Designing security architecture solutions free download

Instead, you can provision exactly the right type and size of computing resources you need to power your newest bright idea or operate your IT department. With cloud computing, you can access as many resources as you need, almost instantly, and only pay for what you use.

In its simplest form, cloud computing provides an easy way to access servers, storage, databases, and a broad set of application services over the Internet. Cloud computing providers such as AWS own and maintain the network-connected hardware required for these application services, while you provision and use what you need for your workloads.

Advantages of Cloud Computing Cloud computing introduces a revolutionary shift in how technology is obtained, used, and managed, and in how organizations budget and pay for technology services. With the ability to reconfigure the computing environment quickly to adapt to changing business requirements, organizations can optimize spending.

Capacity can be automatically scaled up or down to meet fluctuating usage patterns. Services can be temporarily taken offline or shut down permanently as business demands dictate. In addition, with pay-per-use billing, AWS Cloud services become an operational expense instead of a capital expense. While each organization experiences a unique journey to the cloud with numerous benefits, six advantages become apparent time and time again, as illustrated in Figure 1.

Economies of Scale Another advantage of cloud computing is that organizations benefit from massive economies of scale. By using cloud computing, you can achieve a lower variable cost than you would get on your own. Because usage from hundreds of thousands of customers is aggregated in the cloud, providers such as AWS can achieve higher economies of scale, which translates into lower prices.

Stop Guessing Capacity When you make a capacity decision prior to deploying an application, you often end up either sitting on expensive idle resources or dealing with limited capacity. With cloud computing, organizations can stop guessing about capacity requirements for the infrastructure necessary to meet their business needs.

This results in a dramatic increase in speed and agility for the organization, because the cost and time it takes to experiment and develop is significantly lower. Focus on Business Differentiators Cloud computing allows organizations to focus on their business priorities, instead of on the heavy lifting of racking, stacking, and powering servers. By embracing this paradigm shift, organizations can stop spending money on running and maintaining data centers. This allows organizations to focus on projects that differentiate their businesses, such as analyzing petabytes of data, delivering video content, building great mobile applications, or even exploring Mars.

Go Global in Minutes Another advantage of cloud computing is the ability to go global in minutes. Organizations can easily deploy their applications to multiple locations around the world with just a few clicks.

This allows organizations to provide redundancy across the globe and to deliver lower latency and better experiences to their customers at minimal cost. Going global used to be something only the largest enterprises could afford to do, but cloud computing democratizes this ability, making it possible for any organization.

While specific questions on these advantages of cloud computing are unlikely to be on the exam, having exposure to these benefits can help rationalize the appropriate answers. It is important to understand how each strategy applies to architectural options and decisions. An all-in cloud-based application is fully deployed in the cloud, with all components of the application running in the cloud. Applications in the cloud have either been created in the cloud or have been migrated from an existing infrastructure to take advantage of the benefits of cloud computing.

Cloud-based applications can be built on low-level infrastructure pieces or can use higher-level services that provide abstraction from the management, architecting, and scaling requirements of core infrastructure. A hybrid deployment is a common approach taken by many enterprises that connects infrastructure and applications between cloud-based resources and existing resources, typically in an existing data center.

Choosing between an existing investment in infrastructure and moving to the cloud does not need to be a binary decision.

Leveraging dedicated connectivity, identity federation, and integrated tools allows organizations to run hybrid applications across on-premises and cloud services. AWS Fundamentals At its core, AWS provides on-demand delivery of IT resources via the Internet on a secure cloud services platform, offering compute power, storage, databases, content delivery, and other functionality to help businesses scale and grow. Using AWS resources instead of your own is like purchasing electricity from a power company instead of running your own generator, and it provides the key advantages of cloud computing: Capacity exactly matches your need, you pay only for what you use, economies of scale result in lower costs, and the service is provided by a vendor experienced in running large-scale networks.

AWS global infrastructure and AWS approach to security and compliance are key foundational concepts to understand as you prepare for the exam. Global Infrastructure AWS serves over one million active customers in more than countries, and it continues to expand its global infrastructure steadily to help organizations achieve lower latency and higher throughput for their business needs.

AWS provides a highly available technology infrastructure platform with multiple locations worldwide. These locations are composed of regions and Availability Zones. Each region is a separate geographic area. Each region has multiple, isolated locations known as Availability Zones.

AWS enables the placement of resources and data in multiple locations. Each region is completely independent and is designed to be completely isolated from the other regions. This achieves the greatest possible fault tolerance and stability. Each Availability Zone is also isolated, but the Availability Zones in a region are connected through low-latency links.

Availability Zones are physically separated within a typical metropolitan region and are located in lower-risk flood plains specific flood zone categorization varies by region. In addition to using a discrete uninterruptable power supply UPS and on-site backup generators, they are each fed via different grids from independent utilities when available to reduce single points of failure further.

Availability Zones are all redundantly connected to multiple tier-1 transit providers. By placing resources in separate Availability Zones, you can protect your website or application from a service disruption impacting a single location. You can achieve high availability by deploying your application across multiple Availability Zones.

Redundant instances for each tier for example, web, application, and database of an application should be placed in distinct Availability Zones, thereby creating a multisite solution. At a minimum, the goal is to have an independent copy of each application stack in two or more Availability Zones. Security is a core functional requirement that protects mission-critical information from accidental or deliberate theft, leakage, integrity compromise, and deletion.

Helping to protect the confidentiality, integrity, and availability of systems and data is of the utmost importance to AWS, as is maintaining your trust and confidence. This section is intended to provide a very brief introduction to AWS approach to security and compliance. Security Cloud security at AWS is the number one priority.

All AWS customers benefit from data center and network architectures built to satisfy the requirements of the most security- sensitive organizations. AWS and its partners offer hundreds of tools and features to help organizations meet their security objectives for visibility, auditability, controllability, and agility. This means that organizations can have the security they need, but without the capital outlay and with much lower operational overhead than in an on-premises environment.

Organizations leveraging AWS inherit all the best practices of AWS policies, architecture, and operational processes built to satisfy the requirements of the most security-sensitive customers. The AWS infrastructure has been designed to provide the highest availability while putting strong safeguards in place regarding customer privacy and segregation.

AWS manages the underlying infrastructure, and the organization can secure anything it deploys on AWS. This affords each organization the flexibility and agility they need in security controls.

This infrastructure is built and managed not only according to security best practices and standards, but also with the unique needs of the cloud in mind. AWS ensures that these controls are consistently applied in every new data center or service. Compliance When customers move their production workloads to the AWS Cloud, both parties become responsible for managing the IT environment.

Customers are responsible for setting up their environment in a secure and controlled manner. Customers also need to maintain adequate governance over their entire IT control environment. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS enables customers to build on traditional compliance programs.

This helps organizations establish and operate in an AWS security control environment. Organizations retain complete control and ownership over the region in which their data is physically located, allowing them to meet regional compliance and data residency requirements. The IT infrastructure that AWS provides to organizations is designed and managed in alignment with security best practices and a variety of IT security standards.

While being knowledgeable about all the platform services will allow you to be a well-rounded solutions architect, understanding the services and fundamental concepts outlined in this book will help prepare you for the AWS Certified Solutions Architect — Associate exam. Subsequent chapters provide a deeper view of the services pertinent to the exam. The console provides an intuitive user interface for performing many tasks.

The console also provides information about the account and billing. With just one tool to download and configure, you can control multiple services from the command line and automate them through scripts.

The SDKs provide support for many different programming languages and platforms to allow you to work with your preferred language. Compute and Networking Services AWS provides a variety of compute and networking services to deliver core functionality for businesses to develop and run their workloads. These compute and networking services can be leveraged with the storage, database, and application services to provide a complete solution for computing, query processing, and storage across a wide range of applications.

This section offers a high-level description of the core computing and networking services. Organizations can select from a variety of operating systems and resource configurations memory, CPU, storage, and so on that are optimal for the application profile of each workload.

Amazon EC2 presents a true virtual computing environment, allowing organizations to launch compute resources with a variety of operating systems, load them with custom applications, and manage network access permissions while maintaining complete control.

Auto Scaling Auto Scaling allows organizations to scale Amazon EC2 capacity up or down automatically according to conditions defined for the particular workload see Figure 1.

Not only can it be used to help maintain application availability and ensure that the desired number of Amazon EC2 instances are running, but it also allows resources to scale in and out to match the demands of dynamic workloads. Instead of provisioning for peak load, organizations can optimize costs and use only the capacity that is actually needed.

Elastic Load Balancing Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances in the cloud. It enables organizations to achieve greater levels of fault tolerance in their applications, seamlessly providing the required amount of load balancing capacity needed to distribute application traffic. Developers can simply upload their application code, and the service automatically handles all the details, such as resource provisioning, load balancing, Auto Scaling, and monitoring.

NET, and Go. With AWS Elastic Beanstalk, organizations retain full control over the AWS resources powering the application and can access the underlying resources at any time. In addition, organizations can extend their corporate data center networks to AWS by using hardware or software virtual private network VPN connections or dedicated circuits by using AWS Direct Connect.

Using AWS Direct Connect, organizations can establish private connectivity between AWS and their data center, office, or colocation environment, which in many cases can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based VPN connections.

It is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications by translating human readable names, such as www. Amazon Route 53 also serves as domain registrar, allowing you to purchase and manage domains directly from AWS. This section provides an overview of the storage and content delivery services.

Amazon Simple Storage Service Amazon S3 Amazon Simple Storage Service Amazon S3 provides developers and IT teams with highly durable and scalable object storage that handles virtually unlimited amounts of data and large numbers of concurrent users. Organizations can store any number of objects of any type, such as HTML pages, source code files, image files, and encrypted data, and access them using HTTP-based protocols.

Amazon S3 provides cost-effective object storage for a wide variety of use cases, including backup and recovery, nearline archive, big data analytics, disaster recovery, cloud applications, and content distribution.

Amazon Glacier Amazon Glacier is a secure, durable, and extremely low-cost storage service for data archiving and long-term backup. Organizations can reliably store large or small amounts of data for a very low cost per gigabyte per month. To keep costs low for customers, Amazon Glacier is optimized for infrequently accessed data where a retrieval time of several hours is suitable.

Amazon S3 integrates closely with Amazon Glacier to allow organizations to choose the right storage tier for their workloads. By delivering consistent and low-latency performance, Amazon EBS provides the disk storage needed to run a wide variety of workloads. The service supports industry- standard storage protocols that work with existing applications.

It provides low-latency performance by maintaining a cache of frequently accessed data on-premises while securely storing all of your data encrypted in Amazon S3 or Amazon Glacier. It integrates with other AWS Cloud services to give developers and businesses an easy way to distribute content to users across the world with low latency, high data transfer speeds, and no minimum usage commitments. Amazon CloudFront can be used to deliver your entire website, including dynamic, static, streaming, and interactive content, using a global network of edge locations.

Requests for content are automatically routed to the nearest edge location, so content is delivered with the best possible performance to end users around the globe. Database Services AWS provides fully managed relational and NoSQL database services, and in-memory caching as a service and a petabyte-scale data warehouse solution.

This section provides an overview of the products that the database services comprise. Because Amazon RDS manages time- consuming administration tasks, including backups, software patching, monitoring, scaling, and replication, organizational resources can focus on revenue-generating applications and business instead of mundane operational tasks. Its flexible data model and reliable performance make it a great fit for mobile, web, gaming, ad-tech, Internet of Things, and many other applications.

Amazon Redshift Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost effective to analyze structured data.

Amazon Redshift provides a standard SQL interface that lets organizations use existing business intelligence tools. The Amazon Redshift architecture allows organizations to automate most of the common administrative tasks associated with provisioning, configuring, and monitoring a cloud data warehouse. Amazon ElastiCache Amazon ElastiCache is a web service that simplifies deployment, operation, and scaling of an in-memory cache in the cloud.

The service improves the performance of web applications by allowing organizations to retrieve information from fast, managed, in-memory caches, instead of relying entirely on slower, disk-based databases. This section provides an overview of the management tools that AWS provides to organizations. It allows organizations to collect and track metrics, collect and monitor log files, and set alarms.

By leveraging Amazon CloudWatch, organizations can gain system-wide visibility into resource utilization, application performance, and operational health. By using these insights, organizations can react, as necessary, to keep applications running smoothly. AWS CloudFormation AWS CloudFormation gives developers and systems administrators an effective way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.

Templates can be submitted to AWS CloudFormation and the service will take care of provisioning and configuring those resources in appropriate order see Figure 1. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the service.

AWS Config AWS Config is a fully managed service that provides organizations with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance.

With AWS Config, organizations can discover existing AWS resources, export an inventory of their AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.

Security and Identity AWS provides security and identity services that help organizations secure their data and systems on the cloud. The following section explores these services at a high level. Organizations can use it to manage users and groups, provide single sign-on to applications and services, create and apply Group Policies, domain join Amazon EC2 instances, and simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads.

AWS WAF gives organizations control over which traffic to allow or block to their web applications by defining customizable web security rules. Application Services AWS provides a variety of managed services to use with applications. The following section explores the application services at a high level. Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.

It is designed to be a highly scalable and cost-effective way for developers and businesses to convert or transcode media files from their source formats into versions that will play back on devices like smartphones, tablets, and PCs.

In Amazon SNS, there are two types of clients—publishers and subscribers—also referred to as producers and consumers. Publishers communicate asynchronously with subscribers by producing and sending a message to a topic, which is a logical access point and communication channel.

Subscribers consume or receive the message or notification over one of the supported protocols when they are subscribed to the topic. Amazon SWF can be thought of as a fully managed state tracker and task coordinator on the cloud. Amazon SWF helps organizations achieve this reliability. Amazon SQS makes it simple and cost effective to decouple the components of a cloud application.

With Amazon SQS, organizations can transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be always available. Instead of buying, owning, and maintaining data centers and servers, organizations can acquire technology such as compute power, storage, databases, and other services on an as-needed basis.

With cloud computing, AWS manages and maintains the technology infrastructure in a secure environment and businesses access these resources via the Internet to develop and run their applications.

Capacity can grow or shrink instantly and businesses pay only for what they use. Cloud computing introduces a revolutionary shift in how technology is obtained, used, and managed, and how organizations budget and pay for technology services.

While each organization experiences a unique journey to the cloud with numerous benefits, six advantages become apparent time and time again. Understanding these advantages allows architects to shape solutions that deliver continuous benefits to organizations. This enables organizations to place resources and data in multiple locations around the globe. Helping to protect the confidentiality, integrity, and availability of systems and data is of the utmost importance to AWS, as is maintaining the trust and confidence of organizations around the world.

AWS offers a broad set of global compute, storage, database, analytics, application, and deployment services that help organizations move faster, lower IT costs, and scale applications. Having a broad understanding of these services allows solutions architects to design effective distributed applications and systems on the AWS platform. Exam Essentials Understand the global infrastructure. Each region is located in a separate geographic area and has multiple, isolated locations known as Availability Zones.

Understand regions. An AWS region is a physical geographic location that consists of a cluster of data centers. AWS regions enable the placement of resources and data in multiple locations around the globe. Understand Availability Zones. An Availability Zone is one or more data centers within a region that are designed to be isolated from failures in other Availability Zones. Availability Zones provide inexpensive, low-latency network connectivity to other zones in the same region.

By placing resources in separate Availability Zones, organizations can protect their website or application from a service disruption impacting a single location. Understand the hybrid deployment model. A hybrid deployment model is an architectural pattern providing connectivity for infrastructure and applications between cloud-based resources and existing resources that are not located in the cloud.

Review Questions 1. Which of the following describes a physical location around the world where AWS clusters data centers? Endpoint B. Collection C. Fleet D. Region 2. Each AWS region is composed of two or more locations that offer organizations the ability to operate production systems that are more highly available, fault tolerant, and scalable than would be possible using a single data center.

What are these locations called? Availability Zones B. Replication areas C. Geographic districts D. Compute centers 3. What is the deployment term for an environment that extends an existing on-premises infrastructure into the cloud to connect cloud resources to internal systems? All-in deployment B. Hybrid deployment C. On-premises deployment D. Scatter deployment 4. Which AWS Cloud service allows organizations to gain system-wide visibility into resource utilization, application performance, and operational health?

Amazon CloudWatch D. AWS CloudFormation 5. Amazon DynamoDB C. Amazon ElastiCache D. What service can help your company dynamically match the required compute capacity to the spike in traffic during flash sales? Auto Scaling B. Amazon Glacier C. Your company provides an online photo sharing service.

The development team is looking for ways to deliver image files with the lowest latency to end users so the website content is delivered with the best possible performance. What service can help speed up distribution of these image files to end users around the world?

Amazon Route 53 C. Amazon CloudFront 8. Your company runs an Amazon Elastic Compute Cloud Amazon EC2 instance periodically to perform a batch processing job on a large and growing filesystem. At the end of the batch job, you shut down the Amazon EC2 instance to save money but need to persist the filesystem on the Amazon EC2 instance from the previous batch runs. What AWS Cloud service can you leverage to meet these requirements? Amazon Glacier D. AWS CloudFormation 9. AWS CloudFormation Your company provides a mobile voting application for a popular TV show, and 5 to 25 million viewers all vote in a second timespan.

What mechanism can you use to decouple the voting application from your back-end services that tally the votes? Amazon Redshift D. Content may include the following: Configure services to support compliance requirements in the cloud. Domain 3. Amazon S3 provides developers and IT teams with secure, durable, and highly-scalable cloud storage. Amazon S3 is easy-to-use object storage with a simple web service interface that you can use to store and retrieve any amount of data from anywhere on the web.

Amazon S3 also allows you to pay only for the storage you actually use, which eliminates the capacity planning and capacity constraints associated with traditional storage.

Amazon S3 is one of first services introduced by AWS, and it serves as one of the foundational web services—nearly any application running in AWS uses Amazon S3, either directly or indirectly. Amazon S3 can be used alone or in conjunction with other AWS services, and it offers a very high level of integration with many other AWS cloud services. Because Amazon S3 is so flexible, so highly integrated, and so commonly used, it is important to understand this service in detail.

Common use cases for Amazon S3 storage include: Backup and archive for on-premises or cloud data Content, media, and software storage and distribution Big data analytics Static website hosting Cloud-native mobile and Internet application hosting Disaster recovery To support these use cases and many more, Amazon S3 offers a range of storage classes designed for various generic use cases: general purpose, infrequent access, and archive.

To help manage data through its lifecycle, Amazon S3 offers configurable lifecycle policies. By using lifecycle policies, you can have your data automatically migrate to the most appropriate storage class, without modifying your application code. In order to control who has access to your data, Amazon S3 provides a rich set of permissions, access controls, and encryption options.

Amazon Glacier is another cloud storage service related to Amazon S3, but optimized for data archiving and long-term backup at extremely low cost. Object Storage versus Traditional Block and File Storage In traditional IT environments, two kinds of storage dominate: block storage and file storage.

Block storage operates at a lower level—the raw storage device level—and manages data as a set of numbered, fixed-size blocks.

File storage operates at a higher level—the operating system level—and manages data as a named hierarchy of files and folders. Whether directly-attached or network- attached, block or file, this kind of storage is very closely associated with the server and the operating system that is using the storage. Amazon S3 object storage is something quite different. Amazon S3 is cloud object storage. Instead of being closely associated with a server, Amazon S3 storage is independent of a server and is accessed over the Internet.

Each Amazon S3 object contains both data and metadata. Objects reside in containers called buckets, and each object is identified by a unique user-specified key filename. Buckets are a simple flat folder with no file system hierarchy.

Each bucket can hold an unlimited number of objects. It is easy to think of an Amazon S3 object or the data portion of an object as a file, and the key as the filename. However, keep in mind that Amazon S3 is not a traditional file system and differs in significant ways. In Amazon S3, you GET an object or PUT an object, operating on the whole object at once, instead of incrementally updating portions of the object as you would with a file.

Instead of a file system, Amazon S3 is highly-durable and highly-scalable object storage that is optimized for reads and is built with an intentionally minimalistic feature set. It provides a simple and robust abstraction for file storage that frees you from many underlying details that you normally do have to deal with in traditional storage.

The same with scalability —if your request rate grows steadily, Amazon S3 automatically partitions buckets to support very high request rates and simultaneous access by many clients. If you need traditional block or file storage in addition to Amazon S3 storage, AWS provides options. Amazon Simple Storage Service Amazon S3 Basics Now that you have an understanding of some of the key differences between traditional block and file storage versus cloud object storage, we can explore the basics of Amazon S3 in more detail.

Buckets A bucket is a container web folder for objects files stored in Amazon S3. Every Amazon S3 object is contained in a bucket. Buckets form the top-level namespace for Amazon S3, and bucket names are global. Bucket names can contain up to 63 lowercase letters, numbers, hyphens, and periods. You can create and use multiple buckets; you can have up to per account by default. It is a best practice to use bucket names that contain your domain name and conform to the rules for DNS names. This ensures that your bucket names are your own, can be used in all regions, and can host static websites.

This lets you control where your data is stored. You can create and use buckets that are located close to a particular set of end users or customers in order to minimize latency, or located in a particular region to satisfy data locality and sovereignty concerns, or located far away from your primary facilities in order to satisfy disaster recovery and compliance needs.

You control the location of your data; data in an Amazon S3 bucket is stored in that region unless you explicitly copy it to another bucket located in a different region. Objects Objects are the entities or files stored in Amazon S3 buckets. An object can store virtually any kind of data in any format. Objects can range in size from 0 bytes up to 5TB, and a single bucket can store an unlimited number of objects.

This means that Amazon S3 can store a virtually unlimited amount of data. Each object consists of data the file itself and metadata data about the file. The data portion of an Amazon S3 object is opaque to Amazon S3. There are two types of metadata: system metadata and user metadata.

User metadata is optional, and it can only be specified at the time an object is created. You can use custom metadata to tag your data with attributes that are meaningful to you. You can think of the key as a filename. A key can be up to bytes of Unicode UTF-8 characters, including embedded slashes, backslashes, dots, and dashes. Keys must be unique within a single bucket, but different buckets can contain objects with the same key.

The combination of bucket, key, and optional version ID uniquely identifies an Amazon S3 object. A key may contain delimiter characters like slashes or backslashes to help you name and logically organize your Amazon S3 objects, but to Amazon S3 it is simply a long key name in a flat namespace. There is no actual file and folder hierarchy. For convenience, the Amazon S3 console and the Prefix and Delimiter feature allow you to navigate within an Amazon S3 bucket as if there were a folder hierarchy.

However, remember that a bucket is a single flat namespace of keys with no structure. In most cases, users do not use the REST interface directly, but instead interact with Amazon S3 using one of the higher-level interfaces available.

NET, Node. Durability and Availability Data durability and availability are related but slightly different concepts. Amazon S3 standard storage is designed for For example, if you store 10, objects with Amazon S3, you can on average expect to incur a loss of a single object once every 10,, years.

Amazon S3 achieves high durability by automatically storing data redundantly on multiple devices in multiple facilities within a region. It is designed to sustain the concurrent loss of data in two facilities without loss of user data. Amazon S3 provides a highly durable storage infrastructure designed for mission-critical and primary data storage.

RRS offers Even though Amazon S3 storage offers very high durability at the infrastructure level, it is still a best practice to protect against user-level accidental deletion or overwriting of data by using additional features such as versioning, cross-region replication, and MFA Delete. Data Consistency Amazon S3 is an eventually consistent system.

Because your data is automatically replicated across multiple servers and locations within a region, changes in your data may take some time to propagate to all locations.

As a result, there are some situations where information that you read immediately after an update may return stale data. For PUTs to new objects, this is not a concern—in this case, Amazon S3 provides read-after- write consistency. In all cases, updates to a single key are atomic—for eventually-consistent reads, you will get the new data or the old data, but never an inconsistent mix of data.

Access Control Amazon S3 is secure by default; when you create a bucket or object in Amazon S3, only you have access. ACLs are best used today for a limited set of use cases, such as enabling bucket logging or making a bucket that hosts a static website be world-readable. Amazon S3 bucket policies are the recommended access control mechanism for Amazon S3 and provide much finer-grained control.

They include an explicit reference to the IAM principal in the policy. This principal can be associated with a different AWS account, so Amazon S3 bucket policies allow you to assign cross-account access to Amazon S3 resources.

Note that this does not mean that the website cannot be interactive and dynamic; this can be accomplished with client-side scripts, such as JavaScript embedded in static HTML webpages. Static websites have many advantages: they are very fast, very scalable, and can be more secure than a typical dynamic website. If you host a static website on Amazon S3, you can also leverage the security, durability, availability, and scalability of Amazon S3.

Because every Amazon S3 object has a URL, it is relatively straightforward to turn a bucket into a website. To host a static website, you simply configure a bucket for website hosting and then upload the content of the static website to the bucket. To configure an Amazon S3 bucket for static website hosting: 1. Create a bucket with the same name as the desired website hostname.

Upload the static files to the bucket. Make all the files public world readable. Enable static website hosting for the bucket. This includes specifying an Index document and an Error document. The website will now be available at your website domain name.

Amazon S3 Advanced Features Beyond the basics, there are some advanced features of Amazon S3 that you should also be familiar with.

Prefixes and Delimiters While Amazon S3 uses a flat structure in a bucket, it supports the use of prefix and delimiter parameters when listing key names. This feature lets you organize, browse, and retrieve the objects within a bucket hierarchically. This feature lets you logically organize new data and easily maintain the hierarchical folder-and-file structure of existing data uploaded or backed up from traditional file systems. Use delimiters and object prefixes to hierarchically organize the objects in your Amazon S3 buckets, but always remember that Amazon S3 is not really a file system.

Storage Classes Amazon S3 offers a range of storage classes suitable for various use cases. Amazon S3 Standard offers high durability, high availability, low latency, and high performance object storage for general purpose use. Because it delivers low first-byte latency and high throughput, Standard is well-suited for short-term or long-term storage of frequently accessed data.

For most general purpose use cases, Amazon S3 Standard is the place to start. Amazon S3 Standard — Infrequent Access Standard-IA offers the same durability, low latency, and high throughput as Amazon S3 Standard, but is designed for long-lived, less frequently accessed data.

Standard-IA has a lower per GB-month storage cost than Standard, but the price model also includes a minimum object size KB , minimum duration 30 days , and per-GB retrieval costs, so it is best suited for infrequently accessed data that is stored for longer than 30 days. It is most appropriate for derived data that can be easily reproduced, such as image thumbnails. Finally, the Amazon Glacier storage class offers secure, durable, and extremely low-cost cloud storage for data that does not require real-time access, such as archives and long-term backups.

To keep costs low, Amazon Glacier is optimized for infrequently accessed data where a retrieval time of several hours is suitable. Note that the restore simply creates a copy in Amazon S3 RRS; the original data object remains in Amazon Glacier until explicitly deleted. In addition to acting as a storage tier in Amazon S3, Amazon Glacier is also a standalone storage service with a separate API and some unique characteristics.

Refer to the Amazon Glacier section for more details. Set a data retrieval policy to limit restores to the free tier or to a maximum GB- per-hour limit to avoid or minimize Amazon Glacier restore fees. For example, many business documents are frequently accessed when they are created, then become much less frequently accessed over time.

In many cases, however, compliance rules require business documents to be archived and kept accessible for years. Similarly, studies show that file, operating system, and database backups are most frequently accessed in the first few days after they are created, usually to restore after an inadvertent error.

After a week or two, these backups remain a critical asset, but they are much less likely to be accessed for a restore. In many cases, compliance rules require that a certain number of backups be kept for several years. Using Amazon S3 lifecycle configuration rules, you can significantly reduce your storage costs by automatically transitioning data from one storage class to another or even automatically deleting data after a period of time.

For example, the lifecycle rules for backup data might be: Store backup data initially in Amazon S3 Standard.

After 30 days, transition to Amazon Standard-IA. After 90 days, transition to Amazon Glacier. After 3 years, delete. Lifecycle configurations are attached to the bucket and can apply to all objects in the bucket or only to objects specified by a prefix. Encryption It is strongly recommended that all sensitive data stored in Amazon S3 be encrypted, both in flight and at rest.

Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it.

You can also encrypt your Amazon S3 data at rest using Client-Side Encryption, encrypting your data on the client before sending it to Amazon S3. Every object is encrypted with a unique key. The actual object key itself is then further encrypted by a separate master key. A new master key is issued at least monthly, with AWS rotating the keys.

Encrypted data, encryption keys, and master keys are all stored separately on secure hosts, further enhancing protection. Using SSE-KMS, there are separate permissions for using the master key, which provide protection against unauthorized access to your objects stored in Amazon S3 and an additional layer of control.

AWS KMS also provides auditing, so you can see who used your key to access which object and when they tried to access this object. AWS KMS also allows you to view any failed attempts to access data from users who did not have permission to decrypt the data. Client-Side Encryption Client-side encryption refers to encrypting data on the client side of your application before sending it to Amazon S3. Use a client-side master key.

These solutions automate the database discovery, protection, monitoring and security management processes and do not require specialized knowledge of the database system, thus helping the IT team to achieve faster turnaround times. Hardware or software systems that offer monitoring, tracking, real-time file protection and user rights management for files stored on servers and devices connected to the network.

File server protection systems monitor every file access to verify who owns it, who is using file data and protects the confidential data by alerting and possibly blocking unauthorized access.

These systems make it possible to speed up investigations through relevant reports and analyses, also controlling file access without compromising file server performance. Systems capable of detecting zero-day malware not yet registered with an innovative multi-level approach. These systems bring together in real time the reputation of the objects analysed and in-depth analysis of the static code and dynamic analysis sandboxing to analyse the behaviour of executables pdf, word, etc. They represent the most effective protection available on the market against advanced malware that can effectively balance protection and performance needs.

They can analyse network traffic, or specific email and web traffic, or even analyse end-user files desktop, laptop or mobile in order to detect evolved malware nested within commonly used carriers. Today it is very easy to lose control of a confidential document that, without protection, can be printed, copied or forwarded to a competitor or to a press agency. Even employees can keep and use the documents in their possession even when they no longer collaborate with the employer.

The Virtual Vault systems of data loss prevention that protect the confidentiality of information through using encryption, provide complete protection to prevent the improper use of confidential files by collaborators, suppliers and unauthorized users.

The ever-increasing demands for employee access to corporate networks via smartphones are creating a series of complex security problems for companies. They are indispensable tools for the business of a company because they help to increase the productivity of employees, guaranteeing easy access to networks.

If the devices are not adequately protected, it is easy to cause the loss or theft of important sensitive data, as well as legal and compliance problems. In multi-platform environments, where each user has different services available, it is imperative to avoid a user having to remember a large number of passwords.

The existence of a unique password linked to the user allows ease of use for the user, making security transparent. The solutions concern different services on different operating systems that host different applications, and interact with Legacy, Mainframes environments using email or news servers: Password synchronization, Secure Single Sign-On, Reduce Single Sign-On, Access Control. Celebrate your accomplishment with your network. Pricing is subject to change without notice.

Pricing does not include applicable taxes. Please confirm exact pricing with the exam provider before registering to take an exam. After the retirement date, please refer to the related certification for exam requirements.

Tech intensity, the speed at which technology continues to evolve, creates skill intensity. Keep your certification active to validate your skills are current with the latest technology updates. Skip to main content. This browser is no longer supported. Download Microsoft Edge More info. Contents Exit focus mode. Save Table of contents. A new exam, Exam AZ , is available in beta. The content of this certification was updated on November 23, Certification details Complete one prerequisite.

Design identity, governance, and monitoring solutions Design data storage solutions Design business continuity solutions Design infrastructure solutions. Two ways to prepare Online - Free. Instructor-led - Paid. Hide completed. Instructor-led courses to gain the skills needed to become certified.

Audience Profile Successful students have experience and knowledge in IT operations, including networking, virtualization, identity, security, business continuity, disaster recovery, data platforms, and governance.

Certification exams AZ Designing Microsoft Azure Infrastructure Solutions beta Languages: en Retirement date: This exam measures your ability to accomplish the following technical tasks: design identity, governance, and monitoring solutions; design data storage solutions; design business continuity solutions; and design infrastructure solutions.