Storage & Access Flashcards
What is EBS?
Elastic Block Storage is a storage volume you can attach to your instances while they run to persist data.
- It’s a network drive, NOT a physical drive
- locked to a single AZ, but can be copied using a snapshot
- provisioned by size in GBs and IOPS (I/O Ops Per Sec)
- can be attached to only one instance at a time
- EBS root volume is removed when EC2 instance is terminated
What are the EBS types?
- GP2 (SSD): General purpose, can be used for boot volume, 3 IOPS/GB, min 100, max 3000, 1GB-16TB
- IO1 (SSD): Highest performing for high throughput workloads, can be used for boot volume, provisioned IOPS, min 100, max 64,000 (Nitro) or 32,000 (other), 4GB-16TB (no tie to IOPS)
- ST1 (HDD): low cost, designed for frequent intensive workloads, 500GB-16TB, 500MB/sec throughput
- SC1 (HDD): lowest cost, for less frequent workloads, 500GB-16TB, 250MB/sec throughput
What are the characteristics of an EBS snapshot?
- they are incremental (only changed blocks) snapshots of the data on the volume
- they use I/O, so they should not be taken while the app is running
- stored in S3
- can be copied across AZ or Region
- can make AMI from snapshot
- can be automated using Data Lifecycle Manager
How does EBS Encryption work?
- Leverages keys from KMS
- includes data at rest and in-flight and snapshots
- steps:
  - create a snapshot
  - encrypt the snapshot by copying it
  - create a new EBS volume from the snapshot, which will automatically encrypt the volume
  - attach the encrypted volume to the original instance
What is an IS?
Instance Store is ephemeral block storage, physically attached to the machine
- provides better I/O performance than any of the EBS types
- up to 7.5TB, or 30TB with striping
- backups are our responsibility
- can’t be resized
- lost once the instance is stopped or terminated
What are the EBS RAID options?
- RAID 0: 1 logical volume, but multiple volumes are combined to make a larger volume
- RAID 1: 1 logical volume, but data is written to two or more volumes for fault tolerance
- RAID 5: not recommended for EBS
- RAID 6: not recommended for EBS
What is EFS?
A managed Network File System (NFS) that can be mounted on many EC2s.
- Multi AZ
- access controlled by security groups
- scales automatically
- pay per use
What are the performance modes of EFS?
- General purpose (default)
- Max I/O
What are EFS storage tiers?
A lifecycle management feature for moving files to a different storage tier after N days.
- Standard for frequently accessed files
- Infrequent Access (EFS-IA) for lower cost storage of files rarely accessed
How can I instantiate an EBS volume quickly?
Restore from a snapshot
What is S3?
Simple Storage Service, which is a bucket-based storage system.
- buckets must have a globally unique name
- buckets are defined at Region level
What is an S3 Key?
The full path to a file in the bucket, composed of a prefix + object name.
- e.g. s3://my-bucket/my_file.txt
- Note: the ‘/’ does not indicate a folder path; it is simply part of a very long prefix name.
What is the largest object size that can be uploaded to S3?
5TB. Anything larger will require a multi-part upload
What are the components of an S3 bucket?
- Metadata (list of text key/value pairs for system or user)
- Tags (unicode key/value pair for security or lifecycle)
- Version ID (if versioning is enabled provides easy rollback to previous version)
What happens to existing files in an S3 bucket when versioning is turned on?
Nothing; their version ID will remain null.
What happens to existing files in an S3 bucket when versioning is suspended?
Nothing; all previous versions will remain available.
What are the 4 methods of encryption for S3?
- SSE-S3
- SSE-KMS
- SSE-C: Client Encryption Key Management on AWS
- Client side encryption
What is SSE-S3?
AWS encryption of S3 objects
- uses AES-256 keys
- handled by AWS
- server side encryption
What is SSE-KMS?
AWS encryption Key Management Service
- handled by AWS
- provides user control and audit trail
- server side encryption
What is SSE-C?
AWS Client Encryption Key Management
- keys fully managed by the customer outside of AWS
- S3 does not store the key provided by user
- key passed in a header (HTTPS only) on every request made
- server side encryption
What is Client side encryption?
Encryption and Decryption done on client side
- encryption done before adding to S3
- decryption done after retrieving from S3
- client side encryption
What is another name for encryption in-flight?
SSL/TLS
What are the types of S3 Security?
USER BASED:
- IAM policies
RESOURCE BASED:
- Bucket Policies
- Object Access Control List (ACL)
- Bucket Access Control List (ACL) - less common
What are the settings in an S3 Bucket Policy?
- Resources (i.e. buckets and objects)
- Actions (set of API methods, i.e. get, put, etc.)
- Effect (allow or deny)
- Principal (account or user)
How can we combat company data leaks from an S3 bucket?
Block public access to buckets and objects granted through:
- NEW access control lists (ACLs)
- ANY access control lists (ACLs)
- NEW public bucket or access point policies
What are the most common features supported by S3?
- Networking (i.e. VPC endpoints without internet)
- Logging (stored in another S3 bucket)
- Auditing (API calls logged in CloudTrail)
- MFA (multi-factor authentication)
- Pre-signed URLs for a limited duration (max 3600 sec)
Can S3 host a website?
Yes, but be sure to make the bucket public if it needs to be reached externally
i.e. .s3-website..amazonaws.com
What is CORS?
Cross-Origin Resource Sharing, which means a main site can request resources from another website using a CORS header in the request, and the other website MUST allow access.
i.e. http://www.example.com to http://other.example.com