1. S3 and IAM Flashcards
What do S3 objects consist of?
S3 objects consist of:
- A key - which is the name of the object.
- A value - the data itself, stored as a sequence of bytes.
- A version id - allows you to keep multiple versions of the same file.
- Metadata - data about the data you are storing.
What message notifies you of a successful S3 bucket upload?
When you successfully upload to S3 you get an HTTP 200 response.
What can you use to guard against accidental deletions in S3?
You can turn on MFA delete to guard against accidental deletions.
When can you read objects in an S3 bucket in relation to when you have added / made changes?
S3 has eventual consistency for overwrite PUTS but read after write consistency for new objects.
What is used to secure the data in the buckets?
Access Control Lists and Bucket Policies are used to secure the data in the buckets.
To what do Access Control Lists apply?
ACLs apply to individual files.
To what do bucket policies apply?
Bucket policies apply to all contents of the bucket.
What are the S3 Storage Classes?
- S3 Standard
- IA (infrequently accessed)
- One zone IA
- Intelligent tiering
- Glacier instant retrieval
- Glacier flexible retrieval
- Glacier deep archive
When would you use S3 IA?
You would use S3 IA for data you don't access often but that requires rapid access when needed. It is cheaper than Standard, but a retrieval fee is charged.
What is intelligent about S3 Intelligent Tiering?
S3 Intelligent Tiering uses machine learning to move individual objects between tiers based on how you use/access your data.
Should S3 Standard be the default choice?
Try to avoid S3 Standard as much as possible. If you are going to use it, it makes sense to use S3 Intelligent Tiering instead, as there is no uplift in cost.
What is the benefit of using S3 replication?
S3 replication enables high availability and backups.
What is S3 Transfer Acceleration?
S3 Transfer Acceleration enables quick and secure transfer of files over long distances between users and bucket locations.
It takes advantage of AWS CloudFront edge locations, which means the transfer uses AWS's own backbone network.
What should be used in order to create an audit of requests made to the buckets?
Access logs can be used to create an audit trail of all requests made to the bucket.
These logs can then be sent to other buckets, or to buckets in other accounts.
In what 3 ways can bucket access be restricted?
Bucket access can be restricted using:
- bucket policies - apply across the whole bucket
- object policies - apply to individual files
- IAM policies - applied to users and groups
How is S3 data encryption in transit achieved?
Encryption in transit is achieved using SSL/TLS and HTTPS.
What Key Management services are used to manage S3 server-side encryption?
Server-side encryption options (on AWS):
- S3 managed keys - known as SSE-S3
- AWS Key Management Service - known as SSE-KMS
- Server-side encryption with customer-provided keys - known as SSE-C
What are S3 Lifecycle Management Rules used for?
Lifecycle Management rules can be set so that S3 objects are managed automatically according to the rules you define.
For example: archiving old versions to different buckets or storage classes once they reach a given number of days old, moving tagged versions to different buckets, deleting old versions of objects after x days, and so on.
What are the 3 different ways to share S3 buckets across accounts?
- Using bucket policies & IAM (applies to the entire bucket)
- Using bucket ACLs & IAM (individual objects)
- Cross-account IAM roles
What are S3 object locks used for?
S3 object locks can be used to meet regulatory requirements or to just add an extra layer of protection against object changes and deletion.
What are the S3 object lock modes?
- Governance mode
- Compliance mode
What does S3 Glacier Vault Lock allow?
S3 Glacier Vault Lock allows you to deploy and enforce compliance controls for individual Glacier vaults with a vault lock policy.
How does making documents public work with versioned objects?
Each version of an object needs to be made public individually. Just because one version of an object is public does not mean that the next version will be.
How do deletes work with versioned objects?
Deleting a versioned object only places a delete marker on it; the older versions still exist.