Storage & Data Management Flashcards
It can be used to manage your objects so that they are stored using the most cost-effective S3 option throughout their lifecycle.
S3 Lifecycle Policies
What should you use in order to protect against accidental or malicious deletions of your version-controlled S3 buckets?
MFA Delete.
Why do you need a valid code from your MFA device?
- to enable permanent deletion of an S3 object.
- to suspend or reactivate versioning on the S3 bucket.
What can be used to Encrypt data in transit to s3?
SSL/TLS
Encrypts data between your PC and S3. (https)
What are the two different types of Encryption At-Rest for S3?
Server Side Encryption
Client Side Encryption
Three ways of Server Side Encryption for S3:
SSE-S3
SSE-KMS
SSE-C
Can a client encrypt data before uploading it to s3?
Yes!
By using Client side encryption.
Characteristics of SSE-S3:
- AWS takes care of everything; you don’t need to worry about it.
- S3 Managed Keys
- AES256
Characteristics of SSE-KMS:
- KMS managed Keys
- Envelope key → The key that encrypts your data’s encryption key.
- Audit trail → records the use of your encryption key.
Characteristics of SSE-C:
- AWS manages the encryption and decryption activities
- Client manages the keys used, including key rotation.
- x-amz-server-side-encryption: AES256
- x-amz-server-side-encryption: aws:kms
What do these parameters do?
When one of these parameters is included in the header of the PUT request, it tells S3 to encrypt the object at the time of upload using the specified encryption method.
How can you enforce the use of SSE for S3?
By using a bucket policy which denies any S3 PUT request that doesn’t include the x-amz-server-side-encryption parameter in the request header.
S3
Durable, immediately available, frequently accessed
S3 Standard
S3
Durable, immediately available, infrequently accessed
S3 IA
S3
Durable, immediately available, infrequently accessed, data stored in a single AZ
S3 One Zone IA
S3
Data that is easily reproducible, such as thumbnails
S3 Reduced Redundancy Storage
S3
Archived data, where you can wait 3 - 5 hours before accessing the data
S3 Glacier
What do these represent?
- Key (name)
- Value (data)
- Version ID
- Metadata
- Subresources - bucket-specific configuration:
  - Bucket policies, ACL
  - CORS - used to enable different resources within AWS to access your S3 buckets
Core fundamentals of an S3 object
Which types of root volumes can be used for EC2 instances?
EBS
Instance Store
True or False
The only time an instance store persists data is when the instance is rebooted, intentionally or not.
True
What’s the best practice to follow when changing EC2 volume type?
- Stop the instance
- Take a snapshot of the volume
- Use the snapshot to create a new volume
KMS or CloudHSM?
- Shared hardware, multi-tenant managed service
- Suitable for applications for which multi-tenancy is not an issue
- Free-tier eligible
- Encrypt data stored in AWS, including EBS volumes, S3, RDS, DynamoDB, etc.
- Symmetric Keys only.
KMS
KMS or CloudHSM?
- Dedicated Hardware Security Module instance, hardware is not shared with other tenants, no Free-tier
- It’s under your exclusive control within your own VPC
- FIPS 140-2 Level 3 Compliance (US Government standard for HSMs)
- Includes tamper-evident physical security mechanisms
- Suitable for applications which have a contractual or regulatory requirement for dedicated hardware managing cryptographic keys
- Symmetric or Asymmetric keys.
CloudHSM
What is Block device mapping?
Specifies which EBS volumes to attach to the instance at launch time.
True or False
AMIs are global; you can use them anywhere.
False
AMIs are regional, in order to use the AMI in another region, one must copy the AMI before using it.
How does sharing AWS AMIs work?
- The sharing account still has control and ownership of the AMI
- The owner is still charged for storage of the AMI within their AWS account
- It’s normally stored on S3
How does copying AWS AMIs work?
- The owner of the source AMI must grant you read permissions for the storage that backs the AMI (EBS snapshot or S3)
- If you copy the AMI, you are going to be charged for storing that copy.
What are two limitations for copying AMIs?
- You cannot directly copy an encrypted AMI shared by another account.
  - Copy the snapshot and re-encrypt it using your own key.
  - The sharing account must also share with you the underlying snapshot and the encryption key used to create the AMI.
- You cannot directly copy an AMI with an associated billingProducts code (license fee).
  - Launch an EC2 instance using the shared AMI and create an AMI from that instance.
What’s the difference between Snowball and Snowball Edge?
Snowball:
- Only used for transport
- TB or PB of data
Snowball Edge:
- 100TB device
- Adds the additional capability to run simple computing functions on the device
__________ _____________ consists of an on-premises software appliance, and this connects with AWS cloud-based storage to give you a seamless and secure integration between your on-premises IT environment and AWS.
Storage Gateway
Three types of Storage Gateway:
File Gateway
Volume Gateway
Tape Gateway
Which type of Storage Gateway is this?
- Store and retrieve objects in S3 Buckets
- Access using NFS or SMB protocols
- The software appliance, or gateway, is deployed into your on-premises environment as a virtual machine running on VMware ESXi or Microsoft Hyper-V hypervisor.
- All the benefits of S3: bucket policies, S3 versioning, lifecycle management, replication, etc.
- Low-cost alternative to on-premises storage.
File Gateway
Which type of Storage Gateway is this?
- Provides block storage to your on-premises apps with low latency via iSCSI
- It uses S3 buckets for point-in-time snapshots of your EBS Volumes
- Two types of Volume Gateways:
1. Stored volumes
2. Cached volumes
Volume Gateway
- Store all your data locally and only back up to AWS
- Low-latency access to your entire dataset.
- You will need your own storage infrastructure as all data is stored locally in your data center
- It provides asynchronous backups in the form of EBS snapshots which are stored in S3.
Volume Gateway - Stored volumes
- Store your data in S3 and cache frequently accessed data locally (in your storage gateway)
- You only need enough local storage capacity to store the frequently accessed data
- Applications still get low-latency access to frequently used data
Volume Gateway - Cached volumes
Which type of Storage Gateway is this?
- It’s a Virtual Tape Library (VTL) which provides cost-effective data archiving in the cloud using Glacier
- It integrates with existing tape backup infrastructure - NetBackup, Backup Exec, Veeam, etc. which connect to the VTL using iSCSI
- Data is stored on virtual tapes which are stored in Glacier and accessed using the VTL
Tape Gateway
- Interactive query service
- Enables you to analyse and query data located in S3 using standard SQL
- Serverless
- Pay per query / per TB scanned
- No need for ETL processes
- Works directly with data stored in S3
Athena
Which AWS service should you use in order to:
- Query log files stored in S3
  - ELB logs
  - S3 access logs
- Generate business reports on data stored in S3
- Analyse AWS costs and Usage reports
- Run queries on click-stream data
Athena
Characteristics of EFS:
- Managed Network File System
- Standard NFS Protocol
- Used by Linux Systems
- Multiple EC2 Instances can access
- Great for applications that need to access shared files
- Lifecycle Management
  - Automatically moves files that have not been accessed recently to the EFS IA storage class
- Encryption
  - At rest
  - In transit