Cloud Storage Solution for On-Premise Application Hosting with AWS S3

Ensuring Secure Object Access and Administration for On-Premise Application Hosting

Prev Question Next Question

Question

You are a solutions architect.

Your organization is building an application hosting at the on-premise location.

They would like to keep the storage on AWS.

Objects/files must only be accessed via the application.

As an exception, Administrators should access the objects/files directly from AWS S3 console/API bypassing the application.

What solution would you provide?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Answer: C.

The File Gateway presents a file interface that enables you to store files as objects in Amazon S3 using the industry-standard NFS and SMB file protocols, and access those files via NFS and SMB from your datacenter or Amazon EC2, or access those files as objects with the S3 API.

For option A, with Cached Volumen Gateway, you store your data in Amazon Simple Storage Service (Amazon S3) and retain a copy of frequently accessed data subsets locally.

We can take incremental backups, called snapshots of the storage volume in S3.All gateway data and snapshot data for cached volumes are stored in Amazon S3 and encrypted at rest using server-side encryption (SSE)

However, you can't access this data with the Amazon S3 API or other tools such as the Amazon S3 Management Console.

For option B, with stored volumes, you store the entire set of volume data on-premises and store periodic point-in-time backups (snapshots) in AWS.

In this model, your on-premises storage is primary, delivering low-latency access to your entire dataset.

AWS storage is the backup that you can restore in the event of a disaster in your data center.

Option D is incorrect because the Tape Gateway enables you to replace using physical tapes on-premises with virtual tapes in AWS without changing existing backup workflows.

For more information on AWS storage gateways, refer to the documentation here.

https://docs.aws.amazon.com/storagegateway/latest/userguide/WhatIsStorageGateway.html https://d1.awsstatic.com/whitepapers/aws-storage-gateway-file-gateway-for-hybrid-architectures.pdf https://aws.amazon.com/storagegateway/vtl/
EEE Private Datacenter

NFS Client

NFS Client

AWS File ‘Simple Storage
Gateway Service

The solution that would fit the requirements stated in the question is AWS S3 with pre-signed URLs.

Amazon S3 is a scalable and durable object storage service that provides industry-leading scalability, availability, durability, and security. It can store and retrieve any amount of data, at any time, from anywhere on the web. S3 offers multiple storage classes to optimize costs, and it can also integrate with a variety of AWS services to automate workflows, build applications, and analyze data.

To meet the requirement of accessing the objects/files only via the application, you can use pre-signed URLs. A pre-signed URL is a signed URL that grants temporary access to a private object in Amazon S3. It allows you to share your object without making it publicly accessible. Pre-signed URLs can be generated programmatically, and they have a configurable expiration time.

For the exception of allowing administrators to access the objects/files directly from AWS S3 console/API bypassing the application, you can create an IAM policy that grants them the necessary permissions to access the objects/files directly. You can then generate pre-signed URLs for them as well, or they can use their AWS credentials to access the S3 console/API.

Option A, Cached Volume Gateway, is a type of AWS Storage Gateway that provides low-latency access to frequently accessed data stored in Amazon S3. It is used to store a cache of frequently accessed data on-premises, while keeping the primary data in Amazon S3. This option is not a good fit for the stated requirements.

Option B, Stored Volume Gateway, is another type of AWS Storage Gateway that stores entire data volumes on-premises while asynchronously backing them up to Amazon S3. This option is not a good fit for the stated requirements either.

Option C, File Gateway, is a type of AWS Storage Gateway that presents a file interface to applications, while storing data as objects in Amazon S3. It is used to store and retrieve files from Amazon S3, and it can be accessed via standard file protocols such as NFS, SMB, and FTP. However, it is not a good fit for the stated requirements, as it would allow direct access to the objects/files bypassing the application.

Option D, Tape Gateway, is a type of AWS Storage Gateway that provides a virtual tape library interface for backup and archiving applications. It is used to store data as virtual tapes in Amazon S3, while providing tape-like access to the data. This option is not a good fit for the stated requirements.