AWS Certified Solutions Architect Associate (SAA02) – Free Practice Tests

Explanation

Regarding Amazon Route 53, if your application is running on Amazon EC2 instances in two or more regions, and if you have more than one Amazon EC2 instance in one or more regions, you can use latency-based routing to route traffic to the correct region and then use weighted resource record sets to route traffic to instances within the region based on weights that you specify

Explanation

A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. An Elastic Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a VPC.

The ENI allows the user to change the security group of a running instance. Thus, in the present scenario when the organization wants to have a separate security group for one of the instances, it should change the security group of that ENI. This avoids the cost and time of deploying a new instance or configuring a new subnet, or changing the configuration of an existing security group.

Explanation

When scaling a database, you can increase the storage capacity of a DB Instance up to a maximum of 64 terabytes (TiB). Please note that scaling the storage allocation with Amazon RDS does not incur a database outage. The performance will be increased as well.

Explanation

Amazon RDS Read Replicas provide enhanced performance and durability for database (DB) instances. This replication feature makes it easy to elastically scale out beyond the capacity constraints of a single DB Instance for read-heavy database workloads. You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances.

Read replicas in different regions are available in Amazon RDS for MYSQL, MariaDB, PostgreSQL, Oracle, and Aurora

Explanation

An application load balancer configured to use the HTTPS or SSL protocol with back-end authentication enabled fails public key authentication it’s probable that the public key on the SSL certificate does not match the public key configured on the load balancer. You might need to update your SSL certificate. If your SSL certificate is current, try re-installing it on your load balancer.

Explanation

Implementing a Route 53 Calculated Health Check is the best solution in this case because it aggregates all of the individual health checks. Integrating QuickSight and CloudTrail will create an effective dashboard, but this is not an automated solution because someone has to continuously check the dashboard.

You can also create a CloudWatch Log log alarm, but this would be overly complex compared to the Calculated Health Checks.

For example, let’s say you have deployed 15 EC2 instances, and created 15 separate Route 53 health checks to monitor each one. While you are concerned about each instance’s performance, you essentially need 10 of the 15 instances to be healthy for your system to run properly. Rather than setting up SNS notifications for each individual health check, you can create a calculated health check that collects the results of each health check into a single count between 0-15, and compares that count to a threshold you’ve set. In this case, the threshold could be 10. Now, if 10 instances are healthy, the calculated health check comes back healthy. If less than 10 instances are healthy, the health check comes back unhealthy.For example, let’s say you have deployed 15 EC2 instances, and created 15 separate Route 53 health checks to monitor each one. While you are concerned about each instance’s performance, you essentially need 10 of the 15 instances to be healthy for your system to run properly. Rather than setting up SNS notifications for each individual health check, you can create a calculated health check that collects the results of each health check into a single count between 0-15, and compares that count to a threshold you’ve set. In this case, the threshold could be 10. Now, if 10 instances are healthy, the calculated health check comes back healthy. If less than 10 instances are healthy, the health check comes back unhealthy.

Explanation

In Amazon Web Services, the spot instance is useful when the user wants to run a process temporarily. The spot instance can terminate the instance if the other user outbids the existing bid. In this case all storage is temporary and the data is not required to be persistent. Thus, the spot instance is a good option to save money

Explanation

Amazon Web Services has massive hardware resources at its data centers, but they are finite. The best way for users to maximize their access to these resources is by reserving a portion of the computing capacity that they require. This can be done through reserved instances. With reserved instances, the user literally reserves the computing capacity in the Amazon Web Services cloud.

Explanation

Amazon S3 storage offers very high durability, but it is still a best practice to protect against user level deletion or overwriting of data using versioning, cross-region replication, and MFA Delete.

Explanation

Amazon CloudWatch provides the functionality to graph the metric data generated either by the AWS services or the custom metric to make it easier for the user to analyse. The AWS CloudWatch console provides the option to change the granularity of a graph and zoom in to see data over a shorter time period. To zoom, the user has to click in the graph details pane, drag on the graph area for selection, and then release the mouse button.

Explanation

When creating an alarm, select a period that is greater than or equal to the frequency of the metric to be monitored. For example, basic monitoring for Amazon EC2 provides metrics for your instances every 5 minutes. When setting an alarm on a basic monitoring metric, select a period of at least 300 seconds (5 minutes). Detailed monitoring for Amazon EC2 provides metrics for your instances every 1 minute. When setting an alarm on a detailed monitoring metric, select a period of at least 60 seconds (1 minute).

Explanation

Amazon S3 storage offers very high durability, but it is still a best practice to protect against user level deletion or overwriting of data using versioning, cross-region replication, and MFA Delete.

Explanation

Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic

Explanation

You can use snapshots to increase the size of EBS volumes. Take a snapshot of the existing volume, create a new volume from the snapshot but with a larger size, then replace the original snapshot with the new volume. There is a performance hit with new volumes because, while the volume is created immediately, the data is lazy loaded. So there will be a first time performance hit when accessing each block on the volume. This problem can be resolved by initializing the volume and accessing each block one time before the volume is put into service.

Explanation

Both Snowball and VM Import can be used to migrate VMs. Snowball mitigates any bandwidth issues that may occur when using VM Import with standard Internet connections.

Explanation

SQS allows you to quickly build hosted and scalable message queuing applications that can run on any computer. SQS stores messages in transit between diverse, distributed application components without losing messages and without requiring each component to be always available

Explanation

With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access. In some cases, you might have an IAM user with full access to IAM and Amazon S3. If the IAM user assigns a bucket policy to an Amazon S3 bucket and doesn’t specify the root user as a principal, the root user is denied access to that bucket. However, as the root user, you can still access the bucket by modifying the bucket policy to allow root user access.

Explanation

When you send a request to initiate a multipart upload, Amazon S3 returns a response with an upload ID, which is a unique identifier for your multipart upload. You must include this upload ID whenever you upload parts, list the parts, complete an upload, or abort an upload. When uploading a part, in addition to the upload ID, you must specify a part number that uniquely identifies a part and its position in the object you are uploading. Amazon S3 returns an ETag header in its response. For each part upload, you must record the part number and the ETag value for use in each subsequent request.

Explanation

yourwebsite.com is a zone apex. Alias record sets can be used to set a zone apex, but CNAME records cannot. Additionally, queries to Alias records that are mapped to an ELB are free. A records are used to map IPv4 addresses to FQDNs, the IP address of the ELB may change. MX records are used for email servers.

Explanation

An EBS volume is off-instance storage that can persist independently from the life of an instance. You continue to pay for the volume usage as long as the data persists. EBS instances can be stopped and re-started. And EBS volumes boot faster than instance store volumes often by an order of magnitude

Explanation

Cost Explorer, this is a useful and powerful tool within Billing and Cost Management. It allows you to view historical billing information in a graphical format giving you greater insight to your AWS spend. A valuable tool that can help to identify where you should be focusing your cost optimization efforts. It also can forecast your estimated spend up to two months ahead using existing data as a reference. If you can see that your estimated future bills are becoming too high, you have the time now to identify where you can make and initiate cost reduction mechanisms to help mitigate the risk.

Cost Explorer comes configured with three pre-defined views which are commonly used to analyze spending across your account:

1. Monthly Spend by Service view – this covers the current and previous two months and is grouped by AWS services
2. Monthly Spend by Linked Account View – this covers the current and previous two months and is grouped by linked accounts
3. Daily Spend view – this covers the daily spend over the previous sixty days

Explanation

FGAC can benefit any application that tracks information in a DynamoDB table, where the end user (or application client acting on behalf of an end user) wants to read or modify the table directly, without a middle-tier service. For instance, a developer of a mobile app named Acme can use FGAC to track the top score of every Acme user in a DynamoDB table. FGAC allows the application client to modify only the top score for the user that is currently running the application

Explanation

If you use PuTTY to connect to your instances verify that your private key (.pem) file has been converted to the format recognized by PuTTY (.ppk). PuTTY does not natively support the private key format (.pem) generated by Amazon EC2. PuTTY has a tool named PuTTYgen, which can convert keys to the required PuTTY format (.ppk). You must convert your private key into this format (.ppk) before attempting to connect to your instance using PuTTY.

Explanation

The ability to pause multipart uploads offers great flexibility in its usage. A pause could be initiated for a number of reasons but pausing to relieve network traffic is a prime use case. If a multipart upload aborts, it is good practice to have a lifecycle policy, which will delete incomplete uploads after a predetermined number of days. This will reduce storage costs.

Explanation

Explanation

The key benefit of launch templates is their capability to support multiple instance types and purchase types within the same template.

Explanation

DynamoDB tables are portioned based on the following: First, calculate total RCU/3000 + total WCU/1000. Then calculate the total size/10 GB. Then round up the higher of the two results.

Explanation

A cluster placement group is a logical grouping of instances within a single AWS Availability Zone. Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both. To provide the lowest latency, and the highest packet-per-second network performance for your placement group, choose an instance type that supports enhanced networking.

Explanation

It is critical before making any major changes to your health checks to verify whether you can connect manually to the EC2 instances in question. Once you’ve verified you can connect to them manually, you can begin altering the health check settings.

Explanation

There are a few key points to this question:

1. Object locks can prevent objects from modification or deletion; objection versioning does not – it only maintains versions of an object until those versions are deleted.
2. Users can only enable Object locks can on new S3 buckets.
3. Object locks have two retention modes – governance mode and compliance mode. Compliance mode prevents objects from being deleted or updated by users, including the root user. Governance mode allows objects to be modified, but prevents objects from being deleted.

Explanation

With Amazon EBS, you can use any of the standard RAID configurations that you can use with a traditional bare metal server, as long as that particular RAID configuration is supported by the operating system for your instance. This is because all RAID is accomplished at the software level. For greater I/O performance than you can achieve with a single volume, RAID 0 can stripe multiple volumes together, for on-instance redundancy, RAID 1 can mirror two volumes together. RAID 5 and RAID 6 are not recommended for Amazon EBS because the parity write operations of these RAID modes consume some of the IOPS available to your volumes

Explanation

When you want to include instances with multiple purchase types in the same auto scaling group, you have the ability to maintain a set number of on-demand instances will be deployed at all times, and then split the remaining instances between multiple purchase types as you see fit. To configure this, set a number of instances as your “optional on-demand base” within your launch template. This is not possible using a launch configuration.

Explanation

Regarding Amazon Route 53, if your application is running on Amazon EC2 instances in two or more regions, and if you have more than one Amazon EC2 instance in one or more regions, you can use latency-based routing to route traffic to the correct region and then use weighted resource record sets to route traffic to instances within the region based on weights that you specify

Explanation

After you launch an instance in EC2-Classic, you can’t change its security groups. However, you can add rules to or remove rules from a security group, and those changes are automatically applied to all instances that are associated with the security group

Explanation

You can set up a variety of failover configurations using Amazon Route 53 alias: weighted, latency, geolocation routing, and failover resource record sets.

• Active-active failover: Use this failover configuration when you want all of your resources to be available the majority of the time. When a resource becomes unavailable, Amazon Route 53 can detect that it’s unhealthy and stop including it when responding to queries.
  Active-passive failover: Use this failover configuration when you want a primary group of resources to be available the majority of the time and you want a secondary group of resources to be on standby in case all of the primary resources become unavailable. When responding to queries, Amazon Route 53 includes only the healthy primary resources. If all of the primary resources are unhealthy, Amazon Route 53 begins to include only the healthy secondary resources in response to DNS queries.
• Active-active-passive and other mixed configurations: You can combine alias and non-alias resource record sets to produce a variety of Amazon Route 53 behaviors.

Explanation

In AWS CloudFormation, Amazon EC2 resources that support the tagging feature can also be tagged in an AWS template. The tag values can refer to template parameters, other resource names, resource attribute values (e.g. addresses), or values computed by simple functions (e.g., a concatenated list of strings).

Explanation

Amazon CloudWatch integrates with AWS Identity and Access Management (IAM) so that you can specify which CloudWatch actions a user in your AWS Account can perform. For example, you could create an IAM policy that gives only certain users in your organization permission to use GetMetricStatistics. They could then use the action to retrieve data about your cloud resources. You can’t use IAM to control access to CloudWatch data for specific resources. For example, you can’t give a user accessto CloudWatch data for only a specific set of instances or a specific LoadBalancer. Permissions granted using IAM coverall the cloud resources you use with CloudWatch. In addition, you can’t use IAM roles with the Amazon CloudWatch command line tools. Using Amazon CloudWatch with IAM doesn’t change how you use CloudWatch. There are no changes to CloudWatch actions, and no new CloudWatch actions related to users and access control.

Explanation

When scaling an RDS instance, changes can be applied immediately or during the maintenance window specified. It is also recommended that you before you scale, make sure you have the correct licensing in place for commercial engines (SQL Server, Oracle) especially if you Bring Your Own License (BYOL). One important thing to call out is that for commercial engines, you are restricted by the license, which is usually tied to the CPU sockets or cores.

Explanation

Amazon Simple Notification Service (Amazon SNS) is a fast, flexible, and fully managed push messaging service. Amazon SNS can be used to make push notifications to mobile devices. Amazon SNS can deliver notifications by SMS text message or email to the Amazon Simple Queue Service (SQS) queues or to any HTTP endpoint. In this case user can use the SNS apis to send SMS.

Explanation

Amazon S3 supports several mechanisms that give you flexibility to control who can access your data as well as how, when, and where they can access it. Amazon S3 provides four different access control mechanisms: AWS Identity and Access Management (IAM) policies, Access Control Lists (ACLs), bucket policies, and query string authentication. IAM enables organizationsto create and manage multiple users under a single AWS account. With IAM policies, you can grant IAM users fine-grained control to your Amazon S3 bucket or objects. You can use ACLs to selectively add (grant) certain permissions on individual objects. Amazon S3 bucket policies can be used to add or deny permissions across some or all of the objects within a single bucket. With Query string authentication, you have the ability to share Amazon S3 objects through URLs that are valid for a specified period of time.

Explanation

The user may want to stop the automated scaling processes on the Auto Scaling groups either to perform manual operations or during emergency situations. To perform this, the user can suspend one or more scaling processes at any time. Once it is completed, the user can resume all the suspended processes.

Explanation

Failing to accurately estimate your costs before migration and during the migration process is a recipe for disaster. To build a migration model for optimal efficiency, it is important to accurately understand the current costs of running on-premises applications, as well as the interim costs incurred during the transition

Explanation

Instances that you launch into a default subnet receive both a public IP address and a private IP address. Instances in a default subnet also receive both public and private DNS hostnames. Instances that you launch into a nondefault subnet in a default VPC don’t receive a public IP address or a DNS hostname. You can change your subnet’s default public IP addressing behavior

Explanation

To determine your instance’s public IP address from within the instance, you can use instance metadata. Use the following command to access the public IP address: For Linux use, $ curl http://169.254.169.254/latest/meta-data/public-ipv4, and for Windows use, $ wget http://169.254.169.254/latest/meta-data/public-ipv4.

Explanation

DynamoDB tables are portioned based on the following: First, calculate total RCU/3000 + total WCU/1000. Then calculate the total size/10 GB. Then round up the higher of the two results

Explanation

Amazon API Gateway automatically protects your backend systems from distributed denial-of-service (DDoS) attacks, whether attacked with counterfeit requests (Layer 7) or SYN floods (Layer 3). Additional reading is available here (https://aws.amazon.com/api-gateway/faqs/).

AWS Shield Advanced includes intelligent DDoS attack detection and mitigation for not only for the network layer (layer 3) and transport layer (layer 4) attacks but also for application layer (layer 7) attacks.

NACLs do not provide DDoS mitigation. They are used to control ingress and egress into a subnet based on port and source IP range. Route 53 can protect against DNS based DDoS attacks but does not protect entire layers. Elastic Load Balancing can protect EC2 instances specifically, but not other AWS resources.

Explanation

You can run Amazon RDS for Oracle under two different licensing models – “License Included” and “Bring-Your-Own-License (BYOL)”. In the “License Included” service model, you do not need separately purchased Oracle licenses; the Oracle Database software has been licensed by AWS.

Explanation

Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments. Amazon RDS uses several different technologies to provide failover support. Multi-AZ deployments for Oracle, PostgreSQL, MySQL, and MariaDB DB instances use Amazon’s failover technology. SQL Server DB instances use SQL Server Mirroring. Amazon Aurora instances stores copies of the data in a DB cluster across multiple Availability Zones in a single region, regardless of whether the instances in the DB cluster span multiple Availability Zones.

Explanation

Each subnet must be associated with a route table, which controls the routing for the subnet. If you don’t explicitly associate a subnet with a particular route table, the subnet is implicitly associated with the main route table. A route in the route table to an Internet Gateway marks the subnet as a public subnet and no route to an Internet Gateway marks the subnet as private.

Explanation

Several factors can affect the performance of Amazon EBS volumes, such as instance configuration, I/O characteristics, workload demand, and storage configuration. IOPS are input/output operations per second. Amazon EBS measures each I/O operation per second (that is 256 KB or smaller) as one IOPS. I/O operations that are larger than 256 KB are counted in 256 KB capacity units. For example, a 1,024 KB I/O operation would count as 4 IOPS. When you provision a 4,000 IOPS volume and attach it to an EBS-optimized instance that can provide the necessary bandwidth, you can transfer up to 4,000 chunks of data per second (provided that the I/O does not exceed the 128 MB/s per volume throughput limit of General Purpose (SSD) and Provisioned IOPS (SSD) volumes).

Explanation

By using Amazon S3 analytics storage class analysis you can analyze storage access patterns to help you decide when to transition the right data to the right storage class. This new Amazon S3 analytics feature observes data access patterns to help you determine when to transition less frequently accessed STANDARD storage to the STANDARD_IA (IA, for infrequent access) storage class.

Explanation

S3 Event Notifications can be set up on objects stored in S3. An event could be set up to notify when a delete is performed. Logging is turned off by default but can be enabled. When enabled, they can track requests to your S3 bucket.

S3 Server Access Logging tracks detailed information not currently available with CloudWatch metrics or CloudTrail logs. To track requests for access to your bucket, you can enable access logging. Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and error code, if any. Access log information can be useful in security and access audits. It can also help you learn about your customer base and understand your Amazon S3 bill.

Explanation

If you have multiple VPN connections, you can provide secure communication between sites using the AWS VPN CloudHub. The VPN CloudHub operates on a simple hub-and-spoke model that you can use with or without a VPC. This design is suitable for customers with multiple branch offices and existing Internet connections who’d like to implement a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these remote offices. To use the AWS VPN CloudHub, you must create a virtual private gateway with multiple customer gateways, each with unique Border Gateway Protocol (BGP) Autonomous System Numbers (ASNs). Customer gateways advertise the appropriate routes (BGP prefixes) over their VPN connections. These routing advertisements are received and re-advertised to each BGP peer, enabling each site to send data to and receive data from the other sites. The routes for each spoke must have unique ASNs and the sites must not have overlapping IP ranges. Each site can also send and receive data from the VPC as if they were using a standard VPN connection

Explanation

The Simple Monthly Calculator is used to calculate projected costs, assuming you know what AWS resources you’ll be consuming.

Explanation

Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of SSL protocols, SSL ciphers, and the Server Order Preference option.

Explanation

Amazon S3 Glacier Deep Archive storage class is the cheapest storage class in AWS, and the information can be retrieved within 12 hours.

The other options offer some cost savings compared to Amazon S3 Standard storage class, but Intelligent tiering would not cycle the files to an archive storage class for roughly 120 days, and the One Zone-IA storage class would provide some cost savings, but offers less durable storage, so the likelihood of losing logs is higher.

Explanation

When scaling a database, you can increase the storage capacity of a DB Instance up to a maximum of 64 terabytes (TiB). Please note that scaling the storage allocation with Amazon RDS does not incur a database outage. The performance will be increased as well.

Explanation

The key is that the requirement is for high availability at the web-tier. While multi-AZ deployments and cross-region replication can contribute to high availability, they are each at the storage tier. Route 53 with Health Checks and Failover, Elastic Load Balancer (with health checks and various forms of load balancing, and auto scaling groups create high availability at the web tier.

Explanation

Default security groups and NACLs allow inbound and outbound traffic. All traffic should be routed via internet gateway, so a route should be created with 0.0.0.0/0 as a source, and with your Internet Gateway as the target.

Explanation

An Amazon Machine Image (AMI) is a template that contains a software configuration (for example, an operating system, an application server, and applications). The AMI includes the operating system, initial state of any patches, and any application software. For example, you can select an AMI that has SQL Server. The virtual CPUs are not part of the AMI but are defined by the instance type.

Explanation

By launching your instances into a VPC instead of EC2-Classic, you gain the ability to: Assign static private IP addresses to your instances that persist across starts andstops Assign multiple IP addresses to your instances. Define network interfaces, and attach one or more network interfaces to your instances Change security group membership for your instances while they’re running Control the outbound traffic from your instances (egress filtering) in addition to controlling the inbound traffic to them (ingress filtering). Add an additional layer of access control to your instances in the form of network access control lists (ACL). Run your instances on single-tenant hardware

Explanation

Creating a custom AMI of the instance for which you are trying to provide HA allows you to bring the instance online quickly with no build time. Moving the EIP from the instance, you are replacing to the new instance will send all traffic to the new instance without any change to DNS, which would take time to propagate. Using the AutoRecover option will not replace the unhealthy or failing instance. It will only try to restart it on another host. Creating a “Steady State” Auto Scaling Group would also be a good solution, although using two as a minimum would have a higher cost.

Explanation

A placement group is a logical grouping of instances within a single Availability Zone. Cluster placement groups are recommended for applications that benefit from low network latency, high network throughput, or both. To provide the lowest latency, and the highest packet-per-second network performance for your cluster placement group, choose an instance type that supports enhanced networking

Explanation

Don’t use your AWS root account credentials to access AWS, and don’t give your credentials to anyone else. Instead, create individual users for anyone who needs access to your AWS account. Create an IAM user for yourself as well, give that user administrative privileges, and use that IAM user for all your work.

Explanation

In this case the alarm watches a metric every 5 minutes for 10 intervals. Thus, it needs at least 50 minutes to come to the “OK” state. Till then it will be in the INSUFFUCIENT_DATA state. Since 90 minutes have passed and CPU utilization is at 80% constant, the state of alarm will be “ALARM”.

Explanation

An instance store provides temporary block-level storage for your instance. This storage is located on disks that are physically attached to the host computer. Instance store is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers.

Data in the instance store is lost under the following circumstances:

• The underlying disk drive fails
• The instance stops
• The instance terminates

If the instance reboots (either intentionally or unintentionally) the data persists.

Explanation

AWS Storage Services are: Amazon S3 Amazon Glacier Amazon EBS AWS Storage Gateway

Explanation

You can host a static website on Amazon S3. On a static website, individual web pages include static content. They may also contain client-side scripts. Because your storage on Amazon S3 is virtually unlimited you can scale infinitely. You also do not need to service dynamic content so a database is not needed.

Explanation

In AWS, the instance size decides the I/O characteristics. The provisioned IOPS ensures higher throughput, and lower latency. The region does affect the latency, latency will always be less when the instance is near to the end user. Within a region the user uses any AZ and this does not affect the latency. The AZ is mainly for fault toleration or HA

Explanation

If a IAM user is trying to perform some action on an object belonging to another AWS user’s bucket, S3 will verify whether the owner of the IAM user has given sufficient permission to him. It also verifies the policy for the bucket as well as the policy defined by the object owner.

Explanation

Amazon Glacier and S3 Standard-IA are both designed for storing infrequently accessed data. This is why the data storage fees are roughly one-half to one-sixth the cost of Standard Storage. Retrieval fees will quickly add up if the data is retrieved too often, so planning or correctly setting your object lifecycle based on how often you or your company will need the data is important.

Explanation

Amazon S3 supports client side or server side encryption to encrypt all data at rest. The server side encryption can either have the S3 supplied AES-256 encryption key, or the user can send the key along with each API call to supply his own encryption key (SSE-C). If the bucket is versioning-enabled, each object version uploaded by the user using the SSE-C feature can have its own encryption key. The user is responsible for tracking which encryption key was used for which object’s version