Amazon S3 Glacier

  • Long-term archival solution optimized for infrequently used data, or “cold data.”
  • Glacier is a REST-based web service.
  • You can store an unlimited number of archives and an unlimited amount of data.
  • You cannot specify Glacier as the storage class at the time you create an object.
  • It is designed to provide an average annual durability of 99.999999999% for an archive. Glacier synchronously stores your data across multiple AZs before confirming a successful upload.
  • To prevent corruption of data packets over the wire, Glacier uploads the checksum of the data during data upload. It compares the received checksum with the checksum of the received data and validates data authenticity with checksums during data retrieval.
  • Glacier works together with Amazon S3 lifecycle rules to help you automate archiving of S3 data and reduce your overall storage costs. Requested archival data is copied to S3 One Zone-IA.
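
The checksum mentioned above is carried by the Glacier API as a SHA-256 tree hash computed over 1 MiB chunks (the x-amz-sha256-tree-hash header). The following is an added example, not code from the original page: it computes that tree hash and uses it to verify a retrieved archive. The function names and the SAMPLE payload are constructed for illustration.

```python
import hashlib
import hmac

MIB = 1024 * 1024  # tree-hash leaves are SHA-256 digests of 1 MiB chunks

# Constructed sample payload: 2.5 MiB, so the last chunk is a partial one.
SAMPLE = bytes(range(256)) * 10240


def tree_hash(data: bytes) -> str:
    """Return the hex SHA-256 tree hash of an archive or upload part."""
    # Leaf level: one digest per 1 MiB chunk (an empty payload is one empty chunk).
    level = [hashlib.sha256(data[i:i + MIB]).digest()
             for i in range(0, len(data), MIB)] or [hashlib.sha256(b"").digest()]
    # Combine adjacent digests pairwise until a single root remains.
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(hashlib.sha256(level[i] + level[i + 1]).digest())
            else:
                nxt.append(level[i])  # odd digest is promoted unchanged
        level = nxt
    return level[0].hex()


def verify_archive(data: bytes, expected_tree_hash: str) -> bool:
    """Check retrieved bytes against the tree hash recorded at upload time."""
    return hmac.compare_digest(tree_hash(data), expected_tree_hash.lower())


if __name__ == "__main__":
    recorded = tree_hash(SAMPLE)              # value kept when the archive was uploaded
    print("intact   :", verify_archive(SAMPLE, recorded))
    damaged = SAMPLE[:-1] + b"\x00"           # one byte changed in transit or at rest
    print("corrupted:", verify_archive(damaged, recorded))
```

Store the tree hash returned at upload alongside the archive ID, since Glacier archives carry no additional metadata and the inventory is only refreshed about once a day.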

Data Model

  • Vault
    • A container for storing archives.
    • Each vault resource has a unique address with form:
      https://region-specific-endpoint/account-id/vaults/vault-name
    • You can store an unlimited number of archives in a vault.
    • Vault operations are Region specific.
  • Archive
    • Can be any data such as a photo, video, or document and is a base unit of storage in Glacier.
    • Each archive has a unique address with form:
      https://region-specific-endpoint/account-id/vaults/vault-name/archives/archive-id
  • Job
    • You can perform a select query on an archive, retrieve an archive, or get an inventory of a vault. Glacier Select runs the query in place and writes the output results to Amazon S3.
    • Select, archive retrieval, and vault inventory jobs are associated with a vault. A vault can have multiple jobs in progress at any point in time.
  • Notification Configuration
    • Because jobs take time to complete, Glacier supports a notification mechanism to notify you when a job is complete.

Glacier Operations

  • Retrieving an archive (asynchronous operation)
  • Retrieving a vault inventory (list of archives) (asynchronous operation)
  • Create and delete vaults
  • Get the vault description for a specific vault or for all vaults in a region
  • Set, retrieve, and delete a notification configuration on the vault
  • Upload and delete archives. You cannot update an existing archive.
  • Glacier job types: select, archive-retrieval, inventory-retrieval.

Vaults

  • Vault operations are region specific.
  • Vault names must be unique within an account and the region in which the vault is being created.
  • You can delete a vault only if there are no archives in the vault as of the last inventory that Glacier computed and there have been no writes to the vault since the last inventory.
  • You can retrieve vault information such as the vault creation date, number of archives in the vault, and the total size of all the archives in the vault.
  • Glacier maintains an inventory of all archives in each of your vaults for disaster recovery or occasional reconciliation. A vault inventory refers to the list of archives in a vault. Glacier updates the vault inventory approximately once a day. Downloading a vault inventory is an asynchronous operation.
  • You can assign your own metadata to Glacier vaults in the form of tags. A tag is a key-value pair that you define for a vault.
  • Glacier Vault Lock allows you to easily deploy and enforce compliance controls for individual Glacier vaults with a vault lock policy. You can specify controls such as “write once read many” (WORM) in a vault lock policy and lock the policy from future edits. Once locked, the policy can no longer be changed.

Archives

  • Glacier supports the following basic archive operations: upload, download, and delete. Downloading an archive is an asynchronous operation.
  • You can upload an archive in a single operation or upload it in parts.
  • Using the multipart upload API, you can upload large archives, up to about 10,000 x 4 GB.
  • You cannot upload archives to Glacier by using the management console. Use the AWS CLI or write code to make requests, by using either the REST API directly or by using the AWS SDKs.
  • You cannot delete an archive using the Amazon S3 Glacier (Glacier) management console. Glacier provides an API call that you can use to delete one archive at a time.
  • After you upload an archive, you cannot update its content or its description. The only way you can update the archive content or its description is by deleting the archive and uploading another archive.
  • Glacier does not support any additional metadata for the archives.

Glacier Select

  • You can perform filtering operations using simple SQL statements directly on your data in Glacier.
  • You can run queries and custom analytics on your data that is stored in Glacier, without having to restore your data to a hotter tier like S3.
  • When you perform select queries, Glacier provides three data access tiers:
    • Expedited – data accessed is typically made available within 1–5 minutes.
    • Standard – data accessed is typically made available within 3–5 hours.
    • Bulk – data accessed is typically made available within 5–12 hours.

Glacier Data Retrieval Policies

  • Set data retrieval limits and manage the data retrieval activities across your AWS account in each region.
  • Three types of policies:
    • Free Tier Only – you can keep your retrievals within your daily free tier allowance and not incur any data retrieval cost.
    • Max Retrieval Rate – ensures that the peak retrieval rate from all retrieval jobs across your account in a region does not exceed the bytes-per-hour limit you set.
    • No Retrieval Limit

Security

  • Glacier encrypts your data at rest by default and supports secure data transit with SSL.
  • Data stored in Amazon Glacier is immutable, meaning that after an archive is created it cannot be updated.
  • Access to Glacier requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access Glacier vaults or S3 buckets.
  • Glacier requires all requests to be signed for authentication protection. To sign a request, you calculate a digital signature using a cryptographic hash function that returns a hash value that you include in the request as your signature.
  • Glacier supports policies only at the vault level.
  • You can attach identity-based policies to IAM identities.
  • A Glacier vault is the primary resource and resource-based policies are referred to as vault policies.
  • When activity occurs in Glacier, that activity is recorded in a CloudTrail event along with other AWS service events in Event History.

Pricing

  • You are charged per GB per month of storage.
  • You are charged for retrieval operations such as retrieve requests and amount of data retrieved depending on the data access tier – Expedited, Standard, or Bulk.
  • Upload requests are charged.
  • You are charged for data transferred out of Glacier.
  • Pricing for Glacier Select is based upon the total amount of data scanned, the amount of data returned, and the number of requests initiated.
  • There is a charge if you delete data within 90 days.

Limits

  • Under a single AWS account, you can have up to 1000 vaults.

Free Amazon Glacier Tutorials on YouTube:

https://www.youtube.com/user/AmazonWebServices/search?query=Glacier


Validate Your Knowledge

Question 1

A company plans to migrate their application to AWS. The application data will be stored in Amazon S3 Glacier and must be archived for at least 7 years.

Which of the following options would enforce regulatory and compliance requirements?

  1. Create a Glacier vault lock policy.
  2. Enable Glacier vault notifications.
  3. Create a Glacier vault access policy.
  4. Set up a Glacier data retrieval policy.

Correct Answer: 1

Amazon S3 Glacier is a secure, durable, and extremely low-cost Amazon S3 storage class for data archiving and long-term backup. With S3 Glacier, customers can store their data cost effectively for months, years, or even decades. S3 Glacier enables customers to offload the administrative burdens of operating and scaling storage to AWS, so they don’t have to worry about capacity planning, hardware provisioning, data replication, hardware failure detection and recovery, or time-consuming hardware migrations.

A Vault Lock policy allows you to enforce regulatory and compliance requirements on individual S3 Glacier vaults. For example, suppose you need to retain the archive data for three years before you can delete the vault. If you create a vault lock policy with those conditions and lock it, the policy becomes immutable and S3 Glacier will only allow operations that are explicitly permitted in the compliance controls you have specified.

In this scenario, you need to retain the data in Amazon S3 Glacier for 7 years. To implement this requirement, you can create a vault lock policy that denies users permissions to delete an archive until the archive has existed for five years. Remember that S3 Glacier can only have one vault access policy and one vault lock policy.
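
A vault lock policy for the question's 7-year requirement, together with an audit check for an existing policy document, is sketched below. This is an added example, not part of the original page: the vault ARN, account ID and function names are constructed, and 7 years is taken as 7 x 365 days.

```python
import json

RETENTION_DAYS = 7 * 365  # assumption: leap days ignored
# Constructed placeholder ARN, not a real vault.
VAULT_ARN = "arn:aws:glacier:us-east-1:123456789012:vaults/example-vault"


def build_vault_lock_policy(vault_arn: str, retention_days: int) -> dict:
    """Deny glacier:DeleteArchive to every principal until the archive is old enough."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "deny-delete-before-retention",
            "Principal": "*",
            "Effect": "Deny",
            "Action": "glacier:DeleteArchive",
            "Resource": [vault_arn],
            "Condition": {
                "NumericLessThan": {"glacier:ArchiveAgeInDays": str(retention_days)}
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def enforced_retention_days(policy: dict) -> int:
    """Archive age (days) below which deletion is denied for all principals; 0 if none."""
    best = 0
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not actions & {"glacier:deletearchive", "glacier:*", "*"}:
            continue
        cond = stmt.get("Condition", {})
        # Count only statements whose sole condition is the archive-age test;
        # extra condition keys narrow the deny and could leave a gap.
        if list(cond) != ["NumericLessThan"]:
            continue
        if list(cond["NumericLessThan"]) != ["glacier:ArchiveAgeInDays"]:
            continue
        best = max(best, int(cond["NumericLessThan"]["glacier:ArchiveAgeInDays"]))
    return best


if __name__ == "__main__":
    policy = build_vault_lock_policy(VAULT_ARN, RETENTION_DAYS)
    print(json.dumps(policy, indent=2))
    print("meets 7-year retention:", enforced_retention_days(policy) >= RETENTION_DAYS)
```

The JSON document is what gets submitted when initiating the vault lock; completing the lock is the step that makes it immutable, so run the audit check before that point.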

Hence, the correct answer is: Create a Glacier vault lock policy.

The option that says: Enable Glacier vault notifications is incorrect because this just sends a notification whenever the S3 Glacier archive retrieval job or vault inventory retrieval job has been completed. To enforce compliance controls in your S3 Glacier vaults, you need to create a Glacier vault lock policy.

The option that says: Create a Glacier vault access policy is incorrect because this policy is simply used to set up temporary controls, meaning that you can modify the permissions of a vault access policy at any time. A vault lock policy, by contrast, becomes immutable once you lock it and can no longer be altered.

The option that says: Set up a Glacier data retrieval policy is incorrect because this option only allows you to manage retrieval costs by setting limits on retrieval activities across your AWS account in each region. You can’t use a data retrieval policy to enforce compliance controls in your vaults.

References:
https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock.html
https://aws.amazon.com/glacier/faqs/

Note: This question was extracted from our AWS Certified SysOps Administrator Associate Practice Exams.

Question 2

An organization is currently using a tape backup solution to store its application data on-premises. They plan to use a cloud storage service to preserve the backup data for up to 10 years that may be accessed about once or twice a year.

Which of the following is the most cost-effective option to implement this solution?

  1. Use AWS Storage Gateway to backup the data directly to Amazon S3 Glacier.
  2. Order an AWS Snowball Edge appliance to import the backup directly to Amazon S3 Glacier.
  3. Use AWS Storage Gateway to backup the data directly to Amazon S3 Glacier Deep Archive.
  4. Use Amazon S3 to store the backup data and add a lifecycle rule to transition the current version to Amazon S3 Glacier.

Correct Answer: 3

Tape Gateway enables you to replace using physical tapes on-premises with virtual tapes in AWS without changing existing backup workflows. Tape Gateway supports all leading backup applications and caches virtual tapes on-premises for low-latency data access. Tape Gateway encrypts data between the gateway and AWS for secure data transfer and compresses data and transitions virtual tapes between Amazon S3 and Amazon S3 Glacier, or Amazon S3 Glacier Deep Archive, to minimize storage costs.

How Tape Gateway works

The scenario requires you to back up your application data to a cloud storage service and retain it for 10 years. Since the organization uses a tape backup solution, the correct answer must be an option that uses AWS Storage Gateway. Tape Gateway can move your virtual tapes archived in Amazon S3 Glacier or Amazon S3 Glacier Deep Archive storage class, enabling you to further reduce the monthly cost to store long-term data in the cloud by up to 75%.

Hence, the correct answer is: Use AWS Storage Gateway to backup the data directly to Amazon S3 Glacier Deep Archive.

The option that says: Use AWS Storage Gateway to backup the data directly to Amazon S3 Glacier is incorrect. Although this is a valid solution, moving to S3 Glacier is more expensive than directly backing it up to Glacier Deep Archive.

The option that says: Order an AWS Snowball Edge appliance to import the backup directly to Amazon S3 Glacier is incorrect because Snowball Edge can’t directly integrate backups to S3 Glacier. Moreover, you have to use the Amazon S3 Glacier Deep Archive storage class as it is more cost-effective than the regular Glacier class.

The option that says: Use Amazon S3 to store the backup data and add a lifecycle rule to transition the current version to Amazon S3 Glacier is incorrect. Although this is a possible solution, it is difficult to directly integrate a tape backup solution to S3 without using Storage Gateway.

References:
https://aws.amazon.com/storagegateway/faqs/
https://aws.amazon.com/s3/storage-classes/

Note: This question was extracted from our AWS Certified Solutions Architect Associate Practice Exams.


Sources: 
https://docs.aws.amazon.com/amazonglacier/latest/dev/
https://aws.amazon.com/glacier/features/?nc=sn&loc=2
https://aws.amazon.com/glacier/pricing/?nc=sn&loc=3
https://aws.amazon.com/glacier/faqs/?nc=sn&loc=6