company-subsite-logos bucket, choose Copy settings from an existing bucket option, and then choose the company-logos bucket to copy its settings.

You can choose to select the company-logos bucket to pop up a screen and take note of all the settings in the screen to use for the company-subsite-logos bucket. However, it is nowhere near as quick as applying the Copy settings from an existing bucket option to the new S3 bucket when creating it.

39
Q

You have chosen to use S3-RRS with your cloud application. Which limitations have you considered in doing so? (choose 2)

  • RRS offers only 99.99% durability, so you have to design your application to re-create any objects that may be lost.
  • RRS requires supplementary Access Control Lists.
  • RRS has a 4-hour data recovery time.
  • RRS is not recommended for new projects in some AWS regions.
  • RRS is available only in the US-STANDARD region.
A
  • RRS offers only 99.99% durability, so you have to design your application to re-create any objects that may be lost.
  • RRS is not recommended for new projects in some AWS regions.

The use of RRS is being phased out. In exchange for significant cost savings, RRS offers only 99.99% durability.

40
Q

You have an application that allows people in very remote locations to store their files safely and securely. You need to leverage CloudFront’s globally distributed Edge Locations, so that as data arrives at an Edge Location the data is routed to your Amazon S3 bucket over an optimized network path. Which of the following services should you use?

  • S3 Transfer Acceleration
  • CloudFront Transfer Acceleration
  • CloudFront Multipart Upload
  • S3 Multipart Upload
A
  • S3 Transfer Acceleration

Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and your Amazon S3 bucket. Transfer Acceleration leverages Amazon CloudFront’s globally distributed AWS Edge Locations.

41
Q

The company you work for has been acquired and you have been tasked with the redirection of all its website traffic to the new company’s website. The old one is hosted on S3 as a static website while the target is a self-hosted website. Which of the following options describes the best approach to achieve that as quickly as possible?

  • Amazon S3 does not support website redirects. You will need to contact your domain registrar and ask them to update the target URL to point to the self-hosted website.
  • In the Amazon S3 console, set the website redirect location in the metadata of each object in the relevant public bucket. You can do so by specifying the new domain as the value of the ‘Website-Redirect-Location’ key within the ‘Metadata’ section under the Properties tab.
  • In the Amazon S3 console, configure a redirect to the new domain in the ‘Redirect requests: Target bucket or domain’ box within the ‘Static website hosting’ section under the Properties tab of the relevant bucket.
  • Amazon S3 static website hosting supports only redirects to other AWS S3 buckets but not to external URLs. Therefore, you should set up a redirect to a new bucket with a single HTML file in it that uses client-side scripting (window.location.ref and a ‘refresh’ http-equiv meta tag) for the redirect to the new domain.
A
  • In the Amazon S3 console, configure a redirect to the new domain in the ‘Redirect requests: Target bucket or domain’ box within the ‘Static website hosting’ section under the Properties tab of the relevant bucket.

Although other listed options are feasible, the quickest way to achieve the desired outcome is to set up a redirect at the S3 bucket level.

42
Q

What is a namespace in Glacier called?

  • Bucket
  • Vault
  • Namespace
  • Archive
A
  • Vault

Like buckets in S3, the namespace we create in Glacier is referred to as a Vault.

43
Q

When setting up the properties of an S3 bucket, which of the following options should you select to track storage cost?

  • Versioning
  • Server access logging
  • Object-level logging
  • Tags
A
  • Tags

You need to label your S3 buckets with tags to track their storage costs. AWS will use the tags to organize costs in a cost allocation report. Object-level logging is for using AWS CloudTrail to record object-level API activity, server access logging is for logging requests for access to the bucket, and versioning is for keeping all versions of an object in the same bucket – not for tracking costs.

44
Q

You have placed data in Glacier to reduce the storage charges and then deleted the data 30 days later. What length of time are you charged in Glacier for this data?

  • 15 days
  • 30 days
  • 60 days
  • 90 days
A
  • 90 days

Glacier has a minimum storage duration of 90 days; though this will not prevent you from deleting the data, you will be charged for a full 90 days minimum. This strategy has effectively cost you more than leaving the data in an active S3 storage class. The data is now charged at 3x the expected Glacier charge (90 days vs 30 days), negating any storage savings. A better solution may have been to put the data in S3 Standard-IA.

45
Q

Your organization has built a video sharing website on EC2 within the US, for which an S3 bucket in us-east-1 is used to store the video files. The website has been receiving very good feedback and your organization decided to expand the website all over the world. However, customers in Europe and Asia started to complain that website access, upload and download of video files are slow. How can you resolve the issue? (choose 2 options)

  • Use CloudFront for improving the performance on website by caching static files.
  • Use VPC Endpoints in Europe and Asia regions to improve S3 uploads and downloads.
  • Enable Transfer Acceleration feature on S3 bucket which uses AWS edge locations to improve upload and download speeds.
  • Change your application design to provision higher-memory configuration EC2 instances and process S3 requests through EC2.
A
  • Use CloudFront for improving the performance on website by caching static files.
  • Enable Transfer Acceleration feature on S3 bucket which uses AWS edge locations to improve upload and download speeds.

Answer: A, C
Option A is correct. AWS CloudFront can be used to improve the performance of your website where network latency is an issue.
https://docs.aws.amazon.com/AmazonS3/latest/dev/website-hosting-cloudfront-walkthrough.html
Option B is not correct. VPC endpoints do not support cross-region requests. Moreover, VPC endpoints are for accessing AWS resources within VPC.
Option C is correct. Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket. Transfer Acceleration takes advantage of Amazon CloudFront’s globally distributed edge locations. As the data arrives at an edge location, data is routed to Amazon S3 over an optimized network path.
For more information on transfer acceleration, refer to the documentation here.
https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html#transfer-acceleration-why-use
Option D is not a good design. It increases cost on EC2 usage and does not solve the problem with slower upload and download speeds to S3.

46
Q

Cross region replication requires versioning to be enabled on?

  • Only on Destination bucket.
  • Versioning is useful to avoid accidental deletes and not a requirement for replicating across regions.
  • Only on Source bucket.
  • Both Source and Destination buckets.
A
  • Both Source and Destination buckets.

Answer: D
Cross-region replication is a bucket-level configuration that enables automatic, asynchronous copying of objects across buckets in different AWS Regions. We refer to these buckets as source bucket and destination bucket. These buckets can be owned by different AWS accounts.
For more information on AWS S3 cross-region replication, refer to the documentation here.
https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html

47
Q

You want to send data to S3 from clients distributed globally. Some are on the other side of the globe from where the S3 bucket resides. What is a feature that can speed up your S3 data transfer?

  • S3 Transfer Acceleration
  • S3 SpeedBoost
  • CloudFront distribution configured as a Transfer Accelerator
  • Nothing – S3 is a public service and is subject to Internet speeds
A
  • S3 Transfer Acceleration

S3 Transfer Acceleration will leverage CloudFront edge locations to ingest data closer to the user. This allows the AWS network to optimize the network flow vs the public Internet.

48
Q

You have been asked to advise on a scaling concern. The client has an elegant solution that works well. As the information base grows they use CloudFormation to spin up another stack made up of an S3 bucket and supporting compute instances. The trigger for creating a new stack is when the PUT rate approaches 100 PUTs per second. The problem is that as the business grows the number of buckets is growing into the hundreds and will soon be in the thousands. You have been asked what can be done to reduce the number of buckets without changing the basic architecture.

  • Refine the key hashing to randomise the name Key to achieve the potential of 300 PUTs per second.
  • Upgrade all buckets to S3 provisioned IOPS to achieve better performance.
  • Change the trigger level to around 3000 as S3 can now accommodate much higher PUT and GET levels.
  • Set up multiple accounts so that the per account hard limit on S3 buckets is avoided.
A
  • Change the trigger level to around 3000 as S3 can now accommodate much higher PUT and GET levels.

Until 2018 there was a hard limit on S3 PUTs of 100 PUTs per second. To achieve this, care needed to be taken with the structure of the name Key to ensure parallel processing. As of July 2018 the limit was raised to 3500, and the need for the Key design was basically eliminated. Disk IOPS is not the issue with the problem. The account limit is not the issue with the problem.

49
Q

You work as a website administrator at a real estate developer. The company’s website uses S3 to store pictures of the single-family homes it builds. The company recently released a brand-new elevation for one of its most popular models, which is called ‘Greenberry C.’ So far, there’s only one picture of the ‘Greenberry C’, so you want to ensure that it is not accidentally deleted by enabling the object lock feature. Which of the following actions will accomplish that?

choose 2.

  • Right-click the picture and choose the object lock option.
  • Contact customer support.
  • Enable object lock at the bucket level.
  • Enable object lock at the object level.
A
  • Contact customer support.
  • Enable object lock at the bucket level.

Amazon S3 object lock prevents an object from being deleted or overwritten. Object lock is enabled at the bucket level; when creating the bucket, you can select the feature to lock objects in it. However, once the bucket has been created, you cannot enable object lock yourself; you will have to contact customer support to do so. Right-click is not a valid option – you must select the object, then go to Properties, Object lock.

50
Q

Why is a unit of data in S3 called an Object?

  • S3 is a key-value store; the key being the object name, the value being the contents of the object
  • S3 is an SQL database
  • S3 is a NoSQL database
  • S3 a hosted HBase / Hadoop database
A
  • S3 is a key-value store; the key being the object name, the value being the contents of the object

S3 is ultimately a Key-Value store. S3 is ultimately built on a “Hadoop-Like” datastore, but is not directly Hadoop, or HBase. As far as what is presented to the users, it is not directly a database at all; however, it is stored like Hadoop.