Study Guide - Chapter 1-2 - S3 Flashcards

Notes from the Sybex study guide

1
Q

Types of compliance in AWS

A
  • Service Organization Controls (SOC) 1/International Standard on Assurance Engagements (ISAE) 3402, SOC 2, and SOC 3
  • Federal Information Security Management Act (FISMA), Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), and Federal Risk and Authorization Management Program (FedRAMP)
  • Payment Card Industry Data Security Standard (PCI DSS) Level 1
  • International Organization for Standardization (ISO) 9001, ISO 27001, and ISO 27018
2
Q

What languages does Elastic Beanstalk support?

A

PHP, Java, Python, Ruby, Node.js, .NET, and Go.

3
Q

Name some EBS facts

A
  • persistent block-level storage volumes
  • each volume is automatically replicated within its Availability Zone
  • low-latency performance
4
Q

How does Storage Gateway work?

A

It provides low-latency performance by maintaining a cache of frequently accessed data on-premises while securely storing all of your data encrypted in Amazon S3 or Amazon Glacier.

5
Q

Why use DynamoDB?

A

A fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a great fit for mobile, web, gaming, ad-tech, Internet of Things, and many other applications.

6
Q

What is CloudTrail?

A

A web service that records AWS API calls for an account and delivers log files for audit and review.

7
Q

Common use cases for S3

A

  • Backup and archive for on-premises or cloud data
  • Content, media, and software storage and distribution
  • Big data analytics
  • Static website hosting
  • Cloud-native mobile and Internet application hosting
  • Disaster recovery

8
Q

S3 storage classes

A

General purpose, infrequent access, and archive.

9
Q

How does block storage operate?

A

Block storage operates at a lower level—the raw storage device level—and manages data as a set of numbered, fixed-size blocks.

10
Q

How does file storage operate?

A

File storage operates at a higher level—the operating system level—and manages data as a named hierarchy of files and folders.

11
Q

What protocols does block storage (SAN, Storage Area Network) use?

A

iSCSI or Fibre Channel

12
Q

What protocols does file storage (NAS, Network Attached Storage) use?

A

Common Internet File System (CIFS) or Network File System (NFS)

13
Q

What protocol does S3 use?

A

An Application Programming Interface (API) built on standard HTTP verbs

14
Q

An S3 ______ contains both data and metadata

A

object

15
Q

Objects reside in containers called ______

A

buckets

16
Q

How are S3 objects identified?

A

By unique, user-specified keys (the filename)

17
Q

Amazon S3 objects are automatically replicated on multiple devices in multiple facilities within a region. T or F?

A

True

18
Q

Amazon S3 automatically partitions buckets to support very high request rates and simultaneous access by many clients. T or F?

A

True

19
Q

Which storage option provides network-attached shared file storage (NAS storage) using the NFS v4 protocol?

A

Amazon Elastic File System (AWS EFS)

20
Q

Which storage option provides block-level storage for Amazon Elastic Compute Cloud (Amazon EC2) instances?

A

EBS

21
Q

Bucket names can contain:

A

Up to 63 characters, consisting of lowercase letters, numbers, hyphens, and periods.

22
Q

How many buckets can you have per account by default?

A

100

23
Q

Best practice

A

It is a best practice to use bucket names that contain your domain name and conform to the rules for DNS names. This ensures that your bucket names are your own, can be used in all regions, and can host static websites.

24
Q

What sizes can S3 objects be?

A

0 bytes to 5 TB

25
Q

How many objects can a single bucket store?

A

Unlimited

26
Q

What is included in system metadata?

A

The date last modified, object size, MD5 digest, and HTTP Content-Type.

27
Q

When can you create user metadata on an object?

A

Only at the time the object is created.

28
Q

An S3 key consists of what?

A

Up to 1024 bytes of Unicode UTF-8 characters, including embedded slashes, backslashes, dots, and dashes.

29
Q

What is the URL format of S3?

A

http://mybucket.s3.amazonaws.com/jack.doc
http://mybucket.s3.amazonaws.com/fee/fi/fo/fum/jack.doc

30
Q

Is there a file or folder hierarchy in S3?

A

There is no actual file and folder hierarchy. A key may contain delimiter characters like slashes or backslashes to help you name and logically organize your Amazon S3 objects, but to Amazon S3 it is simply a long key name in a flat namespace. For convenience, the Amazon S3 console and the Prefix and Delimiter feature allow you to navigate within an Amazon S3 bucket as if there were a folder hierarchy. However, remember that a bucket is a single flat namespace of keys with no structure.

31
Q

The S3 API includes:

A

  • Create/delete a bucket
  • Write an object
  • Read an object
  • Delete an object
  • List keys in a bucket

32
Q

What type of API does S3 use?

A

A REST (Representational State Transfer) API. It uses standard HTTP or HTTPS requests to create and delete buckets, list keys, and read and write objects.

33
Q

How does REST work in S3?

A

REST maps standard HTTP “verbs” (HTTP methods) to the familiar CRUD (Create, Read, Update, Delete) operations. Create is HTTP PUT (and sometimes POST); read is HTTP GET; delete is HTTP DELETE; and update is HTTP POST (or sometimes PUT).

34
Q

Best practice

A

Always use HTTPS for Amazon S3 API requests to ensure that your requests and data are secure.

35
Q

What are some of the high level interfaces people use to interact with S3 instead of the REST interface itself?

A

These include the AWS Software Development Kits (SDKs) (wrapper libraries) for iOS, Android, JavaScript, Java, .NET, Node.js, PHP, Python, Ruby, Go, and C++, the AWS Command Line Interface (CLI), and the AWS Management Console.

36
Q

What does durability mean according to AWS?

A

Durability addresses the question, “Will my data still be there in the future?”

37
Q

What does availability mean according to AWS?

A

Availability addresses the question, “Can I access my data right now?”

38
Q

How many 9s of DURABILITY of objects over a given year is Amazon S3 storage designed for?

A

99.999999999% (11 nines in total). Amazon S3 achieves high durability by automatically storing data redundantly on multiple devices in multiple facilities within a region. It is designed to sustain the concurrent loss of data in two facilities without loss of user data. Amazon S3 provides a highly durable storage infrastructure designed for mission-critical and primary data storage.

39
Q

How many 9s of AVAILABILITY of objects over a given year is Amazon S3 storage designed for?

A

99.99% (4 nines in total)

40
Q

If high durability is not required, what is the best storage to use?

A

RRS - Reduced Redundancy Storage

41
Q

What durability does RRS offer?

A

99.99% with a lower cost of storage

42
Q

Best Practice

A

Even though Amazon S3 storage offers very high durability at the infrastructure level, it is still a best practice to protect against user-level accidental deletion or overwriting of data by using additional features such as versioning, cross-region replication, and MFA Delete.

43
Q

Why is S3 considered an eventually consistent system?

A

Because your data is automatically replicated across multiple servers and locations within a region, changes to your data may take some time to propagate to all locations. As a result, there are some situations where information that you read immediately after an update may return stale data.

44
Q

What is meant by an eventually consistent system?

A

Eventual consistency means that if you PUT new data to an existing key, a subsequent GET might return the old data. Similarly, if you DELETE an object, a subsequent GET for that object might still read the deleted object. In all cases, updates to a single key are atomic—for eventually-consistent reads, you will get the new data or the old data, but never an inconsistent mix of data.

45
Q

For PUTs to new objects…

A

Amazon S3 provides read-after-write consistency.

46
Q

For PUTs to existing objects (object overwrite to an existing key) and for object DELETEs…

A

Amazon S3 provides eventual consistency.

47
Q

Types of controls put on S3

A

Coarse-grained access controls (Amazon S3 Access Control Lists [ACLs]) and fine-grained access controls (Amazon S3 bucket policies, AWS Identity and Access Management [IAM] policies, and query-string authentication).

48
Q

S3 ACLs allow you to grant:

A

READ, WRITE, or FULL-CONTROL at the object or bucket level. ACLs are a legacy access control mechanism, created before IAM existed. ACLs are best used today for a limited set of use cases, such as enabling bucket logging or making a bucket that hosts a static website be world-readable.

49
Q

Differences between IAM policies and S3 policies:

A

S3 bucket policies are associated with the bucket resource instead of an IAM principal. They include an explicit reference to the IAM principal in the policy. This principal can be associated with a different AWS account, so Amazon S3 bucket policies allow you to assign cross-account access to Amazon S3 resources.

50
Q

What does a bucket policy, in effect, let you do in S3?

A

You can specify who can access the bucket, from where (by Classless Inter-Domain Routing [CIDR] block or IP address), and during what time of day.

51
Q

Can IAM policies be associated directly with IAM principals?

A

Yes.

52
Q

What do the prefix and delimiter parameters do in S3?

A

They let you organize, browse, and retrieve the objects within a bucket hierarchically. Typically, you would use a slash (/) or backslash (\) as a delimiter and then use key names with embedded delimiters to emulate a file and folder hierarchy within the flat object key namespace of a bucket.

53
Q

What are the S3 storage classes?

A

  • Standard
  • Intelligent-Tiering (S3 Intelligent-Tiering)
  • Standard – Infrequent Access (Standard-IA)
  • One Zone-Infrequent Access (S3 One Zone-IA)
  • Reduced Redundancy Storage (RRS)
  • Amazon Glacier
  • Glacier Deep Archive (S3 Glacier Deep Archive)

54
Q

Amazon S3 Standard (S3 Standard)

A

S3 Standard offers high durability, availability, and performance object storage for frequently accessed data. Because it delivers low latency and high throughput, S3 Standard is appropriate for a wide variety of use cases, including cloud applications, dynamic websites, content distribution, mobile and gaming applications, and big data analytics. S3 Storage Classes can be configured at the object level and a single bucket can contain objects stored across S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, and S3 One Zone-IA. You can also use S3 Lifecycle policies to automatically transition objects between storage classes without any application changes.

55
Q

Amazon S3 Standard (S3 Standard) Key features

A

  • Low latency and high throughput performance
  • Designed for durability of 99.999999999% of objects across multiple Availability Zones
  • Resilient against events that impact an entire Availability Zone
  • Designed for 99.99% availability over a given year
  • Backed with the Amazon S3 Service Level Agreement for availability
  • Supports SSL for data in transit and encryption of data at rest
  • S3 Lifecycle management for automatic migration of objects to other S3 Storage Classes

56
Q

Amazon S3 Intelligent-Tiering (S3 Intelligent-Tiering)

A

The S3 Intelligent-Tiering storage class is designed to optimize costs by automatically moving data to the most cost-effective access tier, without performance impact or operational overhead. It works by storing objects in two access tiers: one tier that is optimized for frequent access and another lower-cost tier that is optimized for infrequent access. For a small monthly monitoring and automation fee per object, Amazon S3 monitors access patterns of the objects in S3 Intelligent-Tiering, and moves the ones that have not been accessed for 30 consecutive days to the infrequent access tier. If an object in the infrequent access tier is accessed, it is automatically moved back to the frequent access tier. There are no retrieval fees when using the S3 Intelligent-Tiering storage class, and no additional tiering fees when objects are moved between access tiers. It is the ideal storage class for long-lived data with access patterns that are unknown or unpredictable. S3 Storage Classes can be configured at the object level and a single bucket can contain objects stored in S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, and S3 One Zone-IA. You can upload objects directly to S3 Intelligent-Tiering, or use S3 Lifecycle policies to transfer objects from S3 Standard and S3 Standard-IA to S3 Intelligent-Tiering. You can also archive objects from S3 Intelligent-Tiering to S3 Glacier.

57
Q

Amazon S3 Intelligent-Tiering (S3 Intelligent-Tiering) Key features:

A

  • Same low latency and high throughput performance of S3 Standard
  • Small monthly monitoring and auto-tiering fee
  • Automatically moves objects between two access tiers based on changing access patterns
  • Designed for durability of 99.999999999% of objects across multiple Availability Zones
  • Resilient against events that impact an entire Availability Zone
  • Designed for 99.9% availability over a given year
  • Backed with the Amazon S3 Service Level Agreement for availability
  • Supports SSL for data in transit and encryption of data at rest
  • S3 Lifecycle management for automatic migration of objects to other S3 Storage Classes

58
Q

Amazon S3 Standard-Infrequent Access (S3 Standard-IA)

A

S3 Standard-IA is for data that is accessed less frequently, but requires rapid access when needed. S3 Standard-IA offers the high durability, high throughput, and low latency of S3 Standard, with a low per GB storage price and per GB retrieval fee. This combination of low cost and high performance make S3 Standard-IA ideal for long-term storage, backups, and as a data store for disaster recovery files. S3 Storage Classes can be configured at the object level and a single bucket can contain objects stored across S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, and S3 One Zone-IA. You can also use S3 Lifecycle policies to automatically transition objects between storage classes without any application changes.

59
Q

Amazon S3 Standard-Infrequent Access (S3 Standard-IA) Key features:

A

  • Same low latency and high throughput performance of S3 Standard
  • Designed for durability of 99.999999999% of objects across multiple Availability Zones
  • Resilient against events that impact an entire Availability Zone
  • Data is resilient in the event of one entire Availability Zone destruction
  • Designed for 99.9% availability over a given year
  • Backed with the Amazon S3 Service Level Agreement for availability
  • Supports SSL for data in transit and encryption of data at rest
  • S3 Lifecycle management for automatic migration of objects to other S3 Storage Classes

60
Q

Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)

A

S3 One Zone-IA is for data that is accessed less frequently, but requires rapid access when needed. Unlike other S3 Storage Classes which store data in a minimum of three Availability Zones (AZs), S3 One Zone-IA stores data in a single AZ and costs 20% less than S3 Standard-IA. S3 One Zone-IA is ideal for customers who want a lower-cost option for infrequently accessed data but do not require the availability and resilience of S3 Standard or S3 Standard-IA. It’s a good choice for storing secondary backup copies of on-premises data or easily re-creatable data. You can also use it as cost-effective storage for data that is replicated from another AWS Region using S3 Cross-Region Replication. S3 One Zone-IA offers the same high durability, high throughput, and low latency of S3 Standard, with a low per GB storage price and per GB retrieval fee. S3 Storage Classes can be configured at the object level, and a single bucket can contain objects stored across S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, and S3 One Zone-IA. You can also use S3 Lifecycle policies to automatically transition objects between storage classes without any application changes.

61
Q

Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) Key Features:

A

  • Same low latency and high throughput performance of S3 Standard
  • Designed for durability of 99.999999999% of objects in a single Availability Zone
  • Designed for 99.5% availability over a given year
  • Backed with the Amazon S3 Service Level Agreement for availability
  • Supports SSL for data in transit and encryption of data at rest
  • S3 Lifecycle management for automatic migration of objects to other S3 Storage Classes

62
Q

Amazon S3 Glacier (S3 Glacier)

A

S3 Glacier is a secure, durable, and low-cost storage class for data archiving. You can reliably store any amount of data at costs that are competitive with or cheaper than on-premises solutions. To keep costs low yet suitable for varying needs, S3 Glacier provides three retrieval options that range from a few minutes to hours. You can upload objects directly to S3 Glacier, or use S3 Lifecycle policies to transfer data between any of the S3 Storage Classes for active data (S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, and S3 One Zone-IA) and S3 Glacier.

63
Q

Amazon S3 Glacier (S3 Glacier) Key Features:

A

  • Designed for durability of 99.999999999% of objects across multiple Availability Zones
  • Data is resilient in the event of one entire Availability Zone destruction
  • Supports SSL for data in transit and encryption of data at rest
  • Low-cost design is ideal for long-term archive
  • Configurable retrieval times, from minutes to hours
  • S3 PUT API for direct uploads to S3 Glacier, and S3 Lifecycle management for automatic migration of objects

64
Q

Amazon S3 Glacier Deep Archive (S3 Glacier Deep Archive)

A

S3 Glacier Deep Archive is Amazon S3’s lowest-cost storage class and supports long-term retention and digital preservation for data that won’t be regularly accessed. It is designed for customers — particularly those in highly-regulated industries, such as the Financial Services, Healthcare, and Public Sectors — that retain data sets for 7-10 years or longer to meet regulatory compliance requirements. S3 Glacier Deep Archive can also be used for backup and disaster recovery use cases, and is a cost-effective and easy-to-manage alternative to magnetic tape systems, whether they are on-premises libraries or off-premises services. S3 Glacier Deep Archive complements Amazon S3 Glacier, which is ideal for more active archives where data is regularly retrieved and needed in minutes. All objects stored in S3 Glacier Deep Archive are replicated and stored across at least three geographically-dispersed Availability Zones, protected by 99.999999999% of durability, and can be restored within 12 hours.

65
Q

Amazon S3 Glacier Deep Archive (S3 Glacier Deep Archive) Key features:

A

  • Designed for durability of 99.999999999% of objects across multiple Availability Zones
  • Lowest cost storage class designed for long-term retention of data that will be retained for 7-10 years
  • Ideal alternative to magnetic tape libraries
  • Retrieval time within 12 hours
  • S3 Lifecycle management for automatic migration of objects

66
Q

Performance across S3 storage classes

A
67
Q

Bucket lifecycle

A

  • Store backup data initially in Amazon S3 Standard.
  • After 30 days, transition to Amazon Standard-IA.
  • After 90 days, transition to Amazon Glacier.
  • After 3 years, delete.

68
Q

How do you encrypt S3 data in transit?

A

Use the Amazon S3 Secure Sockets Layer (SSL) API endpoints. This ensures that all data sent to and from Amazon S3 is encrypted while in transit using the HTTPS protocol.

69
Q

How do you encrypt data at rest in S3?

A

Server-Side Encryption (SSE).

All SSE performed by Amazon S3 and AWS Key Management Service (Amazon KMS) uses the 256-bit Advanced Encryption Standard (AES).

70
Q

SSE-S3 (AWS-Managed Keys)

A

This is a fully integrated “check-box-style” encryption solution where AWS handles the key management and key protection for Amazon S3. Every object is encrypted with a unique key. The actual object key itself is then further encrypted by a separate master key. A new master key is issued at least monthly, with AWS rotating the keys. Encrypted data, encryption keys, and master keys are all stored separately on secure hosts, further enhancing protection.

71
Q

SSE-KMS (AWS KMS Keys)

A

This is a fully integrated solution where Amazon handles your key management and protection for Amazon S3, but where you manage the keys. SSE-KMS offers several additional benefits compared to SSE-S3. Using SSE-KMS, there are separate permissions for using the master key, which provide protection against unauthorized access to your objects stored in Amazon S3 and an additional layer of control. AWS KMS also provides auditing, so you can see who used your key to access which object and when they tried to access this object. AWS KMS also allows you to view any failed attempts to access data from users who did not have permission to decrypt the data.

72
Q

SSE-C (Customer-Provided Keys)

A

This is used when you want to maintain your own encryption keys but don’t want to manage or implement your own client-side encryption library. With SSE-C, AWS will do the encryption/decryption of your objects while you maintain full control of the keys used to encrypt/decrypt the objects in Amazon S3.

73
Q

Client-Side Encryption

A

Client-side encryption refers to encrypting data on the client side of your application before sending it to Amazon S3.

You have the following two options for using data encryption keys:
  • Use an AWS KMS-managed customer master key.
  • Use a client-side master key.

74
Q

Best Practice

A

For maximum simplicity and ease of use, use server-side encryption with AWS-managed keys (SSE-S3 or SSE-KMS).

75
Q

Versioning

A

Amazon S3 versioning helps protect your data against accidental or malicious deletion by keeping multiple versions of each object in the bucket, identified by a unique version ID. Versioning allows you to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. If a user makes an accidental change or even maliciously deletes an object in your S3 bucket, you can restore the object to its original state simply by referencing the version ID in addition to the bucket and object key. Versioning is turned on at the bucket level. Once enabled, versioning cannot be removed from a bucket; it can only be suspended.

76
Q

MFA Delete

A

MFA Delete adds another layer of data protection on top of bucket versioning. MFA Delete requires additional authentication in order to permanently delete an object version or change the versioning state of a bucket. In addition to your normal security credentials, MFA Delete requires an authentication code (a temporary, one-time password) generated by a hardware or virtual Multi-Factor Authentication (MFA) device. Note that MFA Delete can only be enabled by the root account.

77
Q

Pre-Signed URLs

A

All Amazon S3 objects by default are private, meaning that only the owner has access. However, the object owner can optionally share objects with others by creating a pre-signed URL, using their own security credentials to grant time-limited permission to download the objects. When you create a pre-signed URL for your object, you must provide your security credentials and specify a bucket name, an object key, the HTTP method (GET to download the object), and an expiration date and time. The pre-signed URLs are valid only for the specified duration. This is particularly useful to protect against “content scraping” of web content such as media files stored in Amazon S3.

78
Q

Multipart Upload

A

Multipart upload provides better support for uploading or copying large objects through parallel transfers, the ability to pause and resume, and the ability to upload objects whose size is initially unknown.

Multipart upload is a three-step process: initiation, uploading the parts, and completion (or abort).

Parts can be uploaded independently in arbitrary order, with retransmission if needed. After all of the parts are uploaded, Amazon S3 assembles the parts in order to create an object.

You should use multipart upload for objects larger than 100 MB, and you must use multipart upload for objects larger than 5 GB.

When using the high-level APIs and the high-level Amazon S3 commands in the AWS CLI (aws s3 cp, aws s3 mv, and aws s3 sync), multipart upload is automatically performed for large objects.

79
Q

Best Practice

A

You can set an object lifecycle policy on a bucket to abort incomplete multipart uploads after a specified number of days. This will minimize the storage costs associated with multipart uploads that were not completed.

80
Q

Range Gets

A

It is possible to download (GET) only a portion of an object in both Amazon S3 and Amazon Glacier by using something called a Range GET. Using the Range HTTP header in the GET request or equivalent parameters in one of the SDK wrapper libraries, you specify a range of bytes of the object. This can be useful in dealing with large objects when you have poor connectivity or to download only a known portion of a large Amazon Glacier backup.

81
Q

Cross-Region Replication

A

Cross-region replication is a feature of Amazon S3 that allows you to asynchronously replicate all new objects in the source bucket in one AWS region to a target bucket in another region. Any metadata and ACLs associated with the object are also part of the replication. After you set up cross-region replication on your source bucket, any changes to the data, metadata, or ACLs on an object trigger a new replication to the destination bucket. To enable cross-region replication, versioning must be turned on for both source and destination buckets, and you must use an IAM policy to give Amazon S3 permission to replicate objects on your behalf.

It is used to reduce the latency required to access objects in Amazon S3 by placing objects closer to a set of users, or to meet requirements to store backup data at a certain distance from the original source data.

82
Q

Best Practice

A

If turned on in an existing bucket, cross-region replication will only replicate new objects. Existing objects will not be replicated and must be copied to the new bucket via a separate command.

83
Q

Logging

A

In order to track requests to your Amazon S3 bucket, you can enable Amazon S3 server access logs. Logging is off by default, but it can easily be enabled. When you enable logging for a bucket (the source bucket), you must choose where the logs will be stored (the target bucket). You can store access logs in the same bucket or in a different bucket. Either way, it is optional (but a best practice) to specify a prefix, such as logs/ or yourbucketname/logs/, so that you can more easily identify your logs.

84
Q

Logs include this information:

A
  • Requestor account and IP address
  • Bucket name
  • Request time
  • Action (GET, PUT, LIST, and so forth)
  • Response status or error code
85
Q

Event Notifications

A

Event notifications are sent in response to actions taken on objects uploaded or stored in Amazon S3. Event notifications enable you to run workflows, send alerts, or perform other actions in response to changes in your objects stored in Amazon S3. You can use Amazon S3 event notifications to set up triggers to perform actions, such as transcoding media files when they are uploaded, processing data files when they become available, and synchronizing Amazon S3 objects with other data stores.

86
Q

Event Notifications (continued)

A

Amazon S3 event notifications are set up at the bucket level, and you can configure them through the Amazon S3 console, through the REST API, or by using an AWS SDK. Amazon S3 can publish notifications when new objects are created (by a PUT, POST, COPY, or multipart upload completion), when objects are removed (by a DELETE), or when Amazon S3 detects that an RRS object was lost. You can also set up event notifications based on object name prefixes and suffixes. Notification messages can be sent through either Amazon Simple Notification Service (Amazon SNS) or Amazon Simple Queue Service (Amazon SQS) or delivered directly to AWS Lambda to invoke AWS Lambda functions.

87
Q

Best Practice

A

If you are using Amazon S3 in a GET-intensive mode, such as static website hosting, for best performance you should consider using an Amazon CloudFront distribution as a caching layer in front of your Amazon S3 bucket.

88
Q

Glacier Archives

A

In Amazon Glacier, data is stored in archives. An archive can contain up to 40TB of data, and you can have an unlimited number of archives. Each archive is assigned a unique archive ID at the time of creation. (Unlike an Amazon S3 object key, you cannot specify a user-friendly archive name.) All archives are automatically encrypted, and archives are immutable—after an archive is created, it cannot be modified.

89
Q

Glacier Vaults

A

Vaults are containers for archives. Each AWS account can have up to 1,000 vaults. You can control access to your vaults and the actions allowed using IAM policies or vault access policies.

90
Q

Vault Locks

A

You can easily deploy and enforce compliance controls for individual Amazon Glacier vaults with a vault lock policy. You can specify controls such as Write Once Read Many (WORM) in a vault lock policy and lock the policy from future edits. Once locked, the policy can no longer be changed.

91
Q

Glacier data retrieval

A

You can retrieve up to 5% of your data stored in Amazon Glacier for free each month, calculated on a daily prorated basis. If you retrieve more than 5%, you will incur retrieval fees based on your maximum retrieval rate. To eliminate or minimize those fees, you can set a data retrieval policy on a vault to limit your retrievals to the free tier or to a specified data rate.

92
Q

Amazon Glacier versus Amazon Simple Storage Service (Amazon S3)

A

Amazon Glacier is similar to Amazon S3, but it differs in several key aspects. Amazon Glacier supports 40TB archives versus 5TB objects in Amazon S3. Archives in Amazon Glacier are identified by system-generated archive IDs, while Amazon S3 lets you use “friendly” key names. Amazon Glacier archives are automatically encrypted, while encryption at rest is optional in Amazon S3. However, by using Amazon Glacier as an Amazon S3 storage class together with object lifecycle policies, you can use the Amazon S3 interface to get most of the benefits of Amazon Glacier without learning a new interface.