AWS S3 Quizlet

Max buckets per account is 100 by default but can be increased by contacting Amazon. Bucket naming conventions require lowercase letters, numbers, periods and hyphens and must start with a letter or number. Multipart Upload API allows uploading objects larger than 5 GB which is recommended for files over 100MB.

Uploaded by chandra

Terms in this set (22)

Max buckets per account
100 (Can be increased by contacting Amazon)
Bucket naming conventions
3 - 63 Characters
Only contains lowercase letters, numbers, periods and hyphens
Starts with a letter or number
Periods and hyphens can not follow each other
Must not be an IP address format
Object limit in buckets
No limit
Object size minimum
0B
Object size maximum
5 TB
Multipart Upload API
Allows upload of objects larger than 5 GB (Recommended for files larger than 100MB)
Read-after-write consistency
Lets you retrieve objects immediately after creating them
Available only for PUTS of new objects
Will always retrieve the latest information
Potentially higher read latency
Potentially lower read throughput
Eventual consistency
May not retrieve the latest information
Used for overwrite PUTS and DELETES
Lowest read latency
Highest read throughput
Max bursts of requests per second before contacting Amazon to prepare
> 300 PUT/LIST/DELETE
> 800 GET
Max consistent requests before considering partition optimization
> 100 PUT/LIST/DELETE
> 300 GET
Correct naming practice for objects
Prefix a hash value to the name OR
Reverse ID string (Varied results)
Benefits of Amazon CloudFront
Low latency
High transfer rate
Caches objects
Fewer direct requests to S3
Good for GET-intensive workloads
404 Error
Not found
403 Error
Forbidden
400 Error
Bad Request
409 Error
Conflict
500 Error
Internal Server Error
CORS
Cross origin resource sharing
Bucket permissions
Who is allowed to access a resource
What they can do with those resources
Bucket Policies
Resource-based
Should be used to manage cross-account permissions
Limited to 20 KB
Object ACL
The only way to manage access to objects not owned by the bucket owner
Uses XML format
Example S3 bucket resource ARN
arn:aws:s3:::bucket_name/keyname

Terms in this set (26)

object storage
Amazon S3 is what type of storage?
NO - Amazon S3 objects are automatically replicated on multiple devices in multiple
facilities within a region.
With S3 do you have to worry about data durability or replication across availability
zones?
NO - if your request rate grows steadily, Amazon S3 automatically partitions buckets
to support very high request rates and simultaneous access by many clients.
With S3 do you have to worry about scalability?
Yes - not just within your own account
Are S3 bucket names global?
100
What's the default bucket amount per account?
Place your buckets in different regions. (Just because the names are global doesn't
mean you don't have to place it in a region)
What can you do with your buckets to minimize latency, satisfy data locality
concerns, or satisfy disaster recovery and compliance needs?
0 bytes up to 5TB
What is the size range for Objects?
Unlimited
How many objects can a single bucket store?
Object = data (the file itself) + metadata (data about the file)
Every object in a bucket consists of what two parts?
1) Bucket 2) Key 3) Optional Version ID
What 3 pieces uniquely identify an Amazon S3 object?
1) Web services endpoint 2) Bucket Name 3) Object Key
What 3 pieces form the S3 URL?
"Will my data still be there in the future?"
What does durability address?
"Can I access my data right now?"
What does availability address?
Amazon S3 is an eventually consistent system.
What type of consistency system is S3?
No. PUTS to new objects are classified as read-after-write consistency.
Is there a concern for PUTS to new objects?
YES. PUTS to existing objects as well as DELETES are actions classified as
eventual consistency.
Is there a concern for PUTS to existing objects or DELETES?
No. Updates to a single key are atomic. You will never retrieve an inconsistent mix of
data.
For reads to a single key will I ever get some old data and some new data?
Yes
Is S3 secure by default?
1) Through coarse-grained access controls (ACLs)
2) Through fine-grained access controls (bucket policies, IAM policies, and query
string authentication)
What two ways can you secure an S3 bucket?
READ, WRITE, FULL_CONTROL at the object or bucket level. ACLs are a legacy
access control mechanism created before IAM existed.
What type of coarse-grained permissions can you define in an S3 ACL?
S3 bucket policies:
1) They are associated with the bucket resource instead of an IAM principal
2) They include an explicit reference to the IAM principal in the policy.
What are the differences between IAM policies and S3 bucket policies?
An Amazon S3 bucket policy
What type of control would allow me to specify from what CIDR block or IP, and during
what time of day, an entity can access an S3 object?
Prefixes and delimiters
What allows you to organize, browse and retrieve objects within a bucket
hierarchically?
1) Amazon S3 Standard
2) Amazon S3 Standard - Infrequent Access
3) Amazon S3 Reduced Redundancy
Name the three Amazon S3 storage classes.
Short-term or long-term storage of frequently accessed data.
Amazon S3 Standard is best suited for?
Long-lived, less frequently accessed data. Data that is stored for longer than 30 days.
Amazon S3 Standard - Infrequent Access (Standard-IA) is best suited for?

Terms in this set (61)

What is Amazon S3?


Amazon S3 is storage for the internet. It's a simple storage service that offers software
developers a highly-scalable, reliable, and low-latency data storage infrastructure at very low
costs.
What are the technical benefits of S3?
Scalability, reliability, speed, low-cost, and simplicity
What kind of data can I store?
Virtually any kind of data in any format
How much data can I store?
The total volume of data and number of objects you can store are unlimited. Individual
Amazon S3 objects can range in size from a minimum of 0 bytes to a maximum of 5 TB. The
largest object that can be uploaded in a single PUT is 5 GB. For objects larger than 100 MB,
customers should consider using the Multipart Upload capability.
What storage classes does Amazon S3 offer?
S3 Standard: for general-purpose storage of frequently accessed data
S3 Infrequent Access: infrequent access for long-lived but less frequently accessed data
Glacier: long-term archive
S3 Reduced Redundancy Storage: enables customers to reduce their costs by storing
noncritical, reproducible data at lower levels of redundancy than Amazon's S3 standard
storage
How can I delete large numbers of objects?
Multi-Object Delete deletes large numbers of objects from S3. There is no charge for multi-
object delete.
What does Amazon do with my data in Amazon S3?
Amazon will store your data and track its associated usage for billing purposes. AWS will not
otherwise access your data for any purpose outside of the S3 offering, except when required
to do so by law.
How is Amazon S3 data organized?
Amazon S3 is a simple key-based object store. When you store data, you assign a unique
object key that can later be used to retrieve the data. Keys can be any string, and can be
constructed to mimic hierarchical attributes.
How do I interface with Amazon S3?
Amazon S3 provides a simple, standards-based REST web services interface that is designed
to work with any Internet-development toolkit.
How reliable is Amazon S3?
S3 Standard is designed for 99.99% availability and S3-IA is designed for 99.9% availability.
Both are backed by the S3 SLA.
What data consistency model does Amazon S3 employ?
Amazon S3 buckets in all Regions provide read-after-write consistency for PUTS of new
objects and eventual consistency for overwrite PUTS and DELETES.
What happens if traffic from my application suddenly spikes?
Amazon S3 was designed from the ground up to handle traffic for any Internet application.
S3's massive scale enables us to spread load evenly, so that no individual application is
affected by traffic spikes.
How can I increase the number of Amazon S3 buckets that I can provision?
By default, customers can provision up to 100 buckets per AWS account. However, you can
increase your S3 bucket limit by visiting AWS Service Limits.
Where is my data stored?
You specify a region when you create your S3 bucket. Within that region, your objects are
redundantly stored on multiple devices across multiple facilities.
How am I charged for using Versioning?
Normal S3 rates apply for every version of an object stored or requested. You are charged per
GB stored, number of GET requests, number of PUT requests, data transfer in and data
transfer out, and prices can vary based on region.
How secure is my data in S3?
By default, only the bucket and object owners originally have access to Amazon S3 resources
they create. S3 provides access control mechanisms such as bucket policies and Access
Control Lists (ACLs) to selectively grant permissions to users and groups of users. You can
securely upload and download data to S3 via SSL endpoints using the HTTPS protocol. Server
Side Encryption (SSE) and SSE with customer provided keys (SSE-C) can be used to store
data at rest. You can also use your own encryption libraries to encrypt data before storing it in
S3.
How can I control access to my data stored in S3?
IAM policies, bucket policies, ACLs, and query string authentication. IAM policies can be
used to control access to S3 buckets or objects across an account. Bucket policies can define
rules for specific S3 buckets. ACLs can grant specific permissions to buckets and objects.
Query String Authentication allows customers to create a URL to an S3 bucket object that is
only valid for a limited time.
Does S3 support data access auditing?
Yes, customers can configure S3 buckets to create access log records for all requests made
against it.
What options do I have for encrypting data stored on S3?
SSE-S3, SSE-C, SSE-KMS, or a client library.
SSE-S3: integrated solution with S3 where AWS handles management of keys
SSE-C: AWS will perform encryption/decryption using customer provided keys
SSE-KMS: AWS KMS manages encryption keys
Client Library: data is encrypted prior to being placed in S3, customer handles all encryption
How does Amazon protect SSE encryption keys?
Every object is encrypted with a unique key. The object key itself is then encrypted by a
separate master key. A new master key is issued at least monthly. Encrypted data, encryption
keys and master keys are stored and secured on separate hosts for multiple layers of
protection.
What is an Amazon VPC endpoint for Amazon S3?
An Amazon VPC Endpoint for Amazon S3 is a logical entity within a VPC that allows
connectivity only to S3. The VPC Endpoint routes requests to S3 and routes responses back
to the VPC. A VPC endpoint enables you to create a private connection between your VPC
and S3 without requiring access over the Internet.
How durable is data in S3?
S3-Standard and S3-IA are designed to provide 99.999999999% durability of objects in a
given year. If you store 10,000 objects with S3 you can (on average) expect to lose 1 object
every 10,000,000 years. S3 is designed to sustain the concurrent loss of data in two facilities.
S3 best practices for backup include secure access permissions, cross-region replication,
versioning and a functioning, regularly tested backup.
What checksums does S3 employ to detect data corruption?
S3 uses a combination of Content-MD5 checksums and cyclic redundancy checks (CRCs) to
detect data corruption. S3 repairs any corruption using redundant data.
What is versioning in S3?
Versioning allows you to preserve, retrieve, and restore every version of every object stored
in an S3 bucket. Once you enable versioning for a bucket, S3 preserves existing objects
anytime you perform a PUT, POST, COPY, or DELETE operation on them. By default, GET
requests will retrieve the most recently written version. Older versions of an overwritten or
deleted object can be retrieved by specifying a version in the request.
Why should I use versioning in S3?
S3 provides customers with a highly durable storage infrastructure. Versioning offers an
additional level of protection by providing a means of recovery when customers accidentally
overwrite or delete objects. This allows you to easily recover from unintended user actions
and application failures. You can also use versioning for data retention and archiving.
How do I start using versioning?
Enable the versioning setting on your S3 bucket.
Does versioning protect me from accidental deletion of my objects?
When a user performs a DELETE operation on an object, subsequent simple (un-versioned)
requests will no longer retrieve the object. However, all versions of that object will continue
to be preserved in your Amazon S3 bucket and can be retrieved or restored. Only the owner
of an S3 bucket can permanently delete a version.
Can I setup a trash, recycle bin, or rollback window on my S3 objects to recover from deletes
and overwrites?
You can use lifecycle rules along with versioning to implement a rollback window for
objects. Ex: with a versioning-enabled bucket you can set up a rule that archives all of your
previous versions to the lower-cost Glacier storage class and deletes them after 100 days,
giving you a 100 day rollback window while lowering your storage costs.
Why would I choose to use Standard - IA?
Standard-IA is ideal for data that is accessed less frequently, but requires rapid access when
needed. Standard-IA is ideally suited for long-term file storage, older data from sync and
share, backup data, and disaster recovery files.
What performance does Standard-IA offer?
Same level of performance as Standard S3 with 99.9999999% durability but 99.9%
availability.
How do I get my data into Standard-IA?
There are two ways to get data into Standard-IA from within S3. You can directly PUT into
Standard-IA by specifying STANDARD_IA in the x-amz-storage-class header (of the HTTP
request). You can also set lifecycle policies to transition objects from Standard to Standard-
IA.
How will my latency and throughput performance be impacted as a result of using Standard-
IA?
You should expect the same latency and throughput performance as Amazon S3 Standard
when using Standard-IA
Is there a minimum duration for Standard-IA?
Standard-IA is designed for long-lived, but infrequently accessed data that is retained for
months or years. Data that is deleted from Standard-IA within 30 days will be charged for a
full 30 days.
Is there a minimum object size for Standard-IA?
Standard-IA has a minimum object size of 128KB. For objects smaller than 128KB, charges
will be incurred as if the object were 128KB.
How can I store my data using the Amazon Glacier option?
You can use lifecycle rules to automatically archive sets of data from S3 based on lifetime.
Data can be directly uploaded to Glacier using the Glacier REST API, AWS SDKs, or AWS
Import/Export.
Can I use Amazon Glacier APIs to access S3 objects that I've archived to Amazon Glacier?
Because Amazon S3 maintains the mapping between your user-defined object name and
Amazon Glacier's system-defined identifier, Amazon S3 objects that are stored using the
Amazon Glacier option are only accessible through the Amazon S3 APIs or the Amazon S3
management console.
How long will it take to retrieve my objects in Amazon Glacier?
When a retrieval job is requested, data is moved from Glacier to S3-RRS. Access time of
your request depends on the retrieval option you choose: Expedited (1-5min), Standard (3-
5hrs), and Bulk (5-12hrs)
How am I charged for Glacier?
Charged per GB stored and per lifecycle transition requests. Objects stored in Glacier have a
minimum of 90 days of storage, if an object is deleted before 90 days a pro-rated charge
equal to the storage charges is incurred
What are Amazon S3 event notifications?
Amazon S3 event notifications can be sent in response to actions in S3 like PUTs, POSTs,
COPYs, or DELETEs. Notification messages can be sent through either Amazon SNS, SQS,
or Lambda.
What can I do with Amazon S3 event notifications?
Amazon S3 event notifications enable you to run workflows, send alerts, or perform other
actions in response to changes in your objects stored in S3. You can use event notifications to
set up triggers to perform actions including transcoding media files when they are uploaded,
processing data files when they become available, and synchronizing Amazon S3 objects
with other data stores.
Can I host my static website on S3?
Yes, you can host your entire static website on S3 as an inexpensive, highly available hosting
solution that scales automatically to meet traffic demands.
What kinds of websites should I host using S3 static website hosting?
S3 is ideal for websites that contain only static content, including HTML files, images,
videos, and client-side scripts such as JavaScript. EC2 is recommended for websites with
server-side scripting and database interaction.
Can I use my own host name with my Amazon S3 hosted website?
Yes, you can map your domain name to your S3 bucket.
Does Amazon S3 support redirects?
Yes, S3 provides multiple ways to enable redirection of web content for your static websites.
You can set rules on your bucket to enable automatic redirection. You can also configure a
redirect on an individual S3 object.
What are S3 object tags?
S3 Object Tags are key-value pairs applied to S3 Objects which can be created, updated, or
deleted at any time during the lifetime of the object. With these, you'll have the ability to
create IAM policies, setup S3 lifecycle policies, and customize storage metrics. These object-
level tags can then manage transitions between storage classes and expire objects in the
background.
Why should I use Object Tags?
Object Tags allow you to control access to objects tagged with specific key-value pairs. They
can also be used to label objects that belong to a specific project or business unit, which could
be used in conjunction with lifecycle policies to manage transitions to the S3 Standard-IA and
Glacier storage tiers.
Will my Object Tags be replicated if I use Cross-Region Replication?
Object tags can be replicated across regions using Cross-Region Replication. If cross-region
replication is already enabled, new permissions are required in order for tags to replicate.
What is S3 Analytics - Storage Class Analysis?
Storage Class Analysis allows you to analyze storage access patterns and transition the right
data to the right storage class. This feature automatically identifies infrequent access patterns
to help you transition storage to Standard-IA. You can configure a storage class analytics
policy to monitor an entire bucket, a prefix, or object tag. Storage class analysis also provides
daily visualizations of your storage usage on the AWS Management Console that you can
export to a S3 bucket to analyze using business intelligence tools, such as Amazon
QuickSight.
What is S3 Inventory?
S3 Inventory provides a scheduled alternative to Amazon S3's synchronous List API. S3
Inventory provides a CSV flat-file output of your objects and their corresponding metadata
on a daily or weekly basis for an S3 bucket or a shared prefix.
How do I get started with S3 CloudWatch Metrics?
You can use the AWS Management Console to enable the generation of 1-minute CloudWatch
metrics for your S3 bucket or configure filters for the metrics using a prefix or object
tag. Alternately, you can call the S3 PUT Bucket Metrics API to enable and configure
publication of S3 storage metrics.
What alarms can I set on my storage metrics?
You can use CloudWatch to set thresholds on any of the storage metric counts, timers, or
rates and fire an action when the threshold is breached. For example, you can set a threshold
on the percentage of 4xx Error Responses.
What is Lifecycle Management?
S3 Lifecycle management provides the ability to define the lifecycle of your object with a
predefined policy and reduce your cost of storage. You can set lifecycle transition policy to
automatically migrate Amazon S3 objects to Standard-IA and/or Glacier based on the age of
the data. You can also set lifecycle expiration policies to automatically remove objects based
on the age of the object. You can set a policy for multipart upload expiration, which expires
incomplete multipart uploads based on the age of the upload.
Why would I use a lifecycle policy to expire incomplete multipart uploads?
The lifecycle policy that expires incomplete multipart uploads allows you to save on costs by
limiting the time non-completed multipart uploads are stored. For example, if your
application uploads several multipart object parts, but never commits them, you will still be
charged for that storage. This policy can lower your S3 storage bill by automatically
removing incomplete multipart uploads and the associated storage after a predefined number
of days.
What is Amazon S3 Cross-Region Replication (CRR)?
CRR is an Amazon S3 feature that automatically replicates data across AWS regions. With
CRR, every object uploaded to an S3 bucket is automatically replicated to a destination
bucket in a different AWS region that you choose. You can use CRR to provide lower-
latency data access in different geographic regions. CRR can also help if you have a
compliance requirement to store copies of data hundreds of miles apart.
How do I enable CRR?
CRR is a bucket-level configuration. You enable a CRR configuration on your source bucket
by specifying a destination bucket in a different region for replication. Versioning must be
turned on for both the source and destination buckets to enable CRR.
What does CRR replicate to the target bucket?
CRR replicates every object-level upload that you directly make to your source bucket. The
metadata and ACLs associated with the object are also part of the replication. Any change to
the underlying data, metadata, or ACLs on the object would trigger a new replication to the
destination bucket. You can either choose to replicate all objects uploaded to a source bucket
or just a subset of objects by specifying prefixes. Existing data in the bucket prior to CRR is
not replicated; you must use COPY to copy existing data to the destination bucket.
Can I use CRR with lifecycle rules?
Yes, you can configure separate lifecycle rules on the source and destination buckets.
What is transfer acceleration?
Amazon S3 transfer acceleration enables fast, easy, and secure transfers of files over long
distances between your client and your Amazon S3 bucket. Transfer Acceleration leverages
Amazon CloudFront's globally distributed AWS Edge Locations. As data arrives at an AWS
Edge Location, data is routed to your Amazon S3 bucket over an optimized network path.
Who should use transfer acceleration?
Transfer Acceleration is designed to optimize transfer speeds from across the world into S3
buckets. If you are uploading to a centralized bucket from geographically dispersed locations,
or if you regularly transfer GBs or TBs of data across the continents, you may save hours or
days of data transfer time.
How should I choose between Transfer Acceleration and Amazon CloudFront's PUT/POST?
Transfer Acceleration optimizes the TCP protocol and adds additional intelligence between
the client and the S3 bucket, making Transfer Acceleration a better choice if a higher
throughput is desired. If you have objects that are smaller than 1GB or if the data set is less
than 1GB in size, you should consider using Amazon CloudFront's PUT/POST commands for
optimal performance.
Can Transfer Acceleration complement 3rd party integrated software?
Yes. Software packages that connect directly into Amazon S3 can take advantage of Transfer
Acceleration when they send their jobs to Amazon S3.

Terms in this set (65)

S3
Simple Storage Service
What is S3?
Storage for the internet. Secure, durable, highly-scalable object storage. Can upload files, but
cannot install OS or software.
What can I do with S3?
Store and retrieve any amount of data, at any time, from anywhere on the web.
What size objects can be uploaded to S3?
1 byte - 5 TB. Largest object in a single PUT = 5GB.
What kind of data can be stored in S3?
Virtually any kind of data in any format.
How much storage is potentially available?
Unlimited (however much you can pay for)
How are files stored in S3?
In buckets (conceptually like folders)
True or False. Filenames in S3 do NOT have to be unique across regions.
False. S3 is a universal namespace, so names must be unique globally.
True or False. You can read immediately after adding a new object to S3.
True. Read after write consistency for PUTS of new Objects.
True or False. Updates and deletes in S3 will be visible immediately.
False. Eventual consistency for overwrite PUTS and DELETES (Updating or deleting objects
can take some time to propagate)
What are the S3 storage classes/tiers?
1. S3,
2. S3-IA,
3. S3-RRS,
4. Glacier
What is S3 standard tier?
For frequently accessed data. Low latency and high throughput. Availability = 99.99%.
Durability = 99.999999999% (11x9's). Use cases include cloud applications, dynamic
websites, content distribution, mobile and gaming applications, and big data analytics.
What is S3-IA tier?
S3 Standard - Infrequent Access. Availability = 99.99%. Durability = 99.999999999%
(11x9's). Data is accessed less frequently, but requires rapid access when needed. Low per
GB storage price and per GB retrieval fee. Ideal for long-term storage, backups, and as a data
store for disaster recovery.
True or False. Data deleted from S3-IA tier within 30 days will be charged for a full 30 days.
True.
What is Glacier tier?
Secure, durable, and extremely low-cost ($0.01/GB/mo) storage service for data archiving.
Optimized for data that is rarely accessed and a retrieval time of several hours is suitable.
Charged for amount of storage, # requests, data transfer pricing
What does it cost to recover from Glacier?
Archive and Restore requests are priced from $0.05 per 1,000 requests. For large restores,
there is also a restore fee starting at $0.01 per gigabyte. Objects are restored to RRS, so you
are charged for RRS and Glacier until restored object is moved.
True or False. Data deleted from Glacier w/in 90 days are charged a fee.
True. There is a pro-rated charge of $0.03 per GB.
How much data can be restored from Glacier for free?
You can restore up to 5% of the data stored in Glacier for free each month.
What is S3-RRS tier?
Reduced Redundancy Storage. Store non-critical, reproducible data (storing thumbnails,
transcoded media, etc.) at lower levels of redundancy than S3's standard storage. Availability
= 99.99%, Durability = 99.99%. Data is replicated fewer times, so the cost is less
What are the identifying parts of an S3 object?
1. Key - The name,
2. Value - The data,
3. Version ID,
4. Metadata (system and/or user-defined),
5. ACLs
True or False. Bucket names don't have to be globally unique.
False. They must be globally unique AND lower case letters.
True or False. Uploaded objects are private by default.
True.
How many buckets can each account have?
100 by default.
True or False. All objects in a bucket are replicated when replication is enabled.
False. Pre-existing objects are not replicated, but future uploads are replicated.
True or False. Versioning is not a requirement for cross-region replication.
False. Cross-region replication requires versioning.
True or False. Versioning can only be disabled, not turned off.
True. To stop versioning completely, you must delete and recreate the bucket.
True or False. You have to pay for each version of a file.
True. Each file has its own version ID, which means it's taking up space, which has to be paid
for.
True or False. Lifecycle rules do NOT require versioning.
True, but you CAN use Lifecycle rules with versioning.
True or False. You can use multi-factor authentication with versioning.
True. Multi-factor authentication is used to enforce second authentication so objects are less
likely to be deleted accidentally.
What are lifecycle rules?
Rules you can set up to automatically transition items from one type of storage to another.
What are the types of lifecycle rules?
1. Transition to Standard - Infrequent Access Storage,
2. Archive to Glacier storage,
3. Permanently delete
Explain the 'Transition to Standard - Infrequent Access Storage Class' rule.
Must wait a minimum of 30 days and a minimum 128 KB file size. Fee for retrieval, but almost
instantaneous.
Explain the 'Archive to Glacier storage class' rule.
Can do 1 day after uploading (30 days after infrequently accessed). Fee for retrieval, takes 3-
5 hrs for retrieval.
Explain the 'Permanently Delete' rule.
Can do 1 day after uploading. If versioning enabled, must expire, then permanently delete.
True or False. You can use lifecycle rules for versions of objects.
True.
What is a CDN?
Content Delivery Network. Network of distributed servers that deliver webpages and content
to users based on their geographic location (and other factors).
What is CloudFront used for?
Deliver your entire website, including dynamic, static, streaming, and interactive content
using a global network of edge locations.
How are requests handled with CloudFront?
Requests are automatically routed to the nearest edge location, so content is delivered with
the best possible performance.
True or False. CloudFront can only be used with other AWS services.
False. CloudFront works with non-AWS origin servers, but is optimized to work with other
AWS services like S3, EC2, Elastic Load Balancing, and Route 53.
In CloudFront, what is an origin location?
Location of original, uncached, files. S3 bucket, EC2 instance, Elastic Load Balancer,
Route53, or custom
In CloudFront, what is an edge location?
Location where content will be cached. Different from Regions and Availability Zones.
True or False. Edge locations are read-only.
False. Can send the PUT messages, which will be forwarded to the Origin.
How are objects removed from edge locations?
Objects are removed for free after the TTL expires, but you can manually clear objects for a
fee.
What is a Distribution?
A collection of Edge Servers.
What are the types of distributions?
Web distribution and RTMP
What is a Web Distribution?
A distribution specifically for websites and static files (html, css, xml, etc)
What is RTMP?
Adobe's Real-Time Message Protocol. For media streaming (flash, etc). Allows an end user
to begin playing a media file before the file has finished downloading
Why would you want to restrict user access to a distribution?
If users access your objects directly in S3, they bypass the controls provided by CloudFront
signed URLs or signed cookies.
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
True or False. When a bucket is created it is private by default.
True.
How can you control access to a bucket?
Using bucket policies and ACLs.
True or False. There is no way to track who accesses a bucket.
False. You can configure buckets to store logs w/in the bucket or in another bucket.
What are the 3 methods of encryption?
1. SSL/TLS (in transit),
2. Server Side Encryption (SSE),
3. Client Side Encryption (CSE)
What is SSE-S3?
Server Side Encryption that is fully Amazon managed. S3 encrypts each object with a unique
key and it encrypts the key itself with a master key that it regularly rotates. Uses 256-bit
Advanced Encryption Standard (AES-256).
What is SSE-KMS?
Server Side Encryption Key Management Services. Combines secure, highly available
hardware and software to provide a key management system scaled for the cloud. AWS KMS
uses customer master keys (CMKs) to encrypt your S3 objects. Provides audit trail.
What is SSE-C?
Server Side Encryption with customer provided keys. You manage the keys, AWS manages
encryption/decryption when you write or read.
What is Client Side Encryption?
Refers to encrypting data before sending it to S3. Two options for using data encryption keys:

1. Use an AWS KMS-managed customer master key
2. Use a client-side master key
What is a Storage Gateway?
Connects an on-premises software appliance with cloud-based storage
What AWS service is the target of a Storage Gateway?
Target is typically S3 or Glacier, but it also supports VMware ESXi or Microsoft
Hyper-V.
What are the 3 types of Storage Gateways?
1. Stored volumes,
2. Cached volumes,
3. Virtual Tape Library (VTL)
What is a Gateway Stored Volume?
Keep entire dataset on-site. Storage Gateway backs this up asynchronously to S3. Can
recover locally or from EC2.
What is a Gateway Cached Volume?
Entire data set stored in S3. Only most frequently accessed data is cached on-site. If you lose
internet connectivity, cannot access all of your data.
What is a Gateway Virtual Tape Library?
VTL. Limitless collection of virtual tapes. Backed by S3 (tape library) or Glacier (tape shelf).
Exposes iSCSI interface providing your backup application with on-line access to the virtual
tapes. Supported by NetBackup, Backup Exec, Veeam, etc.
What is an import/export disk?
Use any portable storage device to transport data to AWS. AWS staff imports the data to S3,
EBS, Glacier, etc., then sends the device back. Export from S3. This service is being replaced
by Snowball.
What is import/export Snowball?
Rent Amazon's portable storage device. Petabyte scale data transport solution.
50TB/snowball limit, tamper-resistant enclosure, 256-bit encryption. Import/Export to S3
only.
Where is my data stored?
You specify a region when you create your Amazon S3 bucket. Within that region, your
objects are redundantly stored on multiple devices across multiple facilities.

Terms in this set (46)

BitTorrent Protocol with S3
Any publicly available data in Amazon S3 can be downloaded via the BitTorrent
protocol, in addition to the default client/server delivery mechanism. Simply add the
?torrent parameter at the end of your GET request in the REST API.
Number of S3 buckets per AWS Account
100. To get more, you have to request AWS
S3 Data Consistency Model
Read-after-write consistency for PUTS of new objects and eventual consistency for
overwrite PUTS and DELETES.
S3 Objects Size Limit
Individual objects in S3 can range in size from 0 bytes to 5 TB. The largest object
that can be uploaded as a single PUT is 5GB
S3 Storage Classes
1. S3 - Standard
2. S3 - Infrequent Access
3. Reduced Redundancy Storage
Delete large number of objects in single request
Multi-Object Delete can be used to delete a large number of objects by passing
multiple object keys in a single request.
How is S3 data organized?
S3 is a simple key-based object store. When data is stored, a unique object key is
assigned which can be used to retrieve the data. Keys can be any string
Interfacing with S3
S3 provides a simple REST web services interface designed to work with any
internet-development toolkit
Where is data stored?
A region is specified when an S3 bucket is created. The objects are stored in
multiple devices in multiple facilities in that region.
Factors for deciding AWS Region for storing data in S3
1. Region near to customers/datacenters to reduce access latencies.
2. Region with low storage costs
Amazon S3 costs & pricing
- You are NOT charged for data transfer within an Amazon region via a COPY
request.

- You are NOT charged for data transfer between EC2 and S3 of same region

- You are CHARGED for data transfer between buckets of different regions via
COPY request.

- You are CHARGED for data transfer between EC2 and S3 belonging to different
regions
Default Access in S3
By default, only the bucket owners and objects owners have access to the S3
resources
Access Control Mechanism in S3
You can use Access Control Lists (ACLs) or Bucket Policies to grant permissions to
users/groups
Secure Upload/Download in S3
You can securely upload/download objects in S3 via SSL endpoints using HTTPS
Server-Side Encryption for additional security at rest
For additional security, you can use SSE (Server-Side Encryption) or SSE with
customer-provided keys (SSE-C) to encrypt data at rest.
Amazon S3 Access Control
Four mechanisms for controlling access:
1. IAM Policies: They can be used to grant IAM users fine-grained control to S3
bucket or objects
2. Bucket Policies: Defining rules which apply broadly across all requests to S3.
Access can be restricted to an aspect of the request, such as HTTP referrer and IP
address.
3. Access Control Lists: Can be used to grant specific permissions (READ, WRITE
etc) to specific users for an individual bucket or object.
4. Query String Authentication: Customers can create a URL to an S3 object which is
only valid for a limited time.
Does S3 support Data Access Auditing
Yes, S3 buckets can be configured to create access log records for all requests
made against it. These log records contain details about the request, such as
request type, resource specified in the request, date & time.
SSE Encryption Key Protection
With SSE, every protected object is encrypted with a unique key. This unique object
key is itself encrypted by a separate master key. A new master key is issued at least
monthly. Encrypted data, keys and master keys are stored and secured on separate
hosts for multiple layer of protection
VPC endpoint for S3
An Amazon VPC Endpoint for Amazon S3 is a logical entity within a VPC that allows
connectivity only to S3. The VPC Endpoint routes requests to S3 and routes
responses back to the VPC
Allowing ONLY specific VPC endpoints access to an S3 bucket
Access to a bucket can be limited to a specific VPC Endpoint or a set of endpoints
using S3 bucket policies. S3 bucket policies now support a condition,
aws:sourceVpce, that you can use to restrict access.
Checksums which S3 uses for checking Data Corruption
S3 uses a combination of Content-MD5 checksums and cyclic redundancy checks
(CRC) to detect data corruption. S3 performs these checksums on data at rest and
repairs the corruption using redundant data. It also calculates the checksum on all
network traffic to detect corruption of data packets when storing or retrieving data.
Advantages of Versioning in S3
When a user performs a DELETE operation on an object, subsequent simple (unversioned)
requests will no longer retrieve the object. However, all versions of the
object are retained in the S3 bucket. Only the owner of the S3 bucket can
permanently delete a version.
Setting up a rollback window, recycle bin on Amazon S3 to recover from deletes and
overwrites.
By using Versioning with Lifecycle rules, you can create rollback window
MFA for additional protection of versions of an S3 object
By enabling versioning with MFA Delete on an S3 bucket, two forms of authentication are
required to permanently delete a version of an object.
Minimum duration for S3-IA
Data deleted within 30 days will be charged for a full 30-day period
Minimum object size for S3-IA
Minimum object size is 128 KB. It means even a smaller object which is less than
128 KB will be charged as if the object was 128 KB.
Types of Data Retrieval for Glacier
There are three ways to retrieve data:
1. Expedited Retrieval (Most expensive) (Retrieval Time: 1-5 minutes)
2. Standard Retrieval (Retrieval Time: 3-5 hours)
3. Bulk Retrieval (Least expensive) (Retrieval Time: 5-12 hours)
Where does the archived object reside?
When an archived object is retrieved, it resides in both RRS and Glacier.
S3 Event Notifications
S3 event notifications can be sent in response to actions in S3 like PUT, POST,
COPY, DELETE. Notification can be sent through SNS, SQS or directly to Lambda.
Static website redirects in S3
S3 provides multiple ways to enable redirection of web content for static websites.
You can achieve this by setting rules on your bucket to enable automatic redirection.
You can also configure a redirect on an individual S3 object
Any additional charge for hosting static websites on S3?
No additional charge for hosting static websites on S3. Same charges of storage,
requests, and data transfer apply to your website objects.
Applying Object Tags to S3 Objects
You can add up to 10 object tags for an S3 object using either the Console, REST
API, CLI or the SDK.
Updating Object Tags on S3 Objects
Can be updated through Console, CLI, REST API or SDK. Other than the AWS
console, for all other mediums, you have to specify the full tag set while updating.
Replication of Object Tags in Cross-Region Replication
Object tags can be replicated using cross-region replication. If cross-region
replication is already enabled, new permissions are required in order for tags to
replicate.
S3 Storage Class Analytics
Storage Class Analytics can be used to analyze storage access patterns which can
then be used to transition data to appropriate storage class. You can setup a storage
class analysis policy to monitor an S3 bucket, prefix or object tag.
Configuring Storage Class Analysis Policy
Storage Class Analysis Policy can be configured either using Management Console
or through S3 PUT Bucket Analytics API
S3 Inventory
S3 Inventory is a scheduled alternative to synchronous LIST API call which simplifies
& speeds up business workflows and big data applications
Setup S3 Inventory
Using S3 PUT Bucket inventory API call, you can configure a daily or weekly
inventory for all objects in a bucket or shared prefix. You can specify a destination
S3 bucket for your inventory, the output file format (CSV), and specific object
metadata necessary for your business application, such as: object name, size, last
modified date, storage class, version id, delete marker, noncurrent version flag,
multipart upload flag, or replication status.
S3 Inventory Use-case
S3 inventory can be used as ready-made input to big data job or workflow
application instead of the synchronous S3 LIST API, saving the time and compute
resources it takes to call and process the LIST API response.
Setup CloudWatch metrics for S3
You can use console or S3 PUT Bucket Metrics API to enable or configure filters for
metrics. Metrics are available 15 minutes after enabling.
Enabling CRR (Cross-Region Replication)
CRR is configured at bucket level. You must first turn on Versioning on both source
and destination buckets.
CRR Replications to Target bucket
CRR will also replicate the metadata and ACLs of the objects in the source bucket, and
changes to metadata and ACLs will also be replicated to the target bucket. CRR will not
replicate objects that already exist in the source bucket when it is enabled.
CRR with Life Cycle rules
You can setup SEPARATE Lifecycle rules for both source and target buckets.
Does transfer acceleration support multipart uploads?
Yes. It supports multipart uploads
Is Transfer Acceleration HIPAA compliant?
Yes
Minimum Duration for Glacier
Objects that are archived to Glacier have a minimum of 90 days of storage, and
objects deleted before 90 days will be charged for a full 90-day period

Terms in this set (10)

Know what Amazon S3 is and what it is commonly used for
Amazon S3 is secure, durable, and highly scalable cloud storage that can be used to store an
unlimited amount of data in almost any format using a simple web services interface.
Common use cases include backup and archive, content storage and distribution, big data
analytics, static website hosting, cloud-native application hosting, and disaster recovery.
Understand how object storage differs from block and file storage
Amazon S3 cloud object storage manages data at the application level as objects using a
REST API built on HTTP. Block storage manages data at the operating system level as
numbered addressable blocks using protocols such as SCSI or Fibre Channel. File storage
manages data as shared files at the operating system level using a protocol such as CIFS or
NFS.
Understand the basics of Amazon S3.
Amazon S3 stores data in objects that contain data and metadata. Objects are identified by a
user-defined key and are stored in a simple flat folder called a bucket. Interfaces include a
native REST interface, SDKs for many languages, an AWS CLI, and the AWS Management
Console.
Understand the durability, availability, and data consistency model of Amazon S3.
Amazon S3 standard storage is designed for 11 nines durability and four nines availability of
objects over a year. Other storage classes differ. Amazon S3 is eventually consistent, but
offers read-after-write consistency for PUTs to new objects.
Know how to enable static website hosting on Amazon S3.
To create a static website on Amazon S3, you must create a bucket with the website
hostname, upload your static content and make it public, enable static website hosting on the
bucket, and indicate the index and error page objects.
Know how to protect your data on Amazon S3.
Encrypt data in flight using HTTPS and at rest using SSE or client-side encryption. Enable
versioning to keep multiple versions of an object in a bucket. Enable MFA Delete to protect
against accidental deletion. Use ACLs, Amazon S3 bucket policies, and AWS IAM policies
for access control. Use pre-signed URLs for time-limited download access. Use cross-region
replication to automatically replicate data to another region.
Know the use case for each of the Amazon S3 storage classes
Standard is for general purpose data that needs high durability, high performance, and low
latency access. Standard-IA is for data that is less frequently accessed, but that needs the
same performance and availability when accessed. RRS offers lower durability at lower cost
for easily replicated data. Amazon Glacier is for storing rarely accessed archival data at
lowest cost, when three- to five-hour retrieval time is acceptable.
Know how to use lifecycle configuration rules
Lifecycle rules can be configured in the AWS Management Console or the APIs. Lifecycle
configuration rules define actions to transition objects from one storage class to another based
on time.
Know how to use Amazon S3 event notifications
Event notifications are set at the bucket level and can trigger a message in Amazon SNS or
Amazon SQS or an action in AWS Lambda in response to an upload or a delete of an object.
Know the basics of amazon glacier as a standalone service
Data is stored in encrypted archives that can be as large as 40TB. Archives typically contain
TAR or ZIP files. Vaults are containers for archives, and vaults can be locked for compliance.

Terms in this set (45)

What's the min. and max. size of a file in S3?
0/5 TB
What is the structure (format) of the address created when you create an S3 bucket?
https://s3-<Region>.amazonaws.com/<bucket name>

or
https://<bucket name>.s3-<Region>.amazonaws.com/

Example:
https://s3-us-west-2.amazonaws.com/seramrincodi1
What is the structure (format) of the address of the static website in an S3 bucket?
http://<bucket name>.s3-website-<Region>.amazonaws.com
Example:
mys3website-mrincodi.s3-website-us-west-2.amazonaws.com

Don't forget to give permission to Everyone to view/download.
What is the data consistency model for S3?
- Read after Write consistency for PUTS of new objects.
- Eventual consistency for overwrite PUTS and DELETES (can take some time to
propagate).
What do objects in S3 consist of? What are the core fundamentals of S3?
- Key (name)
- Value (content/file itself)
- Version ID
- Metadata
- Subresources:
- ACL
- Torrent
What is the availability percentage of the S3 platform?
99.9%
What is the durability percentage of the S3 platform?
99.999999999 % (eleven 9's).
What are the storage tiers/classes in S3?
- S3 Standard, 99.9% availability and 11-9's durability.
- S3 IA (Infrequent Access): For data accessed less frequently, yet requiring rapid
access. Lower fee than S3, but retrieval fee needed.
- S3 RRS - Reduced Redundancy Storage: Cheaper than S3. 99.9% durability.
Usually for data that can be regenerated (for ex. thumbnails)
- Glacier: Very cheap, but for archival only. It takes 3-5 hours to retrieve from it.

https://goo.gl/B1PYiV
https://goo.gl/hJRK7S
What are you charged for when using S3?
Storage, requests, Storage Management (tags), data transfer and transfer
acceleration.

Regarding data transfer: Putting data inside S3 is free, but moving data inside S3
(like when you do replication from one region to another) is charged.

(from https://goo.gl/a7MaoD):
Amazon S3 offers three pricing options. Storage (per GB per month), data transfer in
or out (per GB per month), and requests (per x thousand requests per month).
Can you remove versioning after you have activated it to a bucket?
No, but you can suspend it (disable it).
Do I need to give permissions again to a file if I re-upload it?
Only if versioning is active for the bucket where the file is put.
In lifecycle management, what are the storage classes involved?
S3, Infrequent Access, Glacier and Deletion.
Can I give lifecycle management to a specific file?
No. You can give it to the whole bucket or to subfolders of it.
In lifecycle management, what's the minimum amount of days that an object can be
in S3 before being moved to infrequent access, and what is the minimum size for
moving it?
A minimum of 30 days is required before transitioning to the Standard - Infrequent
Access Storage Class

Lifecycle policy will not transition objects that are less than 128KB to the Standard -
Infrequent Access Storage Class.
In lifecycle management, what's the minimum amount of days that an object can be
in S3 - Infrequent Access Storage Class before transitioning to the Glacier Storage
Class?
30 days.
In lifecycle management, what's the minimum amount of days that an object can be
in S3 before being moved to Glacier?
If it has not been in Standard - Infrequent Access, any amount of days is OK.

If it has been in Standard - Infrequent Access: an object must remain in the
Standard - Infrequent Access Storage Class for a minimum of 30 days before
transitioning to the Glacier Storage Class, so 30 days in S3 + 30 days in Infrequent
Access = 60 days.
In lifecycle management, what's the minimum amount of days that an object can be
in S3 before being automatically deleted?
Any amount, as long as it is more than the amount of days it will stay in Glacier (if
active) and/or Standard - Infrequent Access Storage (if active).
What's an Edge Location?
The end points for CloudFront, the CDN of AWS. This is where the content will be
cached.
What kind of AWS resources can be Origin Servers for CloudFront?
The origin of all the file can be:
S3 Bucket, EC2 instance, ELB or Route53.

You can also have your custom origin server outside of AWS
What is a distribution in CloudFront?
A set of Edge Locations. You create a distribution to use CloudFront.
What types of distributions can be created in CloudFront?
Web distributions for HTTP/HTTPS and RTMP Distributions for RTMP (media
streaming) and its variants.
Are edge locations read-only?
No, you can write to them.
For how long are objects cached in an Edge Location?
For the TTL of the objects there.
What's the default TTL of an object in an edge location in CloudFront?
24 hours.
Can I clear cached objects in my edge locations?
Yes, but you will be charged.
What is Transfer Acceleration?
A technology that lets users upload or download files in S3 buckets by using CloudFront
edge locations. It gives you a new URL location (endpoint).
Can I use transfer acceleration for a subfolder only?
No. You can use it for the whole bucket only.
What is the URL format of a bucket using transfer acceleration?
<bucket name>.s3-accelerate.amazonaws.com

It will redirect to:

https://<bucket name>.s3-<region>.amazonaws.com
What is the format of the URL given by using Transfer Acceleration in an S3 bucket?
<Bucket name>.s3-accelerate.amazonaws.com

Example:
my-seoul-cloudfront-dist.s3-accelerate.amazonaws.com
What does CORS mean?
Cross-Origin Resource Sharing
What is CORS for?
Using CORS (Cross-Origin Resource Sharing) you can selectively allow web
applications running on other domains to access content in your Amazon S3 bucket.
Where do I change the CORS configuration for an S3 bucket?
In Properties -> Permissions -> Edit CORS configuration. Enter the URL of the
website that can access the S3 resources, inside the AllowedOrigin XML tags.

Example:
<AllowedOrigin>http://myindexwebsitemrincodi.s3-website-us-west-2.amazonaws.com</AllowedOrigin>
How do I upload another page from a different S3 resource, in HTML? (Ignore)
<script>
$("#get-html-from-other-s3").load("http://mycorstestbucketmrincodi.s3-website-us-west-2.amazonaws.com/loadpage.html")
</script>
What does Cross-Region Replication do?
It replicates every future upload of every object to another bucket in another region.
What does Cross-Region Replication need in order to be available?
That versioning is active in both the source and the destination buckets.
How can you setup access control to your buckets?
By using bucket policies (bucket level) or Access Control Lists (object level).
What are the types of encryption available in S3?
In transit: SSL/TLS

At rest:
- Server side encryption.
- S3 managed keys (SSE-S3)
- AWS Key-management service (SSE-KMS)
- Server-side encryption with customer-provided keys (SSE-C)
- Client-side encryption.
Types of storage gateway? (Ignore)
Should not be in the exam, but see slideshow 37 (S3 tips), after the 13th minute.
Types of snowball (Ignore)?
Should not be in the exam, but see slideshow 37 (S3 tips), after the 14:30 mark.
What is multipart upload for S3?
Multipart upload allows you to upload a single object as a set of parts. It makes
uploading to S3 much faster.
If you encrypt a bucket on S3 what encryption does AWS use?
Advanced Encryption Standard (AES) 256
What is the largest size file you can transfer to S3 using a PUT operation?
5 GB. After that you must use a multipart upload.
What can I do If I want to enable a user to download my private data directly from
S3?
If you want to enable a user to download your private data directly from S3, you can
insert a pre-signed URL into a web page before giving it to your user. (? See Exam
4: S3 quiz).
AWS command to create a new S3 bucket.
aws s3 mb s3://newbucket
What is another name for AWS Snowball?
AWS Import/export

Terms in this set (101)

What does S3 mean?
Simple Storage Service
What is object based storage?
Flat files like photos/videos/images. Excludes items involving running an OS or
database. [Block based storage]
What's the range for the size of a file that can be stored on S3?
0 bytes to 5TB
T/F - S3 storage is unlimited
True
What does it mean when S3 is labeled as a universal namespace?
Bucket names must be unique globally
What is the URL format for an S3 bucket?
https://s3-[region].amazonaws.com/[bucketname]
When a file is uploaded to S3 successfully, what HTTP code will be returned?
200
What is Read after Write consistency? And what does it apply to on S3?
Being able to immediately read an object, without having to worry about propagation
time. This applies to PUTS of new objects, so whenever a new object is uploaded to
S3, it is instantly readable to users
What is Eventual Consistency? What does it apply to on S3?
Requires time for changes to propagate for objects. This applies to overwrite PUTS
and DELETES, meaning if you overwrite or delete an object on S3, it takes time for it to
finally change/disappear.
S3 Object consist of what?
Key - Name of the object
Value - Data which is made up of a sequence of bytes.
Version ID - Versioning
Metadata - Data about data stored
Subresources - Access Control List / Torrent
11x9?
99.999999999% durability for S3 info
Storage Tiers Types?
S3
S3
99.99% availability, 99.999999999% durability. Stored redundantly across multiple
devices in multiple facilities to sustain loss
S3 - IA
Infrequently Accessed - For data that doesn't need to be accessed as frequently, but
requires rapid access when needed. Lower fee than S3, but retrieval fee charged
S3 One Zone - IA
Similar to IA except it's only stored on one zone, hence, providing an even cheaper
cost.
RRS (No longer relevant to AWS?)
Reduced Redundancy Storage - Provide 99.99 durability and 99.99 availability over
a year.
Glacier
Very cheap, takes 3-5 hours to restore. Archival purposes. Standard retrieval time
takes 3-5 hours. Expedited
Durability difference between S3/IA/OZIA/Glacier
All 99.999999999%
Availability difference between S3/IA/OZIA/Glacier
99.99%/99.9%/99.5%/NA
Retrieval fee differences between Standard/IA/OZIA/Glacier?
Only standard is free. All others are charged by the GB.
What are you charged for using Standard S3?
-Storage by the GB
-Number of Requests
-Storage Management Pricing (Tagging/Metadata)
-Data Transfer Pricing (Cross-region replication)
-Transfer Acceleration
GRATT
Concurrent Facility Fault Tolerance difference between S3/IA/RRS/Glacier
2/2/1/NA
Which types of storage tiers support HTTPS?
All
Which types of storage tier support lifecycle management polices?
All
Minimum Storage Size difference between S3/IA/Glacier
NA/128KB/NA
Minimum Storage Duration difference between S3/IA/Glacier
NA/30 Days/90 Days
Retrieval Fee difference between S3/IA/Glacier
NA/per GB/per GB
What are you generally charged for?
Storage/Requests/Storage Management Pricing/Data Transfer Pricing/Transfer
Acceleration
What other service assists with S3 Transfer Acceleration?
Cloudfront
What is Cross Region Replication?
Copy files to other regions. Syncs
What setting must be enabled on the bucket in order to begin using Cross Region
Replication?
Versioning
If you have just finished setting up Cross Region Replication on a bucket, and do not
add any new files, will the cross region replication take place
No, it only replicates based off of new files it detects in the bucket
Types of Server Side Encryption
Amazon S3 Managed Keys (SSE-S3)
KMS (SSE-KMS)
Customer Provided Keys (SSE-C)
Can MFA be implemented for object deletion on S3?
Yes
Once you set up a bucket for cross-replication to another region, how do you initiate
the cross-replication?
AWS CLI
aws s3 cp --recursive s3://sourcebucket s3://destinationbucket

You can also modify/add a file to the bucket, which will begin the process. This does
not work when it comes to deleting, for security purposes as you wouldn't want
someone who has access to the other bucket to be able to be deleting objects off of
your bucket.
What are delete markers in S3 Versioning?
When deleting a file, the file isn't truly deleted; it's just marked as deleted but can still be
recovered via versioning. If you delete the delete marker, you undo the deletion, but
if you delete all versions of the file, you will completely delete the file.
AWS CLI
AWS Command Line Interface
What does AWS CLI require in order for you to start using it?
AWS Access and Secret Access Key
Does Lifecycle Management require versioning to function?
No it's optional
What are the minimum life-cycle transition rules for IA, OZIA, and Glacier?
IA - At least 30 days after creation
OZIA - At least 30 days after creation or last transition
Glacier - At least 30 days after last transition, or 1 day after creation
Expiration time for a current version of a file is:
the summation of all transition times +1.
CDN
Content Delivery Network
Edge Location
Location where content is cached, separate to AWS region/AZ
Origin
Origin of all files
Distribution
Name given to CDN which consists of collection of edge locations
Once you setup a brand new Cloudfront property for a brand new site, will
performance be improved for all users?
Everyone except the 1 first that hits the site first, because initially the edge servers
will not contain any cached content.
Web Distribution vs RTMP
Web Distribution is for websites while RTMP is for media streaming
T/F - Edge locations can be written to
True, Edge locations can be read/written from. If written to, then the file will be
replicated back to origin
TTL
Time to live
Origin Access Identity
Creates a new user that can access the bucket directly. Should be used if you
decide to restrict access to bucket so users can't bypass cloudfront and hit bucket
directly
Why is manual cache clearing not always advised?
You get charged for it
Is it possible to restrict who sees your side via cloudfront? Via countries
Yes to both - pre-signed cookies/Geo restrictions
What is invalidation in Cloudfront?
Clearing cache on edge server
T/F - By default, all newly created buckets are private
True
Bucket Polices
Applies to bucket entirely
Access Control Lists
More specific control rules within the bucket
What are 2 ways you can secure your S3 bucket?
Bucket policies and ACL
T/F - S3 Buckets supports logging
True
4 Methods of Encryption for S3
- In Transit
- At Rest
Encryption In Transit
SSL/TLS - TLS is the replacement to SSL
Storage Gateway
Connects an on-premises DC to replicate to S3 or Glacier. Download software as a VM
image.
Encryption At Rest
Server Side Encryption - S3
- Managed Keys (SSE-S3) [Each object encrypted with unique key. Encrypts key w/
master key, master key commonly rotated. AES 256 bit encryption]
- AWS Key Management Service (Managed Keys - SSE-KMS) [Similar to SSE-S3.
Uses envelope key which protects data encryption key from unauthorized access.
Provides audit trail of when key was used and by whom. Can create/manage key.
Cheaper than SSE-S3.]
- Server Side Encryption w/ Customer Provided Keys (SSE-C). User manages
encryption keys. AWS manages encryption; encrypts as it writes to disk, and
decrypts as it reads.

Client Side Encryption
- Encrypt data on client side and then upload to S3
What types of Storage Gateways are there?
File Gateway (NFS) - Flat files in S3
Volumes Gateways (iSCSI) - Block-based storage for DB/OS [Stored vs Cached
Volumes]
Tape Gateway (VTL) - Create virtual tapes. backup/archiving service
File Gateway
Storage in S3 buckets and accessed through NFS mount point. Flat files, stored
directly on S3
Volume Gateway - Stored Volumes
iSCSI Block protocol. Virtual hard disk. Create complete back-up copy. Copy
incrementally uploaded to S3 as snapshot of volumes/EBS snapshots
Volume Gateway - Cached Volumes
S3 acts as main primary data storage while data that's frequently accessed is still on-
prem, reducing the amount of scaling needed on on-prem infrastructure. 1GB - 32TB
for Cached Volumes
Volume Gateway - Tape Gateway
Used for backup and common backup apps like NetBackup, Backup Exec, Veeam.
Virtual tape stored in S3.
What are the 3 types of Snowball?
Snowball
Snowball Edge
Snowmobile
Snowball
Transfer large amounts of data out of on-prem to AWS. Once data transfer job is
complete/verified, AWS performs software erasure. Can import to S3, as well as
export from S3.
Snowball Edge
Takes into consideration the existing application setup configuration to minimize
setup once moved to AWS. Able to run Lambda
Snowmobile
Huge data transfer via semi-trailer truck
What is Import Export?
It is the service that preceded Snowball, before things became unmanageable.
Send in your own disks to AWS
What service does Snowball import and export to?
S3
You have been asked by your company to create an S3 bucket with the name
"acloudguru1234" in the EU West region. What would be the URL for this bucket?

https://s3-acloudguru1234.amazonaws.com/

https://s3.acloudguru1234.amazonaws.com/eu-west-1

https://s3-eu-west-1.amazonaws.com/acloudguru1234

https://s3-us-east-1.amazonaws.com/acloudguru1234
3
The difference between S3 and EBS is that EBS is object based whereas S3 is
block based.

true

false
False
What does S3 stand for?

Simplified Serial Sequence

Simple SQL Service

Straight Storage Service

Simple Storage Service


4
What does RRS stand for when talking about S3?

Redundancy Reduced System

Reduced Redundancy Storage

Relational Reaction Storage

Regional Rights Storage


2
What is Amazon Glacier?

An AWS service designed for long term data archival.

A tool that allows to "freeze" an EBS volume.

It is a tool used to resurrect deleted EC2 snapshots.

A highly secure firewall designed to keep everything out.


1
What is the minimum file size that I can store on S3?

1KB

1MB

0 bytes

1 byte
3
S3 has eventual consistency for which HTTP Methods?

PUTS of new Objects and DELETES

UPDATES and DELETES

overwrite PUTS and DELETES

PUTS of new objects and UPDATES


3
You work for a health insurance company that amasses a large number of patients'
health records. Each record will be used once when assessing a customer, and will
then need to be securely stored for a period of 7 years. In some rare cases, you may
need to retrieve this data within 24 hours of a claim being lodged. Given these
requirements, which type of AWS storage would deliver the least expensive
solution?

S3 - RRS

Glacier

S3

S3 - IA
2
One of your users is trying to upload a 7.5GB file to S3. However, they keep getting
the following error message: "Your proposed upload exceeds the maximum allowed
object size.". What solution to this problem does AWS recommend?

Log in to the S3 console, click on the bucket and then click properties. You can then
increase your maximum object size to 1TB.

Design your application to use the Multipart Upload API for all objects.

Design your application to use large object upload API for this object.

Raise a ticket with AWS to increase your maximum object size.


2
How many S3 buckets can I have per account by default?

10

20

100

50
3
What is the availability on S3 Standard?

100%

99.99%

99.90%

99%
2
You work for a busy digital marketing company who currently store their data on
premise. They are looking to migrate to AWS S3 and to store their data in buckets.
Each bucket will be named after their individual customers, followed by a random
series of letters and numbers. Once written to S3 the data is rarely changed, as it
has already been sent to the end customer for them to use as they see fit. However
on some occasions, customers may need certain files updated quickly, and this may
be for work that has been done months or even years ago. You would need to be
able to access this data immediately to make changes in that case, but you must
also keep your storage costs extremely low. The data is not easily reproducible if
lost. Which S3 storage class should you choose to minimise costs and to maximize
retrieval times?

S3 - IA

Glacier

S3 - RRS

S3
1
You work for a major news network in Europe. They have just released a new mobile
app that allows users to post their photos of newsworthy events in real time. Your
organization expects this app to grow very quickly, essentially doubling its user base
each month. The app uses S3 to store the images, and you are expecting sudden
and sizable increases in traffic to S3 when a major news event takes place (as users
will be uploading large amounts of content.) You need to keep your storage costs to
a minimum, and it does not matter if some objects are lost. With these factors in
mind, which storage media should you use to keep costs as low as possible?

S3 - Infrequently Accessed Storage

Glacier

S3 - Provisioned IOPS

S3 - Reduced Redundancy Storage (RRS)


4
What is the availability on RRS?

100%

99.99%

99.90%

99%
2
What is AWS Storage Gateway?

It allows a direct MPLS connection in to AWS.

None of the above.

It's an on-premise virtual appliance that can be used to cache S3 locally at a
customer's site.

It allows large scale import/exports in to the AWS cloud without the use of an internet
connection.
3
You run a meme creation website that stores the original images in S3 and each
meme's meta data in DynamoDB. You need to decide upon a low-cost storage
option for the memes, themselves. If a meme object is lost, a Lambda function will
automatically recreate it using the original file from S3 and the metadata from
DynamoDB. Which storage solution should you use to store the non-critical, easily
reproducible memes in the most cost effective way?

S3

S3 - RRS

S3 - 1Zone-IA

Glacier

S3 - IA
3
You need to use an object based storage solution to store your critical, non-
replaceable data in a cost effective way. This data will be frequently updated and will
need some form of version control enabled on it. Which S3 storage solution should
you use?

S3

Glacier

S3 - RRS

S3 - IA
1
S3 has what consistency model for PUTS of new objects

Write After Read Consistency


Usual Consistency

Eventual Consistency

Read After Write Consistency


4
You run a popular photo sharing website that depends on S3 to store content. Paid
advertising is your primary source of revenue. However, you have discovered that
other websites are linking directly to the images in your buckets, not to the HTML
pages that serve the content. This means that people are not seeing the paid
advertising, and you are paying AWS unnecessarily to serve content directly from
S3. How might you resolve this issue?

Use EBS rather than S3 to store the content.

Use security groups to blacklist the IP addresses of the sites that link directly to your
S3 bucket.

Use CloudFront to serve the static content.

Remove the ability for images to be served publicly to the site and then use signed
URLs with expiry dates.
4
What is the durability on RRS?

100%

99.99%

99.90%

99%
2
You are a solutions architect who works with a large digital media company. The
company has decided that they want to operate within the Japanese region and they
need a bucket called "testbucket" set up immediately to test their web application on.
You log in to the AWS console and try to create this bucket in the Japanese region
however you are told that the bucket name is already taken. What should you do to
resolve this?

Raise a ticket with AWS and ask them to release the name "testbucket" to you.

Change your region to Korea and then create the bucket "testbucket".

Bucket names are global, not regional. This is a popular bucket name and is already
taken. You should choose another bucket name.

Run a WHOIS request on the bucket name and get the registered owner's email
address. Contact the owner and ask if you can purchase the rights to the bucket.
3
Which of the following options allows users to have secure access to private files
located in S3? (Choose 3)

CloudFront Origin Access Identity

Public S3 buckets

CloudFront Signed Cookies

CloudFront Signed URLs


1, 3, 4
You have been asked to advise on a scaling concern. The client has an elegant
solution that works well. As the information base grows they use CloudFormation to
spin up another stack made up of an S3 bucket and supporting compute instances.
The trigger for creating a new stack is when the PUT rate approaches 100 PUTs per
second. The problem is that as the business grows the number of buckets is growing
into the hundreds and will soon be in the thousands. You have been asked what can
be done to reduce the number of buckets without changing the basic architecture.

Refine the key hashing to randomise the name Key to achieve the potential of 300
PUTs per second.

Upgrade all buckets to S3 provisioned IOPS to achieve better performance.

Change the trigger level to around 3000 as S3 can now accommodate much higher
PUT and GET levels.

Set up multiple accounts so that the per account hard limit on S3 buckets is avoided.
3
Regional Edge Cache
Used by CloudFront to offload your origin by caching content that has been evicted
from an edge location. Content is evicted when users are no longer really accessing
it. If users begin accessing the content again, instead of having the edge
server reach the origin again, it can retrieve it from the regional cache for quicker
response times.
S3 Object Lock
Write once, read many [WORM]. Can set a certain amount of time, or indefinitely, for
a file to not be deletable.
CloudFront's TTL for a certain object is set to 0 seconds; however, when the user
requests the object, it turns out the TTL is actually a day. Why?
CloudFront's TTL rule is overridden if the object has a Cache-Control header
OAI
Origin Access Identity. Used on bucket policy.
Signed URL/Cookie
Specify expiration, IP, and trust signers (CloudFront Key Pairs)

Terms in this set (105)

What is Amazon S3?
Amazon Simple Storage Service is a web service that you can use to store and
retrieve any amount of data, at any time, from anywhere in the world.
What is a Bucket?
A bucket is a container for objects stored in S3. Every object is contained in a
bucket.
How is the object named photos/puppy.jpg stored in the johnsmith bucket
addressed?
The object is addressable using the URL
http://johnsmith.s3.amazonaws.com/photos/puppy.jpg
What is an Object?
Objects are the fundamental entities stored in S3. Objects consist of object data and
metadata.
Which portion of an object is opaque to S3?
The data portion is opaque to S3.
What is Metadata?
The Metadata is a set of name-value pairs that describe the object. These include
some default metadata such as the date last modified.
What is a key?
A key is a unique identifier for an object within a bucket.
How many keys does every object in a bucket have?
Every object in a bucket has exactly one key.
What combination identifies every object in an Amazon S3 bucket?
The combination of bucket + key + version (optional) and the object itself identify an
object in an S3 bucket.
Every object in an S3 bucket can be uniquely addressed. How is an object
addressed?
Every object in an S3 bucket can be uniquely addressed through the combination of
the web service endpoint, bucket name, key and optionally a version. For example,
in the URL http://doc.s3.amazonaws.com/2006-03-01/AmazonS3.wsdl, "doc" is the
name of the bucket and "2006-03-01/AmazonS3.wsdl" is the key.
In the URL http://doc.s3.amazonaws.com/2006-03-01/AmazonS3.wsdl, can you
state which is the name of the bucket, and which is the key?
"doc" is the name of the bucket and "2006-03-01/AmazonS3.wsdl" is the key.
You can choose the geographical region where Amazon S3 will store the buckets
you create. What should you base your decision on which region to select on?
You choose a region to either optimise latency, minimise costs, or address
regulatory requirements.
What does Amazon S3 provide in terms of data consistency for PUTS of new objects
in your Amazon S3 bucket?
Amazon S3 provides read-after-write consistency for PUTS of new objects in your
S3 bucket in all regions.
What are the three storage classes designed for different use cases?
Amazon S3 STANDARD and Amazon S3 STANDARD_IA and GLACIER.
What type of data access use cases is suitable for the STANDARD storage class?
The STANDARD storage class is suitable for general purpose storage and frequently
accessed data.
What type of data access use cases is suitable for the STANDARD_IA storage
class?
The STANDARD_IA class is suitable for long-lived, but less frequently accessed
data.
What type of data access use cases is suitable for the GLACIER Storage class?
The GLACIER storage class is suitable for long-term archived data.
What does a bucket policy provide?
A bucket policy provides centralised access control to buckets and objects.
From a permissions perspective, what is the difference between a bucket policy and
an Access Control List?
A bucket policy can either add or deny permissions across all or a subset of objects
within a bucket. Access Control Lists can only grant permission on individual objects
in a bucket.
Every interaction with S3 is either......
Authenticated or anonymous.
What must authenticated requests to S3 include?
Authenticated requests to S3 must include a signature value that authenticates the
request sender.
Every interaction with Amazon S3 is either authenticated or anonymous.
Authenticated requests must include a signature value that authenticates the request
sender. Where is the signature value generated from?
The signature value is generated from the requester's AWS keys (access key ID and
secret access key).
You're attempting to create a bucket named "Bucket" but keep receiving an error.
What is the problem?
Amazon S3 bucket names are globally unique regardless of the AWS region in which
you create the bucket.
By default, how many buckets can you create in each AWS account?
By default, you can create up to 100 buckets in each AWS account. If you need
additional buckets, you can increase your bucket limit by submitting a service limit
increase.
You would like to access your bucket programmatically. What are the two URL styles
that S3 supports?
Amazon S3 supports both virtual-hosted-style and path-style URLs to access a
bucket.
Can you explain what a virtual-hosted-style URL is, what it looks like and when to
use it?
In a virtual-hosted-style URL, the bucket name is part of the domain name in the
URL. For example, "http://bucket.s3.amazonaws.com". With virtual-hosted-style
URLs, DNS has sufficient information to route your request directly to the Region
where your bucket exists.
Can you explain what a Path-style URL is, what it looks like and when to use it?
In a path-style URL, you use the region-specific endpoint when attempting to access
a bucket. For example, if you have a bucket called mybucket that resides in the EU
(Ireland) region, you want to use path-style syntax, and the object is named
puppy.jpg, the correct URI is http://s3-eu-west-1.amazonaws.com/mybucket/puppy.jpg.
Who owns a bucket?
A bucket is owned by the AWS account that created it.
What two naming rules must you comply with when naming your bucket?
The bucket name must be unique across all existing bucket names in S3. It is also
recommended that all bucket names comply with DNS naming conventions.
You can set default encryption on a bucket so that all objects are encrypted when
they are stored in the bucket. What should you enable?
You should enable default encryption for S3 buckets.
What are objects encrypted with in an S3 bucket?
The objects are encrypted using server-side encryption with either Amazon S3
managed keys (SSE-S3) or AWS KMS managed keys (SSE-KMS)
When you use server-side encryption, how does Amazon S3 encrypt your objects?
When you are using server-side encryption, S3 encrypts an object before saving it to
disk in its data centres and decrypts it when you download the objects.
You would like to host static websites in Amazon S3. What must you do?
You must configure your bucket for website hosting.
What is Amazon S3 Transfer Acceleration?
S3 Transfer acceleration enables fast, easy and secure transfers of files over long
distances between your client and S3 bucket.
What does Amazon S3 Transfer Acceleration take advantage of? How does it work?
S3 transfer acceleration takes advantage of Amazon CloudFront's globally
distributed locations. As the data arrives at an edge location, data is routed to S3
over an optimised network path.
In general, who pays for all Amazon S3 storage and data transfer costs associated
with their bucket?
In general, bucket owners pay for all Amazon S3 storage and data transfer costs
associated with their bucket.
You would like to ensure that the requester instead of the bucket owner pays the
cost of the request and the data download from the bucket. What should you do?
You should configure a bucket to be a Requester Pays bucket.
If you enable Requester Pays on a bucket, what type of access is not allowed?
If you enable Requester Pays on a bucket, anonymous access to that bucket is no
longer allowed. All requests must be authenticated.
Each Amazon S3 object has 3 fields that identify it. What are they?
Each Amazon S3 object has data, a key and metadata.
What uniquely identifies an object in a bucket?
The object key (or key name) uniquely identifies the object in a bucket.
There are two kinds of metadata. What are they?
There are two kinds of metadata. System-defined metadata and user-defined
metadata.
Can you describe what system-defined metadata is? Can you give an example?
For each object stored in a bucket, S3 maintains a set of system metadata. For
example, metadata such as the object creation date is system controlled, where only
Amazon S3 can modify the value.
Can you describe what user-defined metadata is? Can you give an example?
When uploading an object, you can also assign metadata to the object. You provide
this optional information as a key-value pair.
What are the storage classes for performance-sensitive frequently accessed
objects?
STANDARD and REDUCED_REDUNDANCY (RRS).
What are the storage classes for long lived and infrequently accessed objects?
STANDARD_IA and ONEZONE_IA
If you don't specify the storage class when you upload an object to a bucket, what
storage class does S3 assign to the object by default?
Standard storage class. The standard storage class is the default storage class.
What is the REDUCED_REDUNDANCY (RRS) storage class designed for?
The REDUCED_REDUNDANCY (RRS) storage class is designed for noncritical,
reproducible data that can be stored with less redundancy than the STANDARD
storage class.
You have backups that are accessed infrequently, but still require millisecond
access. Which storage class should you select?
You can select from either STANDARD_IA or ONEZONE_IA.
What is the difference between the STANDARD_IA and ONEZONE_IA storage
classes?
Objects stored using the STANDARD_IA storage class are stored by S3 redundantly
across multiple geographically separated zones. STANDARD_IA objects are resilient
to the loss of an Availability Zone. Objects stored using the ONEZONE_IA storage
class are stored by S3 in only one Availability Zone. The data is not resilient to the
physical loss of an Availability Zone resulting from disasters such as earthquakes
and floods.
When should you use the GLACIER storage class?
The GLACIER storage class is suitable for archiving data where data access is
infrequent. Archived objects are not available for real-time access and you first must
restore the objects before you can access them.
What is the durability and availability percentages for the STANDARD storage class?
99.999999999% (11 9's) durability and 99.99% (4 9's) availability.
What is the durability and availability percentages for the STANDARD_IA storage
class?
99.999999999% (11 9's) durability and 99.9% (3 9's) availability.
What is the durability and availability percentages for the GLACIER storage class?
99.999999999% (11 9's) durability and 99.99% (4 9's) availability.
What is versioning?
Use versioning to keep multiple versions of an object in one bucket. For example, you
could store my-image.jpg (version 11) and my-image.jpg (version 111) in a single
bucket.
What does versioning protect you from?
Versioning protects you from the consequences of unintended overwrites and
deletions.
What is the default state for versioning? What can you do to enable versioning?
By default, versioning is disabled. You must explicitly enable versioning on your
bucket.
What does Object Lifecycle Management allow you to do?
Object lifecycle management allows you to customise your data retention approach
and control storage costs.
Regardless of whether you have enabled versioning, what does each object in your
bucket have?
Regardless of whether you have enabled versioning, each object in your bucket has
a version ID. If you have not enabled versioning, S3 sets the value of the version ID
to null. If you have enabled versioning, S3 assigns a unique version ID value for the
object.
What is the purpose of a version ID?
Regardless of whether you have enabled versioning, each object in your bucket has
a version ID. If you have not enabled versioning, S3 sets the value of the version ID
to null. If you have enabled versioning, S3 assigns a unique version ID value for the
object.
What would you use Object Tagging for? Can you give an example?
Use object tagging to categorise storage. Suppose an object contains protected
health information (PHI) data, you might tag the object using the following key-value
pair PHI=True
How do object tags enable fine-grained access control of permissions?
Object tags enable fine-grained access control permissions by granting IAM
permissions to read only objects with specific tags.
What should you configure to manage your objects so that they are stored cost
effectively throughout their lifecycle?
You should configure Object Lifecycle.
What is a Lifecycle Configuration?
A lifecycle configuration is a set of rules that define actions that S3 applies to a group
of objects.
There are two types of lifecycle configuration actions. Can you list them?
Transition actions and Expiration actions.
There are two types of lifecycle configuration actions. Can you list and describe
each?
Transition actions define when objects transition to another storage class. For
example, you might choose to transition objects to the STANDARD_IA storage class
30 days after you created them, or archive objects to the GLACIER storage class
one year after creating them. Expiration actions define when objects expire, S3
deletes expired objects on your behalf.
When should you use object lifecycle configuration?
You should use lifecycle configuration rules for objects that have well defined
lifecycle. For example, if you upload periodic logs to a bucket, your application might
need them for a week or a month. After that, you might want to delete them.
What is Cross-Origin Resource Sharing (CORS)?
Cross-origin resource sharing is a mechanism that allows restricted resources (e.g.
fonts) on a web page to be requested from another domain outside the domain from
which the first resource was served.
How can you configure CORS on an S3 bucket?
To configure your bucket to allow cross-origin requests, you create a CORS
configuration, which is an XML document with rules that identify the origins that you
will allow to access your bucket and the operations (HTTP methods) you will support for
each origin.
You would like to analyse storage access patterns to help you decide when to
transition the right data to the right storage class. What can you use?
Amazon S3 Analytics Storage Class Analytics. This feature observes data access
patterns to help you determine when to transition less frequently accessed
STANDARD storage to the STANDARD_IA storage class.
What is Amazon S3 Analytics Storage Class Analytics?
Amazon S3 Analytics Storage Class Analytics is a feature that observes data access
patterns in your bucket over a period of time to help you determine when to transition
less frequently accessed STANDARD storage to the STANDARD_IA storage class.
By default, what is the access status of all S3 resources (buckets and objects)?
By default all S3 resources are private and can only be accessed by the resource
owner.
What are the two access policy options available to you to grant permissions to your
S3 resources?
Bucket based policies and user based policies.
What are the components of an access policy?
Resources, Actions, Effect and Principal.
A Resource is one component of an access policy. Can you describe what a
resource is and provide an example?
Buckets and objects are the S3 resources for which you can allow or deny
permissions. In a policy, you use the Amazon Resource Name (ARN) to identify the
resource.
An Action is one component of an access policy. Can you describe what an action is
and provide an example?
For each resource (bucket or object) S3 supports a set of operations. You identify
which operations that you will allow or deny.
An Effect is one component of an access policy. Can you describe what an Effect is
and provide an example?
What the effect will be when the user requests the specific action; this will be either
allow or deny. If you do not explicitly grant access to allow a resource, access is
implicitly denied.
A Principal is one component of an access policy. Can you describe what a principal
is and provide an example?
The principal is the account or user who is allowed access to the actions and
resources in the statement. In a bucket policy, the principal is the user, account,
service or other entity who is the recipient of the permissions.
What is an S3 Access Control List (ACL)?
An S3 access control list (ACL) identifies which AWS accounts or groups are
granted access and the type of access to buckets and objects.
What does an S3 Access Control List (ACL) enable you to do?
Amazon S3 access control lists (ACLs) enable you to manage access to buckets and
objects. Each bucket and object has an ACL attached to it as a subresource.
When you create a bucket or an object, what does S3 create to grant the resource
owner full control over the resource?
Amazon S3 creates a default ACL that grants the resource owner full control over
the resource.
How does Amazon S3 provide highly durable storage?
S3 provides highly durable storage infrastructure by redundantly storing objects on
multiple devices across multiple availability zones.
How does S3 regularly verify the integrity of data stored? How does S3 detect data
corruption and repair the data?
S3 regularly verifies integrity of data stored using checksums. If S3 detects data
corruption, it is repaired using redundant data.
What percentage of durability and availability is S3's standard storage offering
designed to provide?
S3's standard storage is designed to provide 11 9's durability and 4 9's availability.
What does availability refer to?
Availability refers to system up time.
What does durability refer to?
Durability refers to long term data protection from corruption.
Data protection refers to protecting data while in-transit and at rest. How can you
protect data while in-transit as it travels from and to Amazon S3?
You can protect data in transit by using SSL or by using client-side encryption.
What options do you have of protecting data at rest in S3?
You can use Server-Side Encryption or Client-Side Encryption.
Can you describe what Server-Side Encryption is about?
Server-Side Encryption is about data encryption at rest; that is, Amazon S3 encrypts
your data at the object level as it writes it to disks in its data centres and decrypts it for
you when you access it.
You have three options for encrypting data-at-rest. What are your options and what
determines which option you select?
You have three options for server-side encryption of data-at-rest. You can use S3
Managed Keys, KMS managed Keys and Customer provided keys. The option that
you select depends on how you choose to manage encryption keys.
What does AWS KMS use to encrypt to your S3 objects?
AWS KMS uses the customer master keys (CMKs) to encrypt your S3 objects.
How is a default customer master key (CMK) created for you?
The first time you add an SSE-KMS encrypted object to a bucket, a default CMK is
created for you automatically. This key will then be used for encrypting your objects.
Server-side encryption is about protecting data at rest. You would like to encrypt
objects stored in S3 using S3 managed encryption keys. How does S3 do this?
Amazon S3 encrypts each object with a unique key. As an additional safeguard, it
encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-
side encryption uses one of the strongest block ciphers available, 256-bit Advanced
Encryption Standard (AES-256), to encrypt your data.
Server-Side Encryption is about protecting data at rest. You would like to use server-
side encryption with your own keys. How can you do this?
Using server-side encryption with customer provided keys (SSE-C) allows you to set
your own encryption keys. With the encryption key you provide as part of your
request, S3 manages both the encryption, as it writes to disks and decryption when
you access your objects.
How does Amazon S3 store the encryption key that you provide?
Amazon S3 does not store the encryption key you provide. Instead, it stores a
randomly salted HMAC value of the encryption key in order to validate future
requests.
What does client-side encryption refer to?
Client-side encryption refers to encrypting data before sending it to Amazon S3.
What two options for using data encryption keys with client-side encryption do you
have?
You can use an AWS KMS-managed customer master key or use a client-side
master key.
When using the AWS KMS-managed customer master key for client-side data
encryption, what don't you have to worry about?
When using the AWS KMS-managed customer master key for client-side data
encryption, you don't have to worry about providing any encryption keys to the S3
encryption client. Instead, you provide only an AWS KMS customer master key ID
(CMK ID), and the client does the rest.
When using a client-side master key for client-side data encryption, what must you
provide?
You provide a client side master key to the Amazon S3 encryption client. The client
uses this master key only to encrypt the data encryption key that it generates
randomly.
What is versioning?
Versioning is a means of keeping multiple variants of an object in the same bucket.
What can you use versioning to do?
You can use versioning to preserve, retrieve and restore every object stored in your
Amazon S3 bucket.
What does versioning enable you to recover from?
Versioning enables you to easily recover from both unintended user actions and
application failures
What is Cross-region replication?
Cross-region replication is a bucket level configuration that enables automatic,
asynchronous copying of objects across buckets in different AWS regions. Although
by default Amazon S3 stores your data across multiple geographically distant AZs,
compliance requirements might dictate that you store data at even further distances.
What does Amazon S3 not replicate across regions?
Objects created with server-side encryption using customer-provided encryption
keys (SSE-C) and objects created with server-side encryption using AWS KMS-
managed encryption keys (SSE-KMS).
What is Amazon DevPay?
Amazon DevPay enables you to charge customers for using your Amazon S3
product through Amazon's authentication and billing infrastructure. Once a month,
Amazon bills your customers for you. AWS then deducts the fixed Amazon DevPay
transaction fee and pays you the difference. AWS then separately charges you for
the Amazon S3 usage costs incurred by your customers and the percentage-based
Amazon DevPay fee.
You would like to track requests for access to your bucket. What should you enable?
You should enable access logging.

Terms in this set (61)

What is Amazon S3?
Amazon S3 is storage for the internet. It's a simple storage service that offers software
developers a highly-scalable, reliable, and low-latency data storage infrastructure at very low
costs.
What are the technical benefits of S3?
Scalability, reliability, speed, low-cost, and simplicity
What kind of data can I store?
Virtually any kind of data in any format
How much data can I store?
The total volume of data and number of objects you can store are unlimited. Individual
Amazon S3 objects can range in size from a minimum of 0 bytes to a maximum of 5 TB. The
largest object that can be uploaded in a single PUT is 5 GB. For objects larger than 100 MB,
customers should consider using the Multipart Upload capability.
What storage classes does Amazon S3 offer?
S3 Standard: for general-purpose storage of frequently accessed data
S3 Infrequent Access: infrequent access for long-lived but less frequently accessed data
Glacier: long-term archive
S3 Reduced Redundancy Storage: enables customers to reduce their costs by storing
noncritical, reproducible data at lower levels of redundancy than Amazon's S3 standard
storage
How can I delete large numbers of objects?
Multi-Object Delete deletes large numbers of objects from S3. There is no charge for multi-object delete.
What does Amazon do with my data in Amazon S3?
Amazon will store your data and track its associated usage for billing purposes. AWS will not
otherwise access your data for any purpose outside of the S3 offering, except when required
to do so by law.
How is Amazon S3 data organized?
Amazon S3 is a simple key-based object store. When you store data, you assign a unique
object key that can later be used to retrieve the data. Keys can be any string, and can be
constructed to mimic hierarchical attributes.
How do I interface with Amazon S3?
Amazon S3 provides a simple, standards-based REST web services interface that is designed
to work with any Internet-development toolkit.
How reliable is Amazon S3?
S3 Standard is designed for 99.99% availability and S3-IA is designed for 99.9% availability.
Both are backed by the S3 SLA.
What data consistency model does Amazon S3 employ?
Amazon S3 buckets in all Regions provide read-after-write consistency for PUTS of new
objects and eventual consistency for overwrite PUTS and DELETES
What happens if traffic from my application suddenly spikes?
Amazon S3 was designed from the ground up to handle traffic for any Internet application.
S3's massive scale enables us to spread load evenly, so that no individual application is
affected by traffic spikes.
How can I increase the number of Amazon S3 buckets that I can provision?
By default, customers can provision up to 100 buckets per AWS account. However, you can
increase your S3 bucket limit by visiting AWS Service Limits.
Where is my data stored?
You specify a region when you create your S3 bucket. Within that region, your objects are
redundantly stored on multiple devices across multiple facilities.
How am I charged for using Versioning?
Normal S3 rates apply for every version of an object stored or requested. You are charged per
GB stored, number of GET requests, number of PUT requests, data transfer in and data
transfer out, and prices can vary based on region.
How secure is my data in S3?
By default, only the bucket and object owners originally have access to Amazon S3 resources
they create. S3 provides access control mechanisms such as bucket policies and Access
Control Lists (ACLs) to selectively grant permissions to users and groups of users. You can
securely upload and download data to S3 via SSL endpoints using HTTPS protocol. Server
Side Encryption (SSE) and SSE with customer provided keys (SSE-C) can be used to store
data at rest. You can also use your own encryption libraries to encrypt data before storing it in
S3.
How can I control access to my data stored in S3?
IAM policies, bucket policies, ACLs, and query string authentication. IAM policies can be
used to control access to S3 buckets or objects across an account. Bucket policies can define
rules for specific S3 buckets. ACLs can grant specific permissions to buckets and objects.
Query String Authentication allows customers to create a URL to an S3 bucket object that is
only valid for a limited time.
Does S3 support data access auditing?
Yes, customers can configure S3 buckets to create access log records for all requests made
against it.
What options do I have for encrypting data stored on S3?
SSE-S3, SSE-C, SSE-KMS, or a client library.
SSE-S3: integrated solution with S3 where AWS handles management of keys
SSE-C: AWS will perform encryption/decryption using customer provided keys
SSE-KMS: AWS KMS manages encryption keys
Client Library: data is encrypted prior to being placed in S3, customer handles all encryption
How does Amazon protect SSE encryption keys?
Every object is encrypted with a unique key. The object key itself is then encrypted by a
separate master key. A new master key is issued at least monthly. Encrypted data, encryption
keys and master keys are stored and secured on separate hosts for multiple layers of
protection.
What is an Amazon VPC endpoint for Amazon S3?
An Amazon VPC Endpoint for Amazon S3 is a logical entity within a VPC that allows
connectivity only to S3. The VPC Endpoint routes requests to S3 and routes responses back
to the VPC. A VPC endpoint enables you to create a private connection between your VPC
and S3 without requiring access over the Internet.
How durable is data in S3?
S3-Standard and S3-IA are designed to provide 99.999999999% durability of objects in a
given year. If you store 10,000 objects with S3 you can (on average) expect to lose 1 object
every 10,000,000 years. S3 is designed to sustain the concurrent loss of data in two facilities.
S3 best practices for backup include secure access permissions, cross-region replication,
versioning and a functioning, regularly tested backup.
What checksums does S3 employ to detect data corruption?
S3 uses a combination of Content-MD5 checksums and cyclic redundancy checks (CRCs) to
detect data corruption. S3 repairs any corruption using redundant data.
What is versioning in S3?
Versioning allows you to preserve, retrieve, and restore every version of every object stored
in an S3 bucket. Once you enable versioning for a bucket, S3 preserves existing objects
anytime you perform a PUT, POST, COPY, or DELETE operation on them. By default, GET
requests will retrieve the most recently written version. Older versions of an overwritten or
deleted object can be retrieved by specifying a version in the request.
Why should I use versioning in S3?
S3 provides customers with a highly durable storage infrastructure. Versioning offers an
additional level of protection by providing a means of recovery when customers accidentally
overwrite or delete objects. This allows you to easily recover from unintended user actions
and application failures. You can also use versioning for data retention and archiving.
How do I start using versioning?
Enable the versioning setting on your S3 bucket.
Does versioning protect me from accidental deletion of my objects?
When a user performs a DELETE operation on an object, subsequent simple (un-versioned)
requests will no longer retrieve the object. However, all versions of that object will continue
to be preserved in your Amazon S3 bucket and can be retrieved or restored. Only the owner
of an S3 bucket can permanently delete a version.
Can I setup a trash, recycle bin, or rollback window on my S3 objects to recover from deletes
and overwrites?
You can use lifecycle rules along with versioning to implement a rollback window for
objects. Ex: with a versioning enabled bucket you can set up a rule that archives all of your
previous versions to the lower-cost Glacier storage class and deletes them after 100 days,
giving you a 100-day rollback window while lowering your storage costs.
Why would I choose to use Standard - IA?
Standard-IA is ideal for data that is accessed less frequently, but requires rapid access when
needed. Standard-IA is ideally suited for long-term file storage, older data from sync and
share, backup data, and disaster recovery files.
What performance does Standard-IA offer?
Same level of performance as Standard S3 with 99.9999999% durability but 99.9%
availability.
How do I get my data into Standard-IA?
There are two ways to get data into Standard-IA from within S3. You can directly PUT into
Standard-IA by specifying STANDARD_IA in the x-amz-storage-class header (of the HTTP
request). You can also set lifecycle policies to transition objects from Standard to Standard-IA.
How will my latency and throughput performance be impacted as a result of using Standard-IA?
You should expect the same latency and throughput performance as Amazon S3 Standard
when using Standard-IA
Is there a minimum duration for Standard-IA?
Standard-IA is designed for long-lived, but infrequently accessed data that is retained for
months or years. Data that is deleted from Standard-IA within 30 days will be charged for a
full 30 days.
Is there a minimum object size for Standard-IA?
Standard-IA has a minimum object size of 128KB. For objects smaller than 128KB, charges
will be incurred as if the object were 128KB.
How can I store my data using the Amazon Glacier option?
You can use lifecycle rules to automatically archive sets of data from S3 based on lifetime.
Data can be directly uploaded to Glacier using the Glacier REST API, AWS SDKs, or AWS
Import/Export.
Can I use Amazon Glacier APIs to access S3 objects that I've archived to Amazon Glacier?
Because Amazon S3 maintains the mapping between your user-defined object name and
Amazon Glacier's system-defined identifier, Amazon S3 objects that are stored using the
Amazon Glacier option are only accessible through the Amazon S3 APIs or the Amazon S3
management console.
How long will it take to retrieve my objects in Amazon Glacier?
When a retrieval job is requested, data is moved from Glacier to S3-RRS. Access time of
your request depends on the retrieval option you choose: Expedited (1-5min), Standard (3-5hrs), and Bulk (5-12hrs)
How am I charged for Glacier?
Charged per GB stored and per lifecycle transition requests. Objects stored in Glacier have a
minimum of 90 days of storage, if an object is deleted before 90 days a pro-rated charge
equal to the storage charges is incurred
What are Amazon S3 event notifications?
Amazon S3 event notifications can be sent in response to actions in S3 like PUTs, POSTs,
COPYs, or DELETEs. Notification messages can be sent through either Amazon SNS, SQS,
or Lambda.
What can I do with Amazon S3 event notifications?
Amazon S3 event notifications enable you to run workflows, send alerts, or perform other
actions in response to changes in your objects stored in S3. You can use event notifications to
set up triggers to perform actions including transcoding media files when they are uploaded,
processing data files when they become available, and synchronizing Amazon S3 objects
with other data stores.
Can I host my static website on S3?
Yes, you can host your entire static website on S3 as an inexpensive, highly available hosting
solution that scales automatically to meet traffic demands.
What kinds of websites should I host using S3 static website hosting?
S3 is ideal for websites that contain only static content, including HTML files, images,
videos, and client-side scripts such as JavaScript. EC2 is recommended for websites with
server-side scripting and database interaction.
Can I use my own host name with my Amazon S3 hosted website?
Yes, you can map your domain name to your S3 bucket.
Does Amazon S3 support redirects?
Yes, S3 provides multiple ways to enable redirection of web content for your static websites.
You can set rules on your bucket to enable automatic redirection. You can also configure a
redirect on an individual S3 object.
What are S3 object tags?
S3 Object Tags are key-value pairs applied to S3 Objects which can be created, updated, or
deleted at any time during the lifetime of the object. With these, you'll have the ability to
create IAM policies, set up S3 lifecycle policies, and customize storage metrics. These object-level tags can then manage transitions between storage classes and expire objects in the
background.
Why should I use Object Tags?
Object Tags allow you to control access to objects tagged with specific key-value pairs. They
can also be used to label objects that belong to a specific project or business unit, which could
be used in conjunction with lifecycle policies to manage transitions to the S3 Standard-IA and
Glacier storage tiers.
Will my Object Tags be replicated if I use Cross-Region Replication?
Object tags can be replicated across regions using Cross-Region Replication. If cross-region
replication is already enabled, new permissions are required in order for tags to replicate.
What is S3 Analytics - Storage Class Analysis?
Storage Class Analysis allows you to analyze storage access patterns and transition the right
data to the right storage class. This feature automatically identifies infrequent access patterns
to help you transition storage to Standard-IA. You can configure a storage class analytics
policy to monitor an entire bucket, a prefix, or object tag. Storage class analysis also provides
daily visualizations of your storage usage on the AWS Management Console that you can
export to a S3 bucket to analyze using business intelligence tools, such as Amazon
QuickSight.
What is S3 Inventory?
S3 Inventory provides a scheduled alternative to Amazon S3's synchronous List API. S3
Inventory provides a CSV flat-file output of your objects and their corresponding metadata
on a daily or weekly basis for an S3 bucket or a shared prefix.
How do I get started with S3 CloudWatch Metrics?
You can use the AWS Management Console to enable the generation of 1-minute CloudWatch
metrics for your S3 bucket or configure filters for the metrics using a prefix or object
tag. Alternately, you can call the S3 PUT Bucket Metrics API to enable and configure
publication of S3 storage metrics.
What alarms can I set on my storage metrics?
You can use CloudWatch to set thresholds on any of the storage metric counts, timers, or
rates and fire an action when the threshold is breached. For example, you can set a threshold
on the percentage of 4xx Error Responses.
What is Lifecycle Management?
S3 Lifecycle management provides the ability to define the lifecycle of your object with a
predefined policy and reduce your cost of storage. You can set lifecycle transition policy to
automatically migrate Amazon S3 objects to Standard-IA and/or Glacier based on the age of
the data. You can also set lifecycle expiration policies to automatically remove objects based
on the age of the object. You can set a policy for multipart upload expiration, which expires
incomplete multipart upload based on the age of the upload.
Why would I use a lifecycle policy to expire incomplete multipart uploads?
The lifecycle policy that expires incomplete multipart uploads allows you to save on costs by
limiting the time non-completed multipart uploads are stored. For example, if your
application uploads several multipart object parts, but never commits them, you will still be
charged for that storage. This policy can lower your S3 storage bill by automatically
removing incomplete multipart uploads and the associated storage after a predefined number
of days.
What is Amazon S3 Cross-Region Replication (CRR)?
CRR is an Amazon S3 feature that automatically replicates data across AWS regions. With
CRR, every object uploaded to an S3 bucket is automatically replicated to a destination
bucket in a different AWS region that you choose. You can use CRR to provide lower-latency data access in different geographic regions. CRR can also help if you have a
compliance requirement to store copies of data hundreds of miles apart.
How do I enable CRR?
CRR is a bucket-level configuration. You enable a CRR configuration on your source bucket
by specifying a destination bucket in a different region for replication. Versioning must be
turned on for both the source and destination buckets to enable CRR.
What does CRR replicate to the target bucket?
CRR replicates every object-level upload that you directly make to your source bucket. The
metadata and ACLs associated with the object are also part of the replication. Any change to
the underlying data, metadata, or ACLs on the object would trigger a new replication to the
destination bucket. You can either choose to replicate all objects uploaded to a source bucket
or just a subset of objects by specifying prefixes. Existing data in the bucket prior to CRR is
not replicated, you must use COPY to copy existing data to destination bucket.
Can I use CRR with lifecycle rules?
Yes, you can configure separate lifecycle rules on the source and destination buckets.
What is transfer acceleration?
Amazon S3 transfer acceleration enables fast, easy, and secure transfers of files over long
distances between your client and your Amazon S3 bucket. Transfer Acceleration leverages
Amazon CloudFront's globally distributed AWS Edge Locations. As data arrives at an AWS
Edge Location, data is routed to your Amazon S3 bucket over an optimized network path.
Who should use transfer acceleration?
Transfer Acceleration is designed to optimize transfer speeds from across the world into S3
buckets. If you are uploading to a centralized bucket from geographically dispersed locations,
or if you regularly transfer GBs or TBs of data across the continents, you may save hours or
days of data transfer time.
How should I choose between Transfer Acceleration and Amazon CloudFront's PUT/POST?
Transfer Acceleration optimizes the TCP protocol and adds additional intelligence between
the client and the S3 bucket, making Transfer Acceleration a better choice if a higher
throughput is desired. If you have objects that are smaller than 1GB or if the data set is less
than 1GB in size, you should consider using Amazon CloudFront's PUT/POST commands for
optimal performance.
Can Transfer Acceleration complement 3rd party integrated software?
Yes. Software packages that connect directly into Amazon S3 can take advantage of Transfer
Acceleration when they send their jobs to Amazon S3.
S3
Simple Storage Service
What is S3?
Storage for the internet. Secure, durable, highly-scalable object storage. Can upload
files, but cannot install OS or software.
What can I do with S3?
Store and retrieve any amount of data, at any time, from anywhere on the web.
What size objects can be uploaded to S3?
1 byte - 5 TB. Largest object in a single PUT = 5GB.
What kind of data can be stored in S3?
Virtually any kind of data in any format.
How much storage is potentially available?
Unlimited (however much you can pay for)
How are files stored in S3?
In buckets (conceptually like folders)
True or False. Filenames in S3 do NOT have to be unique across regions.
False. S3 is a universal namespace, so names must be unique globally.
True or False. You can read immediately after adding a new object to S3.
True. Read after write consistency for PUTS of new Objects.
True or False. Updates and deletes in S3 will be visible immediately.
False. Eventual consistency for overwrite PUTS and DELETES (Updating or deleting
objects can take some time to propagate)
What are the S3 storage classes/tiers?
1. S3,
2. S3-IA,
3. S3-RRS,
4. Glacier
What is S3 standard tier?
For frequently accessed data. Low latency and high throughput. Availability =
99.99%. Durability = 99.999999999% (11x9's). Use cases including cloud
applications, dynamic websites, content distribution, mobile and gaming applications,
and big data analytics
What is S3-IA tier?
S3 Standard - Infrequent Access. Availability = 99.99%. Durability = 99.999999999%
(11x9's). Data is accessed less frequently, but requires rapid access when needed.
Low per GB storage price and per GB retrieval fee. Ideal for long-term storage,
backups, and as a data store for disaster recovery.
True or False. Data deleted from S3-IA tier within 30 days will be charged for a full
30 days.
True.
What is Glacier tier?
Secure, durable, and extremely low-cost ($0.01/GB/mo) storage service for data
archiving. Optimized for data that is rarely accessed and a retrieval time of several
hours is suitable. Charged for amount of storage, # requests, data transfer pricing
What does it cost to recover from Glacier?
Archive and Restore requests are priced from $0.05 per 1,000 requests. For large
restores, there is also a restore fee starting at $0.01 per gigabyte. Objects are
restored to RRS, so you are charged for RRS and Glacier until restored object is
moved.
True or False. Data deleted from Glacier w/in 90 days are charged a fee.
True. There is a pro-rated charge of $0.03 per GB.
How much data can be restored from Glacier for free?
You can restore up to 5% of the data stored in Glacier for free each month.
What is S3-RRS tier?
Reduced Redundancy Storage. Store non-critical, reproducible data (storing
thumbnails, transcoded media, etc.) at lower levels of redundancy than S3's
standard storage. Availability = 99.99%, Durability = 99.99%. Data is replicated fewer
times, so the cost is less
What are the identifying parts of an S3 object?
1. Key - The name,
2. Value - The data,
3. Version ID,
4. Metadata (system and/or user-defined),
5. ACLs
True or False. Bucket names don't have to be globally unique.
False. They must be globally unique AND use lower-case letters.
True or False. Uploaded objects are private by default.
True.
How many buckets can each account have?
100 by default.
True or False. All objects in a bucket are replicated when replication is enabled.
False. Pre-existing objects are not replicated, but future uploads are replicated.
True or False. Versioning is not a requirement for cross-region replication.
False. Cross-region replication requires versioning.
True or False. Versioning can only be disabled, not turned off.
True. To stop versioning completely, you must delete and recreate the bucket.
True or False. You have to pay for each version of a file.
True. Each file has its own version ID, which means it's taking up space, which has
to be paid for.
True or False. Lifecycle rules do NOT require versioning.
True, but you CAN use Lifecycle rules with versioning.
True or False. You can use multi-factor authentication with versioning.
True. Multi-factor authentication is used to enforce second authentication so objects
are less likely to be deleted accidentally.
What are lifecycle rules?
Rules you can set up to automatically transition items from one type of storage to
another.
What are the types of lifecycle rules?
1. Transition to Standard - Infrequent Access Storage,
2. Archive to Glacier storage,
3. Permanently delete
Explain the 'Transition to Standard - Infrequent Access Storage Class' rule.
Must wait a minimum of 30 days and a minimum 128KB file size. Fee for retrieval, but almost
instantaneous.
Explain the 'Archive to Glacier storage class' rule.
Can do 1 day after uploading (30 days after infrequently accessed). Fee for retrieval,
takes 3-5 hrs for retrieval.
Explain the 'Permanently Delete' rule.
Can do 1 day after uploading. If versioning enabled, must expire, then permanently
delete.
True or False. You can use lifecycle rules for versions of objects.
True.
What is a CDN?
Content Delivery Network. Network of distributed servers that deliver webpages and
content to users based on their geographic location (and other factors).
What is CloudFront used for?
Deliver your entire website, including dynamic, static, streaming, and interactive
content using a global network of edge locations.
How are requests handled with CloudFront?
Requests are automatically routed to the nearest edge location, so content is
delivered with the best possible performance.
True or False. CloudFront can only be used with other AWS services.
False. CloudFront works with non-AWS origin servers, but is optimized to work with
other AWS services like S3, EC2, Elastic Load Balancing, and Route 53.
In CloudFront, what is an origin location?
Location of original, uncached, files. S3 bucket, EC2 instance, Elastic Load
Balancer, Route53, or custom
In CloudFront, what is an edge location?
Location where content will be cached. Different from Regions and Availability
Zones.
True or False. Edge locations are read-only.
False. Can send the PUT messages, which will be forwarded to the Origin.
How are objects removed from edge locations?
Objects are removed for free after the TTL expires, but you can manually clear
objects for a fee.
What is a Distribution?
A collection of Edge Servers.
What are the types of distributions?
Web distribution and RTMP
What is a Web Distribution?
A distribution specifically for websites and static files (html, css, xml, etc)
What is RTMP?
Adobe's Real-Time Message Protocol. For media streaming (flash, etc). Allows an
end user to begin playing a media file before the file has finished downloading
Why would you want to restrict user access to a distribution?
If users access your objects directly in S3, they bypass the controls provided by
CloudFront signed URLs or signed cookies.

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
True or False. When a bucket is created it is private by default.
True.
How can you control access to a bucket?
Using bucket policies and ACLs.
True or False. There is no way to track who accesses a bucket.
False. You can configure buckets to store logs w/in the bucket or in another bucket.
What are the 3 methods of encryption?
1. SSL/TLS (in transit),
2. Server Side Encryption (SSE),
3. Client Side Encryption (CSE)
What is SSE-S3?
Server Side Encryption that is fully Amazon managed. S3 encrypts each object with
a unique key and it encrypts the key itself with a master key that it regularly rotates.
Uses 256-bit Advanced Encryption Standard (AES-256).
What is SSE-KMS?
Server Side Encryption Key Management Services. Combines secure, highly
available hardware and software to provide a key management system scaled for the
cloud. AWS KMS uses customer master keys (CMKs) to encrypt your S3 objects.
Provides audit trail.
What is SSE-C?
Server Side Encryption with customer provided keys. You manage the keys, AWS
manages encryption/decryption when you write or read.
What is Client Side Encryption?
Refers to encrypting data before sending it to S3. Two options for using data
encryption keys:
1. Use an AWS KMS-managed customer master key
2. Use a client-side master key
What is a Storage Gateway?
Connects an on-premises software appliance with cloud-based storage
What AWS service is the target of a Storage Gateway?
Target is typically S3 or Glacier, but it also supports VMware ESXi or
Microsoft Hyper-V
What are the 3 types of Storage Gateways?
1. Stored volumes,
2. Cached volumes,
3. Virtual Tape Library (VTL)
What is a Gateway Stored Volume?
Keep entire dataset on-site. Storage Gateway backs this up asynchronously to S3.
Can recover locally or from EC2.
What is a Gateway Cached Volume?
Entire data set stored in S3. Only most frequently accessed data is cached on-site. If
you lose internet connectivity, cannot access all of your data.
What is a Gateway Virtual Tape Library?
VTL. Limitless collection of virtual tapes. Backed by S3 (tape library) or Glacier (tape
shelf). Exposes iSCSI interface providing your backup application with on-line
access to the virtual tapes. Supported by NetBackup, Backup Exec, Veeam, etc.
What is an import/export disk?
Use any portable storage device to transport data to AWS. AWS staff imports the
data to S3, EBS, Glacier, etc., then sends the device back. Export from S3. This
service is being replaced by Snowball.
What is import/export Snowball?
Rent Amazon's portable storage device. Petabyte scale data transport solution.
50TB/snowball limit, tamper-resistant enclosure, 256-bit encryption. Import/Export to
S3 only.
Where is my data stored?
You specify a region when you create your Amazon S3 bucket. Within that region,
your objects are redundantly stored on multiple devices across multiple facilities.

S3
Provides secure, durable, highly scalable object storage
- object based, not operating system
- data is spread across multiple devices and facilities
- read after write consistency for PUTS of new objects
- universal namespace therefore must be unique
Consistency
Immediate read after write for PUTS; however, overwrites or DELETES will take some
time to propagate
Key value storage
Key (name of object)
Value (data)
Version ID
Metadata
Basic Characteristics
99.99% availability
11X9s durability
Lifecycle management
Versioning
Encryption
Secure data using access control lists and bucket policies
Storage Tiers
- S3 - designed to sustain the loss of two facilities concurrently
- IA - infrequently accessed, requires rapid access when needed
- Reduced redundancy storage - a way to store objects that are okay being lost
- Glacier - cheap but archival
Charges
Storage, requests, data transfer pricing
Versioning
Allows you to retrieve and preserve every version; cannot be disabled once enabled, only
suspended
- only way to get rid of is to delete the bucket
Cross Region Replication
Files will be replicated to another region
- needs versioning enabled on both source and destination region buckets
Lifecycle rule
helps manage cost by applying rules to buckets and moving to different storage
- permanently delete after a certain time
- object has to wait a minimum of 30 days to move to IA storage, but only one day to
move to Glacier
EX: social media site
CloudFront
content delivery network - system of distributed servers that deliver webpages and
other web content to a user based on geographic locations of the user, origin of the
web page, and a content delivery server
Edge location
Location where content can be cached
- separate to an AWS region
- Objects are cached for the TTL (time to live)
- Clear cached objects but will be charged
Distribution
name given to the CDN which consists of a collection of edge locations
CloudFront Characteristics
You can have multiple origins to a distribution
- can restrict bucket access
- default root object
- HTTP methods - get, head, options, put, post, patch, delete
-- Selecting these means that when users upload a file to the CloudFront distribution, it goes
to the edge location before the origin server
TTL
time to live
- default is 24 hours
- Always in seconds
S3 encryption
By default all newly created buckets are private
- Encryption:
- In transit: when information is sent to and from buckets
- At rest - server-side encryption
-- S3 managed keys - each object is encrypted with a unique key
-- SSE KMS - key management service - uses an envelope key that protects the
data encryption key and provides an audit trail
- client side
Storage Gateway
service that connects an on-premises software appliance with cloud-based storage to
provide seamless integration between the on-premises IT environment
Gateway stored volumes
Keep entire data set on site, storage gateway backs up to Amazon S3
- stored locally
Gateway cached Volumes
only most frequently accessed data is stored locally
Gateway Virtual tape library
- each virtual tape can be stored in a virtual tape library backed by AWS
Import / export Disk
accelerates moving large amount of data into and out of the AWS cloud using
portable storage devices for transport
Import / export Snowball
petabyte scale data transport solution that uses secure appliances to transfer large
amounts of data into and out of AWS
- multiple layers of security designed to protect your data
- always use instead of disk
Transfer acceleration
utilizes the CloudFront edge network to accelerate uploads to S3 - instead of using the
bucket URL, you use a distinct URL to upload directly to an edge location