Storage Flashcards

1
Q

What is S3?

A

S3 uses buckets to organize & store objects

2
Q

Give some examples of objects that can be stored in S3

A

Files such as text files, images, videos, documents, or even application code

3
Q

We store objects as key-value pairs in S3. Explain what a key and a value are.

A

The key is the unique name.
The value is the file (i.e., text files, images, videos...).

4
Q

How do you store data in S3?

A

As objects, which are stored in buckets.

5
Q

How to create a bucket?

A

S3 -> Create Bucket -> name, region, config, permissions

NB: Once created, you can create a folder inside the bucket

6
Q

What are the 6 S3 storage classes?

A

S3 Standard
S3 Intelligent Tiering (unknown access pattern)
S3 Standard Infrequent Access (IA)
S3 One Zone Infrequent Access (IA)
S3 Glacier
S3 Glacier Deep Archive

7
Q

Name 4 S3 management features

A
  1. Lifecycle policies (automate data management by defining rules to transition, expire and delete objects based on criteria like age or storage class)
  2. Versioning (preserve multiple versions of objects to protect against accidental deletions or overwrites)
  3. Cross-region replication (automatically replicate the objects from one S3 bucket to a bucket in another region to enhance durability and disaster recovery, or for low-latency access)
  4. Bucket logging (record detailed access logs for your S3 bucket to monitor/audit object-level access, track usage and identify potential security issues)
8
Q

Name the 2 S3 access policy types.

A

IAM Policy (fine grained policy for user, group or role)
Bucket policy (broad controls at the bucket level)

9
Q

Can you use conditions in policies?

A

Yes, conditions are added to the policy JSON, e.g.:

Action
CreateBucket

10
Q

Name 2 resource-based policies (policies that control access to specific resources, i.e., S3 buckets or objects).

A

Bucket policies (JSON that defines who is allowed/denied access to S3 buckets or the objects within them)

Access Control List (manages permissions at the object level)

11
Q

When should we use an IAM policy instead of a Bucket Policy?

A

Use an IAM policy when you need fine-grained control over access permissions for IAM users, groups or roles, or when you are managing access across multiple AWS services.

12
Q

A company wants to control S3 buckets and their objects, maintain security policies within S3 and grant access to multiple accounts without having to use IAM roles.

Should they use Bucket Policies or IAM Policies?

A

Bucket Policies

13
Q

What is the max IAM policy size for users, groups and roles?

A

Users - 2 KB
Groups - 5 KB
Roles - 10 KB

14
Q

What is the max size of bucket policies?

A

20 KB

15
Q

Name 4 types of ACL permissions.

A

Read (list objects)
Write (upload / delete objects)
Read_ACP (read bucket permissions)
Write_ACP (write bucket permissions)

16
Q

By default, access to an object is denied, even without an explicit Deny in any policy.

A

True

There needs to be an Allow defined within a bucket policy or ACL.

17
Q

What does CORS stand for?

A

Cross Origin Resource Sharing

18
Q

What is Cross Origin Resource Sharing (CORS)?

A

CORS is a security mechanism in web browsers that ensures websites can only access resources on other domains if those domains explicitly allow it.

19
Q

Name 5 types of S3 encryption.

A

SSE (server side encryption):
- S3
- KMS
- C

CSE (client side encryption):
- KMS
- C

20
Q

Describe SSE-S3 (Server Side Encryption - S3).

A

Upload data; S3 handles the rest.

You know the key exists, but you can’t see it and don’t know anything about it.

Easiest encryption option, hands-off approach.

21
Q

Describe SSE-KMS (Server Side Encryption with Key Management Service).

A

KMS manages the keys.

You can see the key and control rotation and access.

E.g., if you need to be able to rotate the keys every 3 months, this is a good option.

22
Q

Describe SSE-C (Server Side Encryption with Customer-Provided Keys).

A

Suitable if you need full control over the key for strict requirements.

You own and operate everything for this key.

23
Q

What is CSE-KMS (Client Side Encryption with Key Management Service)?

A

You need to provide the key encrypted on your system, or receive the ciphertext and decrypt it.

  • Adds an extra layer of protection, which is useful for sensitive data (e.g., financial or personal records) or compliance requirements (e.g., GDPR)
24
Q

What is CSE-C (Client Side Encryption with Customer-Provided Keys)?

A
  • Encrypt data and keys before you upload to the cloud
  • Gives you the highest level of control over your data
  • Have to provide a key each time (not just a master key)
25
Q

When would you use S3 Intelligent-Tiering vs Lifecycle Configurations for data management?

A

S3 Intelligent-Tiering to optimise storage costs by using automated tiering.

Lifecycle Configurations to follow data retention and archiving policies.

26
Q

Name 5 actions you can take as part of a lifecycle configuration.

A
  • Transition objects to different storage classes
  • Delete objects
  • Archive objects to Glacier or Deep Archive
  • Apply object tags
  • Invoke Lambda functions
27
Q

For lifecycle configuration, what does it mean to transition objects to different storage classes?

A

You can move objects from one storage class to another based on specific criteria.

E.g., transition objects from the Standard storage class to Glacier storage after 60 days to reduce costs.

For noncurrent versions you could use <NoncurrentVersionTransition> with <NoncurrentDays> and <StorageClass> nested inside it:

<NoncurrentVersionTransition>
  <NoncurrentDays>60</NoncurrentDays>
  <StorageClass>GLACIER</StorageClass>
</NoncurrentVersionTransition>

28
Q

For lifecycle configuration, how are objects deleted?

A

You can configure objects to be deleted when certain conditions are met,

using the <Expiration> tag with other tags nested inside it, such as <Days>.

29
Q

For lifecycle configuration, when would you apply object tags?

A

You would use tags to help categorize and manage objects in S3.

E.g.,

a <Tag> element with <Key> and <Value> nested inside it.

30
Q

For the stage of the lifecycle configuration where you invoke a Lambda function, how would you do it?

A

You would use the <LambdaFunctionArn> tag and specify the ARN (unique ID) of the Lambda function inside it.

31
Q

What is an IAM policy?

A

An IAM policy is attached to a user, group or role.

IAM policies have a name and are defined by a Policy Document, written in JSON format, that specifies:
- effect (Allow / Deny)
- action (API operation)
- resource (S3 buckets / EC2 instances)

32
Q

Name the 3 key advantages S3 is designed for.

A

SAD

Scalability
Availability
Durability

Because it is available across multiple Availability Zones, with automatic load distribution and 99.9…% durability.

33
Q

When do you use a bucket policy over an IAM policy?

A

Use a bucket policy when you want to enforce bucket-wide access controls, manage public access to objects, configure CORS or simplify access management for your S3 bucket.

34
Q

Why would you turn on versioning for S3?

A

To keep older versions for rollback scenarios.

You need to turn it on, but you will need to pay for each version.

Think of some use cases for versioning.

35
Q

You need to decide whether object, file or block storage is the best solution.

A
36
Q

What is S3 object storage commonly used for?

A

Write once read many (WORM)

S3 supports read and write operations. It is designed to provide highly scalable, durable, and secure object storage. While it does allow for the overwriting and deletion of objects, S3 is often used for scenarios where data is written once and then frequently read. This makes it suitable for various use cases, such as data backup, archiving, data lakes, content distribution, and static website hosting.

37
Q

What do you use for object level logging?

A

CloudTrail

38
Q

Why use Transfer Acceleration?

A

It uses an edge location to get your data into the AWS region quickly.

You pay extra to use it.

39
Q

How do we use policies in AWS so that the right people, and not the wrong ones, can access what we have stored in S3?

A
  • IAM policies (users, roles, groups)
  • Bucket policies
  • ACLs (AWS accounts or groups. Can be applied at bucket or object level)
40
Q

When and why do we use CORS with S3?

A

We use CORS with S3 buckets in AWS to allow web pages from a different domain to access resources in your S3 bucket.

E.g., a web application running on one domain that needs to access resources, such as images or files, stored in an S3 bucket on another domain.

By configuring CORS, you can specify which origins are permitted to access your S3 resources, thereby controlling and securing cross-origin requests.

41
Q

What is the purpose of lifecycle configuration?

A

It lets us set rules for objects that sit in S3,

e.g., to move objects to different storage classes.

It’s free and reduces overhead.

42
Q

Can you bring objects in S3 back to a more expensive storage class, e.g., from Glacier to Standard Infrequent Access?

A

No, you can only push them deeper into cheaper storage options, not bring them forward to more expensive storage.

43
Q

What is the difference between EBS storage, S3 storage and EFS?

A

EBS is low-level block storage on hard disks, so we look at bits and bytes. It’s very fast.

S3 is high-level, object-level storage.

Think of EFS as a shared drive.

44
Q

IOPS vs standard SSD

A

IOPS - time taken to process read / write requests

SSD - storage

45
Q

PDFs are stored in an S3 bucket. These objects are rarely accessed after 30 days and are not needed after 60 days, but they still need to be stored.

What is the most cost effective way to meet these requirements?

A

Create a lifecycle rule to move objects from S3 Standard to S3 Standard IA (after 30 days) and then to Glacier Deep Archive (after 60 days).

46
Q

A company is required by law to protect S3 data at rest from loss.

What is AUTOMATICALLY executed by AWS and the user does NOT need to enable?

A

Data replication

47
Q

Does a user need to enable S3 bucket versioning?

A

Yes, because you pay for the extra versions you store.

48
Q

You are developing an app that processes logs for a security org using S3 and Lambda. The customer wants to use their existing master key.

What is the best SERVER SIDE ENCRYPTION method for this?

SSE-C or SSE-KMS?

A

SSE-KMS, because of the master key.

Not SSE-C, because you’d need to upload the key each time.

49
Q

You are developing an app which transfers files over a long distance between client storage and an S3 bucket.

How do you send data using S3 Transfer Acceleration?

A
  1. Turn on S3 Transfer Acceleration for the bucket
  2. Use the new accelerate endpoints to transfer your data
50
Q

What 2 S3 features can provide info on who is accessing buckets and notify you of delete actions?

A
  1. Enable S3 server access logs on buckets
  2. Turn on S3 Event Notifications for delete actions
51
Q

What should we use for an unknown access pattern?

A

S3 Intelligent-Tiering