S3 Flashcards
S3 buckets offer read-after-write consistency for PUTs of new objects.
True
What is the default encryption used on S3?
AES-256
Your S3 backed website is consistently receiving over 400 read requests per second and is steadily rising. What can you do to achieve the best performance as traffic to your website continues to increase?
Configure a CloudFront CDN and use the S3 bucket as the origin.
S3 buckets provide eventual consistency for overwrite PUTs and DELETEs.
True.
Name three ways to give a user secure access to private files located in S3.
- CloudFront Signed Cookies
- CloudFront Signed URLs
- CloudFront Origin Access Identity
S3 is for object storage. What does that mean?
It means that it is for files, images and web pages.
It is NOT for OS and databases.
What does S3 do to minimise the risk of losing any data?
The data is spread across multiple devices and facilities.
What are the S3 tiers/classes?
- S3 (Standard)
  - Data is stored redundantly across multiple devices in multiple facilities
  - Is designed to sustain the loss of 2 facilities concurrently
- S3 IA (Infrequent Access)
  - For data that is accessed less frequently, but still requires rapid access when needed
  - Lower fee than S3, but you are charged every time you retrieve data
- S3 One Zone IA
  - Same as IA, but the data is only stored in a single AZ
  - Only 99.5% availability
  - Cost is 20% less than regular S3 IA
- S3 Glacier
  - Very cheap
  - Used for archival only
  - Optimised for data that is infrequently accessed
  - Can take 3-5 hours to restore data from Glacier
- S3 Reduced Redundancy
  - Only 99.99% durability
  - Used for data that can be recreated if lost
  - E.g. thumbnails
- S3 Intelligent Tiering
  - For data with unknown or unpredictable access patterns
  - Keeps data in a frequent-access tier and moves it to an infrequent-access tier if it hasn't been accessed in 30 days. The data is moved back to the frequent-access tier if it is accessed again.
  - No fees for accessing or moving your data between the two tiers
Name two ways to set up access control on an S3 bucket.
- Bucket Policy
  - Applied at the bucket level
  - Used if you want to give a user or set of users access to your bucket
  - Written in JSON
- Access Control Lists
  - Applied at the object level
  - Specifies which users can access a certain object and what kind of access they have (read, write, full control)
What is the availability (built for vs guaranteed) and durability for S3?
- Built for 99.99% availability
- Amazon guarantees 99.9% availability
- Amazon guarantees 99.999999999% durability
Name three things we can do to keep our data safer.
- Version control
- Prevent certain users from deleting your data
- Replicate data
How can you track what calls have been made to your S3 bucket?
You can configure a bucket to create access logs (Server access logging), which logs all requests made to the S3 bucket. These logs can be written to the same or another bucket in the same region.
What encryption is used in transit for S3?
SSL/TLS
What encryption is used at rest for S3?
- SSE-S3
  - S3 Managed Keys
  - Each object is encrypted with its own unique key using strong multi-factor encryption
  - The key itself is also encrypted with a master key that is regularly rotated
  - AES-256
- SSE-KMS
  - AWS Key Management Service
  - AWS manages these keys (just like for SSE-S3)
  - Audit trail: you can see how, when and by whom the key was used
- SSE-C
  - Server Side Encryption with Customer Provided Keys
  - AWS manages the encryption and decryption
  - You manage the keys
How can you enforce encryption on an S3 bucket?
Add the x-amz-server-side-encryption parameter in the request header.
Two options:
x-amz-server-side-encryption: AES256 (SSE-S3)
x-amz-server-side-encryption: aws:kms (SSE-KMS)