S3 Flashcards

1
Q

What is S3?

A
  • Simple Storage Solution
  • Buckets store objects
  • Objects contain key : value pairs
  • No object can live outside of a bucket
  • Flat File System
2
Q

What is the storage capacity of S3?

A

unlimited storage

3
Q

What is the object size range in S3 (smallest possible to largest possible)?

A

0 bytes to 5TB

4
Q

What is the durability of S3?

A

Data is stored across 3 AZs to ensure 11-9’s of durability

5
Q

Describe the naming structure of a bucket

A
  • Bucket names are global and must be unique across a partition (a grouping of regions).
  • Names must be between 3 and 63 characters long.
  • Names can only contain upper or lowercase letters, numbers, dots (.) or hyphens (-).
  • Names must begin and end with a letter or a number.
  • Names cannot be formatted like an IP address.
  • Names cannot begin with xn--
6
Q

Describe the data consistency model for S3.

A
  • Read-after-write consistency for new PUTs (posts)
  • Eventually consistent for overwrite PUTs.
  • Eventually consistent for DELETEs
7
Q

What operations can you perform on an object?

A
  • PUT,
  • GET,
  • DELETE (RM),
  • LIST
8
Q

What is Versioning?

A
  • Objects are given a version ID
  • When new objects are uploaded the old objects are kept.
  • You can access any object version.
  • When you delete an object that is versioned then the previous version is restored.
9
Q

Are buckets versioned by default?

A
  • No. Versioning must be enabled, and can be enabled at any time.
  • Once turned on it can only be suspended.
10
Q

T/F - All new buckets are private by default

A

True

11
Q

What are bucket policies?

A

Resource-based policies: JSON documents that control access. They grant other AWS accounts or IAM users access permissions for the bucket and the objects in it.

12
Q

Access Control Lists

A
  • Legacy permissions control. Still used though.
  • Grants access to objects and buckets with simple actions.
13
Q

What is Cross Region Replication (CRR)?

A
  • Allows files to be replicated across regions for greater durability.
  • Versioning must be enabled.
14
Q

Cross Region Replication - What gets replicated?

A
  • Any new objects added after CRR is enabled.
  • Object metadata
  • Tags
  • Encryption (only SSE-KMS & SSE-S3) (if the source object is encrypted)
15
Q

Cross Region Replication - What is NOT replicated?

A
  • Objects that existed in source bucket before CRR was enabled.
  • Objects encrypted with SSE-C
  • Source objects that the bucket owner does not have read permissions on.
  • Updates to bucket-level sub-resources (e.g. changes to lifecycle configuration)
  • Objects in the source bucket that are there as a result of replication from another bucket.
16
Q

How do delete operations work on objects that are under Cross Region Replication?

A
  • For a delete WITHOUT a version ID, S3 will add a delete marker, which CRR DOES replicate.
  • For a delete WITH a version ID (source), the source object is deleted but the destination object is NOT deleted.
17
Q

What is transfer acceleration?

A
  • Provides faster, secure uploads from anywhere in the world.
  • Data is uploaded to an Edge location, then that data is transported to your S3 bucket via the AWS backbone network.
18
Q

What is a presigned URL?

A
  • A URL generated via the AWS CLI and SDK. Provides temporary access to write or download object data.
  • Users given a pre-signed URL inherit the permissions of the person who generated the URL for GET / PUT.
  • Pre-signed URLs are commonly used to access private objects.
19
Q

Name the (6) S3 storage classes

A
  1. Standard
  2. Intelligent Tiering
  3. Standard Infrequent Access (IA)
  4. One Zone IA
  5. Glacier
  6. Glacier Deep Archive
20
Q

S3 Standard

A
  • Fast.
  • 11-9’s of durability, 99.99% availability
  • replicated across at least 3 AZs
21
Q

S3 Intelligent Tiering

A
  • Uses machine learning to analyze your object usage and determines the appropriate storage class.
  • Data is moved to the most cost effective class w/o any performance impact or added overhead.
22
Q

Standard IA

A
  • Cheaper than Standard (50%).
  • Reduced availability.
  • Good if file is accessed only once a month or less.
  • Additional retrieval fee applied.
23
Q

One Zone IA

A
  • Objects only exist in 1 AZ -> data could be destroyed
  • Availability = 99.95%
  • Cheaper than Standard IA (20%)
  • Retrieval fee applied
24
Q

Glacier

A
  • Long term cold storage
  • Retrieval can take minutes to hours
25
Q

Deep Glacier

A
  • Lowest cost storage
  • Retrieval time = 12 - 48 hours
26
Q

Life Cycle Management in S3

A
  • Automates the process of moving objects to different storage classes or deleting objects altogether.
  • Can be used together with versioning.
  • Can be applied to both current and previous versions.
27
Q

How is S3 Encryption in Transit achieved?

A

Traffic between your local host and S3 is protected via SSL/TLS

28
Q

What are the 2 types of default encryption that can be applied to an S3 bucket?

A
  • SSE-AES - S3 handles the key and uses the AES-256 algorithm.
  • SSE-KMS - Envelope encryption, AWS KMS and you manage the keys.
29
Q

What are other types of encryption that can be used for S3 but not offered by default?

A
  • SSE-C: server-side encryption with a customer-provided key
  • Client-Side Encryption: you encrypt your own files before uploading to S3 and you manage the keys.
30
Q

Buckets are PUBLIC or PRIVATE by default?

A

private

31
Q

What is the difference between SSE-C and Client Side encryption for s3 buckets?

A
  • SSE-C is server-side encryption that uses data keys that are fully managed by the customer outside of AWS.
  • Client Side Encryption may use a client library like Amazon S3 Encryption client (therefore managing keys within AWS)
32
Q

What is the difference between SSE-S3 & SSE-KMS S3 encryption services?

A
  • SSE-KMS - keys are managed within AWS KMS Service which allows more user control and provides an audit trail.
  • SSE-S3 is fully managed as part of S3 (no user control or audit trail).
33
Q

Which s3 encryption method requires HTTPS?

A

SSE-C

34
Q

What is S3 MFA - delete?

A
  • Forces the user to generate a code on a device (usually a mobile phone or hardware token) before performing important operations on S3
  • Versioning must be enabled
35
Q

Who can enable MFA-delete on an S3 bucket?

A

Root account

36
Q

From which source can S3 MFA-delete be enabled?

A

CLI only

37
Q

What will you need S3 MFA delete for?

What will you NOT need it for?

A

You will need MFA to

  • permanently delete an object version
  • suspend versioning on the bucket

You will NOT need MFA for

  • enabling versioning
  • listing deleted versions
38
Q

What are S3 Access Logs?

A
  • For audit purposes you may want to log all access to S3 buckets
  • Any request made to S3, from any account, authorized or denied, will be logged into another S3 bucket
  • That data can be analyzed using data analysis tools, or Amazon Athena
39
Q

Where should access logs be held in relation to the bucket being monitored? (Same bucket or different bucket)

A

In a different bucket! Otherwise it will create a logging loop and the bucket size will grow exponentially == HUGE BILL

40
Q

Can Cross Region Replication (CRR) and Same Region Replication (SRR) happen across different accounts?

A

Yes, as long as the correct IAM permissions are granted

41
Q

Does Cross Region Replication and Same Region Replication happen synchronously or asynchronously?

A

asynchronously

42
Q

What are some use cases for Cross Region Replication?

A
  • Compliance
  • Lower latency access
  • Replication across accounts
43
Q

What are some use cases for Same Region Replication?

A
  • Log aggregation
  • Live replication between production and test accounts
44
Q

What is the default length of time that a pre-signed URL is good for?

A
  • Valid for a default of 3600 seconds (1 hour).
  • Can change this by modifying the --expires-in [TIME_IN_SECONDS] argument.
45
Q

What are some use cases to use a pre-signed URL?

A
  • Allow only logged-in users to download a premium video in your S3 bucket.
  • Allow an ever-changing list of users to download files by generating URLs dynamically
  • Allow a user the temporary ability to upload a file to your bucket (in a specific location).
46
Q

What are the 3 retrieval options for Amazon Glacier and how long will it take to retrieve an object with each option?

A
  • Expedited (1 to 5 minutes) - extra $
  • Standard (3-5 hours)
  • Bulk (5-12 hours)
47
Q

What is the minimum storage time for Glacier objects?

A

90 days

48
Q

What are the 2 retrieval options for Glacier Deep Archive and their associated times?

A
  • Standard (12 hours)
  • Bulk (48 hours)
49
Q

What is the minimum storage duration for Glacier Deep Archive?

A

180 days

50
Q

Which S3 storage classes charge a retrieval fee?

A
  • S3 Standard-IA
  • S3 1-Zone IA
  • S3 Glacier
  • S3 Glacier Deep Archive
51
Q

Is there a minimum storage duration for S3 Standard objects?

A

No, but there is for all other tiers

30 Day Min Storage

  • S3 Intelligent Tiering
  • S3 Standard-IA
  • S3 One Zone IA

90 Day Min

  • Glacier

180 Day Min

  • Glacier Deep Archive
52
Q

How many requests per second, per prefix can be achieved for an application's S3 bucket?

A

requests per second / per bucket prefix

  • 3,500 PUT / COPY / POST / DELETE
  • 5,500 GET / HEAD
53
Q

What are some S3 - KMS Limitations?

A
  • KMS has different quotas per second depending on the region, and these quotas cannot be increased.
  • If quotas are exceeded then the S3 request(s) are throttled
54
Q

When is multipart upload recommended in S3?

When is it required?

A
  • Recommended for files > 100MB
  • Must be used for files > 5GB
55
Q

How can data be filtered server-side in S3? Why would you do this?

A
  • S3 Select & Glacier Select
  • Can retrieve less data using SQL by performing server-side filtering
  • Can filter by rows and columns
  • Cannot aggregate data
  • Do this for less network transfer = less CPU cost client-side
56
Q

What are the 3 event targets for S3?

A
  • SNS
  • SQS
  • Lambda Function
57
Q

What is Athena?

A
  • Serverless service to perform analytics against S3 files
  • Uses SQL language to query the files
  • Has JDBC / ODBC driver
  • Charged per query and amount of data scanned
58
Q

What data formats does Athena support?

A
  • CSV
  • JSON
  • ORC
  • Avro
  • Parquet
59
Q

What are some use cases for Athena?

A
  • Business Intelligence
  • Analytics
  • Reporting
  • VPC Flow Logs
  • ELB Logs
  • CloudTrail
60
Q

How can you analyze data on S3? (or ELB Logs/VPC Flow Logs / CloudTrail etc)

A

Athena

61
Q

How could you guarantee that an object isn’t deleted from S3 or Glacier?

A
  • S3 Object Lock, or
  • Glacier Vault Lock
  • Both policies adopt a WORM model (Write Once Read Many)
  • Blocks object deletion for a specific amount of time
  • Helpful to lock against future edits
  • Helpful for compliance and data retention