Section 3 - IAM and S3 Flashcards

1
Q

What is a Region?

A

Region: a physical location in the world made up of two or more isolated AZs (AWS now builds every Region with at least three)

2
Q

What is an AZ?

A

One or more discrete data centres within a Region, each with redundant power, networking and connectivity, housed in separate facilities so that a failure in one AZ does not take down the others

3
Q

What is an Edge Location?

A

Endpoints for AWS used for caching content close to end users. Typically these are CloudFront (Amazon's CDN) points of presence; there are many more Edge Locations than Regions

4
Q

What are the IAM Categories

A

Users, Groups, Policies, Roles

5
Q

Describe IAM Users

A

People (employees of an organisation) or applications that need a permanent identity in the account, with their own long-term credentials (console password and/or access keys)

6
Q

Describe IAM Groups

A

A collection of users. Each user in a group inherits the permissions of the policies attached to the group, so permissions are managed per job function rather than per person

7
Q

Describe IAM Policies

A

Made up of documents called policy documents. Formatted in JSON, they define which actions a user / group / role is allowed (or explicitly denied) to perform on which resources. Nothing is allowed until a policy allows it, and an explicit Deny always overrides an Allow

8
Q

Describe IAM Roles

A

An identity with permissions that is not tied to one person. Trusted entities (an AWS service such as EC2 or Lambda, a user in this or another account, or a federated identity) assume the role and receive temporary credentials. You create roles and attach them to AWS resources such as EC2 instances instead of storing long-lived access keys on them

9
Q

Does IAM apply to regions?

A

No. IAM is a global service: users, groups, roles and policies apply across all Regions

10
Q

What is the root account?

A

The “root” user is the identity created when you first set up your AWS account. It has complete admin access that IAM policies cannot restrict (only an SCP from AWS Organizations can), so protect it with MFA and use it only for the few tasks that require it

11
Q

In what state is a new IAM user?

A

New users have NO PERMISSIONS when first created: everything is implicitly denied until a policy is attached or they join a group
New users can be given an ACCESS KEY ID + SECRET ACCESS KEY; these are created only if you choose programmatic access, they are not automatic
These are not the same as a password. They cannot be used to sign in to the console. However, they can be used for programmatic access to AWS via the API and CLI
The secret access key is shown only once, at creation. If lost it cannot be recovered: create a new key pair and delete the old one (rotate keys regularly, and prefer roles for workloads so no long-lived key exists at all)
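The rules behind cards 7 and 11 (JSON policies grant permissions, a new user has none, an explicit Deny beats every Allow) in a small Python model. This is an added example, not AWS code or the course's own; the policy documents and the example-logs bucket are constructed placeholders, and Condition blocks, resource policies, SCPs and permission boundaries are deliberately out of scope.

```python
"""Toy model of how AWS evaluates identity-based IAM policies.

Added example for this page, not AWS code. It models only identity-based
policies: no resource policies, permission boundaries, SCPs or Condition
blocks. The evaluation order it reproduces is the real one:
  1. everything is implicitly denied (a brand-new user can do nothing);
  2. an Allow in any attached policy grants the action on the resource;
  3. an explicit Deny in any attached policy overrides every Allow.
Wildcards '*' and '?' are honoured in Action and Resource, as in IAM.
"""
from fnmatch import fnmatchcase
from typing import Iterable, List, Union

# Constructed sample policies; bucket and paths are placeholders.
READ_LOGS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"],
    }],
}
DENY_SECRETS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-logs/secrets/*",
    }],
}
ADMIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate: str, fold_case: bool) -> bool:
    # IAM action names are matched case-insensitively; ARNs are case-sensitive.
    for pattern in _as_list(patterns):
        if fold_case:
            pattern, candidate = pattern.lower(), candidate.lower()
        if fnmatchcase(candidate, pattern):
            return True
    return False


def evaluate(policies: Iterable[dict], action: str, resource: str) -> str:
    """Return 'allowed', 'explicitDeny' or 'implicitDeny', like the IAM policy
    simulator. policies = every policy document attached to the principal,
    directly or through group membership."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "NotAction" in stmt or "NotResource" in stmt:
                raise NotImplementedError("NotAction/NotResource are not modelled")
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource, fold_case=False):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # a single matching Deny ends the evaluation
            decision = "allowed"
    return decision


def is_allowed(policies: Iterable[dict], action: str, resource: str) -> bool:
    return evaluate(policies, action, resource) == "allowed"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-logs/app/today.log"
    secret = "arn:aws:s3:::example-logs/secrets/db.env"
    print(evaluate([], "s3:GetObject", obj))                        # new user
    print(evaluate([READ_LOGS], "s3:GetObject", obj))               # group grant
    print(evaluate([READ_LOGS], "s3:PutObject", obj))               # not granted
    print(evaluate([ADMIN, DENY_SECRETS], "s3:GetObject", secret))  # deny wins
```

The order in which policies are attached makes no difference: the Deny in DENY_SECRETS blocks the secrets prefix even for a principal that also carries the AdministratorAccess-style ADMIN policy.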

12
Q

Describe S3

A

Simple Storage Service
Provides developers and IT teams with secure, durable, highly-scalable object storage. Amazon S3 is easy to use, with a simple web services interface to store and retrieve any amount of data from anywhere on the web.

13
Q

How do you know an upload to S3 was successful?

A

The PUT request returns an HTTP 200 status code. The response also carries the object's ETag, which for a single-part upload without KMS encryption is the MD5 of the data and can be used to verify the upload

14
Q

What are the Basics of S3?

E.g. what can you store, where can you store, how much can you store? Url of storage location

A
  • Object-based - i.e. it stores files (objects); it is not block storage you can install an OS on
  • Objects can be from 0 bytes to 5 TB (a single PUT is limited to 5 GB; larger objects use multipart upload)
  • There is unlimited storage
  • Objects are stored in buckets
  • S3 is a universal namespace. Bucket names must be unique globally across all AWS accounts. Endpoint examples for a bucket named acloudguru:
    https://acloudguru.s3.amazonaws.com - legacy global endpoint (the N. Virginia, us-east-1, default region)
    https://acloudguru.s3.us-west-1.amazonaws.com - regional endpoint for any other region
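The naming rules behind the "universal namespace" point and the endpoint forms on this card, as an added example that is not from the original page. It implements the main general-purpose bucket naming rules (the AWS documentation lists a few extra reserved prefixes and suffixes that are omitted here) and builds the virtual-hosted-style URL the card shows; acloudguru is only the placeholder name the card uses.

```python
"""Bucket naming and endpoint helpers for the S3 global namespace.

Added example, not from the original page. Implements the main
general-purpose bucket naming rules (some reserved prefixes/suffixes from
the AWS docs are omitted) and builds the URL forms shown on the card.
"""
import re
from typing import List

_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]*[a-z0-9]$")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def validate_bucket_name(name: str) -> List[str]:
    """Return the naming rules the name breaks; an empty list means valid."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3-63 characters")
    if not _NAME.match(name):
        problems.append("only lowercase letters, digits, dots and hyphens, "
                        "starting and ending with a letter or digit")
    if ".." in name:
        problems.append("must not contain two adjacent dots")
    if _IPV4.match(name):
        problems.append("must not be formatted like an IPv4 address")
    if name.startswith("xn--"):
        problems.append("must not start with the punycode prefix xn--")
    return problems


def bucket_url(name: str, region: str = "us-east-1", key: str = "") -> str:
    """Virtual-hosted-style URL: https://<bucket>.s3.<region>.amazonaws.com/<key>.

    The region-less https://<bucket>.s3.amazonaws.com form on the card is
    the legacy us-east-1 (N. Virginia) endpoint."""
    if validate_bucket_name(name):
        raise ValueError(f"invalid bucket name: {name}")
    return f"https://{name}.s3.{region}.amazonaws.com/{key}"


def path_style_url(name: str, region: str = "us-east-1", key: str = "") -> str:
    """https://s3.<region>.amazonaws.com/<bucket>/<key>; needed for buckets
    whose names contain dots (see https_safe)."""
    if validate_bucket_name(name):
        raise ValueError(f"invalid bucket name: {name}")
    return f"https://s3.{region}.amazonaws.com/{name}/{key}"


def https_safe(name: str) -> bool:
    """Dots in a bucket name turn it into several DNS labels, and the wildcard
    certificate on *.s3.<region>.amazonaws.com covers only one label, so
    virtual-hosted HTTPS fails certificate validation for such buckets."""
    return "." not in name
```

The last function is the practical caveat: a bucket named like a hostname (my-logs.example.com) is a valid name, but clients must use the path-style URL (or a CloudFront distribution in front) to get clean TLS.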
15
Q

What do S3 objects consist of?

A

Think of objects just as files. Objects consist of the following:

Key - the name of the object (the full path-like name, e.g. logs/2019/app.log; S3 has no real directories, the slashes are just part of the key)
Value - the data, made up of a sequence of bytes
Version ID - identifies each version of the object once versioning is enabled
Metadata - data about the data you are storing - e.g. department ownership, content type
Subresources
- Access control lists
- Torrent (a legacy feature; BitTorrent delivery is no longer offered to new customers)

16
Q

Describe the S3 Data Consistency Model

A
  1. Read after Write Consistency for PUTs of new objects
    If you write a new file and read it immediately afterwards you will be able to view that data
  2. Eventual Consistency for overwrite PUTs and DELETEs
    If you update an existing file, or delete a file, and read it immediately, you may get the older version. Changes to objects could take time to propagate
  Note: this was the S3 model when these cards were written. Since December 2020 S3 provides strong read-after-write consistency for all PUT and DELETE operations and for LIST, so a read after an overwrite or delete always returns the latest state
17
Q

What does S3 guarantee?

A

Built for 99.99% availability on the S3 platform
Amazon's SLA guarantees 99.9% availability
Amazon designs for 99.999999999% durability of objects (11 x 9s); durability is not the same as protection against deletion, which needs versioning, MFA Delete or replication

18
Q

What are S3’s core features?

A
Tiered storage
Lifecycle management
Versioning
Encryption
MFA Delete
Secure your data using Access Control Lists and Bucket Policies
19
Q

List the 6 S3 storage classes

A
  1. S3 Standard
  2. S3 IA
  3. S3 One Zone IA
  4. S3 Intelligent Tiering
  5. S3 Glacier (now called S3 Glacier Flexible Retrieval)
  6. S3 Glacier Deep Archive
  (AWS has since added further classes, such as S3 Glacier Instant Retrieval, so this list is no longer complete)
20
Q

What is S3 Standard?

A
S3 Standard (first-byte latency = milliseconds)
Designed for 99.99% availability (99.9% SLA) and 99.999999999% durability, stored redundantly across multiple devices in multiple AZs, and designed to sustain the loss of 2 facilities concurrently
21
Q

What is S3 IA?

A

S3 IA - Infrequent Access (first-byte latency = milliseconds)
For data that is accessed less frequently but requires rapid access when needed. Lower storage fee than S3 Standard, but you are charged a per-GB retrieval fee (the legacy Reduced Redundancy Storage, RRS, class is another reduced-price option, at lower durability)

22
Q

What is S3 One Zone IA?

A

S3 One Zone IA (first-byte latency = milliseconds)
For where you want the lower-cost option for infrequently accessed data but do not require multi-AZ data resilience. The data lives in a single AZ and is lost if that AZ is destroyed, so keep a copy elsewhere for anything that matters

23
Q

What is S3 Intelligent Tiering?

A

S3 Intelligent Tiering (first-byte latency = milliseconds)
Designed to optimise costs by automatically moving objects to the most cost-effective access tier based on observed access patterns, without performance impact or operational overhead. A small monthly monitoring fee per object applies

24
Q

What is S3 Glacier?

A
S3 Glacier (first-byte latency = minutes to hours)
A secure, durable, low-cost storage class for data archiving. You can reliably store any amount of data at costs that are competitive with or cheaper than on-premises solutions. Retrieval times are configurable from minutes (Expedited) to hours (Standard, Bulk), and you pay per retrieval

All storage / month: $0.004 per GB (us-east-1 price when these cards were written)

25
Q

What is S3 Glacier Deep Archive?

A
S3 Glacier Deep Archive (first-byte latency = up to 12 hrs)
Amazon S3's lowest cost storage class, for data where a standard retrieval time of 12 hrs (48 hrs for bulk retrieval) is acceptable
26
Q

Describe S3 - Cross Region Replication

A

For high availability and disaster recovery. When you upload objects / data to one bucket, e.g. in us-east-1, they are automatically replicated to another bucket, e.g. in Sydney (ap-southeast-2). The destination bucket can belong to a different AWS account, which is useful for keeping a copy of logs that users of the source account cannot tamper with.

27
Q

Describe S3 - Transfer Acceleration

A

Enables fast, easy and secure transfer of files over long distances between your end users and an S3 bucket. Takes advantage of Amazon CloudFront’s globally distributed edge locations. As the data arrives at an edge location, it is routed to S3 over an optimised network path.

28
Q

What are S3 charges comprised of?

A
Storage (per GB per month, by storage class)
Number of requests and data retrievals
Storage management pricing (e.g. inventory, analytics, object tagging)
Transfer Acceleration pricing
Data transfer pricing (data out to the internet and between regions)
Cross region replication pricing
29
Q

What are the S3 Pricing Tiers?

A

Check against P6 in Report

30
Q

By default, newly created buckets are ________

A

Private. For buckets created since April 2023, Block Public Access is also switched on and ACLs are disabled by default, so making a bucket public requires deliberately changing both

31
Q

How can you set up access control on your buckets?

Can you monitor access to your bucket?

A

You can set up access control on your buckets using:

  • Bucket Policies -> resource-based JSON policies that work at the bucket level (statements can be scoped to prefixes or individual objects within it)
  • Access Control Lists (ACL) -> legacy grants down to the individual-object level; AWS now recommends disabling them (Object Ownership: bucket owner enforced) and using policies only
  • S3 Block Public Access, at bucket or account level, overrides any policy or ACL that would make data public

S3 buckets can be configured to create server access logs which record requests made to the bucket. These can be delivered to another bucket, even a bucket in another account, so every attempt to access an object leaves a record that the source bucket's users cannot erase. Delivery is best-effort and delayed, so for a complete audit trail of API calls use CloudTrail data events.
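Server access logs are plain text, so a first pass over them needs nothing more than a tokenizer. The following added example (not from the original page; the log lines, bucket, account, addresses and request IDs are constructed placeholders laid out in the documented server-access-log field order) flags the patterns a defender looks for: successful anonymous reads, plain-HTTP reads, legacy SigV2 signing, ACL changes, and bursts of AccessDenied from one address. Athena (card 59) answers the same questions over a whole log bucket with SQL.

```python
"""Scan S3 server access log lines for the events a defender cares about.

Added example, not part of the original page. The log lines are constructed
to follow the documented S3 server access log layout: space separated,
'[...]' round the timestamp, '"..."' round request URI, referer and user
agent, '-' for a missing value, and newer fields (signature version, TLS
version, aclRequired ...) appended at the end. Bucket, account, IPs and
request IDs are placeholders. Server access logs are delivered best-effort
and with delay; CloudTrail data events are the authoritative record.
"""
import re
from collections import Counter
from typing import Dict, List

FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version", "cipher_suite",
    "auth_type", "host_header", "tls_version", "access_point_arn",
    "acl_required",
]
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
_OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
_ALICE = "arn:aws:iam::123456789012:user/alice"
_CIPHER = "ECDHE-RSA-AES128-GCM-SHA256"
_HOST = "example-logs.s3.us-east-1.amazonaws.com"

SAMPLE_LINES = [
    # authenticated GET over TLS with SigV4: nothing to report
    f'{_OWNER} example-logs [06/Feb/2019:00:00:38 +0000] 192.0.2.3 {_ALICE} '
    f'3E57427F3EXAMPLE REST.GET.OBJECT app/today.log "GET /app/today.log HTTP/1.1" '
    f'200 - 4096 4096 12 9 "-" "aws-cli/2.4.0" - HOSTIDEXAMPLE= SigV4 {_CIPHER} '
    f'AuthHeader {_HOST} TLSv1.2 - -',
    # anonymous GET of a secret over plain HTTP that succeeded: the object is public
    f'{_OWNER} example-logs [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - '
    f'7B4A0FABEXAMPLE REST.GET.OBJECT secrets/db.env "GET /secrets/db.env HTTP/1.1" '
    f'200 - 512 512 8 6 "-" "curl/7.81.0" - HOSTIDEXAMPLE= - - - '
    f'example-logs.s3.amazonaws.com - - -',
    # ACL change on the bucket itself (key is '-')
    f'{_OWNER} example-logs [06/Feb/2019:00:03:00 +0000] 192.0.2.3 {_ALICE} '
    f'9F8E7D6CEXAMPLE REST.PUT.ACL - "PUT /?acl HTTP/1.1" 200 - - - 15 12 "-" '
    f'"S3Console/0.4" - HOSTIDEXAMPLE= SigV4 {_CIPHER} AuthHeader {_HOST} TLSv1.2 - Yes',
] + [
    # three AccessDenied probes from one address, still signing with SigV2
    f'{_OWNER} example-logs [06/Feb/2019:00:02:{10 + i:02d} +0000] 203.0.113.9 '
    f'arn:aws:iam::123456789012:user/ci-bot 1A2B3C4D{i}EXAMPLE REST.GET.OBJECT '
    f'admin/{key} "GET /admin/{key} HTTP/1.1" 403 AccessDenied - - 5 - "-" '
    f'"python-requests/2.31" - HOSTIDEXAMPLE= SigV2 {_CIPHER} AuthHeader {_HOST} TLSv1.2 - -'
    for i, key in enumerate(["keys.json", "users.csv", "backup.tar"])
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into named fields, tolerating older, shorter lines."""
    tokens = [t.strip('[]"') for t in _TOKEN.findall(line)]
    tokens += ["-"] * (len(FIELDS) - len(tokens))   # pad fields a line lacks
    return dict(zip(FIELDS, tokens))


def findings(lines: List[str], denied_threshold: int = 3) -> List[str]:
    """Return one finding string per suspicious event."""
    out: List[str] = []
    denied_by_ip: Counter = Counter()
    for line in lines:
        r = parse_line(line)
        target = r["bucket"] + ("" if r["key"] == "-" else "/" + r["key"])
        where = f"{r['operation']} {target} from {r['remote_ip']}"
        ok = r["http_status"].startswith("2")
        if ok and r["requester"] == "-":
            out.append(f"ANONYMOUS_SUCCESS {where}")   # public data exposure
        if ok and r["tls_version"] == "-":
            out.append(f"PLAINTEXT_HTTP {where}")      # no encryption in transit
        if r["signature_version"] == "SigV2":
            out.append(f"LEGACY_SIGV2 {where}")        # client should move to SigV4
        if r["operation"] == "REST.PUT.ACL":
            out.append(f"ACL_CHANGE {where} by {r['requester']}")
        if r["http_status"] == "403":
            denied_by_ip[r["remote_ip"]] += 1
    for ip, n in denied_by_ip.items():
        if n >= denied_threshold:
            out.append(f"ACCESS_DENIED_BURST {n} x 403 from {ip}")
    return out


if __name__ == "__main__":
    for finding in findings(SAMPLE_LINES):
        print(finding)
```

Note that the anonymous line is only a problem because it succeeded: a 403 from an anonymous requester is the bucket doing its job, which is why the two anonymous and plaintext checks are gated on a 2xx status while the burst check counts the 403s.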

32
Q

What are the 2 types of Encryption that can be used in S3?

A
  1. Encryption in transit
  2. Encryption at rest (server side or client side)

33
Q

Describe Encryption in transit

A
  • HTTPS means the traffic is encrypted in transit; achieved by SSL / TLS
  • S3 endpoints also answer plain HTTP, so TLS is only guaranteed when a bucket policy denies requests where the aws:SecureTransport condition key is false
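To make the second point concrete, the following added example (not code from the original page or from AWS; the bucket name example-logs and account 123456789012 are placeholders) audits a bucket policy for the TLS-only Deny statement that AWS documents and appends it when missing. It also catches the common near miss of denying HTTP for the objects but not for the bucket itself.

```python
"""Audit and harden a bucket policy so that only TLS requests are accepted.

Added example, not from the original page. S3 endpoints answer plain HTTP
as well as HTTPS, so 'encryption in transit' is only enforced when a bucket
policy denies every request whose aws:SecureTransport condition key is
false. Bucket name and account ID are placeholders; the TLS-only statement
follows the pattern in the AWS documentation.
"""
import json
from typing import List, Union


def _as_list(value: Union[str, dict, List]) -> List:
    return value if isinstance(value, list) else [value]


def enforce_tls_statement(bucket: str) -> dict:
    """Deny statement that rejects non-TLS requests. It must name both the
    bucket ARN (bucket-level calls such as ListBucket) and <bucket>/* (the
    objects); covering only one leaves the other reachable over HTTP."""
    return {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def denies_insecure_transport(policy: dict, bucket: str) -> bool:
    """True if some statement denies all principals and all S3 actions over
    plain HTTP for both the bucket and every object in it."""
    required = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if "s3:*" not in _as_list(stmt.get("Action", [])):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        if required <= set(_as_list(stmt.get("Resource", []))):
            return True
    return False


def harden(policy: dict, bucket: str) -> dict:
    """Return the policy itself if it already enforces TLS, otherwise a deep
    copy with the TLS-only statement appended (the original is not mutated)."""
    if denies_insecure_transport(policy, bucket):
        return policy
    hardened = json.loads(json.dumps(policy))
    hardened.setdefault("Version", "2012-10-17")
    hardened["Statement"] = _as_list(hardened.get("Statement", []))
    hardened["Statement"].append(enforce_tls_statement(bucket))
    return hardened


# Constructed policies. WEAK_POLICY grants a partner account read access but
# says nothing about transport; OBJECTS_ONLY_POLICY is the common near miss
# that denies HTTP for objects but still allows ListBucket over HTTP.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PartnerRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"],
    }],
}
OBJECTS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-logs/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

if __name__ == "__main__":
    print(json.dumps(harden(WEAK_POLICY, "example-logs"), indent=2))
```

The hardened document is what you would pass to put-bucket-policy; because the Deny carries Principal "*" it applies to the bucket owner's own users as well, which is the intent.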
34
Q

Describe encryption AT REST

A

a) Encrypt the data that is being stored, e.g. if a hard disk is stolen the data can't be read without the key
b) Server-side - Amazon encrypts the data for you on write and decrypts it on read
i) SSE-S3 - S3 managed keys -> Amazon manages the keys (the default for all new objects since January 2023)
ii) SSE-KMS - AWS Key Management Service managed keys -> you control the key policy and CloudTrail records every use of the key
iii) SSE-C - Server-side encryption with customer-provided keys -> you and Amazon manage the keys together: you supply the key with each request, Amazon uses it to encrypt / decrypt but does not store it
c) Client-Side Encryption
i) Encrypt the data yourself and then upload the ciphertext to S3; S3 never sees the plaintext or the key

35
Q

Describe S3 Versioning

A
  • Stores all versions of an object (every write; a delete only adds a delete marker rather than removing data)
  • Great backup tool, and a defence against accidental or malicious overwrite
  • Once enabled, versioning CANNOT BE DISABLED, only suspended
  • Integrates with lifecycle rules
  • Versioning's MFA Delete capability requires an MFA code (and the root user's credentials) to permanently delete a version or change the bucket's versioning state, adding a further layer of security
36
Q

Describe S3 lifecycle management

A
  • Automates moving your objects between different storage tiers
  • Can be used in conjunction with versioning
  • Can be applied to current versions and previous versions
37
Q

What is AWS Organisations?

A

An account management service that enables you to consolidate multiple AWS accounts into an organisation that you create and centrally manage.

38
Q

What are advantages of using AWS Consolidated Billing?

A
  • One bill for all the AWS accounts in the organisation
  • Very easy to track charges and allocate costs
  • Volume pricing discount (usage across all accounts is aggregated)
39
Q

What are the best practices when using AWS Consolidated Billing?

A
  • Always enable MFA on the root user (of the paying account and of every member account)
  • Always use a strong and complex pwd on the root account
  • Paying account should be used for billing purposes only
    • Do not deploy resources into paying account
  • Enable / disable AWS services using Service Control Policies (SCPs) either on OUs or on individual accounts. SCPs only cap what an account can do, they grant nothing by themselves, and they do not apply to the paying (management) account
40
Q

S3 cross account access - what are 3 ways to share S3 Buckets across accounts?

A
  1. Using Bucket Policies & IAM (entire bucket). Programmatic Access only.
  2. Using Bucket ACLs & IAM (individual objects). Programmatic Access only.
  3. Cross-account IAM Roles. Programmatic AND Console Access.
41
Q

What is a prerequisite for enabling cross region replication in S3?

A

To enable cross-region replication, versioning must be enabled on both source and destination buckets.

42
Q

Describe cross region replication behaviours

A
  • To enable cross-region replication, versioning must be enabled on both the source and destination buckets
  • Objects already in the bucket when replication is configured are not replicated automatically (S3 Batch Replication can be used for them)
  • All subsequent uploads and updates are replicated automatically
  • Deleting individual versions is never replicated; delete markers are not replicated either unless delete marker replication is switched on in the rule
43
Q

Describe S3 transfer acceleration

A

Utilises the CloudFront Edge Network to accelerate your uploads to S3. Instead of uploading directly to your S3 bucket, you can use a distinct URL to upload directly to an Edge Location which will then transfer that file to S3. You will get a distinct URL to upload to: e.g. acloudguru.s3-accelerate.amazonaws.com

44
Q

Describe CloudFront

A

CloudFront is a CDN which is a system of distributed servers (network) that deliver webpages and other web content to a user based on the geographical location of the user, the origin of the webpage, and a content delivery server.

Amazon CloudFront can be used to deliver your entire website, including dynamic, static, streaming, and interactive content using a global network of Edge Locations. Requests for your content are automatically routed to the nearest Edge Location, so content is delivered with the best possible performance.

45
Q

What is some key terminology when talking about CloudFront?

A
  • Edge Location: The location where content will be cached. Separate to an AWS Region / AZ
  • Origin: The origin of all the files that the CDN will distribute. This can be an S3 bucket, an EC2 instance, an ELB, or a Route53 record pointing at your own server
  • Distribution: The name given to the CDN configuration, which consists of an origin and the collection of Edge Locations that serve it
46
Q

What are the 2 types of distribution when using CloudFront?

A
  1. Web Distribution - Typically used for websites
  2. RTMP - Used for Adobe Flash media streaming (deprecated; RTMP distributions were retired at the end of 2020)

47
Q

What is good to know when using CloudFront?

A
  • Edge Locations are not just READ ONLY - you can write to them too (i.e. PUT an object through them, which is what S3 Transfer Acceleration uses)
  • Objects are cached for the life of the TTL (Time To Live)
  • You can clear / invalidate cached objects, but you will be charged beyond a small monthly free allowance of invalidation paths
48
Q

What is Snowball? Why is it a good solution when transporting large amount of data?

A

Snowball is a petabyte-scale data transport solution that uses secure, tamper-resistant appliances to transfer large amounts of data into and out of AWS. Using Snowball addresses common challenges with large-scale data transfers including high network costs, long transfer times, and security concerns (data on the appliance is encrypted with keys managed through KMS).

49
Q

What other options do you have other than snowball to transfer large quantities of data to AWS?

A

Snowball Edge and Snowmobile. A Snowball Edge device holds up to 100 TB; Snowmobile (a shipping container on a truck) holds up to 100 PB

50
Q

What is Storage Gateway?

A

A service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organisation’s on-premises IT environment and AWS’s storage infrastructure. The service enables you to securely store data to the AWS cloud for scalable and cost effective storage.

51
Q

How do you access Storage Gateway?

A

AWS Storage Gateway’s software appliance is available for download as a VM image that you install on a host in your data centre. Storage Gateway supports either VMware ESXi or Microsoft Hyper-V. Once you’ve installed your gateway and associated it with your AWS account through the activation process, you can use the AWS management console to create the storage gateway option that is right for you.

52
Q

What are the 3 Storage Gateway types?

A
  1. File Gateway (NFS & SMB)
  2. Volume Gateway (iSCSI)
  3. Tape Gateway (VTL)
53
Q

Describe the File Gateway Storage Gateway type

A
  • For flat files stored directly on S3
  • Files are stored as objects in your S3 buckets, accessed through a Network File System (NFS) or SMB mount point. Ownership, permissions and timestamps are durably stored in S3 in the user metadata of the object associated with the file. Once objects are transferred to S3 they can be managed as native S3 objects, and bucket features such as versioning, lifecycle management and cross-region replication apply directly to the objects stored in your bucket.
54
Q

Describe the Volume Gateway Storage Gateway type

A
  • The volume interface presents your application with disk volumes using the iSCSI block protocol.
  • Data written to these volumes can be asynchronously backed up as point-in-time snapshots of your volumes, and stored in the cloud as Amazon EBS snapshots.
  • Snapshots are incremental backups that capture only changed blocks. All snapshot storage is also compressed to minimise your charges.

Volume Gateway has 2 types, Stored Volumes and Cached volumes

55
Q

Describe Volume Gateway Stored Volumes (Storage Gateway type)

A

Stored Volumes - the entire dataset is stored on your on-premises application servers and is asynchronously backed up to S3 in the form of EBS snapshots. 1 GB - 16 TB in size for Stored Volumes.

Stored volumes provide your on-premises applications with low-latency access to their entire datasets, while providing durable, off-site backups. You create storage volumes and mount them as iSCSI devices from your on-premises application servers.

56
Q

Describe Volume Gateway Cached Volumes (Storage Gateway type)

A

The entire dataset is stored on S3 as your primary data storage, and the most frequently accessed data is cached on-site in your storage gateway.

Cached volumes minimise the need to scale your on-premises storage infrastructure, while still providing your applications with low-latency access to their frequently accessed data. You can create storage volumes up to 32 TB in size and attach to them as iSCSI devices from your on-premises application servers. Your gateway stores the data you write to these volumes in S3 and retains recently read data in its on-premises cache and upload-buffer storage. 1 GB - 32 TB in size for cached volumes.

57
Q

Describe the Tape Gateway Storage Gateway type

A

Offers a durable, cost-effective solution to archive your data in the AWS cloud. The VTL interface it provides lets you leverage your existing tape-based backup application infrastructure to store data on virtual tape cartridges that you create on your tape gateway. Each tape gateway is preconfigured with a media changer and tape drives, which are available to your existing client backup applications as iSCSI devices. You add tape cartridges as you need to archive your data. Supported by NetBackup, Backup Exec, Veeam, etc.

58
Q

What is Athena?

A

Interactive query service which enables you to analyse and query data located in S3 using Standard SQL

  • Serverless, nothing to provision, pay per query / per TB scanned
  • No need to set up complex Extract / Transform / Load (ETL) processes
  • Works directly with data stored in S3
59
Q

What is Athena used for?

A
  • To query log files stored in S3, e.g. ELB logs, S3 access logs, etc
  • Generate business reports on data stored in S3
  • Analyse costs (AWS) and usage reports
  • Run queries on click-stream data
60
Q

What is Macie?

A

Security service which uses Machine Learning and NLP (Natural Language Processing) to discover, classify and protect sensitive data stored in S3
- Uses ML to recognise whether your S3 objects contain sensitive data such as PII
- Dashboards, reporting, alerts
- Works directly with data stored in S3
- Can also analyse CloudTrail logs
- Great for PCI-DSS compliance and preventing identity theft