Storage Flashcards
What is S3?
Amazon Simple Storage Service: object storage that uses buckets to organise and store objects
Give some examples of objects that can be stored in S3
Files such as text files, images, videos, documents, or even application code
We store objects as key-value pairs in S3. Explain what the key and the value are.
The key is the object's unique name within the bucket
The value is the data itself (the text file, image, video, etc.) plus its metadata
How is data stored in S3?
As objects (a file plus its metadata) inside buckets; a bucket is a flat namespace, and any "folders" are just prefixes in the object key
How to create a bucket?
S3 -> Create Bucket -> name (globally unique), region, configuration, permissions (Block Public Access is on by default for new buckets)
NB: Once created, you can create a folder inside the bucket (the console shows a key prefix as a folder)
What are the 6 S3 storage classes?
S3 Standard
S3 Intelligent-Tiering (unknown or changing access pattern)
S3 Standard-Infrequent Access (Standard-IA)
S3 One Zone-Infrequent Access (One Zone-IA; single Availability Zone)
S3 Glacier (now called Glacier Flexible Retrieval)
S3 Glacier Deep Archive
Name 4 S3 management features
- Lifecycle policies (automate data management by defining rules to transition, expire and delete objects based on criteria like age or storage class)
- Versioning (preserve multiple versions of objects to protect against accidental deletions or overwrites)
- Cross-region replication (automatically replicate the objects from one s3 bucket in another region to enhance durability and disaster recovery or low latency access)
- Bucket logging (record detailed access logs for your s3 bucket to monitor/audit object-level access, track usage & identify potential security issues)
Name the 2 kinds of S3 access policy
IAM (identity-based) policy: attached to a user, group or role; fine-grained control of what that identity may do
Bucket (resource-based) policy: attached to the bucket; controls who may access the bucket and its objects, including principals in other accounts
Can you use conditions in policies?
Yes. A statement's optional Condition block makes it apply only when the request context matches, e.g. IpAddress on aws:SourceIp, Bool on aws:SecureTransport (to deny plain HTTP), or StringEquals on s3:x-amz-server-side-encryption
The Action element (e.g. s3:CreateBucket) names the API operation; the Condition decides when the statement applies
Name 2 resource-based policies (policies that control access to specific resources, i.e. buckets or objects)
Bucket policies (JSON that defines who is allowed or denied access to a bucket or the objects in it)
Access Control Lists (legacy per-bucket or per-object grants to AWS accounts or predefined groups; disabled by default on new buckets, with bucket policies preferred)
When should we use an IAM policy instead of a bucket policy?
Use an IAM policy when you need fine-grained control over what a specific IAM user, group or role may do, especially when that identity needs access across multiple AWS services
A company wants to control S3 buckets and their objects, keep the security policy within S3, and grant access to multiple accounts without having to use IAM roles
Should they use bucket policies or IAM policies?
Bucket policies (a resource-based policy can grant cross-account access directly to the other accounts' principals)
What is the max IAM inline policy size for users, groups and roles?
Users - 2,048 characters
Groups - 5,120 characters
Roles - 10,240 characters
(whitespace is not counted against these quotas)
What is the max size of a bucket policy?
20 KB
Name 4 types of ACL permissions
READ (on a bucket: list the objects; on an object: read its data)
WRITE (on a bucket: create, overwrite and delete objects; not applicable to objects)
READ_ACP (read the bucket's or object's ACL)
WRITE_ACP (write the ACL, which is effectively full control)
FULL_CONTROL is the fifth, combining all four
By default, access to an object is denied, even without an explicit Deny in any policy
True
Access is implicitly denied unless some policy (IAM policy, bucket policy or ACL) contains a matching Allow, and an explicit Deny anywhere overrides every Allow
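The decision rules above (implicit deny, explicit Deny wins, Allow required, Condition must hold) as a small evaluator. This is an added example written for this page, not AWS code: the account id, role, bucket name and the three condition operators it models are made up, and it assumes statements without a Principal belong to the caller.

```python
"""Toy model of the S3 access decision: implicit deny unless an Allow matches,
an explicit Deny anywhere wins, and a statement only applies when its Condition
holds. Added example, not AWS code; identifiers below are constructed."""
import ipaddress
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::example-bucket"                       # hypothetical bucket
ANALYST = "arn:aws:iam::111122223333:role/Analyst"            # hypothetical role

# Resource-based policy: lives on the bucket, so each statement names a Principal.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAnalystRead", "Effect": "Allow",
         "Principal": {"AWS": ANALYST},
         "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"},
        {"Sid": "AllowAnalystDeleteFromOffice", "Effect": "Allow",
         "Principal": {"AWS": ANALYST},
         "Action": "s3:DeleteObject", "Resource": f"{BUCKET}/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Identity-based policy attached to the Analyst role: no Principal element.
ANALYST_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    # Policy elements use "*" wildcards; fnmatchcase gives the same matching.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """True only if every operator/key pair matches the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:            # key absent from request: no match
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c) for c in _as_list(expected)):
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def evaluate(policies, principal, action, resource, ctx):
    """Return "ALLOW" or "DENY" for one request. `policies` holds the caller's
    identity policies plus the bucket policy; statements without a Principal
    are assumed to belong to the caller (no cross-account subtleties here)."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if "Principal" in st:
                p = st["Principal"]
                who = ["*"] if p == "*" else _as_list(p.get("AWS", []))
                if not _any_match(who, principal):
                    continue
            if not _any_match(st["Action"], action):
                continue
            if not _any_match(st["Resource"], resource):
                continue
            if not _condition_holds(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "DENY"             # explicit deny overrides every allow
            allowed = True
    return "ALLOW" if allowed else "DENY"  # nothing allowed it: implicit deny
```

Note that the anonymous read is refused without any Deny statement mentioning it, while the analyst's read over plain HTTP is refused despite the Allow: that is the difference between implicit and explicit deny.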
What does CORS stand for?
Cross Origin Resource Sharing
What is Cross Origin Resource Sharing (CORS)?
CORS is a browser security mechanism: a page served from one origin can only read resources from another origin if that origin explicitly allows it in its response headers
Name 5 types of S3 encryption
SSE (server-side encryption):
- SSE-S3
- SSE-KMS
- SSE-C
CSE (client-side encryption):
- CSE-KMS
- CSE-C
Describe SSE-S3 (server-side encryption with S3-managed keys)
You upload the data and S3 encrypts it with a key that S3 owns and rotates
You know a key exists, but you never see it or manage it
Easiest, hands-off option; it is the default encryption for new objects
Describe SSE-KMS (server-side encryption with KMS keys)
AWS KMS manages the key; you can use the AWS-managed key or your own customer-managed key
You never see the key material, but you control the key policy, rotation and who may use it, and every use is logged in CloudTrail
e.g. if you must rotate keys every 3 months or prove who decrypted what, this is the option
Describe SSE-C (server-side encryption with customer-provided keys)
Suitable when strict requirements mean you must hold the key yourself
You generate, store and rotate the key and send it (over HTTPS) with every PUT and GET; S3 encrypts with it and keeps no copy
What is CSE-KMS (client-side encryption with KMS keys)?
Your application encrypts the data before upload, using a data key obtained from KMS under your KMS key, and decrypts the ciphertext it reads back; S3 only ever stores ciphertext
- Adds an extra layer of protection, useful for sensitive data, e.g. financial or personal records, or compliance requirements such as GDPR
CSE-C (client-side encryption with customer-provided keys)
- Encrypt the data with your own key before uploading it to the cloud
- Highest level of control: neither the key nor the plaintext ever reaches AWS
- Your application must manage the keys and supply the right one for every decrypt (not just a master key held in KMS); AWS cannot recover the data for you
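The practical difference between the three server-side modes is what the client has to send. Below is an added example (not from the page, not AWS code) that builds the request headers each mode uses and mirrors the consistency check S3 performs on an SSE-C key; the KMS key ARN and key bytes are constructed placeholders.

```python
"""Request headers per S3 server-side encryption mode, and the key check S3
applies to SSE-C. Added example; the key ARN and key bytes are made up."""
import base64
import hashlib

KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # hypothetical
CUSTOMER_KEY = bytes(range(32))   # constructed 256-bit key; use os.urandom(32) for real


def sse_s3_headers() -> dict:
    """SSE-S3: S3 encrypts with a key it owns; nothing needs repeating on GET."""
    return {"x-amz-server-side-encryption": "AES256"}


def sse_kms_headers(key_id: str = KMS_KEY_ARN) -> dict:
    """SSE-KMS: a named KMS key, so its key policy, rotation and CloudTrail audit
    apply; the caller also needs kms:GenerateDataKey (PUT) / kms:Decrypt (GET)."""
    return {"x-amz-server-side-encryption": "aws:kms",
            "x-amz-server-side-encryption-aws-kms-key-id": key_id}


def sse_c_headers(key: bytes) -> dict:
    """SSE-C: the raw key rides in the headers of every PUT and GET (HTTPS only)."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) AES key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5":
            base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def sse_c_key_is_consistent(headers: dict) -> bool:
    """Mirror of the server-side check: the key decodes to 32 bytes and its MD5
    matches the companion header, so a corrupted key is rejected before use."""
    try:
        key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"], validate=True)
        sent_md5 = base64.b64decode(headers["x-amz-server-side-encryption-customer-key-MD5"], validate=True)
    except (KeyError, ValueError):
        return False
    return len(key) == 32 and hashlib.md5(key).digest() == sent_md5


def headers_for_get(mode: str, key: bytes = b"") -> dict:
    """What a later GET must repeat: nothing for SSE-S3/SSE-KMS, the key for SSE-C."""
    return sse_c_headers(key) if mode == "SSE-C" else {}
```

The last function is the point of the "provide the key each time" flashcard: losing an SSE-C key means losing the object, whereas an SSE-KMS object only needs kms:Decrypt on the key.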
When would you use S3 Intelligent-Tiering vs lifecycle configurations for data management?
S3 Intelligent-Tiering to optimise storage costs through automated tiering when you do not know the access pattern
Lifecycle configurations to enforce known data retention and archiving policies
Name 5 actions you can set in a lifecycle configuration
- Transition current objects to another storage class (Transition)
- Expire, i.e. delete, current objects (Expiration)
- Transition noncurrent versions in a versioned bucket (NoncurrentVersionTransition)
- Permanently delete noncurrent versions (NoncurrentVersionExpiration)
- Abort incomplete multipart uploads (AbortIncompleteMultipartUpload)
Lifecycle rules cannot add tags or invoke Lambda: tags and prefixes are filters that select which objects a rule applies to, and Lambda is triggered through S3 Event Notifications instead
For lifecycle configuration, what does it mean to transition objects to different storage classes?
A rule moves objects from one storage class to a cheaper one once a condition is met
e.g. transition current objects from Standard to Glacier after 60 days to reduce costs:
<Transition><Days>60</Days><StorageClass>GLACIER</StorageClass></Transition>
For old versions of objects use <NoncurrentVersionTransition><NoncurrentDays>60</NoncurrentDays><StorageClass>GLACIER</StorageClass></NoncurrentVersionTransition>
For lifecycle configuration, how are objects deleted?
You can configure objects to be deleted when a condition is met
using the <Expiration> element with <Days>N</Days> (or <Date>) inside; in a versioned bucket this only adds a delete marker, and <NoncurrentVersionExpiration> is what removes the old versions
For lifecycle configuration, when would you use object tags?
Tags categorise objects, and a rule's filter can select only the objects carrying a given tag
e.g.
<Filter><Tag><Key>tag-name</Key><Value>tag-value</Value></Tag></Filter>
(the rule does not apply tags; the tag must already be on the object)
How would you invoke a Lambda function when objects in the bucket change?
Not through lifecycle configuration: configure S3 Event Notifications on the bucket with the LambdaFunctionArn (the unique id of the function) and the events that should trigger it, e.g. s3:ObjectCreated:* or s3:ObjectRemoved:*
What is an IAM policy?
An IAM policy is attached to a user, group or role.
IAM policies have a name and are defined by a policy document written in JSON that specifies, per statement:
- Effect (Allow / Deny)
- Action (API operation, e.g. s3:GetObject)
- Resource (ARN of the S3 bucket or object, EC2 instance, etc.)
- optionally a Condition
Name the 3 key properties S3 is designed for
SAD
Scalability
Availability
Durability
Because objects are stored redundantly across multiple Availability Zones with automatic load distribution, S3 Standard is designed for 99.99% availability and 99.999999999% (11 nines) durability
When do you use a bucket policy over an IAM policy?
Use a bucket policy when you want to enforce bucket-wide access controls, manage public access to objects, grant cross-account access, or simplify access management for one bucket (CORS is configured separately, not in the bucket policy)
Why would you turn on versioning for S3?
To keep older versions so you can roll back after an accidental overwrite or deletion (a delete only adds a delete marker)
It is off by default and must be turned on per bucket; every version you keep is billed as storage
Think of some use cases for versioning
You also need to decide whether object, file or block storage is the best solution for the workload
What is S3 object storage commonly used for?
Write once read many (WORM)
S3 supports read and write operations. It is designed to provide highly scalable, durable, and secure object storage. While it does allow for the overwriting and deletion of objects, S3 is often used for scenarios where data is written once and then frequently read. This makes it suitable for various use cases, such as data backup, archiving, data lakes, content distribution, and static website hosting.
What do you use for object-level logging?
CloudTrail data events (S3 server access logging is the alternative for per-request logs)
Why use Transfer Acceleration?
It routes uploads through the nearest CloudFront edge location and then over the AWS network to the bucket, so long-distance transfers finish faster
You pay extra per GB transferred to use it
How do we use policies in AWS so that the right people, and only they, can access what we have stored in S3?
- IAM policies (users, roles, groups)
- Bucket policies
- ACLs (grants to AWS accounts or predefined groups; can be applied at bucket or object level)
When and why do we use CORS with S3
We use CORS with S3 buckets in AWS to allow web pages from a different domain to access resources in your S3 bucket.
Ie., web application running on one domain that needs to access resources, such as images or files, stored in an S3 bucket on another domain.
By configuring CORS, you can specify which origins are permitted to access your S3 resources, thereby controlling and securing cross-origin requests.
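To make the CORS cards concrete, here is an added example (written for this page, not AWS code) that models how S3 chooses a CORS rule for a browser request: the first rule whose AllowedOrigins, AllowedMethods and AllowedHeaders all match wins, and if none matches the response carries no CORS headers and the browser blocks the page. The rules and origins are made up.

```python
"""Model of S3 CORS rule selection for a cross-origin request. Added example,
not AWS code; the configuration and origins below are constructed."""
from fnmatch import fnmatchcase

# Shape of a PutBucketCors configuration (one dict per CORSRule).
CORS_RULES = [
    {   # the web app may read objects and see the ETag header
        "AllowedOrigins": ["https://app.example.com"],
        "AllowedMethods": ["GET", "HEAD"],
        "AllowedHeaders": ["Authorization", "x-amz-*"],
        "ExposeHeaders": ["ETag"],
        "MaxAgeSeconds": 3000,
    },
    {   # any https subdomain of example.org may upload, with any request header
        "AllowedOrigins": ["https://*.example.org"],
        "AllowedMethods": ["PUT", "POST"],
        "AllowedHeaders": ["*"],
    },
]


def _matches(pattern: str, value: str) -> bool:
    # S3 permits a single "*" wildcard per AllowedOrigin / AllowedHeader entry.
    if pattern.count("*") > 1:
        raise ValueError(f"S3 permits at most one * in {pattern!r}")
    return fnmatchcase(value, pattern)


def cors_headers(rules, origin: str, method: str, request_headers=()):
    """Headers S3 would add for this origin/method/header set, or None when no
    rule matches (S3 then answers without any Access-Control-* headers)."""
    for rule in rules:
        if not any(_matches(p, origin) for p in rule["AllowedOrigins"]):
            continue
        if method not in rule["AllowedMethods"]:
            continue
        allowed_hdrs = rule.get("AllowedHeaders", [])
        # every header the browser announced must be covered by the rule
        if not all(any(_matches(p.lower(), h.lower()) for p in allowed_hdrs)
                   for h in request_headers):
            continue
        headers = {
            # S3 echoes the caller's origin unless the rule allowed "*" outright
            "Access-Control-Allow-Origin": "*" if "*" in rule["AllowedOrigins"] else origin,
            "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
            "Vary": "Origin",
        }
        if request_headers:
            headers["Access-Control-Allow-Headers"] = ", ".join(request_headers)
        if rule.get("ExposeHeaders"):
            headers["Access-Control-Expose-Headers"] = ", ".join(rule["ExposeHeaders"])
        if "MaxAgeSeconds" in rule:
            headers["Access-Control-Max-Age"] = str(rule["MaxAgeSeconds"])
        return headers
    return None
```

CORS only tells the browser whether a page may read the response; it grants no S3 permission. A request that passes CORS still has to be allowed by the bucket policy or IAM policy, and a CORS rule with AllowedOrigins "*" on a private bucket is harmless only as long as those policies hold.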
What is the purpose of lifecycle configuration?
It lets us set rules for objects that sit in S3
e.g. to move objects to cheaper storage classes or delete them after a set time
There is no charge for the rules themselves (transition requests are billed per 1,000), and it removes the overhead of doing this by hand
Can lifecycle bring objects back to more expensive storage, e.g. Glacier to Standard-IA?
No. Lifecycle transitions only move objects down the waterfall to cheaper classes; to bring an object back you restore it (for the Glacier classes) and copy it into the class you want
What is the difference between EBS, S3 and EFS storage?
EBS is block storage: a virtual disk attached to one EC2 instance in one Availability Zone, so the OS sees raw blocks (bits and bytes); very fast, low latency
S3 is high-level object storage accessed over HTTPS APIs
Think of EFS as a shared drive: a network file system (NFS) that many instances can mount at once
IOPS vs standard SSD
IOPS = input/output operations per second, the rate at which a volume can service read/write requests
General Purpose SSD (gp2/gp3) gives baseline IOPS; Provisioned IOPS SSD (io1/io2) lets you buy a guaranteed IOPS figure for latency-sensitive workloads
PDFs are stored in an S3 bucket. The objects are rarely accessed after 30 days and not needed after 60 days, but must still be retained.
What is the most cost-effective way to meet these requirements?
Create a lifecycle rule that moves the objects from S3 Standard to S3 Standard-IA after 30 days and then to Glacier Deep Archive after 60 days
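The lifecycle cards above (the action elements, the 60-day Glacier transition for noncurrent versions, the waterfall-only rule, and this PDF scenario) come together in the example below. It is an added example written for this page, not AWS code: it builds the configuration in the dict shape that boto3's put_bucket_lifecycle_configuration takes and checks it against the ordering constraints S3 enforces, so a bad rule fails locally rather than at the API. The prefix and rule ids are made up, and only the five storage classes the page uses are modelled.

```python
"""Build an S3 lifecycle configuration and check the ordering rules S3 enforces
before sending it. Added example, not AWS code; prefix and ids are constructed."""
import json

# Subset of the transition waterfall: a rule may only move objects rightwards.
WATERFALL = ["STANDARD_IA", "ONEZONE_IA", "GLACIER", "DEEP_ARCHIVE"]
MIN_DAYS_BEFORE_IA = 30   # S3 rejects IA transitions earlier than 30 days after creation


def pdf_archive_rule(prefix: str = "pdfs/") -> dict:
    """Rule for the PDF scenario: rarely read after 30 days, kept but unused after 60."""
    return {
        "ID": "pdf-archive",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [
            {"Days": 30, "StorageClass": "STANDARD_IA"},
            {"Days": 60, "StorageClass": "DEEP_ARCHIVE"},
        ],
        # Old versions (if versioning is on) go to Glacier after 60 days.
        "NoncurrentVersionTransitions": [{"NoncurrentDays": 60, "StorageClass": "GLACIER"}],
        # Abandoned multipart uploads otherwise keep billing for their parts.
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }


def validate_rule(rule: dict) -> list:
    """Return a list of problems (empty means the rule is consistent)."""
    problems = []
    last_days, last_pos = -1, -1
    for t in rule.get("Transitions", []):
        cls, days = t["StorageClass"], t["Days"]
        if cls not in WATERFALL:
            problems.append(f"{cls} is not a class modelled here")
            continue
        pos = WATERFALL.index(cls)
        if pos <= last_pos:
            problems.append(f"{cls} must come later in the waterfall than the previous transition")
        if days <= last_days:
            problems.append(f"Days for {cls} must exceed the previous transition's Days")
        if cls.endswith("_IA") and days < MIN_DAYS_BEFORE_IA:
            problems.append(f"{cls} needs at least {MIN_DAYS_BEFORE_IA} days, got {days}")
        last_days, last_pos = days, pos
    expiry = rule.get("Expiration", {}).get("Days")
    if expiry is not None and expiry <= last_days:
        problems.append("Expiration Days must be greater than every transition's Days")
    return problems


def lifecycle_configuration(*rules) -> dict:
    """Assemble the configuration, refusing any rule that fails validation."""
    problems = {}
    for rule in rules:
        found = validate_rule(rule)
        if found:
            problems[rule["ID"]] = found
    if problems:
        raise ValueError(problems)
    return {"Rules": list(rules)}


if __name__ == "__main__":
    # boto3 usage would be: s3.put_bucket_lifecycle_configuration(
    #     Bucket="example-bucket", LifecycleConfiguration=lifecycle_configuration(pdf_archive_rule()))
    print(json.dumps(lifecycle_configuration(pdf_archive_rule()), indent=2))
```

The validator encodes why the waterfall card's answer is "no": a transition list that runs backwards (Glacier then Standard-IA) is rejected, and so is expiring an object before its last transition.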
A company is required by law to protect S3 data at rest from loss.
What is AUTOMATICALLY done by AWS that the user does NOT need to enable?
Replication of every object across multiple Availability Zones within the region (all classes except One Zone-IA)
Does a user need to enable S3 bucket versioning?
Yes. It is off by default; once on, you pay for every version you keep
Developing an app that processes logs for a security org using S3 and Lambda. The customer wants to use their existing KMS master key
What is the best server-side encryption method for this?
SSE-C or SSE-KMS?
SSE-KMS, because the existing key is a KMS customer-managed key and the Lambda role can simply be granted kms:Decrypt on it
Not SSE-C, because you would have to ship the raw key with every request
Developing an app that transfers files over a long distance between client storage and an S3 bucket
How do you send data using S3 Transfer Acceleration?
- Turn on Transfer Acceleration for the bucket
- Use the bucket's accelerate endpoint (bucket-name.s3-accelerate.amazonaws.com) instead of the regional endpoint when transferring the data
What 2 S3 features tell you who is accessing a bucket and notify you of delete actions?
- Enable S3 server access logging on the bucket (delivered to a separate logging bucket, on a best-effort delay)
- Turn on S3 Event Notifications for s3:ObjectRemoved:* events, which fire in near real time
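What you actually do with server access logs is parse them and look for the requests you care about. The block below is an added example, not from the page or from AWS: a parser for the S3 server access log line format, run over three constructed log lines (the bucket, account, principals and request ids are made up) to pull out delete operations and anonymous reads.

```python
"""Parse S3 server access log lines and flag deletes and anonymous access.
Added example, not AWS code; the log lines below are constructed."""
import re
from collections import Counter

# Three constructed lines in the S3 server access log format: an authenticated
# GET, an authenticated DELETE from the console, and an unauthenticated GET.
LOG_LINES = """\
79a59df9EXAMPLE example-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 arn:aws:iam::111122223333:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.pdf "GET /example-bucket/reports/q1.pdf HTTP/1.1" 200 - 2662992 3462992 70 10 "-" "aws-cli/2.13.0" - xxxEXAMPLE SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -
79a59df9EXAMPLE example-bucket [06/Feb/2019:00:01:00 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/bob 7B4A0FABEXAMPLE REST.DELETE.OBJECT reports/q1.pdf "DELETE /example-bucket/reports/q1.pdf HTTP/1.1" 204 - - 3462992 12 - "-" "S3Console/0.4" - yyyEXAMPLE SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -
79a59df9EXAMPLE example-bucket [06/Feb/2019:00:02:15 +0000] 203.0.113.9 - 9C1D2E3FEXAMPLE REST.GET.OBJECT public/index.html "GET /example-bucket/public/index.html HTTP/1.1" 200 - 1024 1024 8 4 "-" "Mozilla/5.0" - zzzEXAMPLE - - - example-bucket.s3.us-east-1.amazonaws.com TLSv1.3 - -
"""

# Space-separated fields; the timestamp is bracketed and three fields are quoted.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<request_uri>[^"]*)" '
    r'(?P<status>\S+) (?P<error>\S+) (?P<bytes_sent>\S+) (?P<object_size>\S+) '
    r'(?P<total_time>\S+) (?P<turnaround>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'(?P<version_id>\S+)(?P<rest>.*)$'
)

DELETE_OPS_PREFIX = "REST.DELETE."
MULTI_DELETE_OP = "REST.POST.MULTI_OBJECT_DELETE"   # bulk deletes arrive as a POST


def parse_line(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised access log line: {line[:60]!r}")
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def deletes(records) -> list:
    """Delete operations, single or bulk, that completed successfully."""
    return [r for r in records
            if (r["operation"].startswith(DELETE_OPS_PREFIX) or r["operation"] == MULTI_DELETE_OP)
            and r["status"] < 300]


def anonymous_requests(records) -> list:
    """Requests with no authenticated principal (requester logged as "-")."""
    return [r for r in records if r["requester"] == "-"]


def access_summary(records) -> Counter:
    """Who did what: (requester, operation) counts for the access-review question."""
    return Counter((r["requester"], r["operation"]) for r in records)
```

Two things the parser makes obvious that the raw line does not: the requester field is "-" for anonymous access, so a non-empty anonymous_requests() on a bucket that should be private is itself a finding, and deletes show up with a 204 status, so filtering on errors alone would miss them.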
What should we use for an unknown access pattern?
S3 Intelligent-Tiering