S3 Object Lock, S3・101, S3 Performance, Cross Region Replication, S3…
S3 Object Lock
:zap:
Use it to store objects using a write once, read many (WORM) model
It helps you prevent objects from being deleted or modified for a fixed amount of time or indefinitely
:zap:
Use it to meet regulatory requirements that mandate WORM storage, or to add an extra layer of protection against object changes and deletion
:zap:
Governance Mode
:zap:
:star: Users can't overwrite or delete an object version or alter its lock settings unless they have special permissions
:zap:
Protects objects against deletion by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary. In practice that means the s3:BypassGovernanceRetention permission, and the request must also carry the x-amz-bypass-governance-retention: true header; without both, S3 denies the request even for an administrator
:zap:
Compliance Mode
:zap:
:star: A protected object version can't be overwritten or deleted by any user, including the root user in your AWS account.
:zap:
When an object is locked in compliance mode, its retention mode can't be changed and its retention period can't be shortened.
:zap:
Compliance mode ensures an object version can't be overwritten or deleted for the duration of the retention period
:zap:
:star: Retention Periods
:zap:
protects an object version for a fixed amount of time. When you place a retention period on an object version, Amazon S3 stores a timestamp in the object version's metadata to indicate when the retention period expires
:zap:
After the retention period expires, the object version can be overwritten or deleted unless you also placed a legal hold on the object version
:zap:
:star: Legal Holds
:zap:
Like a retention period, a legal hold prevents an object version from being overwritten or deleted
:zap:
However, a legal hold doesn't have an associated retention period and remains in effect until removed. Legal holds can be freely placed and removed by any user who has the s3:PutObjectLegalHold permission
Exam tips
:zap:
Use S3 Object Lock to store objects using a write once, read many (WORM) model
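The governance, compliance and legal-hold rules above are easy to misremember, so here is an added example (this is not AWS or boto3 code, and nothing in it talks to S3) that encodes them as a small offline state machine. The names Caller, ObjectVersion and run_scenarios are this example's own; the Caller.bypass_governance flag is true only when the caller both holds s3:BypassGovernanceRetention and sends the x-amz-bypass-governance-retention header, because S3 requires both.

```python
"""Offline model of the S3 Object Lock rules (added example, not AWS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


class ObjectLocked(Exception):
    """Stands in for the AccessDenied S3 returns when a lock blocks a request."""


@dataclass
class Caller:
    name: str
    # True only when the caller holds s3:BypassGovernanceRetention AND sends
    # the x-amz-bypass-governance-retention: true header; S3 requires both.
    bypass_governance: bool = False
    can_put_legal_hold: bool = True   # s3:PutObjectLegalHold


@dataclass
class ObjectVersion:
    key: str
    mode: Optional[str] = None        # "GOVERNANCE" | "COMPLIANCE" | None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False
    deleted: bool = False

    def retention_active(self, now: datetime) -> bool:
        return self.retain_until is not None and now < self.retain_until

    def put_retention(self, caller: Caller, mode: str, until: datetime, now: datetime):
        if self.retention_active(now):
            if self.mode == "COMPLIANCE":
                # Nobody, root included, can change the mode or shorten the period.
                if mode != "COMPLIANCE":
                    raise ObjectLocked("compliance mode cannot be changed")
                if until < self.retain_until:
                    raise ObjectLocked("compliance retention cannot be shortened")
            elif until < self.retain_until and not caller.bypass_governance:
                # Governance: extending is free, shortening needs the bypass.
                raise ObjectLocked("needs s3:BypassGovernanceRetention")
        self.mode, self.retain_until = mode, until

    def put_legal_hold(self, caller: Caller, on: bool):
        if not caller.can_put_legal_hold:
            raise ObjectLocked("needs s3:PutObjectLegalHold")
        self.legal_hold = on          # independent of any retention period

    def delete(self, caller: Caller, now: datetime):
        if self.legal_hold:
            raise ObjectLocked("legal hold is in effect")
        if self.retention_active(now):
            if self.mode == "COMPLIANCE" or not caller.bypass_governance:
                raise ObjectLocked(f"{self.mode} retention until {self.retain_until:%Y-%m-%d}")
        self.deleted = True


def attempt(fn, *args) -> str:
    """Run a lock-checked request and report 'allowed' or 'denied'."""
    try:
        fn(*args)
        return "allowed"
    except ObjectLocked:
        return "denied"


def run_scenarios() -> dict:
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    dev = Caller("dev")                            # ordinary user
    ops = Caller("ops", bypass_governance=True)    # has the bypass permission + header
    root = Caller("root")                          # no special treatment in compliance mode
    r = {}

    gov = ObjectVersion("reports/q4.csv")
    gov.put_retention(ops, "GOVERNANCE", now + 30 * day, now)
    r["gov_delete_dev"] = attempt(gov.delete, dev, now)
    r["gov_shorten_dev"] = attempt(gov.put_retention, dev, "GOVERNANCE", now + 1 * day, now)
    r["gov_extend_dev"] = attempt(gov.put_retention, dev, "GOVERNANCE", now + 60 * day, now)
    r["gov_delete_ops"] = attempt(gov.delete, ops, now)

    comp = ObjectVersion("ledger/2023.parquet")
    comp.put_retention(ops, "COMPLIANCE", now + 365 * day, now)
    r["comp_shorten_ops"] = attempt(comp.put_retention, ops, "COMPLIANCE", now + 1 * day, now)
    r["comp_to_gov_root"] = attempt(comp.put_retention, root, "GOVERNANCE", now + 400 * day, now)
    r["comp_delete_root"] = attempt(comp.delete, root, now)
    r["comp_delete_after_expiry"] = attempt(comp.delete, root, now + 366 * day)

    held = ObjectVersion("evidence/case-17.zip")
    held.put_retention(ops, "GOVERNANCE", now + 1 * day, now)
    held.put_legal_hold(ops, True)
    r["hold_delete_after_expiry"] = attempt(held.delete, ops, now + 2 * day)  # hold outlives retention
    held.put_legal_hold(ops, False)
    r["hold_removed_delete"] = attempt(held.delete, ops, now + 2 * day)
    return r
```

The scenarios map one to one onto the notes: a governance lock keeps out an ordinary user but not the bypass holder, a compliance lock keeps out everyone including root until the date passes, and a legal hold blocks deletion even after the retention period has expired.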
Glacier Vault Lock
:zap:
Allows you to easily deploy and enforce compliance controls for individual S3 Glacier vaults with a Vault Lock policy
:zap:
You can specify controls, such as WORM, in a Vault Lock policy and lock the policy from future edits. Locking is a two-step process: initiating the lock returns a lock ID and leaves the policy in an in-progress state for 24 hours, during which you can test it or abort; completing the lock with that ID makes the policy permanent, and once locked it can no longer be changed
S3・101
:zap:
S3 Storage Classes
-
:zap:
S3 Glacier
Can reliably store any amount of data at costs that are competitive with or cheaper than on-premises solutions, with retrieval times configurable from minutes to hours
A secure, durable and low-cost storage class for data archiving
-
-
:zap:
S3 - IA (Infrequent Access)
-
:zap:
for data that is accessed less frequently, but requires rapid access when needed
-
S3 Performance
Exam tips
:zap:
If using SSE-KMS to encrypt your objects in S3, you must keep in mind the KMS limits
-
:zap:
Region specific, however it's either 5,500, 10,000 or 30,000 requests per second. The quota is shared by all KMS cryptographic operations in the account and region, so S3 traffic competes with every other KMS caller
:zap:
The course note says you cannot request a quota increase for KMS; that is no longer accurate. The KMS cryptographic-operations request quota is adjustable through Service Quotas, but the increase is per region and takes time, so check the current value before relying on it
-
-
KMS Request Rates
:zap:
Limitations
:zap:
If you are using SSE-KMS to encrypt your objects in S3, you must keep in mind the KMS limits
:zap:
When you upload a file, you will call GenerateDataKey in the KMS API
:zap:
When you download a file, you will call Decrypt in the KMS API
-
-
-
:zap:
Downloads
S3 Byte-Range Fetches
-
If there's a failure in the download, it affects only a specific byte range, so only that range needs to be re-fetched
-
-
Can be used to just download partial amounts of the file (e.g., header information)
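An added example of the two points above, written for this page rather than taken from AWS: the object is an in-memory byte string and FlakyObject.get is a stand-in for an S3 GetObject call with a Range header (with boto3 that call would be s3.get_object(Bucket=bucket, Key=key, Range=f"bytes={start}-{end}")["Body"].read()). One range fails on its first attempt and is the only one retried; read_header fetches just the first few bytes. The body, the failure injection and the names are all constructed for the demo.

```python
"""Byte-range download with per-range retry (added example, not AWS code)."""
import hashlib
import threading
from concurrent.futures import ThreadPoolExecutor

CHUNK = 256 * 1024   # small for the demo; 8-16 MiB ranges are typical against S3


def plan_ranges(size: int, chunk: int = CHUNK) -> list:
    """Inclusive (start, end) pairs, exactly what the Range header expects."""
    return [(start, min(start + chunk, size) - 1) for start in range(0, size, chunk)]


class FlakyObject:
    """Stand-in for an S3 object: the first GET for one range drops the connection."""

    def __init__(self, body: bytes, fail_once_at: int):
        self.body = body
        self.fail_once_at = fail_once_at   # start offset of the range that fails once
        self.failed_once = False
        self.calls = 0
        self._lock = threading.Lock()

    def get(self, rng: tuple) -> bytes:
        start, end = rng
        with self._lock:
            self.calls += 1
            should_fail = start == self.fail_once_at and not self.failed_once
            if should_fail:
                self.failed_once = True
        if should_fail:
            raise ConnectionError(f"simulated drop on bytes={start}-{end}")
        return self.body[start:end + 1]   # Range end is inclusive


def download(obj: FlakyObject, size: int, workers: int = 4, retries: int = 2) -> bytes:
    """Fetch all ranges in parallel; a failure re-fetches only that one range."""
    ranges = plan_ranges(size)

    def fetch(rng):
        for attempt in range(retries + 1):
            try:
                return rng, obj.get(rng)
            except ConnectionError:
                if attempt == retries:
                    raise               # give up on this range only
        raise AssertionError("unreachable")

    with ThreadPoolExecutor(max_workers=workers) as pool:
        parts = dict(pool.map(fetch, ranges))
    return b"".join(parts[rng] for rng in ranges)   # reassemble in offset order


def read_header(obj: FlakyObject, nbytes: int) -> bytes:
    """Fetch only the first nbytes (e.g. a file's magic bytes) via bytes=0-(n-1)."""
    return obj.get((0, nbytes - 1))


def demo() -> dict:
    body = bytes(range(256)) * 5127               # constructed ~1.25 MiB object, not a CHUNK multiple
    obj = FlakyObject(body, fail_once_at=CHUNK)   # the second range fails once
    got = download(obj, len(body))
    calls_for_full_download = obj.calls
    return {
        "intact": hashlib.sha256(got).hexdigest() == hashlib.sha256(body).hexdigest(),
        "ranges": len(plan_ranges(len(body))),
        "calls": calls_for_full_download,         # one per range plus the single retry
        "header": read_header(obj, 4),
    }
```

Verify the reassembled object against a checksum as demo does: with parallel ranges, an ordering bug looks exactly like a successful download until something reads the file.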
-
S3 Versioning
-
-
-
Once enabled, Versioning cannot be disabled, only suspended
-
Versioning's MFA Delete capability, which uses multi-factor authentication, can be used to provide an additional layer of security. Only the bucket owner's root credentials can enable it, and only through the API or CLI (not the console); once on, deleting an object version or changing the bucket's versioning state requires the MFA code on the request
AWS DataSync
-
-
Replication can be done hourly, daily, or weekly
-
-
-
-
S3 Select
what is ?
-
By using S3 Select to retrieve only the data your application needs, you can achieve drastic performance increases; in many cases you can get as much as a 400% improvement
-
Glacier Select
:zap:
Some companies in highly regulated industries, e.g. financial services, healthcare, and others
-
:zap:
Many S3 users have lifecycle policies designed to save on storage costs by moving their data into Glacier when they no longer need to access it on a regular basis
-
Exam Tips
Remember that S3 Select is used to retrieve only a subset of data from an object by using simple SQL expressions
-
-
-
CloudFront
Key Terminology
-
:zap:
Origin
This is the origin of all the files that the CDN will distribute. It can be an S3 bucket, an EC2 instance, an Elastic Load Balancer, or any custom HTTP server reachable by DNS name; Route 53 is where you point your domain at the distribution, it is not an origin itself
-
-
-
:zap:
-
-
:zap:
You can clear cached objects (an invalidation), but beyond the first 1,000 invalidation paths per month you will be charged
What is ?
A content delivery network (CDN) is a system of distributed servers (a network) that delivers webpages and other web content to a user based on the geographic location of the user, the origin of the webpage, and a content delivery server
It can be used to deliver your entire website, including dynamic, static, streaming, and interactive content, using a global network of edge locations. Requests for your content are automatically routed to the nearest edge location, so content is delivered with the best possible performance
Storage Gateway
Types of Storage Gateway
:dizzy:
File Gateway (NFS & SMB)
:zap:
Files are stored as objects in your S3 buckets, accessed through a Network File System (NFS) or SMB mount point
:zap:
Ownership, permissions, and timestamps are durably stored in S3 in the user-metadata of the object associated with the file
:zap:
Once objects are transferred to S3 they can be managed as native S3 objects, and bucket features such as versioning, lifecycle management, and cross-region replication apply directly to objects stored in your bucket
:zap:
Volume Gateway (iSCSI)
what is ?
-
:zap:
Data written to these volumes can be asynchronously backed up as point-in-time snapshots of your volumes, and stored in the cloud as Amazon EBS snapshots
:zap:
Snapshots are incremental backups that capture only changed blocks. All snapshot storage is also compressed to minimize your storage charges
types
Stored Volumes
:zap:
let you store your primary data locally, while asynchronously backing up that data to AWS.
:zap:
Stored volumes provide your on-premises applications with low-latency access to their entire datasets, while providing durable, off-site backups.
:zap:
You can create storage volumes and mount them as iSCSI devices from your on-premises application servers
-
:zap:
This data is asynchronously backed up to Amazon Simple Storage Service (Amazon S3) in the form of Amazon Elastic Block Store (Amazon EBS) snapshots.
-
Cached Volumes
:zap:
Let you use Amazon S3 as your primary data storage while retaining frequently accessed data locally in your storage gateway
:zap:
Cached volumes minimize the need to scale your on-premises storage infrastructure, while still providing your applications with low-latency access to their frequently accessed data.
:zap:
You can create storage volumes up to 32 TB in size and attach to them as iSCSI devices from your on-premises application servers.
:zap:
Your gateway stores data that you write to these volumes in Amazon S3 and retains recently read data in your on-premises storage gateway's cache and upload buffer storage.
-
:zap:
Tape Gateway (VTL)
What is
:zap:
Offers a durable, cost-effective solution to archive your data in the AWS cloud.
:zap:
The VTL interface it provides lets you leverage your existing tape-based backup application infrastructure to store data on virtual tape cartridges that you create on your tape gateway.
:zap:
Each tape gateway is preconfigured with a media changer and tape drives, which are available to your existing client backup application as iSCSI devices.
:zap:
You add tape cartridges as you need to archive your data. Supported by NetBackup, Backup Exec, Veeam ...
Exam tips
:zap:
File Gateway
For flat files, stored directly on S3
-
-
What is ?
A service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization's on-premises IT environment and AWS's storage infrastructure. The service enables you to securely store data in the AWS cloud for scalable and cost-effective storage
The AWS Storage Gateway software appliance is available for download as a virtual machine (VM) image that you install on a host in your datacenter. Storage Gateway supports either VMware ESXi or Microsoft Hyper-V. Once you've installed your gateway and associated it with your AWS account through the activation process, you can use the AWS Management Console to create the storage gateway option that is right for you
-
-
Athena vs Macie
Athena ?
:zap:
Interactive query service which enables you to analyse and query data located in S3 using standard SQL
:zap:
Serverless, nothing to provision, pay per query / per TB scanned
-
-
:zap:
Can Athena be used for ?
:zap:
Can be used to query log files stored in S3, e.g. ELB logs, S3 access logs etc.
-
-
-
Macie ?
:zap:
What is PII
-
:zap:
This data could be exploited by criminals, used in identity theft and financial fraud
:zap:
Home address, email address SSN
:zap:
Passport number, driver's license number
:zap:
D.O.B, phone number, bank account, credit card number
:zap:
What is Macie
:zap:
Security service which uses Machine Learning and NLP (Natural Language Processing) to discover, classify and protect sensitive data stored in S3
-
:zap:
Dashboards, reporting and alerts
-
-
-
S3 & IAM Summary
S3
-
-
-
-
:zap:
S3 is a universal namespace. That is, names must be unique globally
-
-
:zap:
By default, all newly created buckets are PRIVATE. You can set up access control to your buckets using
-
:zap:
S3 buckets can be configured to create access logs which log all requests made to the S3 bucket. This can be sent to another bucket and even another bucket in another account
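Access logs are only useful if something reads them, so here is an added example (written for this page, not AWS tooling) that parses S3 server access log lines and flags the three things a reviewer looks for first: successful anonymous object reads (a public bucket or key), AccessDenied counts per source IP (someone probing), and which principal deleted what. The field order follows the S3 server access log format (bucket owner, bucket, bracketed time, remote IP, requester, request ID, operation, key, quoted request URI, status, error code, bytes sent, object size, total time, turnaround time, quoted referer, quoted user agent, version ID, then newer trailing fields). The five log lines are constructed for the demo and the canonical ID, bucket name, IPs and ARN in them are placeholders.

```python
"""Triage of S3 server access log lines (added example, not AWS code)."""
import re
from collections import Counter

# Named fields in the order S3 writes them; anything after version_id
# (host ID, signature version, cipher, auth type, host header, TLS...) is kept raw.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turnaround_time", "referer", "user_agent", "version_id",
]

# One token per field: a [bracketed time], a "quoted string", or a bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_line(line: str) -> dict:
    """Split one access log line into a dict keyed by FIELDS (+ 'extra' for the tail)."""
    tokens = [t.strip('[]"') for t in TOKEN.findall(line)]
    rec = dict(zip(FIELDS, tokens))
    rec["extra"] = tokens[len(FIELDS):]
    return rec


def triage(lines) -> dict:
    """Run the three checks over an iterable of log lines."""
    anonymous_reads, denied_by_ip, deletes = [], Counter(), []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        # requester "-" means the request was unauthenticated: a 200 here is a public read
        if rec["requester"] == "-" and rec["operation"] == "REST.GET.OBJECT" \
                and rec["http_status"] == "200":
            anonymous_reads.append(rec["key"])
        if rec["http_status"] == "403":
            denied_by_ip[rec["remote_ip"]] += 1
        if rec["operation"] == "REST.DELETE.OBJECT":
            deletes.append((rec["requester"], rec["key"]))
    return {
        "anonymous_reads": anonymous_reads,
        "denied_by_ip": dict(denied_by_ip),
        "deletes": deletes,
    }


# Constructed sample: an anonymous client reads one object, is denied on two
# more, then an IAM user uploads and deletes a report (placeholder IDs throughout).
OWNER = "OWNERCANONICALID" + "0" * 48
SAMPLE_LOG = f"""\
{OWNER} demo-bucket [01/Mar/2024:10:15:01 +0000] 198.51.100.7 - 3E57427F3EXAMPLE REST.GET.OBJECT backups/db.sql "GET /demo-bucket/backups/db.sql HTTP/1.1" 200 - 524288 524288 35 10 "-" "curl/8.4.0" -
{OWNER} demo-bucket [01/Mar/2024:10:15:02 +0000] 198.51.100.7 - 3E57427F4EXAMPLE REST.GET.OBJECT secrets/.env "GET /demo-bucket/secrets/.env HTTP/1.1" 403 AccessDenied - - 4 - "-" "curl/8.4.0" -
{OWNER} demo-bucket [01/Mar/2024:10:15:03 +0000] 198.51.100.7 - 3E57427F5EXAMPLE REST.GET.OBJECT admin/creds.json "GET /demo-bucket/admin/creds.json HTTP/1.1" 403 AccessDenied - - 4 - "-" "curl/8.4.0" -
{OWNER} demo-bucket [01/Mar/2024:10:16:10 +0000] 203.0.113.9 arn:aws:iam::111122223333:user/alice 3E57427F6EXAMPLE REST.PUT.OBJECT reports/q1.csv "PUT /demo-bucket/reports/q1.csv HTTP/1.1" 200 - - 2048 60 20 "-" "aws-cli/2.15.0" -
{OWNER} demo-bucket [01/Mar/2024:10:17:00 +0000] 203.0.113.9 arn:aws:iam::111122223333:user/alice 3E57427F7EXAMPLE REST.DELETE.OBJECT reports/q1.csv "DELETE /demo-bucket/reports/q1.csv HTTP/1.1" 204 - - - 12 - "-" "aws-cli/2.15.0" 3HL4kqtJlcpXroDTDmJ+rmSpXd3dIbrHY+MTRCxf3vjVBH40Nr8X8gdRQBpUMLUo
"""


def demo() -> dict:
    return triage(SAMPLE_LOG.splitlines())
```

Because the target bucket can live in another account, as the note says, run this (or the equivalent Athena query) from the logging account rather than the one whose bucket is being watched; a compromised principal in the source account then cannot tamper with its own trail.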
-
-
IAM
-
:zap:
So far
-
The "root account" is simply the account created when you first set up your AWS account. It has complete admin access
-
-
These are not the same as a password. You cannot use the Access Key ID & Secret Access Key to log in to the console; you can use them to access AWS via the APIs and command line, however
You only get to view these once. If you lose them, you have to regenerate them. So, save them in a secure location.
-
-
IAM
Key Features
-
-
-
Identity Federation (Active Directory, Facebook, Linked ...)
S3 Transfer Acceleration
what is ?
-
Instead of uploading directly to your S3 bucket, you can use a distinct URL to upload directly to an edge location which will then transfer that file to S3. You will get a distinct URL to upload to : abc.s3-accelerate.amazonaws.com