S3

Question 1

The scenarios to use Transfer Acceleration

Answer 1

1. You have a centralized bucket, the end user need to uploading data across from globe.
2. regularly transfer GBs and TBs of data across continents.
3. available bandwidth is underutilized.

Question 2

Requester Pay Model

Answer 2

You only pay the cost of the data you store in S3.
When you want to share the data but do not want to get charged for the requests received, data downloads, or upload operations.
Do not support anonymous request, BitTorrent, and SOAP request.
does not allow you to enable end user logging on Requester Pays bucket.

Question 3

Object elements

Answer 3

key, version ID, value, metadata, subresources, access control information.

Question 4

Object keys

Answer 4

unique; a sequence of Unicode characters in UTF-8 encoding; maximum of 1024 bytes long;

Question 5

Object Metadata types

Answer 5

System-metadata; user-defined metadata.

Question 6

System-metadata

Answer 6

content-length; content-MD5; Date; Last-Modified; x-amz-delete-marker; x-amz-server-side-encryption; …

Question 7

S3 Storage Classes

Answer 7

S3 standard storage; S3-infrequently Accessed(IA) storage; S3 Reduced Redundancy Storage(RRS); Glacier;

Question 8

S3-IA storage

Answer 8

less frequently used but needs to be available immediately when needed. Suitable for long-term data storage, backups, and disaster recovery. minimum object size 128KB. minimum storage duration: 30 days
durability 11 9’s
availability 99.90%

Question 9

S3 RRS

Answer 9

suitable for storing noncritical and reproducible data. ideal for storing thumbnails, transcoded media, and any other processed data that can be reproduced.
durability 99.99%
availability 99.99%

Question 10

Glacier

Answer 10

very low-cost, secure, and durable data archival storage. 90 days; data retrieval time: 3 to 5 hours; Maximum size 40TB.
durability 11 9’s

Question 11

Lifecycle Rules – action types

Answer 11

Transition actions and Expiration actions

Question 12

Hosting static website on S3

Answer 12

can not support server side scripting. can host HTML pages, css, client-side scripts etc.

Question 13

S3 Limits & Restrictions

Answer 13

an AWS account can own up to 100 S3 buckets

No Limit to the number of objects that can be stored in a bucket.

Question 14

Bucket name restrictions

Answer 14

globally unique;
comply with DNS naming conventions;
3-63 characters long;
only lowercase, numbers, periods and hyphens;
periods and hyphens can not follow each other;
must not be an IP address format.
must start with a letter or number.

Question 15

S3 Objects

Answer 15

basic entities stored in S3.
0-5TB;
larger than 5 GB require using the multipart Upload API;
>100MB recommended using multipart Upload.
URL: https://s3-.amazonaws.com//

Question 16

Amazon S3 - URL

Answer 16

.s3-website-.amazonaws.com

Question 17

S3

Answer 17

highly available and redundant object storage in the cloud; is a global service but buckets are region specific. Unlimited storage.

Question 18

Bucket

Answer 18

a logic unit in S3, just like a folder. it is a container wherein you can store objects and also folders. buckets creates at root level. used for organizing objects in S3.

Question 19

Data Consistency

Answer 19

Read-after-write consistency for puts of new objects

Eventual consistency for Overwrite PUTS and DELETES.

Question 20

HTTP Error Codes

Answer 20

200 – successful,
300 – redirection,
400 – client-side error,
500 – server-side error

Question 21

Multipart Upload

Answer 21

Break a file up into pieces, upload the pieces and combine in S3 to create the object.
can be run in parallel.
over 5GB must be uploaded via multipart upload. > 100MB recommended.
can pause and resume uploads;
if a part fails, then just that part can be reloaded instead of whole object.

Question 22

S3 Storage classess– Standard

Answer 22

provides low-latency and high-throughput performance
durability – 11 9’s
availability – 99.99%

Question 23

Bucket Permissions

Answer 23

bucket policies – Resource-based; user policies;
specify who is allowed to access resources; what that user can do with those resources;
AWS gives full permissions to the owner of a resource.
Resources owners can grant access to others, even cross-account.
the bucket owner paying bills can deny access or modify objects regardless of who owns them.

Question 24

Bucket Polices

Answer 24

Resource-based policy;
use json file attached to the resource
can grant other aws accounts or iam users permission for the bucket and objects inside.
should be used to manage cross-account permission for all s3 permission
Limited to 20 KB in size.

Question 25

ACL

Answer 25

Access Control List;
used for both buckets and objects;
grant read/write permissions to other aws accounts;
can not grant conditional permission;
can not explicity deny permissions
is the only way to manage access to objects not owned by the bucket owner,
XML Format.

Question 26

IAM Policies

Answer 26

user policy;
can create multiple users and give then the same policy or different policies
Policies are attached and can be detached.
can not grant to anonymopuse users.
arn:aws:s3:::bucket_name/key_name/${aws:username}

Question 27

encryption

Answer 27

in-transit vs at rest,

Question 28

Protecting data in transit – using a client-side master key.

Answer 28

Master keys and unencrypted data are never sent to AWS.
on Upload: 1. Client provides a master key to the Amazon S3 encryption client;
2. S3 client generates a random data key and encrypts it with your master key.
3. S3 client encrypts you8r data using the data key, and uploads a material description as part of the object metadata.
on Download: 1. Client downloads encrypted object along with its metadata
2. metadata tells which master key to use to decrypt;
3. using the master key to decrypts the data key.
4. datakey is used to decrypt the object.

Question 29

Protecting data in transit – KMS-managed customer master key(CMK)

Answer 29

Client gets a unique encryption key for each object.
on upload: 1. client first sends a request to aws kms for a key.
2. aws kms returns an encryption key(plain text used to encrypt object data, and a cipher blob to upload to S3 as object metadata)
on download: 1. download encrypted object from S3 with the cipher blob stored in metadata
2. client then sends that cipher blob to aws KMS to get the plain text
3. plain text is used to decrypt the object.

Question 30

at rest – S3-Managed Encryption

Answer 30

x-amz-server-side-encryption request header to upload request.
AES-256

Question 31

at rest – KMS-Managed Encryption keys

Answer 31

give more flexibility in controlling keys.

Question 32

at rest – Customer-Provided Encryption Keys

Answer 32

gives you the option to generate your own keys outside of the AWS environment.
amazon does not store your encryption key.

Question 33

How can I delete large numbers of objects?

Answer 33

Multi-Object Delete

Question 34

How is Amazon S3 data organized?

Answer 34

S3 is a simple key-based object store.

Question 35

What is the BitTorrent protocol, and how do I use it with Amazon S3?

Answer 35

BitTorrent is an open source Internet distribution protocol. Amazon S3’s bandwidth rates are inexpensive, but BitTorrent allows developers to further save on bandwidth costs for a popular piece of data by letting users download from Amazon and other users simultaneously. Any publicly available data in Amazon S3 can be downloaded via the BitTorrent protocol, in addition to the default client/server delivery mechanism. Simply add the ?torrent parameter at the end of your GET request in the REST API.

Question 36

How can I delete large numbers of objects?

Answer 36

You can use Multi-Object Delete to delete large numbers of objects from Amazon S3. This feature allows you to send multiple object keys in a single request to speed up your deletes. Amazon does not charge you for using Multi-Object Delete.

Question 37

How is Amazon S3 data organized?

Answer 37

Amazon S3 is a simple key-based object store. When you store data, you assign a unique object key that can later be used to retrieve the data. Keys can be any string, and can be constructed to mimic hierarchical attributes.

Question 38

How can I Increase the number of Amazon S3 buckets that I can provision?

Answer 38

By default, customers can provision up to 100 buckets per AWS account. However, you can increase your Amazon S3 bucket limit by visiting AWS Service Limits.

Question 39

Wasn’t there a US Standard region?

Answer 39

We renamed the US Standard Region to US East (Northern Virginia) Region to be consistent with AWS regional naming conventions. There is no change to the endpoint and you do not need to make any changes to your application.

Question 40

What is an Amazon VPC Endpoint for Amazon S3?

Answer 40

An Amazon VPC Endpoint for Amazon S3 is a logical entity within a VPC that allows connectivity only to S3. The VPC Endpoint routes requests to S3 and routes responses back to the VPC.

Question 41

Can I allow a specific Amazon VPC Endpoint access to my Amazon S3 bucket?

Answer 41

You can limit access to your bucket from a specific Amazon VPC Endpoint or a set of endpoints using Amazon S3 bucket policies. S3 bucket policies now support a condition, aws:sourceVpce, that you can use to restrict access.

Question 42

What is Amazon Macie?

Answer 42

Amazon Macie is an AI-powered security service that helps you prevent data loss by automatically discovering, classifying, and protecting sensitive data stored in Amazon S3. Amazon Macie uses machine learning to recognize sensitive data such as personally identifiable information (PII) or intellectual property, assigns a business value, and provides visibility into where this data is stored and how it is being used in your organization. Amazon Macie continuously monitors data access activity for anomalies, and delivers alerts when it detects risk of unauthorized access or inadvertent data leaks.

Question 43

What checksums does Amazon S3 employ to detect data corruption?

Answer 43

Amazon S3 uses a combination of Content-MD5 checksums and cyclic redundancy checks (CRCs) to detect data corruption. Amazon S3 performs these checksums on data at rest and repairs any corruption using redundant data. In addition, the service calculates checksums on all network traffic to detect corruption of data packets when storing or retrieving data.

Question 44

How do I get my data into Standard - IA?

Answer 44

You can directly PUT into Standard – IA by specifying STANDARD_IA in the x-amz-storage-class header. You can also set lifecycle policies to transition objects from Standard to Standard - IA.

Question 45

Is there a minimum duration for Standard - IA?

Answer 45

30 days

Question 46

What is “Query in Place” functionality?

Answer 46

S3 Select, Amazon Athena, and Amazon Redshift Spectrum,

Question 47

What am I charged for archiving objects in Amazon Glacier?

Answer 47

Amazon Glacier storage is priced from $0.004 per gigabyte per month. Lifecycle transition requests into Amazon Glacier cost $0.05 per 1,000 requests. Objects that are archived to Glacier have a minimum of 90 days of storage, and objects deleted before 90 days incur a pro-rated charge equal to the storage charge for the remaining.

Question 48

CORS

Answer 48

Cross Origin Resource Sharing – to avoid the use of proxy. defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. With CORs support in Amazon S3. you can build rich client-side web applications with S3 and selectively allow cross-origin access to your amazon s2 resources.

Question 49

Cross Region Replication

Answer 49

requires versioning enabled on source and destination buckets. existing objects will not be replicated, only new objects will be replicated across the region.

Question 50

Lifecycle Management in S3

Answer 50

(1) when versioning is disabled
Transition to IA S3 - min 30 days and has a 128KB minimum of object size
Archive to Glacier - min 1 day if IA is not checked, min 60 day if Transition to IA S3 is checked
Permanently Delete - min 2 day if IA is not checked and 1 is selected for Glacier, min 61 day if IA is selected 30, Glacier is selected 60.
(2) when versioning is enabled you have lifecycle management options to take action on previous version as well as current version.

Question 51

Server-Side Encryption with Amazon S3-Managed Keys(SSE-S3).

Answer 51

Each object is encrypted with a unique key employing strong multi-factor encryption. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.