S3 Flashcards

(119 cards)

1
Q
  • Backup and storage
  • Disaster Recovery
  • Archive
  • Hybrid Cloud storage
  • Application hosting
  • Media hosting
  • Data lakes & big data analytics
  • Software delivery
  • Static website
A

Amazon S3 Use cases

2
Q

Amazon S3 allows people to store __________ in ___________.

A

objects (files)
“buckets” (directories)

3
Q

Buckets must have a ___________ (across all regions and all accounts)

A

globally unique name

4
Q

What level are Buckets defined at?

A

region level

5
Q

Amazon S3 Objects (files) have a ______?

A

Key

6
Q

What is the max size of an Object?

A

5TB (5000GB)

7
Q

If uploading more than 5GB, must use _____________?

A

“multi-part upload”

8
Q

What 3 things can an object have other than the body?

A
  • Metadata (list of text key / value pairs – system or user metadata)
  • Tags (Unicode key / value pair – up to 10) – useful for security / lifecycle
  • Version ID (if versioning is enabled)
9
Q

2 ways to grant access to an S3 bucket?

A

User-Based
Resource-Based

10
Q

Which API calls should be allowed for a specific user?

A

IAM Policies (User-Based)

11
Q

What are the 3 Resource-Based Amazon S3 security mechanisms?

A

Bucket Policies
Object Access Control List (ACL)
Bucket Access Control List (ACL)

12
Q

Bucket-wide rules from the S3 console; allows cross-account access

A

Bucket Policies (Resource-Based)

13
Q

Which resource-based security is finer-grained and can be disabled?

A

Object Access Control List (ACL) (Resource-Based)

14
Q

Which resource-based security is less common and can be disabled?

A

Bucket Access Control List (ACL) (Resource-Based)

15
Q

An IAM principal can access an S3 object if ...

A
  • The user IAM permissions ALLOW it OR the resource policy ALLOWS it
  • AND there’s no explicit DENY
16
Q

S3 Bucket Policies: JSON-based policies (4 elements)

A
  • Resources: buckets and objects
  • Effect: Allow / Deny
  • Actions: Set of API to Allow or Deny
  • Principal: The account or user to apply the policy to
17
Q

Bucket Policies (JSON-based policies) - buckets and objects

A

Resources

18
Q

Bucket Policies (JSON-based policies) - Allow / Deny

A

Effect

19
Q

Bucket Policies (JSON-based policies) - Set of API to Allow or Deny

A

Actions

20
Q

Bucket Policies (JSON-based policies) - The account or user to apply the policy to

A

Principal

21
Q

Use an S3 bucket policy to:

A
  • Grant public access to the bucket
  • Force objects to be encrypted at upload
  • Grant access to another account (Cross Account)
22
Q

Can be set at the account level

A

Bucket settings for Block Public Access

23
Q

S3 can host __________ and have them accessible on the Internet

A

static websites

24
Q

If you get a _________ error, make sure the bucket policy allows public reads!

A

403 Forbidden

25
Amazon S3 - Versioning is enabled at what level?
Bucket Level
26
2 best practices to version your buckets
  • Protect against unintended deletes (ability to restore a version)
  • Easy roll back to previous version
27
Any file that is not versioned prior to enabling versioning will have version ______
“null”
28
Suspending versioning does OR does not delete the previous versions
DOES NOT
29
2 types of Amazon S3 – Replication
  • Cross-Region Replication (CRR)
  • Same-Region Replication (SRR)
30
When using S3 replication, you must enable Versioning in _______ AND ________ buckets
source; destination
31
Can buckets be in different AWS accounts?
YES
32
Replication copying is what kind of synchronization?
asynchronous
33
Do you need to give proper IAM permissions to S3?
YES
34
Compliance, lower latency access, replication across accounts
CRR
35
Log aggregation, live replication between production and test accounts
SRR
36
After you enable Replication, only __________ are replicated
new objects
37
You can replicate existing objects using __________?
S3 Batch Replication
38
Replicates existing objects and objects that failed replication
S3 Batch Replication
39
  • Can replicate delete markers from source to target (optional setting)
  • Deletions with a version ID are not replicated (to avoid malicious deletes)
Replication DELETE operations
40
There is no _________ of replication
“chaining”
  • If bucket 1 has replication into bucket 2, which has replication into bucket 3
  • Then objects created in bucket 1 are not replicated to bucket 3
41
S3 Storage Classes (7)
  • Amazon S3 Standard - General Purpose
  • Amazon S3 Standard-Infrequent Access (IA)
  • Amazon S3 One Zone-Infrequent Access
  • Amazon S3 Glacier Instant Retrieval
  • Amazon S3 Glacier Flexible Retrieval
  • Amazon S3 Glacier Deep Archive
  • Amazon S3 Intelligent Tiering
42
Can you move between classes manually or using S3 Lifecycle configurations?
YES
43
  • 99.99% Availability
  • Used for frequently accessed data
  • Low latency and high throughput
  • Sustain 2 concurrent facility failures
  • Use Cases: Big Data analytics, mobile & gaming applications, content distribution...
S3 Standard – General Purpose
44
  • For data that is less frequently accessed, but requires rapid access when needed
  • Lower cost than S3 Standard
S3 Storage Classes – Infrequent Access
45
  • 99.9% Availability
  • Use cases: Disaster Recovery, backups
Amazon S3 Standard-Infrequent Access (S3 Standard-IA)
46
  • High durability (99.999999999%) in a single AZ; data lost when AZ is destroyed
  • 99.5% Availability
  • Use Cases: Storing secondary backup copies of on-premises data, or data you can recreate
Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)
47
2 types of S3 Storage Classes – Infrequent Access
Amazon S3 Standard-Infrequent Access (S3 Standard-IA)
Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)
48
3 types of Amazon S3 Glacier Storage Classes
Amazon S3 Glacier Instant Retrieval
Amazon S3 Glacier Flexible Retrieval (formerly Amazon S3 Glacier)
Amazon S3 Glacier Deep Archive
49
  • Low-cost object storage meant for archiving / backup
  • Pricing: price for storage + object retrieval cost
Amazon S3 Glacier Storage Classes
50
  • Millisecond retrieval, great for data accessed once a quarter
  • Minimum storage duration of 90 days
Amazon S3 Glacier Instant Retrieval
51
  • Expedited (1 to 5 minutes), Standard (3 to 5 hours), Bulk (5 to 12 hours) – free
  • Minimum storage duration of 90 days
Amazon S3 Glacier Flexible Retrieval
52
  • Standard (12 hours), Bulk (48 hours)
  • Minimum storage duration of 180 days
Amazon S3 Glacier Deep Archive
53
  • Small monthly monitoring and auto-tiering fee
  • Moves objects automatically between Access Tiers based on usage
  • There are no retrieval charges
S3 Intelligent-Tiering
54
5 types of S3 Intelligent-Tiering
Frequent Access tier
Infrequent Access tier
Archive Instant Access tier
Archive Access tier
Deep Archive Access tier
55
S3 Intelligent-Tiering - (automatic): default tier
Frequent Access tier
56
S3 Intelligent-Tiering - (automatic): objects not accessed for 30 days
Infrequent Access tier
57
S3 Intelligent-Tiering - (automatic): objects not accessed for 90 days
Archive Instant Access tier
58
S3 Intelligent-Tiering - (optional): configurable from 90 days to 700+ days
Archive Access tier
59
S3 Intelligent-Tiering - (optional): config. from 180 days to 700+ days
Deep Archive Access tier
60
2 types of Amazon S3 – Lifecycle Rules
Transition Actions
Expiration actions
61
Configure objects to move to another storage class
  • Move objects to Standard IA class 60 days after creation
  • Move to Glacier for archiving after 6 months
Transition Actions
62
Configure objects to expire (delete) after some time
  • Access log files can be set to delete after 365 days
  • Can be used to delete old versions of files (if versioning is enabled)
  • Can be used to delete incomplete Multi-Part uploads
Expiration actions
63
Can rules be created for a certain prefix?
YES
64
Can rules be created for certain object Tags?
YES
65
  • Help you decide when to transition objects to the right storage class
  • Recommendations for Standard and Standard IA
  • Does NOT work for One-Zone IA or Glacier
  • Report is updated daily
  • 24 to 48 hours to start seeing data analysis
  • Good first step to put together Lifecycle Rules (or improve them)!
Amazon S3 Analytics – Storage Class Analysis
66
In general, ______________ pay for all Amazon S3 storage and data transfer costs associated with their bucket
Bucket owners
67
The requester instead of the bucket owner pays the cost of the request and the data download from the bucket
Requester Pays buckets
68
  • Helpful when you want to share large datasets with other accounts
  • The requester must be authenticated in AWS (cannot be anonymous)
S3 – Requester Pays
69
For S3 Event Notifications, is Object name filtering possible?
YES
70
How many "S3 events" can you create?
As many as you want
71
S3 event notifications typically deliver events in _______ but can sometimes take __________?
seconds; a minute or longer
72
What are the 4 places S3 Event Notifications can send notifications?
SNS
SQS
Lambda Functions
EventBridge
73
  • Advanced filtering options with JSON rules (metadata, object size, name...)
  • Multiple Destinations – ex Step Functions, Kinesis Streams / Firehose...
  • Capabilities – Archive, Replay Events, Reliable delivery
S3 Event Notifications with Amazon EventBridge
74
Your application can achieve at least ________ PUT/COPY/POST/DELETE or _______ GET/HEAD requests per second per prefix in a bucket.
3,500; 5,500
75
What is the limit on the number of prefixes in a bucket?
No limits
76
  • Recommended for files > 100MB, must use for files > 5GB
  • Can help parallelize uploads (speed up transfers)
Multi-Part upload
77
  • Increase transfer speed by transferring file to an AWS edge location which will forward the data to the S3 bucket in the target region
  • Compatible with multi-part upload
S3 Transfer Acceleration
78
  • Retrieve less data using SQL by performing server-side filtering
  • Can filter by rows & columns (simple SQL statements)
  • Less network transfer, less CPU cost client-side
S3 Select & Glacier Select
79
What are examples of S3 batch operations?
  • Modify object metadata & properties
  • Copy objects between S3 buckets
  • Encrypt un-encrypted objects
  • Modify ACLs, tags
  • Restore objects from S3 Glacier
  • Invoke Lambda function to perform custom action on each object
80
Perform bulk operations on existing S3 objects with a single request
S3 Batch Operations
81
What does an S3 Batch Operation job consist of? (3)
  • a list of objects
  • the action to perform
  • optional parameters
82
S3 Batch Operations manages (4)
  • retries
  • tracks progress
  • sends completion notifications
  • generates reports
83
You can use ___________ to get object list and use ________ to filter your objects
S3 Inventory; S3 Select
84
You can encrypt objects in S3 buckets using one of 4 methods
Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
Server-Side Encryption with KMS Keys stored in AWS KMS (SSE-KMS)
Server-Side Encryption with Customer-Provided Keys (SSE-C)
Client-Side Encryption
85
  • Encryption using keys handled, managed, and owned by AWS
  • Object is encrypted server-side
  • Encryption type is AES-256
  • Must set header "x-amz-server-side-encryption": "AES256"
  • Enabled by default for new buckets & new objects
Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
85
  • Encryption using keys handled and managed by AWS KMS (Key Management Service)
  • KMS advantages: user control + audit key usage using CloudTrail
  • Object is encrypted server side
  • Must set header "x-amz-server-side-encryption": "aws:kms"
Server-Side Encryption with KMS Keys stored in AWS KMS (SSE-KMS)
86
  • Server-Side Encryption using keys fully managed by the customer outside of AWS
  • Amazon S3 does NOT store the encryption key you provide
  • HTTPS must be used
  • Encryption key must be provided in HTTP headers, for every HTTP request made
Server-Side Encryption with Customer-Provided Keys (SSE-C)
87
  • Use client libraries such as Amazon S3 Client-Side Encryption Library
  • Clients must encrypt data themselves before sending to Amazon S3
  • Clients must decrypt data themselves when retrieving from Amazon S3
  • Customer fully manages the keys and encryption cycle
Client-Side Encryption
88
SSE-KMS Limitation
  • If you use SSE-KMS, you may be impacted by the KMS limits
  • When you upload, it calls the GenerateDataKey KMS API
  • When you download, it calls the Decrypt KMS API
  • Count towards the KMS quota per second (5500, 10000, 30000 req/s based on region)
  • You can request a quota increase using the Service Quotas Console
89
Encryption in flight is also called?
SSL/TLS
90
Amazon S3 – Encryption in transit (SSL/TLS) - HTTPS is mandatory for _______
SSE-C
91
Amazon S3 – Encryption in transit (SSL/TLS) - HTTPS is ________
recommended
92
Can you force encryption in transit?
YES
93
What does CORS stand for?
Cross-Origin Resource Sharing
94
The requests won’t be fulfilled unless the other origin allows for the requests, using _________?
CORS Headers
95
If a client makes a cross-origin request on our S3 bucket, what do we need to do?
enable the correct CORS headers
96
With CORS, you can allow for ____________
specific origin or for * (all origins)
97
Amazon S3 – MFA Delete will be required to ......
  • Permanently delete an object version
  • Suspend Versioning on the bucket
98
Amazon S3 – MFA Delete will NOT be required to ......
  • Enable Versioning
  • List deleted versions
99
To use MFA Delete, Versioning must be __________ on the bucket
enabled
100
Only the bucket ______________ can enable/disable MFA Delete
owner (root account)
101
S3 Access Logs - The target logging bucket ________ be in the same AWS region
MUST
102
How can you generate pre-signed URLs?
S3 Console, AWS CLI or SDK
103
What are the pre-signed URL's expirations?
  • S3 Console – 1 min up to 720 mins (12 hours)
  • AWS CLI – configure expiration with --expires-in parameter in seconds (default 3600 secs, max. 604800 secs ~ 168 hours)
104
Examples of Amazon S3 – Pre-Signed URLs
  • Allow only logged-in users to download a premium video from your S3 bucket
  • Allow an ever-changing list of users to download files by generating URLs dynamically
  • Allow temporarily a user to upload a file to a precise location in your S3 bucket
105
  • Adopt a WORM (Write Once Read Many) model
  • Create a Vault Lock Policy
  • Lock the policy for future edits (can no longer be changed or deleted)
  • Helpful for compliance and data retention
S3 Glacier Vault Lock
106
  • Adopt a WORM (Write Once Read Many) model
  • Block an object version deletion for a specified amount of time
S3 Object Lock
107
2 types of Retention Modes for S3 Object Lock
Retention mode - Compliance
Retention mode - Governance
108
  • Object versions can't be overwritten or deleted by any user, including the root user
  • Objects retention modes can't be changed, and retention periods can't be shortened
Retention mode - Compliance
109
  • Most users can't overwrite or delete an object version or alter its lock settings
  • Some users have special permissions to change the retention or delete the object
Retention mode - Governance
110
S3 Object Lock - protect the object for a fixed period, it can be extended
Retention Period
111
  • Protect the object indefinitely, independent from retention period
  • Can be freely placed and removed using the s3:PutObjectLegalHold IAM permission
Legal Hold
112
Simplify security management for S3 Buckets
Access Points
113
Each Access Point has (2)
  • its own DNS name (Internet Origin or VPC Origin)
  • an access point policy (similar to bucket policy) – manage security at scale
114
We can define the access point to be accessible ________?
only from within the VPC
115
You must create a __________ to access the Access Point (Gateway or Interface Endpoint)
VPC Endpoint
116
The VPC Endpoint Policy __________ allow access to the target bucket and Access Point
MUST
117
To change the object before it is retrieved by the caller application
AWS Lambda Functions