Storage

Question 1

What is S3?

Answer 1

S3 uses buckets to organize & store objects

Question 2

Give some examples of objects that can be stored in S3

Answer 2

Files such as text files, images, videos, documents, or even application code

Question 3

We store objects as key value pairs in S3. Explain what a key and value is..

Answer 3

The key is the unique name
The value is the file ie., text files, images, videos..)

Question 4

How to store data in S3

Answer 4

Objects that can be stored within files that are in bucketes

Question 5

How to create a bucket?

Answer 5

S£ -> Create Bucket -> name, region, config , permissions

NB: Once created, you can create a folder inside the bucket

Question 6

What are the 6 s3 storage classes?

Answer 6

S3 Standard
S3 Intelligent Tiering (unknown access pattern)
S3 Standard Infrequent Access (IA)
S3 One Zone Infrequent Access IA
S3 Glacier
S3 Glacier Deep Archive

Question 7

Name 4 S3 management features

Answer 7

1. Lifecycle policies (automate data management by defining rules to transition, expire and delete objects based on criteria like age or storage class)
2. Versioning (preserve multiple versions of objects to protect against accidental deletions or overwrites)
3. Cross-region replication (automatically replicate the objects from one s3 bucket in another region to enhance durability and disaster recovery or low latency access)
4. Bucket logging (record detailed access logs for your s3 bucket to monitor/audit object-level access, track usage & identify potential security issues)

Question 8

Name the 2 S3 Access Policies?

Answer 8

IAM Policy (fine grained policy for user, group or role)
Bucket policy (broad controls at the bucket level)

Question 9

Can you use conditions in policies?

Answer 9

Yes, conditions are added to JSON ie.,

Action
CreateBucket

Question 10

Name 2 resource-based policies (policies that focus on the control of access to specific resources ie., s3 or objects)?

Answer 10

bucket policies (JSON defines who is allowed/denied access to s3 buckets or objects within it)

Access Control List (manages permissions at the object level)

Question 11

When should we use an IAM policy instead of a Bucket Policy?

Answer 11

Use an IAM policy when you need fine-grained control over access permissions for IAM users, groups or roles when you are managing access across multiple aws services

Question 12

A company wants to control S3 Buckets and its objects, maintain security policies within s3 and grant access for multiple accounts without having to use IAM roles

Should they use Bucket Policies or IAM Policies?

Answer 12

Bucket Policies

Question 13

What is the max IAM policy size for users, groups nd roles

Answer 13

Users - 2kb
Groups - 5kb
Roles - 10kb

Question 14

What is the max size of bucket policies?

Answer 14

20kb

Question 15

Name 4 types of ACL permissions?

Answer 15

Read (list objects)
Write (upload / delete objects)
Read_ACP (read bucket permissions)
Write_ACP (write bucket permissions)

Question 16

By default, access is denied to an object, even without an explicit Deny within any policy

Answer 16

True

There needs to be an Allow policy defined within a bucket policy or ACL

Question 17

What does CORS stand for?

Answer 17

Cross Origin Resource Sharing

Question 18

What is Cross Origin Resource Sharing (CORS)?

Answer 18

CORS is a security mechanism in web browsers that ensures websites can only access resources on other domains if those domains explicitly allow it

Question 19

Name 5 types of S3 Encryption

Answer 19

SSE (server side encryption) …
- S3
- KMS
- C

CSE…
- KSM
- C

Question 20

Describe (Server Side Encryption S3) SSE-S3?

Answer 20

upload data, s3 handles the rest

you know the key exists, but you can’t see it and don’t know anything about it

easiest encryption option, hands off approach

Question 21

Describe SSE-KMS (server side encryption key management service)?

Answer 21

KMS manages keys

You can see the key, control rotation and access

Ie., if you need to be able to rotate the keys every 3 months this is a good option

Question 22

Describe (Server Side Encryption with Customer Provided Keys) SSE-C

Answer 22

Suitable if you need full control over the key for strict requirements

You own and operate everything for this key

Question 23

What is CSE-KMS (Customer Side Encryption Key Management Service)

Answer 23

You need to provide key encrypted on our system or receive Cypher text and decrypt it

• Adds extra layer of protection which is useful for sensitive data ie., financial or personal records or compliance requirements ie., GDPR

Question 24

CSE-C (Client Side Encryption - Customer Provided Keys)

Answer 24

• Encrypt data and keys before you upload to the cloud
• Gives you the highest level of control over your data
• Have to provide a key each time (not just a master key)

Question 25

When would you use S3 Intelligent-Tiering vs Lifecycle Configurations for data management?

Answer 25

S3 Intelligent Tiering to optimise storge costs by using automated tiering

Lifecycle Configurations to follow data retention and archiving policies

Question 26

Name 5 actions you can do as part of lifecycle configuration

Answer 26

• Transition objects to different storage classes
• Delete objects
• Archive objects to Glacier or Deep Archive
• Apply object tags
• Invoke lambda functions

Question 27

For lifecycle configuration, what does it mean to transition objects to different storage classes?

Answer 27

Can move objects from one storage class to another based on a specific criteria

ie., transition objects from the Standard storage class to Glacier storage after 60 days to reduce costs

You could use the <NoncurrentVersionTransition> with <NoncurrentDays> 60 .. and <StorageClass>GLACIER</StorageClass></NoncurrentDays></NoncurrentVersionTransition>

Question 28

For lifecycle configuration, how are objects deleted?

Answer 28

You can configure objects to be deleted when certain conditions are met

using <Expiration> tag with other tags inside such as <days></days></Expiration>

Question 29

For lifecycle configuration, when would you apply object tags?

Answer 29

You would use tags to help categorize and manage objects in S3

ie.,

<tag> with <key> and <value> inside
</value></key></tag>

Question 30

For the stage of the lifecycle configuration when you invoke a lambda function, how would you do it?

Answer 30

You would use the <LambdaFunctionArn> tag and specifiy the ARN (unique id) of the lambda function</LambdaFunctionArn>

Question 31

What is an IAM policy?

Answer 31

An IAM policy is attached to a user, group or role.

IAM policies have a name and are defined by a Policy Document that is written in JSON format that specifies:
- effect (allow / deny)
- action (api operation)
- resoucre (s3 buckets / ec2 instances)

Question 32

Name the 3 key advantages S3 is designed for?

Answer 32

SAD

Scalabiity
Availability
Durability

Because its available across multiple Availability Zones, automatic load distribution and 99.9…% durability

Question 33

When do you use a bucket policy over a IAM policy

Answer 33

Use a bucket policy when you want to enforce bucket wide access controls, manage public access to objects, configure cors or simplify access management for your s3 bucket

Question 34

Why would you turn on versioning for s3?

Answer 34

To keep older versions for rollback scenario

You need to turn it on, but you will need to pay for each version

Think of some use cases for versioning

Question 35

You need to decide whether object, file or block is best solution for storage

Question 36

What is S3 is object storage commonly used for?

Answer 36

Write once read many (WORM)

S3 supports read and write operations. It is designed to provide highly scalable, durable, and secure object storage. While it does allow for the overwriting and deletion of objects, S3 is often used for scenarios where data is written once and then frequently read. This makes it suitable for various use cases, such as data backup, archiving, data lakes, content distribution, and static website hosting.

Question 37

What do you use for object level logging?

Answer 37

Cloud trail

Question 38

Why use transfer accelation?

Answer 38

It uses an edge location to get your data into the aws location quickly

You pay extra to use it

Question 39

How do we use policies in aws so right and wrong people can access what we have stored in s3

Answer 39

• IAM policies (users, roles, groups)
• Bucket policies
• ACLs (AWS accounts or groups. Can be applied at bucket or object level)

Question 40

When and why do we use CORS with S3

Answer 40

We use CORS with S3 buckets in AWS to allow web pages from a different domain to access resources in your S3 bucket.

Ie., web application running on one domain that needs to access resources, such as images or files, stored in an S3 bucket on another domain.

By configuring CORS, you can specify which origins are permitted to access your S3 resources, thereby controlling and securing cross-origin requests.

Question 41

What is the purpose is life cycle configuration?

Answer 41

It let’s us set rules for objects that sit in S3

ie., to move objects to different storage classes

it’s free , reduces overhead

Question 42

Can you bring objects in S3 storage to more expensive storage ie., glacier to standard infrequent access

Answer 42

No you can only push it deeper into cheaper storage options, not bring it forward to more expensive storage

Question 43

What is difference with EBS storage and S3 storage and EFS?

Answer 43

EBS is low level storage blocks on hard disks so we look at bits and bytes. It’s very fast.

S3 is high level storage. object level storage.

Think of EFS as a shared drive

Question 44

IOPS vs standard SSD

Answer 44

IOPS - time taken to process read / write requests

SSD - storage

Question 45

What do you do if pdfs are stored in an S3 bucket. These objects are rarely accessed after 30 days. Not needed after 60 days, but need to be stored.

What is the most cost effective way to meet these requirements?

Answer 45

Create a lifecycle rule to move objects from S3 to S3 standard IA (after 30 days) and then to Glacier Deep Archieve (after 60 days)

Question 46

A company is required by law to protect s3 data at rest from loss.

What is AUTOMATICALLY executed by AWS and the user does NOT need to enable?

Answer 46

Data replication

Question 47

Does a user need to enable s3 bucket versioning?

Answer 47

Yes because you pay for the extra versions you store

Question 48

Developing app processes logs for security org using s3 and lambda. customer wants to use their exisiting master key

What is best SERVER SIDE ENCRYPTION method for this?

SSE-C or SSE-KMS

Answer 48

SSE KMS because Master key

Not SSE-C because you’d need to upload key each time

Question 49

Developing an app which transfers files across long distance between client storage and an s3 bucket

How do you send data using S3 transfer acceleration

Answer 49

1. Turn on s3 transfer acceleration for the bucket
2. Use the new accelerate endpoints to transfer your data

Question 50

What 2 s3 features can provide info on who is accessing buckets and be notified of delete actions

Answer 50

1. Enable s3 server access logs on buckets
2. Turn on S3 Event notifications for delete actions

Question 51

What should we use for unknown access pattern

Answer 51

s3 intelligent tiring