S3 Flashcards
How to replicate S3 bucket in another region?
Cross-Region Replication
Do you have to pay for Cross-Region Replication?
Yes
Uses edge locations to quickly deliver data to users who may be far away from the S3 bucket (more often used for uploading objects from a long distance)
Transfer Acceleration
When to use Transfer Acceleration vs. CloudFront for S3?
Transfer Acceleration is used more for users adding/updating items in the bucket, while CloudFront is more for accessing items (and then caching those items).
How to enable protection from deleting objects in S3?
MFA Delete
True or False: AWS S3 storage classes cannot be changed on the fly
False
Standard S3 Storage Durability and Availability
Durability 99.999999999%
Availability 99.9%
Standard-IA S3 Storage Durability and Availability
Durability 99.999999999%
Availability 99.9%
OneZone-IA S3 Storage Durability and Availability
Durability 99.999999999%
Availability 99.5%
Glacier S3 Storage Durability and Availability
Durability 99.999999999%
Availability 99.9% after objects are restored
When to use Standard-IA S3 Storage Class?
For data that is accessed less frequently but requires rapid access when needed.
Lower storage fee than S3 Standard, but…
Retrieval fee for all S3-IA objects
When to use OneZone-IA Storage Class?
Data doesn't need to be resilient
Cost is 20% less than regular S3-IA
When to use Glacier S3 Storage Class?
Want to archive data cheaply.
Don't need to access data immediately (3-5 hr to restore)
Now can actually access in minutes instead of hours!!
When to use Reduced Redundancy Storage (RRS) S3 Storage Class?
NOT RECOMMENDED
Regular S3 is cheaper now
Used to store data that can be recreated if lost (ex. thumbnails)
What service can you use if you have unknown or unpredictable access patterns for S3 bucket?
Intelligent Tiering, which automatically moves data between
- Frequent access
- Infrequent access
tiers so you can save money
There is a small monitoring fee of $0.0025 per 1000 objects.
Recommended Tier now
When to use S3 Glacier Deep Archive?
Can wait up to 12 hours to retrieve object
CHEAPEST option
Glacier Deep Archive S3 Storage Durability and Availability
Durability 99.999999999%
Availability 99.9%
AWS S3 Tiers from most EXPENSIVE to CHEAPEST
Standard > Standard-IA > Intelligent Tiering > One Zone-IA > Glacier > Glacier Deep Archive
List the S3 charges
Storage per GB
Requests
Storage Management Pricing
- inventory, analytics, and object tags
Data Management Pricing
- data transferred out of S3
Transfer Acceleration
- use CloudFront to optimize transfers
Can you encrypt objects already in S3 bucket?
No. If objects are already in the bucket when you set encryption, those objects will not be encrypted.
What are the 3 types of at-rest encryption options for S3?
S3 managed keys (SSE-S3)
AWS Key Management Service managed keys (SSE-KMS)
Server-side encryption with customer-provided keys (SSE-C)
When to use SSE-S3 encryption?
Want each object in S3 to be encrypted with its own key.
256-bit encryption (AES-256)
When to use SSE-KMS encryption?
AWS manages the key for you
Get an audit trail of key usage
Option to use your own key or the default key
When to use SSE-C encryption?
AWS manages encryption and decryption
But the customer manages the keys
How to enforce encryption on an S3 bucket?
Add a special parameter in the request header:
x-amz-server-side-encryption: AES256 (SSE-S3) or x-amz-server-side-encryption: aws:kms (SSE-KMS)
Enforce server-side encryption by making the x-amz-server-side-encryption parameter required in the request header
If content served from one S3 bucket needs to access another, public bucket, what do you have to do to allow bucket access?
Must set up CORS, even if the bucket is public
How to access performance metrics for S3?
CloudWatch
When to use AWS CloudFront on your S3 bucket?
If you have a large request rate in S3 (over 100 PUT/LIST/DELETE requests or over 300 GET requests)
What service do you use if you want to receive Application Load Balancer logs?
S3
How to modify S3 object permissions at the object level?
Use S3 Access Control Lists (ACLs)
How to ensure only encrypted data is uploaded to S3?
Use a bucket policy that only allows PUT requests with the x-amz-server-side-encryption parameter in the request header
What headers do you need to include when using an SSE-C key and you want to upload an object to a bucket?
x-amz-server-side-encryption-customer-algorithm, x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5
What do you need to do if you want Cross-Region Replication (CRR) to copy objects across all buckets in different AWS regions?
Versioning must be set
If versioning is enabled in AWS S3 can you disable it?
No, it can only be suspended
You would have to delete the bucket and make a new bucket to completely get rid of it
What to enable in S3 to automate moving objects between storage tiers (can be scoped)?
Lifecycle Rules
What Lifecycle rule options does S3 provide?
Transition the current version to a different storage class
Transition previous versions of an object to a different storage class (after a certain number of days)
Permanently delete previous versions of objects
Delete expired delete markers or incomplete multipart uploads. If the lifecycle rule is scoped with tags you cannot do this
True or False: With S3 Versioning, if you want versions to be public you have to make each version public individually
True
In S3, if you delete an object with previous versions (without including a version ID), what happens?
It becomes hidden, as do all versions of that object. It can then be restored.
If you want to permanently delete a specific version of an object in S3 you must…
DELETE with the Version ID
What happens to remaining object versions when versioning is suspended in S3?
Existing object versions are preserved
BUT
Creation of new object versions is suspended for all new operations
Troubleshooting: you get a lot of HTTP 503 Slow Down responses on PUT and DELETE and you have versioning enabled; what might be the problem?
There may be one or more objects in the bucket with millions of versions.
What is the model for S3 Object Lock?
WORM
Write once read many
When would you add S3 Object Lock (at the individual object level or applied across the whole bucket)?
You don’t want someone to edit or delete an item.
Extra layer of protection.
What are the 2 modes of S3 Object Lock, and what do they do?
Governance Mode = users can't overwrite or delete an object version unless they have special permissions to do so
Compliance Mode = a protected version can't be overwritten or deleted by any user (even root). Ensures it can't be overwritten or deleted for the retention period.
What is S3 Object Locking Legal Hold?
Prevents object versions from being overwritten or deleted.
Has NO retention period: stays in effect until someone removes the Legal Hold.
Difference between Object Locking in S3 Glacier and other object locking?
Only placed at the individual file level.
Once locked, it can no longer be changed.
S3 number of requests per prefix?
5500
S3 Multipart uploads are recommended on files over the size of?
100 MB
S3 Multipart uploads are required for files over the size of?
5GB
When to use S3 Byte Range fetches?
When you only want to download part of a file (ex. header info)
What to use if you want simple SQL expressions to retrieve only the data needed by an app from S3?
S3 Select
Reasons to use S3 Select?
Use SQL to retrieve only the data you need
Drastically improve performance of the underlying applications
Select data by rows or columns
Save money on data transfer
When to use Glacier Select?
Highly regulated industries
Allows you to run SQL queries against Glacier directly
In AWS Organizations, how to have cross-account bucket sharing with PROGRAMMATIC ACCESS to an entire bucket?
Bucket policies & IAM
In AWS Organizations, how to have cross-account bucket sharing with PROGRAMMATIC ACCESS to individual objects in S3?
Bucket ACLs & IAM
How to have cross-account bucket sharing with PROGRAMMATIC ACCESS or CONSOLE access?
Create an IAM cross-account role
Need the account ID for the account you want to grant access to
Send the link generated by the role to the account you want to grant access to
A user in the other account can use it to switch role and get access to the buckets
Prerequisite(s) for enabling Cross-Region Replication (CRR) on an S3 bucket
Must enable bucket versioning on the SOURCE and DESTINATION bucket
How to add CRR to an S3 Bucket?
Add a replication rule on the bucket you want to replicate
Create a new IAM role
Select the source bucket (can do all objects or limit the scope of a rule using filters)
Can change the storage class for replicated objects if you want
Replication Time Control (set if you want to ensure it will be replicated within 15 min)
Can even replicate delete markers
Does CRR work on objects already in an S3 bucket?
No
TRUE or FALSE: Any changes made to the permissions of objects in the source bucket CHANGE the permissions of objects in the destination bucket.
FALSE
TRUE or FALSE: CRR in S3 can be done within the same AWS account OR across 2 different AWS accounts
TRUE
The CRR S3 replication configuration file is written in what format?
XML
Things that CANNOT be replicated with CRR
Objects encrypted with a CMK stored in KMS - must explicitly enable replication of these objects
Objects with SSE-C encryption on them
Objects in Glacier or Deep Archive
Existing objects (can only be replicated if you contact AWS Support)
Describe the CRR Monitor architecture
Monitors the replication status of S3 objects across all AWS regions in the customer account
When an object is added to the source S3 bucket, CloudTrail logs the data and triggers a CloudWatch event rule.
When triggered, it sends a message to an SNS topic in the source bucket's region. An SQS queue subscribed to the SNS topic receives the message.
After the object is successfully replicated to the destination, status info is sent back to SQS. A CloudWatch event invokes a Lambda that reads the message from the SQS queue and updates DynamoDB with the replication status.
Size of files that can be uploaded to S3
0 bytes - 5 TB
Single PUT in S3 max file size
5GB
Multipart PUT in S3 max file size
5TB
Single PUT in the console max file size
160GB
Data consistency for S3
Read-after-write consistency for PUTs of new objects
Eventual consistency for overwrite PUTs and DELETEs (can take some time)
What is true about Amazon S3 URLs for accessing a bucket?
You can access buckets using path-style URLs and virtual-hosted-style URLs.
Virtual-hosted-style URLs are the recommended way