S3 Part 2

Question 1

What must be enabled to enabled MFA delete?

When will you need MFA?

Who can enable MFA-Delete?

How can MFA delete be enabled?

Answer 1

Bucket versioning.

To permanently delete an object version or suspend versioning on the bucket

Only the bucket owner (Root account)

It can only be enabled via the CLI.

Question 2

What can you see in access logs?

Where are the logs stored

Should you application and access log utilize the same S3 bucket? Why or why not?

If there are authorization issues or attacks, etc how can you analize them

Answer 2

All of the requests made to your s3 bucket

In an S3 bucket?

No because it will cause the logs to go into an infinite loop.

By reviewing the access logs

Question 3

What are the Cross Region Replication (CRR) use-cases?

What are the Single Region Replication use cases?

Is copying synchronous or async?

What objects replicated after enabling replication?

Regarding delete operations, are delete markers replicated from the source to the target?

Is the deleting of individual versions replicated?

Will replication be chained from a bucket 1 -> 2 -> 3?

Answer 3

Compliance, lower latency access, replication across accounts.

Log aggregation, live replicatoin between production and test accounts.

Only the new objects.

Yes, but only if that setting is enabled.

No, this is to prevent a malicious actor.

No, repliation would only happen from bucket 1 -> bucket 2

Question 4

How long are pre-signed URLs valid for?

How can you change the time that a pre-signed URL is valid for?

What happens to the permissions of users that are given a pre-signed URL?

What are some use-cases for using pre-signed URLs?

Answer 4

By default 3600 seconds.

By using the –expires-in [time_in_seconds} argument

They inherit the permissions of the person who generate the URL for GET/PUT

Allow logged in users to download a premium video on your s3 bucket.
Allow temporarily a users to upload a file to a precise location in our bucket.

Question 5

What are the use-cases for general purpose S3?

What’s the use-case for S3 Standard Infrequent Access (IA).

What are the use-cases for S3 One Zone Infrequent Access.

What is the downside of using One Zone Infrequent Access?

What does S3 Intelligent Tiering Do?

What additional fee is associated with S3 Intelligent tiering?

Answer 5

Big Data analytics, mobile & gaming applications, content distribution.

Data that needs to be accessed less frequently, but requires rapid access when needed. (Data store for disaster recovers, backups, etc)

Storing secondary backup copies of on-premise data, or storing data you can recreate (like thumbnails).

If the AZ goes down all data will be lost.

It moves data between tiers based on access.

A small monthly auto-tiering fee

Question 6

What is the use-case for Glacier?

What is glacier an alternative to?

What is an item in Glacier called?

What is a buckertalled in Glacier?

Answer 6

Low cost storage meant for archiving and backups that can be stored for 10s of years.

Magnetic tape

An archive.

A vault

Question 7

What are the retrieval options for Glacier?

What is the minimum storage duration?

Answer 7

Expedited (1 - 5 minutes)
Standard (3 - 5 hours)
Bulk (5 to 12 hours)

90 days

Question 8

What is the use-case for glacier deep archive?

What is the quickest retrieval time for deep archive?

What are the retrieval options for deep archive?

What is the minimum storage duration for deep archive?

Answer 8

Long term (min 180 days) storage where quick retrieval is not needed. Cheaper than regular glacier

12 hours.

Standard (12 hours)
Bulk (48 hours)

180 days

Question 9

What is a transition action?

What are expiration actions?

What are some of the ways to specify which bucket and objects the rules apply to?

What is the minimum amount of time an object must be in regular storage before it is transitioned?

Answer 9

It defines when objects are transitions to another storage class.
Ex move objects to standard IA after 60 days after creation. Move glacier to archiving after 6 months.

Configure objects to expire (delete) after some time.
Ex: Access log files can be set to delete after 365 days
Can be used to delete old versions of files if versioning is enabled
Can be used to delete incomplete multi-part uploads

Rules can be created for a certain prefix Ex s#://mybucket/mp3/*
or for an certain object tag (Department: Finance)

30 days

Question 10

What does S3 analytics help you do?

What is the performance of S3?

How can you get the maximum baseline performance out of S3?

How can KMS limit the performance of S3 and how can this limitation be overcome?

Answer 10

It helps you determine when to transition objects from standard IA. It’s a good first step to put together lifecycle rules or improve them.

3,500 put/copy/post/delete operations per second per prefix
5,500 get/head requests per second

Spread frequently accessed objects across different prefixes.

KMS has a maximum quota of 30k rps depending on the region. If your using encryption on your buckets, you may need to request an additional quota since each uploand and download request will make a request to KMS

Question 11

How does Multi-part upload increase the performance of file transfers?

What is S3 transfer acceleration?

Answer 11

It parallelizes uploads. Ex ex part of the file upload can happen concurrently?

It increases transfer speed by transferring a file to a edge location which will forward the data to the s3 bucket in the target region. Ex if you want to upload a file from the US to Australia, you would use the S3 you could use transfer acceleration by uploading it to the US edge location which would then forward the data to S3

Question 12

How can you improve the performance of get requests?

Answer 12

You can parallelize gets by using byte range fetches or you can only retrieve a part of the file using a byte range. Ex only retrieve the header.

Question 13

What is s3 select/glacier select?

Answer 13

Is allows you to select rows and columns from an s3 file by sending a basic sql query. This will save you network and time as you do not need to download the whole file

Question 14

What are s3 events?

What are the s3 event channels?

What could happen if 2 there are 2 simultaneous writes to a non-versioned file. How can this be prevented from happening?

Answer 14

S3 events allow you to receive notifications when certain events happen in your S3 bucket. Ex an object is created or written to.

SNS, SQS, and Lambda functions

It is possible that only one event is triggered. This can be prevented if versioning is enabled.

Question 15

What is requestor pays buckets?

When would this be helpful?

Answer 15

You can create a requestor pays bucket so a non-anonymous user will be billed for the network cost of downloading a file. form s3.

If you want to share large datasets with other accounts.

Question 16

What is glacier vault lock?

What is this helpful for?

What is object lock?

How are the retention periods defined for an object lock?

What are the modes for object lock?

Answer 16

It allows you to specify a policy so that files cannot be deleted. You can also specify for the policy itself not be be deleted.

Compliance and data retention.

It allows you to block and object version deletion for a specific amount of time.

Retention period (Fixed period)
Legal hold (Same protection, no expiry date)

Governance mode - Users can’t overwrite or delete an object version or modify it’s lock unless they have special permission
Compliance mode - A protected object version can’t be overwritten or deleted by any user including the root user on your aws account. When an object is locked in compliance mode it’s retention mode can’t changed and it’s retention period can’t be changed.

Question 17

What is AWS Athena?

What are some use-cases for Athena?

Answer 17

A service to perform analytics directly against s3 files.

Business intelligence, analytics, reporting on/analyzing VPC Flow Logs, elb logs, cloud trails etc