Storage & Data Management

Question 1

It can be used to manage your objects so that they are stored using the most cost effective S3 option throughout their lifecycle.

Answer 1

S3 Lifecycle Policies

Question 2

What should you use in order to protect against accidental or malicious deletions of your version-controlled S3 buckets?

Answer 2

MFA Delete.

Question 3

Why do you need a valid code from your MFA device?

Answer 3

• to enable permanent deletion of an S3 object.

- to suspend or reactivate versioning on the S3 bucket.

Question 4

What can be used to Encrypt data in transit to s3?

Answer 4

SSL/TLS

Encrypts data between your PC and S3. (https)

Question 5

What are the two different types of Encryption At-Rest for S3?

Answer 5

Server Side Encryption

Client Side Encryption

Question 6

Three ways of Server Side Encryption for S3:

Answer 6

SSE-S3
SSE-KMS
SSE-C

Question 7

Can a client encrypt data before uploading it to s3?

Answer 7

Yes!

By using Client side encryption.

Question 8

Characteristics of SSE-S3:

Answer 8

• AWS Takes care of everything, you don’t need to worry about it.
• S3 Managed Keys
• AES256

Question 9

Characteristics of SSE-KMS:

Answer 9

• KMS managed Keys
• Envelope key → The key that encrypts your data’s encryption key.
• Audit trail → records the use of your encryption key.

Question 10

Characteristics of SSE-C:

Answer 10

• AWS manages the encryption and decryption activities
• Client manages the keys used.
• Rotation and all.

Question 11

• x-amz-server-side-encryption: AES256
• x-amz-server-side-encryption: ams:kms

What do these parameters do?

Answer 11

When these parameters are included in the header of the PUT request, it simply tells S3 to encrypt the objects at the time of upload and using the specified encryption method.

Question 12

How can you enforce the use of SSE for S3?

Answer 12

By using a bucket policy which denies any S3 PUT request which doesn’t include the x-amz-server-side-encryption parameter in the request header.

Question 13

S3

Durable, immediately available, frequently accessed

Answer 13

S3 Standard

Question 14

S3

Durable, immediately available, infrequently accessed

Answer 14

S3 IA

Question 15

S3

Durable, immediately available, infrequently accessed, data store in a single AZ

Answer 15

S3 One Zone IA

Question 16

S3

Data that is easily reproducible, such as thumbnails

Answer 16

S3 Reduced Redundancy Storage

Question 17

S3

Archived data, where you can wait 3 - 5 hours before accessing the data

Answer 17

S3 Glacier

Question 18

What do these represent?

• Key (name)
• Value (data)
• Version ID
• Metadata
• Subresources - bucket specific configuration:
  
  • Bucket policies, ACL
  • CORS - used to enable different resources within AWS to access your S3 buckets

Answer 18

Core fundamentals of an S3 object

Question 19

Which types of root volumes can be used for EC2 instances?

Answer 19

EBS

Instance Store

Question 20

True or False

The only time instance store persists data is when the instance is rebooted intentionally or not.

Answer 20

True

Question 21

What’s the best practice to follow when changing EC2 volume type?

Answer 21

1. Stop the instance
2. Take a snapshot of the volume
3. Use the snapshot to create a new volume

Question 22

KMS or CloudHSM?

• Shared hardware, multi-tenant managed service
• Suitable for applications for which multi-tenancy is not an issue
• Free-tier eligible
• Encrypt data store in AWS, including EBS volumes, S3, RDS, DynamoDB, etc.
• Symmetric Keys only.

Answer 22

KMS

Question 23

KMS or CloudHSM?

• Dedicated Hardware Security Module instance, hardware is not shared with other tenants, no Free-tier
• It’s under your exclusive control within your own VPC
• FIPS 140-2 Level 3 Compliance (US Government standard for HSMs)
  
  • Includes tamper-evident physical security mechanisms
• Suitable for applications which have a contractual or regulatory requirement for dedicated hardware managing cryptographic keys
• Symmetric or Asymmetric keys.

Answer 23

CloudHSM

Question 24

What is Block device mapping?

Answer 24

specifies which EBS volumes to attach to the instance at launch time

Question 25

True or False

AMIs are global, you can use it anywhere.

Answer 25

False

AMIs are regional, in order to use the AMI in another region, one must copy the AMI before using it.

Question 26

How does sharing AWS AMIs work?

Answer 26

• The sharing account still has control and ownership of the AMI
• The owner is still charged for storage of the AMI within their AWS account
• It’s normally stored on S3

Question 27

How does copying AWS AMIs work?

Answer 27

• The owner of the source AMI must grant you read permissions for the storage that backs the AMI (EBS snapshot or S3)
• If you copy the AMI, you are going to be charged for storing that copy.

Question 28

What are two limitations for copying AMIs?

Answer 28

1. You cannot directly copy an encrypted AMI shared by another account.
   - Copy the snapshot and re-encrypt using your own key
   - The sharing account must also share with you the underlying snapshot and encryption key used to create the AMI.
2. You cannot directly copy an AMI with an associated billingProducts code (license fee)
   - Launch an EC2 instance using the shared AMI and create an AMI from that instance.

Question 29

What’s the difference between Snowball and Snowball Edge?

Answer 29

Snowball:
- Only used for transport 
- TB or PB of data
Snowball edge:
- 100TB device
- Add additional capability to run simple computing functions on the device

Question 30

__________ _____________ consists of an on-premises software appliance, and this connects with AWS cloud-based storage to give you a seamless and secure integration between your on-premises IT environment and AWS.

Answer 30

Storage Gateway

Question 31

Three types of Storage Gateway:

Answer 31

File Gateway
Volume Gateway
Tape Gateway

Question 32

Which type of Storage Gateway is this?

• Store and retrieve objects in S3 Buckets
• Access using NFS or SMB protocols
• The software appliance, or gateway, is deployed into your on-premises environment as a virtual machine running on VMware ESXi or Microsoft Hyper-V hypervisor.
• All the benefits of S3: bucket policies, S3 versioning, lifecycle management, replication, etc.
• Low-cost alternative to on-premises storage.

Answer 32

File Gateway

Question 33

Which type of Storage Gateway is this?

• Provides block storage to your on-premises apps with low-latency via the iSCSI
• It uses S3 buckets for point-in-time snapshots of your EBS Volumes
• Two types of Volume Gateways:
  1. Stored volumes
  2. Cached volumes

Answer 33

Volume Gateway

Question 34

• Store all your data locally and only backup to AWS
• Low-latency access to your entire dataset.
• You will need your own storage infrastructure as all data is stored locally in your data center
• It provides async backups in the form of EBS snapshots which are stored in S3.

Answer 34

Volume Gateway - Stored volumes

Question 35

• Store your data in S3 and cache frequently accessed data locally (in your storage gateway)
• You only need enough local storage capacity to store the frequently accessed data
• Application still get low-latency access to frequently used data

Answer 35

Volume Gateway - Cached volumes

Question 36

Which type of Storage Gateway is this?

• It’s a Virtual Tape Library which provides cost effective data archiving in the cloud using Glacier
• It integrates with existing tape backup infrastructure - NetBackup, Backup Exec, Veeam, etc. which connect to the VTL using iSCSI
• Data is stored on virtual tapes which are stored in Glacier and accessed using the VTL

Answer 36

Tape Gateway

Question 37

• Interactive query service
• Enables you to analyse and query data located in S3 using standard SQL
• Serverless
• Pay per query/ per TB scanned
• No need for ETL processes
• Works directly with data stored in S3

Answer 37

Athena

Question 38

Which AWS service should you use in order to:

• Query log files stored in S3
  
  • ELB logs
  • S3 access logs
• Generate business reports on data stored in S3
• Analyse AWS costs and Usage reports
• Run queries on click-stream data

Answer 38

Athena

Question 39

Characteristics of EFS:

Answer 39

• Managed Network File System
• Standard NFS Protocol
• Used by Linux Systems
• Multiple EC2 Instances can access
• Great for applications that need to access shared files
• Lifecycle Management
• Automatically moves files that have not beed accessed recently to EFS IA storage class
• Encryption
• At rest
• in transit