Tuesday, September 27, 2016

AWS CDA Study List - S3

S3 

Basics

  • Key-value store
  • Object-level storage (not block-based storage like EBS)
  • Resources are buckets, which are by default private
  • Unlimited storage

Buckets

  • By default are private
  • Names are globally unique. You can't have two buckets with the same name, even in different regions
  • Buckets are, however, created within a single region. They don't exist globally; only their names are global.
  • Can't be nested. You can't have a bucket within a bucket (subfolders inside a bucket are just key prefixes)
  • Ownership can't be transferred. The owner is always the AWS root account.
  • Buckets have no limit on the number of objects. You can have an unlimited number of objects within a single bucket.
  • Default limit is 100 buckets, which can be raised by contacting AWS Support
  • Offers versioning and three storage classes (Standard, IA and Glacier)

Objects

  • Maximum size of a single PUT is 5GB
  • Maximum object size is 5TB
  • Objects larger than 5GB can be uploaded by using the Multipart Upload API
  • Pre-signed URLs can be used to share objects in private buckets
  • A successful object upload returns an HTTP 200 response

Security

  • Bucket access can be restricted by using an S3 ACL or an S3 bucket policy
  • CloudFront can be used for geographic restriction


The following topics are exam questions collected from the Internet and should be evaluated as such. The answers are mine and have been checked against answers collected from the Internet, but they might still be wrong.

S3 performance

If an application is storing hourly log files from thousands of instances from a high traffic web site, which naming scheme would give optimal performance on S3?

A. Sequential
B. HH-DD-MM-YYYY-log_instanceID
C. YYYY-MM-DD-HH-log_instanceID
D. instanceID_log-HH-DD-MM-YYYY
E. instanceID_log-YYYY-MM-DD-HH


You are designing a web application that stores static assets in an Amazon Simple Storage Service (S3) bucket. You expect this bucket to immediately receive over 150 PUT requests per second. What should you do to ensure optimal performance?

A. Use multi-part upload.
B. Add a random prefix to the key names.
C. Amazon S3 will automatically manage performance at this scale.
D. Use a predictable naming scheme, such as sequential numbers or date time sequences, in the key names


Why?

http://docs.aws.amazon.com/AmazonS3/latest/dev/request-rate-perf-considerations.html

Using a sequential prefix, such as timestamp or an alphabetical sequence, increases the likelihood that Amazon S3 will target a specific partition for a large number of your keys, overwhelming the I/O capacity of the partition. If you introduce some randomness in your key name prefixes, the key names, and therefore the I/O load, will be distributed across more than one partition.
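As an added illustration (not from the original post and not AWS code), the following Python applies the advice quoted above: a short hash of the plain key is prepended so that keys written in the same hour no longer share one prefix, and a small check counts how many distinct leading prefixes a batch of keys produces under each scheme. The instance IDs and the hour are constructed sample values, and the prefix-counting function is a toy model of partitioning, not S3's real algorithm. One caveat a reader should know: AWS announced in July 2018 that S3 request-rate performance no longer depends on key prefixes, so on current S3 this naming trick is optional; it still explains the 2016-era exam answer.

```python
import hashlib
from collections import Counter

# Constructed sample: 200 fake instance ids that all write a log file in the same hour.
INSTANCE_IDS = [f"i-{n:08x}" for n in range(1, 201)]
HOUR = "2016-09-27-13"


def sequential_key(instance_id: str, hour: str = HOUR) -> str:
    """Date-first naming (option C in the question above): every key written in the
    same hour starts with the same characters, so all of them share one prefix."""
    return f"{hour}-log_{instance_id}"


def hashed_key(instance_id: str, hour: str = HOUR, width: int = 4) -> str:
    """Prepend a short hash of the plain key. Neighbouring keys now start with
    unrelated characters and spread over many prefixes. The hash is derived from
    the plain key, so anyone who knows the plain key can rebuild the object name."""
    plain = sequential_key(instance_id, hour)
    digest = hashlib.sha256(plain.encode("utf-8")).hexdigest()[:width]
    return f"{digest}-{plain}"


def plain_from_hashed(key: str) -> str:
    """Recover the readable key from a hashed one (everything after the first '-')."""
    return key.split("-", 1)[1]


def distinct_prefixes(keys, length: int = 4) -> int:
    """Toy model of prefix-based partitioning: how many distinct leading substrings
    of the given length a batch of keys falls into."""
    return len(Counter(k[:length] for k in keys))


def compare_schemes(instance_ids=INSTANCE_IDS):
    """Return (distinct prefixes with sequential keys, distinct prefixes with hashed keys)."""
    seq = [sequential_key(i) for i in instance_ids]
    hashed = [hashed_key(i) for i in instance_ids]
    return distinct_prefixes(seq), distinct_prefixes(hashed)


if __name__ == "__main__":
    print("sequential vs hashed distinct prefixes:", compare_schemes())
```

With the sequential scheme every key in the batch starts with "2016", so the whole hour's writes land on one prefix; with the hashed scheme the same 200 keys spread over almost 200 prefixes, and the readable name is still recoverable from the key.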



S3 bucket limits

Your application is trying to upload a 6 GB file to Simple Storage Service and receives a “Your proposed upload exceeds the maximum allowed object size.” error message. What is a possible solution for this?

A. None, Simple Storage Service objects are limited to 5 GB
B. Use the multi-part upload API for this object
C. Use the large object upload API for this object
D. Contact support to increase your object size limit
E. Upload to a different region


You have an application running on an Amazon Elastic Compute Cloud instance that uploads 5 GB video objects to Amazon Simple Storage Service (S3). Video uploads are taking longer than expected, resulting in poor application performance. Which method will help improve performance of your application?

A. Enable enhanced networking
B. Use Amazon S3 multipart upload
C. Leveraging Amazon CloudFront, use the HTTP POST method to reduce latency.
D. Use Amazon Elastic Block Store Provisioned IOPs and use an Amazon EBS-optimized instance


A media company produces new video files on-premises every day with a total size of around 100GB after compression. All files have a size of 1-2 GB and need to be uploaded to Amazon S3 every night in a fixed time window between 3am and 5am. Current upload takes almost 3 hours, although less than half of the available bandwidth is used. What step(s) would ensure that the file uploads are able to complete in the allotted time window?

A. Increase your network bandwidth to provide faster throughput to S3
B. Upload the files in parallel to S3 using multipart upload
C. Pack all files into a single archive, upload it to S3, then extract the files in AWS
D. Use AWS Import/Export to transfer the video files


Why?

A single PUT to S3 is limited to 5GB, but by using the Multipart Upload API objects of up to 5TB can be uploaded to S3

https://aws.amazon.com/blogs/aws/amazon-s3-multipart-upload/



Using S3 as static website

Company C is currently hosting their corporate site in an Amazon S3 bucket with Static Website Hosting enabled. Currently, when visitors go to http://www.companyc.com the index.html page is returned. Company C now would like a new page welcome.html to be returned when a visitor enters http://www.companyc.com in the browser. Which of the following steps will allow Company C to meet this requirement? Choose 2 answers

A. Upload an html page named welcome.html to their S3 bucket
B. Create a welcome subfolder in their S3 bucket
C. Set the Index Document property to welcome.html
D. Move the index.html page to a welcome subfolder
E. Set the Error Document property to welcome.html


An Amazon S3 bucket, “myawsbucket”, is configured with website hosting in the Tokyo region. What is the region-specific website endpoint?

A. www.myawsbucket.ap-northeast-1.amazonaws.com
B. myawsbucket.s3-website-ap-northeast-1.amazonaws.com
C. myawsbucket.amazonaws.com
D. myawsbucket.tokyo.amazonaws.com

Why?

S3 static website endpoints always contain the text "website" in the URL


S3 encryption cipher

What type of block cipher does Amazon S3 offer for server side encryption?

A. RC5
B. Blowfish
C. Triple DES
D. Advanced Encryption Standard

Why?
http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.


S3 bucket policies and pre-signed URLs

Company A has an S3 bucket containing premier content that they intend to make available to only paid subscribers of their website. The S3 bucket currently has default permissions of all objects being private to prevent inadvertent exposure of the premier content to non-paying website visitors. How can Company A provide only paid subscribers the ability to download a premier content file in the S3 bucket?

A. Apply a bucket policy that grants anonymous users to download the content from the S3 bucket
B. Generate a pre-signed object URL for the premier content file when a paid subscriber requests a download
C. Add a bucket policy that requires Multi-Factor Authentication for requests to access the S3 bucket objects
D. Enable server side encryption on the S3 bucket for data protection against the non-paying website visitors


You run an ad-supported photo sharing website using S3 to serve photos to visitors of your site. At some point you find out that other sites have been linking to the photos on your site, causing loss to your business. What is an effective method to mitigate this?

A. Store photos on an EBS volume of the web server
B. Remove public read access and use signed URLs with expiry dates.
C. Use CloudFront distributions for static content.
D. Block the IPs of the offending websites in Security Groups.



Why? http://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html

"Anyone who receives the pre-signed URL can then access the object. For example, if you have a video in your bucket and both the bucket and the object are private, you can share the video with others by generating a pre-signed URL."


S3 bucket limits

What is the maximum number of S3 Buckets available per AWS account?

A. There is no limit
B. 100 per account
C. 100 per IAM user
D. 100 per region
E. 500 per account

Why?

http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

Amazon Simple Storage Service (Amazon S3) Limits

Resource    Default Limit
Buckets     100 per account

For information about additional documented limits, see Amazon S3 limits in the Amazon Simple Storage Service Developer Guide.

S3 security token

When uploading an object, what request header can be explicitly specified in a request to Amazon S3 to encrypt object data when saved on the server side?

A. x-amz-storage-class
B. Content-MD5
C. x-amz-security-token
D. x-amz-server-side-encryption

Why?

http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html

If you are signing your request using temporary security credentials (see Making Requests), you must include the corresponding security token in your request by adding the x-amz-security-token header.



S3 data restriction

Which features can be used to restrict access to data in S3? Choose 2 answers

A. Set an S3 Bucket policy.
B. Enable IAM Identity Federation.
C. Set an S3 ACL on the bucket or the object.
D. Create a CloudFront distribution for the bucket
E. Use S3 Virtual Hosting

Why?

https://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc

This week we’ll discuss another frequently asked about topic: the distinction between IAM policies, S3 bucket policies, S3 ACLs, and when to use each. They’re all part of the AWS access control toolbox, but differ in how they’re used. 


A customer is leveraging Amazon Simple Storage Service in eu-west-1 to store static content for a web-based property. The customer is storing objects using the Standard Storage class. Where are the customer's objects replicated?

A. A single facility in eu-west-1 and a single facility in eu-central-1
B. A single facility in eu-west-1 and a single facility in us-east-1
C. Multiple facilities in eu-west-1
D. A single facility in eu-west-1


Why? https://aws.amazon.com/s3/faqs/ "You specify a region when you create your Amazon S3 bucket. Within that region, your objects are redundantly stored on multiple devices across multiple facilities"


A customer wants to leverage Amazon Simple Storage Service (S3) and Amazon Glacier as part of their backup and archive infrastructure. The customer plans to use third-party software to support this integration. Which approach will limit the access of the third party software to only the Amazon S3 bucket named “companybackup”?


A. A custom bucket policy limited to the Amazon S3 API in the Amazon Glacier archive “company-backup”
B. A custom bucket policy limited to the Amazon S3 API in “company-backup”
C. A custom IAM user policy limited to the Amazon S3 API for the Amazon Glacier archive “company-backup”.
D. A custom IAM user policy limited to the Amazon S3 API in “company-backup”.

Why? Although this could be done with B, you would still be missing the IAM user that is needed, which makes D the more precise answer.


What are characteristics of Amazon S3? Choose 2 answers

A. S3 allows you to store objects of virtually unlimited size.
B. S3 offers Provisioned IOPS.
C. S3 allows you to store unlimited amounts of data.
D. S3 should be used to host a relational database.
E. Objects are directly accessible via a URL.

Why? S3 objects are limited to 5TB in size. S3 doesn't provide Provisioned IOPS, and you should not store RDBMS data files on S3.


You are working with a customer who has 10 TB of archival data that they want to migrate to Amazon Glacier. The customer has a 1-Mbps connection to the Internet. Which service or feature provides the fastest method of getting the data into Amazon Glacier?

A. Amazon Glacier multipart upload
B. AWS Storage Gateway
C. VM Import/Export
D. AWS Import/Export

Why? http://docs.aws.amazon.com/amazonglacier/latest/dev/uploading-archive-mpu.html


You need to configure an Amazon S3 bucket to serve static assets for your public-facing web application. Which methods ensure that all objects uploaded to the bucket are set to public read? Choose 2 answers

A. Set permissions on the object to public read during upload.
B. Configure the bucket ACL to set all objects to public read.
C. Configure the bucket policy to set all objects to public read.
D. Use AWS Identity and Access Management roles to set the bucket to public read.
E. Amazon S3 objects default to public read, so no action is needed.

Why? https://aws.amazon.com/articles/5050 "You can use ACLs to grant permissions to individual AWS accounts; however, it is strongly recommended that you do not grant public access to your bucket using an ACL."
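The three access-control questions above (bucket policy versus ACL, the third-party software that must reach only “companybackup”, and public read for a static site) come down to writing a policy with the right scope and being able to see when one is too wide. As an added example (not from the post, the linked AWS article, or any AWS tool), the Python below builds an IAM user policy limited to one bucket and runs two checks a reviewer would want: every Allow resource must be exactly that bucket or its object wildcard, and any statement that grants anonymous access without a Condition is reported so that a public-read bucket policy is a deliberate, visible decision rather than an ACL someone forgot about. The sample policies and the bucket names are constructed.

```python
"""Scope checks for S3 access policies (added example, not from the post or from AWS)."""


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def scoped_user_policy(bucket: str) -> dict:
    """IAM user policy for third-party software: S3 API calls on one bucket and its keys only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def resources_outside_bucket(policy: dict, bucket: str) -> list:
    """Every Allow resource that is not exactly the bucket or its object wildcard.
    A prefix wildcard such as arn:aws:s3:::companybackup* is reported too, because it
    would also match a bucket called companybackup-old."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    return [res for stmt in _as_list(policy.get("Statement"))
            if stmt.get("Effect") == "Allow"
            for res in _as_list(stmt.get("Resource")) if res not in allowed]


def _principal_is_anyone(principal) -> bool:
    """Principal "*" and {"AWS": "*"} both mean anonymous access."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_statements(policy: dict) -> list:
    """Allow statements that grant anonymous access with no Condition to narrow them."""
    return [stmt for stmt in _as_list(policy.get("Statement"))
            if stmt.get("Effect") == "Allow"
            and _principal_is_anyone(stmt.get("Principal"))
            and not stmt.get("Condition")]


# Constructed sample policies for the checks above.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
}
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::static-site/*"}],
}
CONDITIONED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": ["*"]}, "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::static-site/*",
                   "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}],
}
```

`scoped_user_policy("companybackup")` passes `resources_outside_bucket` with an empty list, the `s3:*` on `arn:aws:s3:::*` policy fails it, and `PUBLIC_READ_POLICY` is the one shape that `public_statements` reports; the IP-conditioned variant is not, which is the distinction between "open to the world" and "open to a named network".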


A company is storing data on Amazon Simple Storage Service (S3). The company’s security policy mandates that data is encrypted at rest. Which of the following methods can achieve this? Choose 3 answers

A. Use Amazon S3 server-side encryption with AWS Key Management Service managed keys.
B. Use Amazon S3 server-side encryption with customer-provided keys.
C. Use Amazon S3 server-side encryption with EC2 key pair.
D. Use Amazon S3 bucket policies to restrict access to the data at rest.
E. Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key.
F. Use SSL to encrypt the data while in transit to Amazon S3.

Why? The other options are not about securing data at rest.


Which of the following are valid statements about Amazon S3? Choose 2 answers

A. S3 provides read-after-write consistency for any type of PUT or DELETE.
B. Consistency is not guaranteed for any type of PUT or DELETE.
C. A successful response to a PUT request only occurs when a complete object is saved.
D. Partially saved objects are immediately readable with a GET after an overwrite PUT.
E. S3 provides eventual consistency for overwrite PUTS and DELETES.


Which features can be used to restrict access to data in S3? Choose 2 answers

A. Set an S3 ACL on the bucket or the object.
B. Create a CloudFront distribution for the bucket.
C. Set an S3 bucket policy.
D. Enable IAM Identity Federation
E. Use S3 Virtual Hosting


Why? Ruling out the wrong options B, D and E leaves the correct answers.


You run an ad-supported photo sharing website using S3 to serve photos to visitors of your site. At some point you find out that other sites have been linking to the photos on your site, causing loss to your business. What is an effective method to mitigate this?

A. Remove public read access and use signed URLs with expiry dates.
B. Use CloudFront distributions for static content.
C. Block the IPs of the offending websites in Security Groups.
D. Store photos on an EBS volume of the web server.


Which set of Amazon S3 features helps to prevent and recover from accidental data loss?

A. Object lifecycle and service access logging
B. Object versioning and Multi-factor authentication
C. Access controls and server-side encryption
D. Website hosting and Amazon S3 policies

Why? Ruling out the wrong options A, C and D.


You have an application running on an Amazon Elastic Compute Cloud instance that uploads 5 GB video objects to Amazon Simple Storage Service (S3). Video uploads are taking longer than expected, resulting in poor application performance. Which method will help improve performance of your application?

A. Enable enhanced networking
B. Use Amazon S3 multipart upload
C. Leveraging Amazon CloudFront, use the HTTP POST method to reduce latency.
D. Use Amazon Elastic Block Store Provisioned IOPs and use an Amazon EBS-optimized instance

Why? Of the options given, S3 multipart upload is the only one that speeds up uploads to S3.


A customer wants to track access to their Amazon Simple Storage Service (S3) buckets and also use this information for their internal security and access audits. Which of the following will meet the Customer requirement?

A. Enable AWS CloudTrail to audit all Amazon S3 bucket access.
B. Enable server access logging for all required Amazon S3 buckets.
C. Enable the Requester Pays option to track access via AWS Billing
D. Enable Amazon S3 event notifications for Put and Post.

Why? http://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html Although "server access logging" is a confusing name, it provides this functionality.
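Server access logs only help an audit if something reads them. As an added example (not from the post or from AWS), the Python below parses records in the classic S3 server access log layout, whose first seventeen fields are, in order: bucket owner, bucket, time, remote IP, requester, request ID, operation, key, request URI, HTTP status, error code, bytes sent, object size, total time, turn-around time, referrer and user agent. It then answers the questions an access audit of the earlier hot-linking scenario would ask: how many anonymous object reads succeeded, which third-party sites they were referred from, and which addresses are piling up access denials. The log lines, owner ID, request IDs and addresses are constructed, and `own_hosts` (the site's own hostnames, which should not count as hot-linking referrers) is an assumed parameter.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Classic S3 server access log record: the first 17 fields in documented order.
# Trailing fields (version id and later additions) are allowed and ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<request_uri>[^"]*)" '
    r'(?P<status>\d{3}|-) (?P<error>\S+) (?P<bytes_sent>\S+) (?P<object_size>\S+) '
    r'(?P<total_time>\S+) (?P<turnaround>\S+) "(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

OWNER = "0123456789abcdef" * 4   # constructed canonical user id of the bucket owner

# Constructed sample records (fake request ids and documentation-range addresses).
SAMPLE_LINES = [
    # anonymous ("-" requester) object reads referred from another site: hot-linking
    f'{OWNER} photos-bucket [27/Sep/2016:03:14:07 +0000] 198.51.100.7 - REQ0001 REST.GET.OBJECT photos/cat.jpg "GET /photos/cat.jpg HTTP/1.1" 200 - 48213 48213 12 9 "http://example.net/gallery" "Mozilla/5.0" -',
    f'{OWNER} photos-bucket [27/Sep/2016:03:14:09 +0000] 198.51.100.7 - REQ0002 REST.GET.OBJECT photos/dog.jpg "GET /photos/dog.jpg HTTP/1.1" 200 - 51002 51002 11 8 "http://example.net/gallery" "Mozilla/5.0" -',
    # anonymous read arriving directly, with no referrer
    f'{OWNER} photos-bucket [27/Sep/2016:03:15:00 +0000] 192.0.2.44 - REQ0003 REST.GET.OBJECT photos/cat.jpg "GET /photos/cat.jpg HTTP/1.1" 200 - 48213 48213 10 7 "-" "curl/7.47.0" -',
    # the owner uploading an object, authenticated (requester is the canonical id)
    f'{OWNER} photos-bucket [27/Sep/2016:03:16:30 +0000] 192.0.2.10 {OWNER} REQ0004 REST.PUT.OBJECT photos/new.jpg "PUT /photos/new.jpg HTTP/1.1" 200 - - 73000 40 30 "-" "aws-cli/1.10" -',
    # one address collecting access denials on keys it is not allowed to read
    f'{OWNER} photos-bucket [27/Sep/2016:03:17:01 +0000] 203.0.113.9 - REQ0005 REST.GET.OBJECT private/a.jpg "GET /private/a.jpg HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "python-requests/2.9" -',
    f'{OWNER} photos-bucket [27/Sep/2016:03:17:02 +0000] 203.0.113.9 - REQ0006 REST.GET.OBJECT private/b.jpg "GET /private/b.jpg HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "python-requests/2.9" -',
    f'{OWNER} photos-bucket [27/Sep/2016:03:17:03 +0000] 203.0.113.9 - REQ0007 REST.GET.OBJECT private/c.jpg "GET /private/c.jpg HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "python-requests/2.9" -',
    "this line is not a log record",
]


def parse_record(line: str):
    """Return the record's fields as a dict, or None when the line does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit(lines, own_hosts=("www.example.com",)):
    """Summarise anonymous successful reads, third-party referrers and denials per address."""
    summary = {"anonymous_reads": 0, "hotlink_referrers": Counter(),
               "denied_by_ip": Counter(), "unparsed": 0}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            summary["unparsed"] += 1       # never silently drop lines an auditor should see
            continue
        if rec["status"] == "403":
            summary["denied_by_ip"][rec["ip"]] += 1
        if rec["requester"] == "-" and rec["operation"] == "REST.GET.OBJECT" and rec["status"] == "200":
            summary["anonymous_reads"] += 1
            host = urlparse(rec["referrer"]).hostname if rec["referrer"] != "-" else None
            if host and host not in own_hosts:
                summary["hotlink_referrers"][host] += 1
    return summary


if __name__ == "__main__":
    for name, value in audit(SAMPLE_LINES).items():
        print(f"{name}: {dict(value) if isinstance(value, Counter) else value}")
```

On the sample, three anonymous reads succeeded, two of them referred from example.net, and 203.0.113.9 collected all three denials; after switching the bucket to private objects behind expiring signed URLs, as the earlier question recommends, the anonymous-read count for object GETs is exactly the number that should drop to zero.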


A company is deploying a two-tier, highly available web application to AWS. Which service provides durable storage for static content while utilizing lower overall CPU resources for the web tier?

A. Amazon EBS volume
B. Amazon S3
C. Amazon EC2 instance store
D. Amazon RDS instance

Why? Of the options given, S3 uses no CPU resources of the web tier and can be used to store static content.


You are designing a web application that stores static assets in an Amazon Simple Storage Service (S3) bucket. You expect this bucket to immediately receive over 150 PUT requests per second. What should you do to ensure optimal performance?

A. Use multi-part upload.
B. Add a random prefix to the key names.
C. Amazon S3 will automatically manage performance at this scale.
D. Use a predictable naming scheme, such as sequential numbers or date time sequences, in the key names

Why? Using a random prefix in the key names will increase upload performance.


What is the Reduced Redundancy option in Amazon S3?

A. Less redundancy for a lower cost.
B. It doesn’t exist in Amazon S3, but in Amazon EBS.
C. It allows you to destroy any copy of your files outside a specific jurisdiction.
D. It doesn’t exist at all

Why? https://aws.amazon.com/s3/reduced-redundancy/


Can Amazon S3 uploads resume on failure or do they need to restart?

A. Restart from beginning
B. You can resume them, if you flag the “resume on failure” option before uploading.
C. Resume on failure
D. Depends on the file size

Why? A, unless Multipart Upload is used, in which case C is correct.
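The multipart questions in the "S3 bucket limits" section above (the 6 GB file, the slow 5 GB video uploads, the nightly 100GB batch), the repeated 5 GB video question, and the resume question here all rest on the same mechanism, so one added example covers them. The Python below (written for this page; it is not the post's code and not the AWS SDK) decides whether an object needs multipart upload at all, picks a part size that stays within the documented limits (5 GB per single PUT, 5 TB per object, at least 5 MiB per part except the last, at most 10,000 parts), and shows why a multipart upload can be resumed: the uploader lists the parts the service already holds and sends only the missing ones. The S3 API is replaced by an in-memory stand-in (an assumption, with the same four operations: create, upload part, list parts, complete) so the failure-and-resume path can be run offline; the demo uses 4 KiB parts, which real S3 would reject as too small.

```python
"""Plan an S3 multipart upload within the documented limits and resume it after a failure."""
import hashlib
import math

MIB = 1024 ** 2
GIB = 1024 ** 3
MAX_SINGLE_PUT = 5 * GIB        # the largest object one PUT request may carry
MAX_OBJECT = 5 * 1024 * GIB     # 5 TB: the largest object multipart upload can assemble
MIN_PART = 5 * MIB              # every part except the last must be at least 5 MiB
MAX_PARTS = 10_000              # a multipart upload has at most 10,000 parts


def upload_mode(size: int) -> str:
    """'single' or 'multipart' for an object of this size; raise when S3 cannot store it."""
    if size > MAX_OBJECT:
        raise ValueError(f"{size} bytes exceeds the 5 TB object limit")
    return "multipart" if size > MAX_SINGLE_PUT else "single"


def plan_parts(size: int, preferred_part: int = 8 * MIB):
    """Return (part_size, part_count) satisfying the part-size and part-count limits."""
    if size > MAX_OBJECT:
        raise ValueError(f"{size} bytes exceeds the 5 TB object limit")
    part_size = max(preferred_part, MIN_PART)
    part_size = max(part_size, math.ceil(size / MAX_PARTS))   # grow parts until 10,000 suffice
    return part_size, max(1, math.ceil(size / part_size))


class FakeMultipartService:
    """In-memory stand-in for CreateMultipartUpload / UploadPart / ListParts / CompleteMultipartUpload."""

    def __init__(self, fail_after_calls=None):
        self.parts = {}                       # part number -> bytes already received
        self.fail_after_calls = fail_after_calls
        self.calls = 0                        # every UploadPart attempt, failed ones included

    def upload_part(self, number: int, data: bytes) -> str:
        self.calls += 1
        if self.fail_after_calls is not None and self.calls > self.fail_after_calls:
            raise ConnectionError("simulated network failure mid-upload")
        self.parts[number] = data
        # S3 returns an MD5-based ETag per part; a SHA-256 stand-in is used here
        return hashlib.sha256(data).hexdigest()

    def list_parts(self) -> set:
        return set(self.parts)

    def complete(self, count: int) -> bytes:
        if set(self.parts) != set(range(1, count + 1)):
            raise RuntimeError("cannot complete: parts are missing")
        return b"".join(self.parts[n] for n in range(1, count + 1))


def upload_multipart(data: bytes, service: FakeMultipartService, part_size: int) -> bytes:
    """Upload only the parts the service does not already hold, then complete.
    Calling it again after an exception resumes from the last good part."""
    count = math.ceil(len(data) / part_size)
    already = service.list_parts()
    for n in range(1, count + 1):
        if n in already:
            continue
        service.upload_part(n, data[(n - 1) * part_size: n * part_size])
    return service.complete(count)


def resume_demo() -> tuple:
    """Fail after two parts, then resume; return (payload intact, total UploadPart attempts)."""
    data = bytes(range(256)) * 40           # 10,240 bytes of constructed payload: 3 parts
    part_size = 4096                        # tiny parts for the demo; real S3 needs >= 5 MiB
    service = FakeMultipartService(fail_after_calls=2)
    try:
        upload_multipart(data, service, part_size)
    except ConnectionError:
        pass                                # parts 1 and 2 survived on the service side
    service.fail_after_calls = None
    result = upload_multipart(data, service, part_size)
    return result == data, service.calls


if __name__ == "__main__":
    print("6 GB file:", upload_mode(6 * GIB), plan_parts(6 * GIB))
    print("resume demo (intact, attempts):", resume_demo())
```

The resume demo makes four `UploadPart` attempts in total: two that succeed, one that fails, and one for the single missing part after the retry, which is the difference between "restart from beginning" and "resume on failure" in the question above. Parallel uploads of independent parts, the fix for the nightly batch question, follow from the same property, since each part is addressed by its number.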


What is the durability of S3 RRS?

A. 99.99%
B. 99.95%
C. 99.995%
D. 99.999999999%

Why? https://aws.amazon.com/s3/reduced-redundancy/


What is Amazon Glacier?

A. You mean Amazon “Iceberg”: it’s a low-cost storage service.
B. A security tool that allows to “freeze” an EBS volume and perform computer forensics on it.
C. A low-cost storage service that provides secure and durable storage for data archiving and backup.
D. It’s a security tool that allows to “freeze” an EC2 instance and perform computer forensics on it.

Why? https://aws.amazon.com/glacier/ "Amazon Glacier is a secure, durable, and extremely low-cost cloud storage service for data archiving and long-term backup."
