AWS Solutions Architect Exam
AWS CloudWatch
A monitoring service for AWS resources as well as the applications that run on AWS. It can monitor things like:
- EC2
- DynamoDB
- RDS DB instances
- Custom metrics generated by applications and services
- Any log files your applications generate
It is also used to create billing alarms.
What is Least Privilege?
The principle that a user is granted the privilege for an activity only if there is a justifiable need for that authorization: the minimum permissions the user needs to perform their job. AWS recommends this.
How can you increase performance if you have a high request rate in S3?
Add a hexadecimal hash prefix to the key names.
How can an app on an EC2 instance act like a user and move files from S3?
1) Simulate a user by using an access key and secret access key, but this is a huge security risk if you store that information on your EC2 instance. 2) Use an IAM role (with policies attached) to allow the instance to communicate with the S3 bucket.
How many buckets can you have?
100 buckets per account, but you can ask AWS to increase the number.
What are the IAM credentials?
Four kinds: programmatic access using an access key and secret access key; console access using a user name and password; X.509 certificates; and MFA.
What is the availability and durability for S3 Standard?
99.99% availability (how often you can access objects in S3) and 99.999999999% (eleven nines) durability (the likelihood that your data is lost is very low). Designed to sustain the loss of two AWS facilities.
What is the S3 availability & durability?
99.99% available and eleven nines durability
What are cross-account permissions?
A bucket owner can grant cross-account permissions to another AWS account to upload objects, but in this case the account that uploaded the object remains the owner of that object. The bucket owner pays for the resources in S3 and can deny access to objects in the bucket, and can delete, archive, or restore objects regardless of who owns them.
What is S3 Versioning?
A subresource that allows you to preserve and restore every version of an object stored in the bucket. Can be used for archival. Integrates with lifecycle rules.
How can you request an STS token?
Via the API, SDKs, CLI, or Microsoft PowerShell. You cannot generate STS tokens via the console.
GovCloud
AWS regions for the US government and private companies, e.g. the AWS GovCloud (US-West) Region.
What type of encryption does Glacier automatically use at rest?
AES-256 symmetric keys.
What are the subresources for your object in S3?
Access control lists, which grant permissions on an object, and torrent, which allows you to fetch an object via BitTorrent, reducing the load on your S3 object.
What do the STS API actions return?
Access keys, a session token, the duration, and the user.
AWS Programmatic Access
Allows the user to get access via the command line by supplying an access key and a secret access key. You can delete a user's programmatic access and create a new access key/secret access key pair if they lose their credentials. You cannot access the management console with an access key/secret access key.
What is an IAM principal?
An entity that can take an action on an AWS resource, such as users, roles, federated users, applications.
What STS action is used for cross-account access?
AssumeRole
What are the STS API actions?
AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity, GetSessionToken, GetFederationToken
What STS action is used for federation?
AssumeRoleWithSAML or AssumeRoleWithWebIdentity or GetFederationToken
By default, what is S3 Public Access like?
By default, objects in S3 are private. You must first edit the public access settings for the bucket, after which the bucket shows "Objects can be public." At that point you can make individual objects public.
How is an S3 object uniquely identified through an address?
By the service endpoint (region), the bucket name (in the universal namespace), and the object key (or name). Optionally, a version ID if versioning is enabled.
How can principals send requests?
Via the console, CLI, SDKs, or API, specifying the action and the resources.
What is the benefit of using temporary credentials?
You don't need to create an IAM user, and you don't need to embed security credentials in an app.
What is the durability and availability for Glacier?
Durability is eleven nines but no availability guarantees.
What are the retrieval methods for Glacier?
Expedited (minutes), Standard (3-5 hours), Bulk (5-12 hours)
How does S3 evaluate a request for an S3 resource operation?
First it evaluates the user context to see if the user has policies that allow the request, then it checks the bucket context to see if the bucket owner has allowed the request from a bucket policy, bucket ACL, and object ACL standpoint.
What is the largest object in S3?
Objects can't exceed 5 TB, but large objects can be uploaded with multipart upload.
What STS action is used for MFA?
GetSessionToken
What happens when you transition an object to Glacier from other classes or via lifecycle rules?
Glacier adds 32 KB of overhead (indexing and archive metadata) to the object. Glacier recommends combining small objects into a large zip/tar file because you are charged for that 32 KB overhead.
How does synchronicity work with Glacier?
Glacier uses synchronous uploads and asynchronous retrieval. On upload, the data is synchronously replicated to multiple locations.
What is IAM Role Delegation?
Granting permissions to someone to allow access to resources that you control. Can be across different AWS accounts or within the same account. Granted through permission policies.
IAM Groups
Groups are collections of users; the users in a group inherit the permissions of the group.
AWS Power User
Has access to all AWS resources except management of users and groups in IAM.
How can you name an S3 bucket?
Buckets have a universal namespace, so names must be globally unique because they are used in domain names. Name: https://s3-region-name.amazonaws.com/bucket-name. Must start with a lowercase letter and contain only valid characters. If you delete the bucket, the name becomes available to others, or to you, again.
IAM Policies
IAM policies are used to set up permissions for users, groups, or roles within AWS. Policy documents are written in JSON. IAM policies can grant temporary access to users.
How consistent is IAM?
IAM is eventually consistent across AWS data centers around the world, so updates take time to propagate.
PCI DSS Compliance
IAM supports PCI DSS Compliance: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.
IAM has Identity Federation
Identity federation lets a user sign in to AWS using their existing accounts from Microsoft Active Directory, Facebook, LinkedIn, etc.
Deleting Groups
If you delete a group through the management console, the users and permissions associated with it are removed automatically. You can't delete a group via the command line unless you first remove the users.
What are the costs associated with Glacier?
If you delete your data before 90 days, you are charged a deletion fee, because Glacier expects you to keep older data there. You also pay for restores (copies of your data) from Glacier: both the requests and the copy. Any overhead (32 or 40 KB) involved in indexing and archive metadata for lifecycle rules or transitioned objects is charged too.
What does SSO allow?
Single sign-on eliminates the need for users to sign in to your organization's site and to AWS separately.
What does high availability mean?
It means that your application is spread across multiple AZs.
When you delegate access to other accounts/users, what services do you use?
IAM and STS, for the temporary access.
Is STS global or region specific?
It's global, with the global endpoint sts.amazonaws.com, but you can optionally send requests to region-specific endpoints in any AWS region.
What are the subresources for a bucket?
Lifecycle management, static website hosting, versioning, access control lists, bucket policies, CORS, and logging. These are all configuration parameters for your S3 bucket.
What is IAM logging?
Sign-in details are logged using CloudTrail.
What do newly created users on AWS have?
New users have no permissions at creation; you have to grant them permissions using policies. Users can have programmatic access, console access, or both.
Can you nest groups (have groups within groups)?
No, you cannot nest IAM groups at all.
Will AWS store your object in multiple regions?
No, objects within an S3 bucket never move across regions unless you move them manually or enable cross-region replication. AWS keeps your objects within one region by default.
Can you selectively change password policies for specific users, like if they can modify their passwords?
No, the password policy applies to all users. If you want to give some users different permissions, you have to use an IAM policy to grant them.
Does logging onto an EC2 instance via SSH use IAM?
No, this requires the EC2 key pair name and the private key (.pem) file. It doesn't require your AWS IAM access key and secret access key.
When you retrieve Glacier data, are you changing storage classes?
No, you only get a copy of the data from Glacier, so Glacier still has the original. You pay for the copy and for Glacier as long as the restore (the held copy) is in place; after that you pay only for Glacier.
Can you update objects in Glacier?
No, you need to retrieve it from Glacier, update it, and then re-upload it.
Does Glacier archive metadata?
No, you'd need to maintain a client-side database to keep that information.
Do ACLs provide access to individual IAM users?
No. They only provide access to accounts.
Is bucket ownership transferable to other accounts?
Nope
When should you use object ACLs?
Object ACLs are the only way to manage access to objects not owned by the bucket owner. Also use them when you need very granular permissions at the object level, because bucket policies are limited to 20 KB.
S3 Objects
Objects are key-value pairs. Additionally, there is a version ID, metadata (like tags), and subresources like access control lists and torrent.
Who has access to the S3 resource?
Only the resource owner (the AWS root account that creates the bucket and objects) can access the resource. IAM users do not own the object; the AWS account above the IAM user does.
When should you use bucket ACLs?
Only to grant write permission to the Log Delivery group to write access log objects to your bucket.
IAM User Access Types
Programmatic Access or AWS Management Console access.
What are the sizes of objects in Glacier?
As small as 1 byte and as large as 40 TB. If it's less than 4 GB it can be uploaded in one shot, but if it's greater than 4 GB you have to use multipart upload.
What are the Amazon S3 predefined groups?
The Authenticated Users group (anyone who can sign in to AWS) and the All Users group (anyone in the world). Both of these are very open, so think before granting access at these levels. There is also the Log Delivery group.
What is the Data Consistency Model for S3?
Read-after-*write* (strong) consistency for PUTs of new objects. Eventual consistency for *overwrite* PUTs and DELETEs (changes can take some time to propagate through the distributed architecture).
What is the difference between Read access for buckets vs. objects?
Read for buckets allows the grantee to read a list of the objects in the bucket. Read for objects allows the grantee to read the object data and the metadata.
What are the types of access with access control lists?
READ, WRITE, READ_ACP (read the ACL), WRITE_ACP (write the ACL), and FULL_CONTROL.
What is the availability and durability with RR?
Reduced Redundancy has 99.99% availability and 99.99% durability.
What are S3 Buckets?
Region-specific containers of objects with a universal namespace. They don't provide actual folders, but you can use the AWS console to simulate folders.
AWS Global Infrastructure
Regions with two or more AZs, Availability Zones made up of data centers, and Edge Locations for CloudFront (Amazon's CDN)
IAM Roles
Roles can be assigned to AWS resources. For example, you can give an EC2 instance a role that only allows it to communicate with an S3 bucket. Roles use temporary credentials instead of long-term credentials like those of IAM users.
S3 Storage Tiers
- S3 Standard: 99.99% availability with 11 9s of durability
- S3 - IA (Infrequent Access): lower storage price than S3 Standard, but you are charged to retrieve data; availability is 99.9%, one 9 less than Standard
- S3 One Zone-IA: same as IA, but stored in one zone
- S3 Intelligent-Tiering: uses ML to control cost
- RR - Reduced Redundancy: no longer offered (was for non-critical, reproducible data)
- Glacier: archival; takes hours to retrieve
- Glacier Deep Archive: retrieval takes 12 hours
Which AWS services allow resource-based policies for cross account access?
S3, Glacier, SNS, SQS
S3 Encryption
Server-side encryption using SSE-S3 (Amazon S3 managed keys), SSE-KMS (KMS keys), or SSE-C (customer-provided keys); this is encryption at rest. There is also client-side encryption: encrypt on your local machine and upload the ciphertext to S3; this is also encryption at rest. Encryption in transit is when you use HTTPS (SSL/TLS) to move data.
What is AWS S3?
Simple Storage Service: secure, durable, highly available, object-based storage with unlimited capacity. Files are stored in buckets. S3 has a distributed data-store architecture where objects are redundantly stored in multiple locations. You get an HTTP 200 code on a successful upload.
What are the S3 charges?
- Storage: charged for storing data in S3
- Requests: charged for accessing the data in S3
- Retrieval: charged for retrieving from Glacier or IA
- Storage Management Pricing: a newer option for managing your pricing in S3 to help control costs; basically a charge for the tags
- Data Transfer Pricing: data coming into S3 is free, but you may need to replicate data to different regions based on your end users' location, and there is a charge for that
- Transfer Acceleration: good for users who upload objects to S3 but are not close to the region where the bucket resides. Uploads go to CloudFront edge locations, and AWS then transfers the objects to the S3 bucket
AWS Root Account
The AWS root account is the main account with full admin access, and it should be very secure. Use multi-factor authentication through a virtual device or a YubiKey. AWS recommends locking away your root account, creating yourself an admin account, and never using the root account.
How does S3 provide high data durability?
The S3 object is saved redundantly across multiple AWS devices within the region specified.
What are access control lists?
They are subresources attached to a bucket or object that define which AWS account or S3 group has access and what type of access.
What are one-time access credentials?
Think about using MFA.
How does federation work?
This is accomplished using SAML (Security Assertion Markup Language 2.0) and allows federated users single sign-on (SSO) access to the AWS Management Console.
IAM Password Policy
You can set requirements for passwords like minimum length (default 6), required characters, duration, rotation policy (expiration), etc. This has nothing to do with access keys or secret access keys. Applies to all users.
How do you secure your S3 data?
Two subresources: access control lists and bucket policies. Access control lists control access to individual files, and bucket policies control access at the bucket level. S3 buckets can also be configured to produce access logs, so you know all the requests made to the bucket.
What are the access policy options?
User-based access: granting access to accounts or individual users. You can also make the resource public (anonymous access), or allow access to authenticated users (users who have AWS credentials). Resource-based access: at the bucket or object level.
What are the types of policies?
User/Identity based policies and Resource based policies.
IAM Users
Users are persistent identities set up through the IAM service to represent individual people or applications. You may create separate IAM users for each member of your operations team so they can interact with the console and use the CLI. You might also create dev, test, and production users for applications that need to access AWS Cloud services (although you will see later in this chapter that IAM roles may be a better solution for that use case). IAM in general is global and is not tied to regions.
How does OIDC federation work?
Uses Amazon, Facebook, or Google as the identity provider; you should use Cognito for this.
S3 Bucket Properties
Versioning, server access logging (for security), static website hosting, object-level logging using CloudTrail data events, encryption, tags, Transfer Acceleration, etc. Permissions: ACLs and bucket policy. Management: lifecycle management,
What does STS work with?
When a user uses an app, they exchange an ID token for a Cognito token, which is then exchanged for an STS token.
What is permission delegation?
When an account (A) grants another account (B) permissions, the first account (A) can delegate those permissions to individual users.
When should you use roles?
When you have an app on an EC2 instance that needs to send requests to AWS. When you have a mobile app that sends requests to AWS. For federation relationships between your corporate network and AWS using SAML.
What are Glacier Byte Ranges?
When you initiate an HTTP request, you can specify the byte range of the object. This is very helpful if you've compressed multiple objects into a tar/zip file and only want to retrieve one or some of them from Glacier.
When should you use a bucket policy?
When you want to manage cross-account permissions for all Amazon S3 permissions.
How is strong consistency achieved?
Whenever an update is made to an object, it is propagated to all storage nodes in the distributed architecture before the data is made available for reads by clients. A blocking or holding mechanism is involved.
Does Glacier store data redundantly?
Yes, like S3, Glacier stores data across multiple facilities, on multiple devices within each facility synchronously.
What are the types of user-access policies?
You can use AWS IAM to manage access to your S3 resources with users, groups, or roles. You can't grant public access using user-based access.
What is AWS Security Token Service?
You can use AWS STS to provide temporary security credentials to trusted users, such as federated users.
What are the types of resource-based policies?
You have ACL-based access policies (which grant permissions to specific grantees for the buckets or objects the ACL is attached to) and bucket policies (which grant IAM users or other accounts permissions for the bucket and the objects within it).
You cannot revoke an STS token so how do you control credentials you've already given?
You issue a new STS token to lower the permissions.
How should you group files in Glacier?
You should group a large number of small objects into a smaller number of large objects to reduce overhead charges. Group them in a way that still allows you to access individual files, by using compression.
