# AWS Certified Solutions Architect Associate

## Table of content

- Table of content
- About the exam
- Learning resources
- Active learning
- Fundamentals
- Identity & Governance
- ACM (AWS Certificate Manager)
- Networking
- Compute
- ECS
- Storage
- Integration
- KMS (Key Management Service)
- Cloud Formation
- CloudWatch & Observability
- Tips
## About the exam

https://aws.amazon.com/certification/certified-solutions-architect-associate/

## Learning resources

Main resource: https://learn.cantrill.io/p/aws-certified-solutions-architect-associate-saa-c02

Practice exams (dojo): https://portal.tutorialsdojo.com/product/aws-certified-solutions-architect-associate-practice-exams/
## Active learning

Basic questions for active learning. Start the session by answering all the questions and mark the answers with emojis depending on the result (see the table below).

Bolded items are either important to understand or there is a high likelihood that they will appear on the exam.

| Answer Status | Description |
|---|---|
| 👍 | You've answered correctly the first time, skip repetition for the next session |
| ✋ | You've answered the question only partially right, include the question in the next session |
| 👎 | You've answered the question wrong and had to look up the answer. Start from those questions in the next session |

You can easily add emojis to markdown by typing `:emojiname:`

- thumbs up: `:+1:`
- thumbs down: `:-1:`
- hand: `:hand:`

Easiest way to learn yourself is to:

- clone this repository
- make a copy of this file
- use this regex expression to select and remove (replace with empty) all the `<details>` tags (they contain the answers to the questions): `<(details)>(.|\n)*?</details>`; remember to toggle "use regular expressions" in the search box if you are using VS Code. If you are using vim/nvim use this command instead: `:g/<details>/,/<\/details>/d _`
- save the file as a learning session, grade yourself for answers
- IMPORTANT: look up in the original file if you don't know the answer at all
- leave the files with dates of each learning session and start the next session from the ones you didn't know the answers for
## Fundamentals

### Cloud Environment

- On-Demand Self Service
- Broad Network Access
- Resource Pooling (multi-tenancy)
- Rapid elasticity
- Measured Service (pay as you go)

### AWS Fundamentals

- What is the difference between public and private services?
- Describe different types of high availability (regional, zonal, etc.)
## Identity & Governance

### Accounts

- An account is a container, what can it contain?
  <details><summary>click to see the answer</summary>

  - identities (users)
  - resources
  </details>
- What is required to create an AWS account?
  <details><summary>click to see the answer</summary>

  - payment method
  </details>
- How are resources grouped?
  <details><summary>click to see the answer</summary>Into accounts</details>
- Can the same email address be used with multiple accounts?
  <details><summary>click to see the answer</summary>No</details>
- Can the account root user log in to multiple accounts?
  <details><summary>click to see the answer</summary>No</details>
- What are the things that you can create inside of the account called?
  <details><summary>click to see the answer</summary>

  - Users
  - Groups
  - Roles
  </details>
- What is the default access mode for an account for external actors?
  <details><summary>click to see the answer</summary>Only identities created inside an account can be granted access to the resources in this account. Cross-account permissions are possible with IAM roles.</details>
- What set of permissions does a new IAM identity start with?
  <details><summary>click to see the answer</summary>None, every new identity starts with zero permissions until granted.</details>
- What are the 3 alarm states?
  <details><summary>click to see the answer</summary>

  - OK
  - ALARM
  - INSUFFICIENT DATA
  </details>
### IAM

- How/where to allow IAM user access to billing information?
- How is IAM resilient?
- What identity objects does IAM let us create?
  <details><summary>click to see the answer</summary>

  - user
  - group
  - role
  </details>
- Does the user type represent only human users?
- What is the necessary condition for a policy to have an effect?
- Is IAM an authentication service as well as identity management and authorization?
- How much does IAM cost?
- Why must IAM account aliases be globally unique?
- How many access keys can an IAM user have?
- What variable to set up for the aws cli to designate a default profile?
  <details><summary>click to see the answer</summary>

  `export AWS_DEFAULT_PROFILE=`
  </details>
- Can an external identity be used to access AWS resources?
- When to use an IAM Role?
- When does a principal become an authenticated identity?
- Can you log in to an IAM group?
  <details><summary>click to see the answer</summary>No, IAM groups are for helping with organizing IAM user access to AWS resources.</details>
- Can IAM groups be nested?
- Can an IAM user be a member of more than one group?
- Can you reference an IAM Group from a resource policy?
- What are the two types of authentication for IAM?
  <details><summary>click to see the answer</summary>Username/password or Access Keys</details>
- What does ARN stand for?
- What is the ARN structure?
  <details><summary>click to see the answer</summary>

  `arn:partition:service:region:account-id:resource-type:resource-id`
  </details>
- How many IAM users can be created in an account?
  <details><summary>click to see the answer</summary>5000</details>
- How many IAM groups can a user be a member of?
  <details><summary>click to see the answer</summary>10</details>
- What does SCP stand for?
  <details><summary>click to see the answer</summary>Service Control Policies</details>
- How do you call a nested grouping within an organization?
  <details><summary>click to see the answer</summary>Organization Units</details>
- Is the root "management" account of an organization affected by SCP?
  <details><summary>click to see the answer</summary>No</details>
- What is the main role of an SCP?
  <details><summary>click to see the answer</summary>To limit what an account can do. Only Deny.</details>
- Can you attach an identity policy to someone else's account?
  <details><summary>click to see the answer</summary>No</details>
- What is more preferable, Roles or IAM User?
  <details><summary>click to see the answer</summary>Always prefer IAM roles if possible.</details>
### Cognito

- What functionality does Cognito provide?
  <details><summary>click to see the answer</summary>

  For web applications. This looks a bit like Okta/Auth0.

  - Authentication
  - Authorization
  - User management
  </details>
- What are identity pools?
- Can the JWT tokens be used to access AWS resources?
  <details><summary>click to see the answer</summary>No</details>
## ACM (AWS Certificate Manager)

- What is an origin access identity?
- Can/Should you reuse one OAI?

TODO: pick up here

### Policies

- What are the 2 main types of policies?
  <details><summary>click to see the answer</summary>Inline, Managed</details>
- When to use an inline policy?
  <details><summary>click to see the answer</summary>For exceptions to the managed policy.</details>
## Networking

### Networking Fundamentals

- How many layers are there in the OSI model? 👍
- What groups are OSI layers divided into? 👍
- Does the device on a higher layer include the capabilities of the devices in layers below it? Why? 👍
- If a network consists of 5 participants and a HUB, when participant 1 broadcasts a signal, how many participants will receive it? 👍
- In a network with a HUB, what happens when participants transmit a broadcast at once? 👍
- Describe on a high level the frame components 👍
- What is a backoff period? 👎
- What does MAC stand for? :hand:
- What layer does a switch belong to?
- What layer does a router belong to?
- What are the two components of an IP address?
- How do a subnet mask and its prefix indicate which octets describe the network?
- What does ARP stand for?
- What is the high level structure of a TCP packet?
- How does TCP ensure packet delivery reliability?
- What does NAT do?
- What is static NAT?
- What is dynamic NAT?
- What does PAT stand for?
- The larger the CIDR value the .... the network.
- Explain briefly what network classes are
  <details><summary>click to see the answer</summary>

  Class A through E, A is the biggest, D, E are reserved. Important note: network classes are replaced by CIDR.

  - Class A: 10.0.0.0 - 10.255.255.255 - single network
  - Class B: 172.16.0.0 - 172.19.255.255 - 16 networks. This is also the default VPC range.
  - Class C: 192.168.0.0 - 192.168.255.0 - 256 networks
  </details>
- Explain what CIDR networks are and how to calculate CIDR
  <details><summary>click to see the answer</summary>

  - /16 networks have a fixed value in the first and second octet
  - To create two networks from 10.0.0.0/16 use 2x 10.0.0.0/17 by halving the third and fourth octets.
  </details>
- What CIDR represents all IP addresses?
  <details><summary>click to see the answer</summary>0.0.0.0/0</details>
- What CIDR represents 1 IP address?
  <details><summary>click to see the answer</summary>1.2.3.4/32</details>
### VPC

- How many default VPCs per region/per account are there?
  <details><summary>click to see the answer</summary>1</details>
- What are the CIDR limits for an AWS VPC?
  <details><summary>click to see the answer</summary>

  - minimum /28
  - maximum /16
  </details>
- Can you launch an AWS service directly into a VPC?
  <details><summary>click to see the answer</summary>No, services use subnets to be launched from</details>
- What is a good default number of VPC subnets and why?
  <details><summary>click to see the answer</summary>

  - 4 is a good number because it will cover most of the AZs.
  - A /16 network subdivided into 16 subnets gives 16 subnets of CIDR size /20 - 4091 IPs per subnet
  </details>
- What is the level of isolation & resiliency for a VPC?
  <details><summary>click to see the answer</summary>Regional</details>
- What is the default setting for the incoming and outgoing traffic in a VPC?
  <details><summary>click to see the answer</summary>IN and OUT traffic is blocked by default</details>
- What are the VPC's tenancy models?
  <details><summary>click to see the answer</summary>

  - Default - shared hardware
  - Dedicated tenancy - dedicated hardware. Comes with a cost premium and all resources must also be on the dedicated hardware
  </details>
- What settings to use to enable DNS hostnames for entities with public IP addresses in a VPC and switch on DNS support?
  <details><summary>click to see the answer</summary>

  - `enableDnsHostnames`
  - `enableDnsSupport`
  </details>
- What is the subnet resiliency level?
  <details><summary>click to see the answer</summary>AZ resilient</details>
- Can a subnet be in multiple AZs?
  <details><summary>click to see the answer</summary>No</details>
- Can a subnet be moved into another AZ?
  <details><summary>click to see the answer</summary>No</details>
- Can a subnet overlap with other subnets?
  <details><summary>click to see the answer</summary>No</details>
- Can you use all the available IP addresses in a subnet?
  <details><summary>click to see the answer</summary>

  No, there are 5 that are reserved.

  - first address cannot be used
  - second address cannot be used (used by VPC router)
  - third address cannot be used (used for DNS)
  - fourth address cannot be used (reserved)
  - last IP address cannot be used (broadcast address)
  </details>
- Are there any charges for creating VPCs and Subnets?
  <details><summary>click to see the answer</summary>No</details>
- How to get a VPC router into your VPC?
  <details><summary>click to see the answer</summary>VPC router is a global service available by default in every VPC, so no need to configure anything.</details>
- What is the role of the VPC Router?
  <details><summary>click to see the answer</summary>It routes traffic between subnets of a VPC</details>
- How many route tables can a subnet have associated with it?
  <details><summary>click to see the answer</summary>1</details>
- What does the route table control?
  <details><summary>click to see the answer</summary>Route table controls the destination of the data leaving the subnet. It can be within a subnet or a gateway address.</details>
- What is the resiliency mode of an internet gateway?
  <details><summary>click to see the answer</summary>Regionally resilient</details>
- How many IGWs can a VPC have?
  <details><summary>click to see the answer</summary>0 or 1</details>
- What happens if a VPC has an IGW?
  <details><summary>click to see the answer</summary>This VPC is publicly available.</details>
- List actions required to make a subnet public
  <details><summary>click to see the answer</summary>

  - Create IGW
  - Attach IGW to the VPC
  - Create a custom route table
  - Associate the route table with the VPC
  - Configure default routes in the route table to point to IGW
  - Configure VPC to auto-allocate IPv4 and optionally IPv6 addresses within the subnet
  </details>
- Where is the public IP of a service (for example EC2) running in a VPC maintained?
  <details><summary>click to see the answer</summary>In the IGW, NOT in the VPC where the service is located</details>
- What does NACL stand for?
  <details><summary>click to see the answer</summary>Network Access Control List. Works similarly to an Azure security group. Once it matches it stops.</details>
- Is a Security Group stateless or stateful?
  <details><summary>click to see the answer</summary>Stateful. Security group is more like an Azure private endpoint.</details>
- What is the implicit setting for a security group?
  <details><summary>click to see the answer</summary>Implicit deny - everything is denied by default and only things you allow are allowed.</details>
- In a security group are traffic and response separate?
  <details><summary>click to see the answer</summary>No, a security group is stateful, so traffic and the response to it are covered by the same rule.</details>
- Why would you use a NACL in combination with an SG?
  <details><summary>click to see the answer</summary>NACL allows for adding an explicit DENY rule</details>
- If the traffic is not crossing the boundary of a subnet, would you use NACL or SG?
  <details><summary>click to see the answer</summary>Use SG, NACL has no effect within a subnet</details>
- What does IP masquerading do?
  <details><summary>click to see the answer</summary>Hides a whole private CIDR IP block behind a single public IP</details>
- What is the resiliency level of a NAT Gateway?
  <details><summary>click to see the answer</summary>AZ</details>
- Does a NAT Gateway work with IPv6?
  <details><summary>click to see the answer</summary>No</details>
- What SSH option is used to connect securely to a Bastion server?
  <details><summary>click to see the answer</summary>SSH Agent Forwarding: `ssh -A`</details>
- What are points of failure for a VPN site-to-site connection?
  <details><summary>click to see the answer</summary>

  ```plantuml
  @startuml
  box "AWS VPC"
  participant "router" as router
  end box
  box "AWS Public Zone"
  participant "Virtual Gateway" as vgw
  participant "VPN" as vpn
  participant "Endpoint1" as ep1
  participant "Endpoint2" as ep2
  end box
  box "Public Internet"
  participant "Customer Gateway" as cgw
  end box
  participant "On prem router" as onprem
  router -> vgw
  vgw <-> vpn
  vpn -> ep1
  vpn -> ep2
  ep1 -> cgw
  ep2 -> cgw
  cgw -> onprem
  @enduml
  ```
  </details>
- What are VPC flow logs?
- Do VPC flow logs capture metadata or contents of a request?
  <details><summary>click to see the answer</summary>Only metadata</details>
### VPC Peering

- Can you peer more than one VPC together?
  <details><summary>click to see the answer</summary>No</details>

### Route 53

- What is the difference between a hosted zone and a hosted zone group?
- Which DNS record points to an IPv6 address?
- What is the difference between a CNAME and an ALIAS?
  <details><summary>click to see the answer</summary>

  - CNAME maps a name to another name in the same domain (naked domain)
  - ALIAS maps a name to an AWS resource - default for the exam. AWS specific implementation
  </details>
- What does CNAME stand for?
- Can CNAMEs point to an IP address?
- How many DNS root servers exist?
  <details><summary>click to see the answer</summary>13</details>
#### Public Hosted Zones

- What are R53 public hosted zones?
- How many name servers does R53 allocate?
- What records to use to point at the hosted name servers?
- What is the DNS resolver in a VPC instance?
  <details><summary>click to see the answer</summary>VPC+2 IP</details>

#### Private Hosted Zones

- Can you access the zone in the VPC?
- How to run an intranet and a public facing web page on the same DNS?
  <details><summary>click to see the answer</summary>Split-View</details>
#### Routing Types

- What is simple routing?
- What are health checkers?
- Can health checks be performed on targets outside of AWS resources?
- What protocols are supported by health checkers?
- What checks are supported?
  <details><summary>click to see the answer</summary>Endpoint, CloudWatch Alarm, Checks of Checks</details>
- What is failover routing?
- What is multivalue routing?
  <details><summary>click to see the answer</summary>Can create many records with the same name. Up to 8 healthy records are returned to the client. Improves availability.</details>
- What is weighted routing?
- What is the weight formula?
  <details><summary>click to see the answer</summary>Record weight vs total weight, each of the 3 records. Use when you want to control the distribution of the DNS queries.</details>
- When to use latency based routing?
- When to use geo-location based routing?
  <details><summary>click to see the answer</summary>It returns relevant locations only, NOT based on geo-proximity</details>
- When to use geo-proximity routing?
- What is a geo-proximity bias?
  <details><summary>click to see the answer</summary>Expands or shrinks the location of the routing zone</details>
- What is the difference between Route 53 routing policies and load balancing?
  <details><summary>click to see the answer</summary>A load balancer is actually routing traffic to the backend services whereas DNS routing returns a DNS resolver server location.</details>
#### Registering a domain

- What are the different scenarios for registering a domain?
  <details><summary>click to see the answer</summary>

  - Registrar and Public DNS Hosting role
  - Hosting only role

  ```plantuml
  @startuml domain-registration-traditional
  !theme materia-outline
  actor Developer as user
  participant "Route53\nRegistrar Role" as r53_registrar
  participant "Route53\nDNS Hosting Role" as r53_dns_hosting
  participant "TLD Server for *.domain" as tld_server
  user -> r53_registrar : Requests domain registration\nand pays 1 time fee
  r53_registrar -> r53_dns_hosting : Requests creation of public hosted zone
  r53_dns_hosting --> r53_registrar : 4x Name Servers
  r53_registrar -> tld_server : Passes the Name Servers
  tld_server -> tld_server : Creates entries\nfor the Name Servers
  tld_server -> r53_dns_hosting : Points to 4 NS Servers in Public Hosted Zone
  @enduml
  ```

  ```plantuml
  @startuml domain-registration-3rd-party-hosting
  !theme materia-outline
  actor Developer as user
  participant "Route53\nRegistrar Role" as r53_registrar
  participant "3rd Party Domain Hosting" as r53_dns_hosting
  participant "TLD Server for *.domain" as tld_server
  user -> r53_registrar : Requests domain registration\nand pays 1 time fee
  r53_registrar -> r53_dns_hosting : Requests creation of public hosted zone
  r53_dns_hosting --> r53_registrar : 4x Name Servers
  r53_registrar -> tld_server : Passes the Name Servers
  tld_server -> tld_server : Creates entries\nfor the Name Servers
  tld_server -> r53_dns_hosting : Points to 4 NS Servers in Public Hosted Zone
  @enduml
  ```
  </details>
### Load Balancers

- What is an LCU?
- How is a load balancer priced?
- Describe briefly the ALB architecture
- How many load balancing nodes does an ALB have as a minimum?
- What is the default distribution algorithm?
- What is cross zone load balancing?
- What is a listener configuration?
- What types of load balancers are there?
  <details><summary>click to see the answer</summary>

  - A(pplication)LB
  - N(etwork)LB
  - C(lassic)LB
  </details>
- How can a load balancer handle SSL offloading?
  <details><summary>click to see the answer</summary>

  - Bridging - connection terminated on the ELB. A second connection is created to the target services (http). EC2 instances also need a copy of the same certificate
  - Pass-through - connection encryption is maintained by the client. Listener is configured for TCP.
  - Offload - backend connections use http
  </details>
- What is session stickiness?
- How does a load balancer enable session stickiness?
  <details><summary>click to see the answer</summary>Cookie, 1s to 7 days. It is generally better to use stateless servers and host the state somewhere else, either in a database or on the client side in the case of an SPA.</details>

#### Application Load Balancer (ALB)

- What layer is ALB on?
  <details><summary>click to see the answer</summary>7</details>
- What makes an ALB internet facing?
  <details><summary>click to see the answer</summary>Presence of a public IP</details>

#### Network Load Balancer (NLB)

- What layer is NLB on?
- Is NLB a performance-oriented load balancer?

#### Gateway Load Balancer

- What is the use case for a gateway load balancer?
  <details><summary>click to see the answer</summary>Load balances between multiple security appliances</details>
- What are the 2 components of a GWLB?
  <details><summary>click to see the answer</summary>

  - GWLB endpoints
  - GWLB instances
  </details>
- What protocol is used by GWLB?
  <details><summary>click to see the answer</summary>GENEVE</details>
- How does a GWLB endpoint integrate with the existing VPC traffic?
  <details><summary>click to see the answer</summary>It is added to a route table as a next hop in the traffic</details>

### Cloud Front

- What does CDN stand for?

### Global Accelerator

- What are anycast IP addresses?
## Compute

### RDS

- What are some of the downsides of putting a database on an EC2 instance?
- What is an RDS Instance?
- Can you connect to an RDS instance using an IP?
  <details><summary>click to see the answer</summary>No, you have to use the CNAME DNS record</details>
- What is the resiliency level of an RDS instance?
  <details><summary>click to see the answer</summary>AZ, also storage (EBS)</details>
- Explain the pricing model of RDS
  <details><summary>click to see the answer</summary>Allocated GB/month. Additional storage charges if applicable.</details>
- Can you reuse a security group with RDS?
  <details><summary>click to see the answer</summary>Yes</details>
- Why do we need to configure subnet groups when provisioning an RDS database instance?
- Is the multi AZ feature available in the free tier?
  <details><summary>click to see the answer</summary>No</details>
- Can the standby replica be accessed directly?
  <details><summary>click to see the answer</summary>No, it's just an availability improvement.</details>
- What is synchronous replication?
  <details><summary>click to see the answer</summary>Multi AZ, same AWS region</details>

#### RDS Backup & Restore

- What are RTO and RPO?
  <details><summary>click to see the answer</summary>

  - RP(oint)O - time between the last working backup and the data loss event
  - RT(ime)O - time between the data loss event and full recovery
  </details>
- Do manual snapshots expire?
  <details><summary>click to see the answer</summary>No</details>
- What are transaction logs?
  <details><summary>click to see the answer</summary>Stored every 5 minutes (lowers RPO)</details>
- Do automated backups expire?
  <details><summary>click to see the answer</summary>Yes, you can set up to 35 days.</details>
- How does the restore process work?
  <details><summary>click to see the answer</summary>Backups are restored from the closest snapshot (from S3) and then transaction logs are replayed on top of the backup. Restoring snapshots can take a long time.</details>
- Can read replicas be created in different regions?
  <details><summary>click to see the answer</summary>Yes</details>
- How many read replicas can you have per RDS DB Instance?
  <details><summary>click to see the answer</summary>5</details>
- Why do read replicas matter?
  <details><summary>click to see the answer</summary>

  - Improved performance
  - Makes the CQRS pattern possible
  - Use read only data in different regions to improve access performance
  - In case of a failure, a read replica can be promoted to a read-write database. This is only useful for database failures, not data corruption
  </details>

#### Data Security

- How is encryption at rest supported?
  <details><summary>click to see the answer</summary>

  - Handled by host - EBS Volume Encryption
  - KMS
  - TDE: Only MS SQL and Oracle
  </details>
### EC2

- 👍 What does EC2 stand for?
  <details><summary>click to see the answer</summary>Elastic Compute 2</details>
- Is EC2 going to fail when an AZ (zone) fails?
- 👍 Are you still getting charged when an EC2 instance is stopped? If yes, for what component?
  <details><summary>click to see the answer</summary>Yes, for storage</details>
- 👍 Is deleting an EC2 instance a reversible operation?
  <details><summary>click to see the answer</summary>No</details>
- What does AMI stand for?
- What kinds of permissions are on the AMI?
- What port number does the RDP service run on?
  <details><summary>click to see the answer</summary>3389</details>
- How many times can you download the private key for a Linux EC2 instance?
- Can a single security group apply to multiple EC2 instances?
- What is the resiliency model of EC2?
  <details><summary>click to see the answer</summary>AZ, all things connected to EC2, like networking or storage, run in the same AZ.</details>
- After restarting an EC2 instance, will it move to another random host?
  <details><summary>click to see the answer</summary>No, after restarting the EC2 instance boots up on the same host.</details>
- What are the two conditions under which the instance can be relocated to another EC2 host?
  <details><summary>click to see the answer</summary>Host taken down for maintenance by AWS; EC2 instance stopped and started (not just restarted)</details>
- What are the 5 EC2 instance types?
  <details><summary>click to see the answer</summary>

  - General Purpose
  - Compute optimized - ML, Games, HPC
  - Memory optimized - some databases
  - Accelerated computing - custom programmable hardware
  - Storage optimized - transactional databases, data warehouses, data analytics
  </details>
- Explain storage types that can be attached to EC2
  <details><summary>click to see the answer</summary>

  - Directly attached (hardware)
  - Network attached
  </details>
- Explain key differences between Block, Volume and Object Storage
- Can you attach EBS storage between availability zones?
  <details><summary>click to see the answer</summary>No</details>
- What mechanism can be used to create snapshots of EBS volumes between AZs?
  <details><summary>click to see the answer</summary>S3 replication</details>
- What are the 2 volume types available?
  <details><summary>click to see the answer</summary>

  - GP2
  - GP3
  </details>
- What is an IO Credit and how big is it?
  <details><summary>click to see the answer</summary>An IO Credit is a single chunk of data and is 16kb in size</details>
- What is an IOPS?
  <details><summary>click to see the answer</summary>1 IOPS is 1 IO Credit in 1 second</details>
- What EBS drives are designed for max performance?
- What are the 2 types of HDD drives?
  <details><summary>click to see the answer</summary>

  - ST1 - throughput optimized
  - SC1 - cold
  </details>
- What are Instance Store Volumes?
  <details><summary>click to see the answer</summary>

  - Block Storage Devices
  - Physically connected to one EC2 Host
  - Highest storage performance
  - Included in the instance price
  - Need to be attached at launch time
  </details>
- When to choose EBS vs Instance Store Volumes?
- How does incremental copy work in S3 snapshots?
  <details><summary>click to see the answer</summary>

  - Full data is copied
  - Following snapshots are incremental
  </details>
- What happens when an incremental snapshot is deleted?
  <details><summary>click to see the answer</summary>All prior snapshots are still kept safely</details>
- Explain what it means that the EBS snapshot volume restores lazily
  <details><summary>click to see the answer</summary>Data is fetched gradually. To remedy it, use FSR (Fast Snapshot Restore). You can also force this manually, using `dd` for example.</details>
- How many FSRs can you have per region?
  <details><summary>click to see the answer</summary>50</details>
- How does snapshot pricing work?
  <details><summary>click to see the answer</summary>Gigabyte-month, paid only for used data</details>
- Can EC2 network interfaces be in different AZs?
  <details><summary>click to see the answer</summary>No</details>
- What does AMI stand for?
  <details><summary>click to see the answer</summary>Amazon Machine Image</details>
- Are AMIs global?
  <details><summary>click to see the answer</summary>No, each region will have its own AMI for a given image. An AMI in a given region will work only in this region.</details>
- Explain briefly the lifecycle of an AMI
  <details><summary>click to see the answer</summary>

  - Launch
  - Configure - this also includes volumes
  - Create Image
  - Launch
  </details>
- What is "AMI baking"?
  <details><summary>click to see the answer</summary>It is the process of creating an AMI from an EC2 instance with all the dependencies and applications pre-installed.</details>
- Can an AMI be edited/updated?
  <details><summary>click to see the answer</summary>No</details>
- What are you paying for when using an AMI?
  <details><summary>click to see the answer</summary>You are billed for using EBS snapshots. Remember, snapshots are charged by the space actually used by data, not allocated.</details>
- What is EC2 Instance Metadata?
  <details><summary>click to see the answer</summary>This is data about the runtime environment of the instance</details>
- What IP do you need to access to see the Instance Metadata information?
  <details><summary>click to see the answer</summary>(http) 169.254.169.254 /latest/metadata</details>
- Is the metadata service encrypted?
  <details><summary>click to see the answer</summary>No</details>
- Does the metadata service require authentication?
  <details><summary>click to see the answer</summary>No</details>
- How to access user data for EC2 build automation?
  <details><summary>click to see the answer</summary>

  - http://169.254.169.254/latest/user-data
  - Executes only once at the initial launch time
  - Runs as the root user
  </details>
- What metric measures how much time it takes to get a service into a ready state?
  <details><summary>click to see the answer</summary>Boot-Time-To-Service-Time</details>
- What is an instance profile?
  <details><summary>click to see the answer</summary>It is a wrapper around an IAM role and is attached to an EC2 instance. Credentials are automatically renewed.</details>
- Can you use Parameter Store to store secrets?
  <details><summary>click to see the answer</summary>Yes, it also supports versioning. Any changes to parameters can trigger events. You can also establish a hierarchy by adding `/` in the name.</details>
- What types of parameters can be stored in PS?
  <details><summary>click to see the answer</summary>

  - Strings
  - StringLists
  - SecureStrings
  </details>
- How to capture logs inside of an EC2 instance?
  <details><summary>click to see the answer</summary>Install the CloudWatch agent</details>
- What technology is used in enhanced networking?
  <details><summary>click to see the answer</summary>SR-IOV - logical cards, higher PPS, better bandwidth. Most EC2 instance types have this available by default.</details>
- What are a launch configuration and a launch template?
- Are launch configurations editable?
  <details><summary>click to see the answer</summary>No</details>
### Auto Scaling Groups

- Where are auto scaling groups defined?
- What are the 3 characteristics of an auto scaling group?
  <details><summary>click to see the answer</summary>

  - Minimum
  - Desired - always will be set
  - Maximum
  </details>
- Are auto scaling groups regional?
  <details><summary>click to see the answer</summary>An auto scaling group will try to provision an EC2 instance in a different AZ.</details>
- What are scaling policies?
- What are the sub types of dynamic scaling?
  <details><summary>click to see the answer</summary>

  - Simple
  - Stepped - almost always preferred
  - Target tracking
  </details>
## ECS

- What modes does ECS run in?
  <details><summary>click to see the answer</summary>

  - Fargate:
    - Infra is abstracted away
    - Hosted on a shared platform
    - Each task and service is injected into your VPC
    - Only pay for use as containers run
    - Use for small or burst style workloads, batch, periodic
  - EC2:
    - Created inside a VPC
    - Uses ASG for EC2 instance scaling
    - You manage the instances
    - Good if you want to manage infra
  </details>
- What is a task?
  <details><summary>click to see the answer</summary>Container for containers (same as ACI group) - self contained app</details>
- What is a task role?
  <details><summary>click to see the answer</summary>It is an IAM role that the task can assume to gain the credentials to interact with AWS resources</details>
- What is a service definition?
  <details><summary>click to see the answer</summary>Defines task scalability and HA options.</details>
- What are the main ECS concepts?

### Lambda

- What resource can you allocate to a lambda? 👍
  <details><summary>click to see the answer</summary>Memory</details>
- What is the execution time limit on a lambda function? 👍
  <details><summary>click to see the answer</summary>15 min</details>
- What are CloudWatch Events and EventBridge?
- What is Lambda@Edge?
- What languages does Lambda@Edge support?
  <details><summary>click to see the answer</summary>

  - Python
  - Node.js
  </details>
## Storage

### S3

- What are the 2 constituent parts of an S3 object?
- What is the size limit of a single object?
- Are buckets regional?
- Does a bucket name have to be globally unique?
- How many objects can be stored in 1 bucket?
- Can objects be nested in the bucket?
- How can you simulate a folder name in a bucket?
- What is another name that folders are referred to as?
- What are the naming rules for a bucket?
- How many buckets can you have in an account?
  <details><summary>click to see the answer</summary>100 soft limit, 1000 hard limit</details>
- Can you mount an S3 bucket like block storage?
- Are S3 buckets public by default?
  <details><summary>click to see the answer</summary>No</details>
- What is the difference between an S3 resource policy and an identity policy?
- What is an anonymous principal?
  <details><summary>click to see the answer</summary>A principal that is not authenticated against AWS</details>
- How many policies can be assigned to an S3 bucket?
  <details><summary>click to see the answer</summary>1</details>
- What name requirement is there for an S3 bucket when you want to use it as static page hosting with a custom domain?
- What field is used to identify a version of an object?
  <details><summary>click to see the answer</summary>Id</details>
- How to fully delete a versioned object?
  <details><summary>click to see the answer</summary>By specifying its version in the delete command</details>
- What is MFA delete?
- What does SSE-C stand for?
  <details><summary>click to see the answer</summary>Server-Side Encryption with Customer-Provided Keys. S3 encrypts data with keys provided by the customer. The key is discarded after encryption, only the key hash is stored.</details>
- What are the benefits of the SSE-C model?
  <details><summary>click to see the answer</summary>Save on CPU, more control over the encryption process (you hold the keys).</details>
- What does SSE-S3 stand for?
  <details><summary>click to see the answer</summary>Server-Side Encryption with AWS S3-Managed Keys. S3 creates a master key and a key for each object. The master key is encrypted with the object key and the master key is discarded. We have an encrypted object, an encrypted master key and a public key used to encrypt the object.</details>
- What are the benefits of the SSE-S3 model?
  <details><summary>click to see the answer</summary>Keys are managed by AWS, very low admin overhead.</details>
- What algorithm does SSE-S3 use by default?
  <details><summary>click to see the answer</summary>AES256</details>
- What does SSE-KMS stand for?
  <details><summary>click to see the answer</summary>Server-Side Encryption with Customer-Managed Keys stored in AWS Key Management Service (KMS).</details>
- What are the benefits of the SSE-KMS model?
  <details><summary>click to see the answer</summary>Someone else can manage the KMS, role separation. Key rotation control.</details>