It can be used to manage your objects so that they are stored using the most cost effective S3 option throughout their lifecycle.
S3 Lifecycle Policies
What should you use in order to protect against accidental or malicious deletions of your version-controlled S3 buckets?
MFA Delete.
Why do you need a valid code from your MFA device?
- to enable permanent deletion of an S3 object.
- to suspend or reactivate versioning on the S3 bucket.
What can be used to Encrypt data in transit to s3?
SSL/TLS
Encrypts data between your PC and S3. (https)
What are the two different types of Encryption At-Rest for S3?
Server Side Encryption
Client Side Encryption
Three ways of Server Side Encryption for S3:
SSE-S3
SSE-KMS
SSE-C
Can a client encrypt data before uploading it to s3?
Yes!
By using Client side encryption.
Characteristics of SSE-S3:
- AWS Takes care of everything, you don’t need to worry about it.
- S3 Managed Keys
- AES256
Characteristics of SSE-KMS:
- KMS managed Keys
- Envelope key → The key that encrypts your data’s encryption key.
- Audit trail → records the use of your encryption key.
Characteristics of SSE-C:
- AWS manages the encryption and decryption activities
- Client manages the keys used.
- Rotation and all.
- x-amz-server-side-encryption: AES256
- x-amz-server-side-encryption: ams:kms
What do these parameters do?
When these parameters are included in the header of the PUT request, it simply tells S3 to encrypt the objects at the time of upload and using the specified encryption method.
How can you enforce the use of SSE for S3?
By using a bucket policy which denies any S3 PUT request which doesn’t include the x-amz-server-side-encryption parameter in the request header.
S3
Durable, immediately available, frequently accessed
S3 Standard
S3
Durable, immediately available, infrequently accessed
S3 IA
S3
Durable, immediately available, infrequently accessed, data store in a single AZ
S3 One Zone IA
S3
Data that is easily reproducible, such as thumbnails
S3 Reduced Redundancy Storage
S3
Archived data, where you can wait 3 - 5 hours before accessing the data
S3 Glacier
What do these represent?
- Key (name)
- Value (data)
- Version ID
- Metadata
- Subresources - bucket specific configuration:
- Bucket policies, ACL
- CORS - used to enable different resources within AWS to access your S3 buckets
Core fundamentals of an S3 object
Which types of root volumes can be used for EC2 instances?
EBS
Instance Store
True or False
The only time instance store persists data is when the instance is rebooted intentionally or not.
True
What’s the best practice to follow when changing EC2 volume type?
- Stop the instance
- Take a snapshot of the volume
- Use the snapshot to create a new volume
KMS or CloudHSM?
- Shared hardware, multi-tenant managed service
- Suitable for applications for which multi-tenancy is not an issue
- Free-tier eligible
- Encrypt data store in AWS, including EBS volumes, S3, RDS, DynamoDB, etc.
- Symmetric Keys only.
KMS
KMS or CloudHSM?
- Dedicated Hardware Security Module instance, hardware is not shared with other tenants, no Free-tier
- It’s under your exclusive control within your own VPC
- FIPS 140-2 Level 3 Compliance (US Government standard for HSMs)
- Includes tamper-evident physical security mechanisms
- Suitable for applications which have a contractual or regulatory requirement for dedicated hardware managing cryptographic keys
- Symmetric or Asymmetric keys.
CloudHSM
What is Block device mapping?
specifies which EBS volumes to attach to the instance at launch time
