Identity Access Management & S3

  • Features
    • Identity federation (including Active Directory, Facebook, LinkedIn, etc.)
    • Provides temporary access to users or devices and services when necessary
    • Supports PCI DSS Compliance
  • Key Terminology
    • Policies – Permissions are defined in policy documents, written in JSON, that grant permissions to users, groups, or roles.
  • S3 Basics
    • Files can range from 0 bytes to 5 TB
    • Universal namespace
  • S3 Objects
    • Key
    • Value
    • Version ID
    • Metadata
    • Subresources
      • Access control lists
      • Torrents
  • S3 Guarantees
    • Built for 99.99% availability
    • Guaranteed 99.9% availability
    • Guaranteed 99.99999999999% durability
  • S3 Charges
    • Storage
    • Requests
    • Storage management
    • Data transfer
    • Transfer acceleration – Enables fast, easy, and secure transfer of files over long distances between your end users and an S3 bucket. It takes advantage of Amazon CloudFront’s globally distributed edge locations. As the data arrives at an edge location, data is routed to Amazon S3 over an optimized network path.
    • Cross region replication
  • S3 Pricing Tiers
    • S3 Standard
      • First 50 TB / Month – $0.023 per GB
      • Next 450 TB / Month – $0.022 per GB
      • Over 500 TB / Month – $0.021 per GB
    • S3 – IA
      • All storage / Month – $0.0125 per GB
    • S3 – Intelligent Tiering
      • Frequent access tier, first 50 TB / Month – $0.023 per GB
      • Frequent access tier, next 450 TB / Month – $0.022 per GB
      • Frequent access tier, over 500 TB / Month – $0.021 per GB
      • Infrequent access tier, all storage / Month – $0.0125 per GB
      • Monitoring and Automation, all storage / Month – $0.0025 per 1,000 objects
    • S3 One Zone – IA
      • All storage / Month – $0.01 per GB
    • S3 Glacier
      • All storage / Month – $0.004 per GB
    • S3 Glacier Deep Archive
      • All storage / Month – $0.00099 per GB
  • S3 Versioning
    • Great backup tool
    • Integrates with lifecycle rules
    • MFA delete capability
  • AWS Organizations – An account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.
  • Cross-Account Access
    • Bucket Policies & IAM (applies across the entire bucket). Programmatic access only.
    • Bucket ACLs & IAM (individual objects). Programmatic access only.
    • Cross-account IAM roles. Programmatic and console access.
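The two points above (policy documents as JSON, and cross-account access granted by a bucket policy) are easiest to see with a concrete policy. The following is an added example, not code from the original notes or from AWS: it builds a bucket policy that lets one IAM role in another account read a bucket, denies any request that does not use TLS, and runs a simplified evaluator over it so the allow/deny outcome can be checked offline. The account IDs, bucket name and role name are constructed placeholders; the evaluator models only the subset of policy semantics needed here (explicit Deny wins over Allow, wildcard matching on Action and Resource, and the Bool condition operator) and is not a substitute for the IAM policy simulator.

```python
import fnmatch
import json

# Constructed placeholders: not real account IDs, buckets or roles.
BUCKET = "example-shared-logs"
TRUSTED_ROLE = "arn:aws:iam::222222222222:role/LogReader"
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Bucket policy: one narrowly scoped cross-account Allow, plus a Deny for
# any access over plain HTTP (aws:SecureTransport is a real IAM condition key).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountRead",
            "Effect": "Allow",
            "Principal": {"AWS": TRUSTED_ROLE},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": BUCKET_ARNS,
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": BUCKET_ARNS,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

# Constructed counter-example: an Allow open to everyone with no Condition.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
    )


def _principal_matches(principal, caller_arn):
    if _is_wildcard_principal(principal):
        return True
    return isinstance(principal, dict) and caller_arn in _as_list(principal.get("AWS", []))


def _condition_holds(condition, context):
    """Only the Bool operator is modelled; a missing context key does not match."""
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if str(context.get(key, "")).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, caller_arn, action, resource, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request against one policy."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def public_statements(policy):
    """Sids of Allow statements granted to any principal with no Condition attached."""
    return [
        s.get("Sid", "<no Sid>")
        for s in policy["Statement"]
        if s["Effect"] == "Allow"
        and _is_wildcard_principal(s["Principal"])
        and not s.get("Condition")
    ]


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/2024/app.log"
    print(json.dumps(BUCKET_POLICY, indent=2))
    print(evaluate(BUCKET_POLICY, TRUSTED_ROLE, "s3:GetObject", obj, {"aws:SecureTransport": "true"}))
    print(evaluate(BUCKET_POLICY, TRUSTED_ROLE, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))
    print(public_statements(OPEN_POLICY))
```

The `public_statements` check is the kind of test worth running over every bucket policy before it is applied: an `Allow` whose principal is `*` and which carries no `Condition` is readable by anyone, which is exactly the misconfiguration that turns a private bucket into a public one.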
  • CloudFront
    • A content delivery network (CDN) is a system of distributed servers that delivers webpages and other web content to a user based on the user's geographic location, the origin of the webpage, and a content delivery server.
      • Edge Location – This is the location where content will be cached. This is separate from an AWS region/AZ.
      • Origin – This is the source of all the files that the CDN will distribute. This can be an S3 bucket, an EC2 instance, an Elastic Load Balancer, or Route 53.
      • Distribution – This is the name given to the CDN which consists of a collection of edge locations.
  • Snowball
    • AWS Snowball is a petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of AWS. Snowball comes in either 50 TB or 80 TB sizes.
    • AWS Snowball Edge is a 100 TB data transfer service with on-board storage and compute capabilities.
    • AWS Snowmobile is an exabyte-scale data transfer service used to move extremely large amounts of data to AWS. You can transfer up to 100 PB per snowmobile.
  • AWS Storage Gateway
    • File Gateway (NFS & SMB) – Files are stored as objects in your S3 buckets and accessed through a Network File System (NFS) or SMB mount point.
    • Volume Gateway (iSCSI) – The volume interface presents your applications with disk volumes using the iSCSI block protocol. Data written to these volumes can be asynchronously backed up as point-in-time snapshots of your volumes, and stored in the cloud as Amazon EBS snapshots. Snapshots are incremental backups that capture only changed blocks.
      • Stored Volumes – Stores your primary data locally, while asynchronously backing up that data to AWS. Stored volumes provide your on-premises applications with low-latency access to their entire datasets, while providing durable, off-site backups in the form of Amazon EBS snapshots.
      • Cached Volumes – Lets you use Amazon S3 as your primary data storage while retaining frequently accessed data locally in your storage gateway. Cached volumes minimize the need to scale your on-premises storage infrastructure, while still providing your applications with low-latency access to their frequently accessed data.
    • Tape Gateway (VTL)
  • Athena – Interactive query service which enables you to analyse and query data located in S3 using standard SQL.
    • Serverless
    • Works directly with data stored in S3
    • Commonly used to analyse log data stored in S3
  • Macie – A security service which uses machine learning and natural language processing (NLP) to discover, classify, and protect sensitive data stored in S3.