SAP-C02 Amazon AWS Certified Solutions Architect Professional – New Domain 5 – Continuous Improvement for Existing Solutions Part 16

65. New S3 Storage Class – Glacier Deep Archive

Hey everyone and welcome back. Now in today’s video we will be discussing about yet another new S Three storage class which is Glacier Deep archive. Now the S Three Glacier Deep archive is basically the Amazon S Three lowest cost storage class and it supports long term retention and digital prevention for data that may be access once or twice in a year. So this type of storage class is specifically for the data that you know will hardly be accessed. So it is like if you want to access the data maybe once or twice a year, then the Glacier Deep archive can be a good solution. Now all the data which you store in the S Three Glacier Deep archive can be restored within 12 hours.

So it’s not like that. You have some data within the Glacier Deep archive and you can just recover the data within few minutes. That is not so the restoration takes hours. So now on the contrary, because you have a glacier deep archive. So in fact, let me show you the storage classes. So you have the glacier storage class and you have the Glacier Deep archive storage class. Now the glacier storage class is ideal for archives where the data is regularly retrieved and some of the data retrieval may need to be within few minutes. So that is the primary difference between them.

Now in terms of costing, so you have one TB of data stored in glacier costs $14. Now one TB of data stored in Glacier Deep archive costs ten point $99. So the Glacier Deep archive is one of the lowest cost storage solutions which is available in AWS. Now if you look into the S Three console here, so again you have the storage class here and this is the storage class which we are discussing, which is the Glacier deep archive.

Now if you talk about the minimum storage duration, you see the minimum storage duration here is 180 days as compared to the glaciers, 90 days over year. Now within the description also, so this is like self explanatory. So you have glacier. It is basically designed for archive data with the deep retrieval times ranging from minutes to hours. Now for the Glacier Deep Archive, it is for archive data that rarely if ever, needs to be accessed with the retrieval time in hours. So this data in glacier deep archive cannot be retrieved in minutes. You need to wait for hours for it to be retrieved.

66. S3 Encryption

Hi everyone, and welcome back to the Knowledge Portal video series. So, S Three is back, and today, yet again, we are going to talk about one more important topic, which is S Three encryption. So it seems that the most of the things that we discuss about all are important, and this truly is important. So let me give you a very simple example for this particular use case. For those who are wondering, is SJ encryption really required? Now let me show you. I have my external hard disk drive. So generally, I have a lot of data in this. Now, generally, when I go out, sometimes I really have to worry because I have a lot of personal data. And if this hard disk drive gets misplaced or it gets lost, and any unauthorized person who gets access to my external hard disk drive, he can simply plug it in his laptop and he can download all of my personal data. So, really scary.

So sometimes I just put my hard disk drive at home, and I never carry it outside. But this is not a solution. So the problem is, if the data within your hard disk drive is unencrypted, and if your hard disk drive gets stolen, then hacker really have access to all of your data. Now, one of the ways in which we can protect is we can use encryption. So in this case, what happens if all the data within your hard disk drive is encrypted? And even if your hard disk drive is stolen, the hacker will not have access to the data. He’ll only have access to the encrypted data. And this is one of the requirements which most of the people need. And this is one of the reasons why the hard disk drive manufacturers are coming up with a pre built in encryptions. So it’s always good to be proactive. So you see Western Digital external hard disipes. They come up with hardware based encryption.

So the hardware based encryption is in build, so no need to use external tools like Procrypt, et cetera. And just within few clicks, you can encrypt your entire hard disregard. And this is very important. Now, the question is, what about S Three? S Three is also a storage device. And as it’s a storage device, the data within the storage device has to be encrypted specifically if it is a sensitive information. And this is one of the use case of many of the compliance requirements. And this is one of the reasons why Amazon has provided us way to encrypt the data within S Three. Also. So there are three ways in which we can encrypt the data in S Three. The first is the serverside encryption with Amazon S Three managed keys. So in very simple, you can call it SSE.

So what happens here is that you just select a one option, and AWS will encrypt all of your data with Amazon managed keys. So here you don’t have to worry about which keys you will use to encrypt the rotation of the keys, the expiry of the keys no need to worry about all those things, amazon will take care of everything. The second option here, server side encryption with AWS Kms managed keys or SSE Hyphen Kms. So for some users it might be like I don’t want Amazon to use their own keys for encryption so what I can do is I can have my own Kms and that Kms keys can be used by the AWS to encrypt your data. Now, in this particular scenario where Kms keys are used, again this AWS uses the envelope based encryption which we already discussed in the previous lecture, where data keys are generated from the customer master key and that data key is used to encrypt the data.

And if some users who do not want Kms also, then AWS has given the third option, which is called as the SSE Hyphen C or customer provided keys. So I can generate my own symmetric encryption key in my computer and I can pass that symmetric key to the AWS and AWS will use that key to encrypt the data. So three options which are available and let’s go to our console and let’s explore on how we can achieve this. So this is my AWS console so let’s do one thing.

Let me create a bucket let’s name it as KP Labs Encryption and region we’ll select Mumbai. Okay, so this is the bucket that we have created. Now let’s upload one data over here. Let’s upload this text file. These are the older operations so no need to worry about. So this is done. So now what has happened is that our text file is uploaded. Now, the problem is that this particular file is unencrypted. So it will stay unencrypted within the S Three storage also. Now, what we can do is we can go to details over here and we can select the server side encryption, and we can set it to AES 256, and I’ll click on Save. Let me go a bit down. Okay, now if you’ll see this particular is saved so if I go to properties over here just to verify now you see it is using a server side encryption with 256 bit as key. So this is the first option of AWS managed keys. Note that you really don’t have any control on which keys AWS uses nothing. You just have to click on one option and save as simple.

Now what happens is this is the scenario where the file is already uploaded we can also look into the second scenario where you are uploading a file. So while uploading this file before you click on start upload over here, just go to set details and select the server side encryption. Now again, there are two options use the AWS three service master key this you already looked earlier and the second is Kms. So I’ll select the kms over here and here. By default, it is showing the default Kms master key. Now, before we select the kms, one very important thing I would really like you to know that s three buckets. As we discuss are region specific.

So this particular bucket resides in the Mumbai region. So now if you want to encrypt the data with Kms then you need to have a Kms key in the same region, which is mumbai. So till now we were creating a Kms key in North Virginia region. And you cannot use the Kms key of North Virginia region to encrypt the files in s three bucket of Mumbai region. That will not work. So what I did, I went to Mumbai and I created one Kms key kplabs and Mumbai. And now what we will do is we will use this key as a Kms identifier for uploading the data. So I’ll use kms kplabs PEM let me click on open set details use server side encryption kms and this is the key that it is showing. So I’ll put this key it has extracted the key ID and let me click on upload. Let’s wait down. Okay, now you see it is done and my Kplabs PEM file is uploaded. So if you go to properties and you just want to verify the server side encryption, you see it is using the kms master key, which is KP Labs, Hyphen, Mumbai. And the third part, which we discussed, that you can even provide your own customer site key. And AWS will use that key to encrypt the data. Now, one interesting thing. That I wanted to show you for S three bucket policy is that you can actually restrict whether data which has been uploaded is encrypted or not.

So for a simple example, if a client is uploading an unencrypted data, then with a bucket policy, we can restrict that particular upload. So let me show you on how that works. Let’s go to permission. I’ll add a bucket policy. I have a sample bucket policy over here. Let me paste. It. And here I’ll give the bucket name, which is Kplabs Hyphen encryption. And same here, kplabs Hyphen encryption. So generally, what happens in this bucket policy is Amazon will look for the action which is put object. So when anyone tries to upload a file. This action is generally happens. Now, within this, there is a condition where it check if the server side encryption option is selected. If it is not selected for either Kms or the first S. Three managed keys, then the bucket or the S three will not allow you to upload a file.

So let’s look into this example. I’ll save this particular bucket policy. Okay, now it is saved. Let’s go back here and now let me try to upload one file. I’ll upload one file. Now, I’m not going to select any of the encryption thing. And let me try on uploading. So if you look down, you see the operation has failed. This is because of the bucket policy. So from now, you will not be able to upload any unencrypted file in this bucket. So what to do now? So now whenever you want to upload a file, you need to select the encryption schema. So now I use the serverside encryption, I’ll use the master key and I’ll click on upload. And now if you look down, it is uploaded. So once again, very important use case scenario for S Three and the Bucket policy as well. So this is the basic about the S three encryption and we also look into an interesting bucket policy. So this is it about this lecture, I hope this has been informative for you. And again, if you have any doubts, feel free to contact us and I’ll be more than happy to help you. Thanks for watching.

• Category: Uncategorized