{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "192.168.1.0/24" }
      }
    }
  ]
}

2. Apply the bucket policy:
   aws s3api put-bucket-policy --bucket bucket-name --policy file://policy.json

3. Verify restricted access:
   Test access from allowed and disallowed IPs.

Explanation:
IP-based restrictions enhance security by allowing access only from trusted networks.

Enable and configure server access logging for a specific bucket in RADOS Gateway.
See the solution below.

Solution:
1. Create a bucket for logs:
   aws s3api create-bucket --bucket log-bucket

2. Enable access logging for the target bucket:
   aws s3api put-bucket-logging --bucket target-bucket --bucket-logging-status '{"LoggingEnabled": {"TargetBucket": "log-bucket", "TargetPrefix": "logs/"}}'

3. Verify logs:
   Upload objects to the target bucket and check the logs.

Explanation:
Access logging provides insights into bucket activity, useful for auditing and monitoring.

Configure a Swift container to limit the maximum number of stored objects.
See the solution below.

Solution:
1. Set the container quota:
   swift post my-container -H "X-Container-Meta-Quota-Count:1000"

2. Verify the quota:
   swift stat my-container

Explanation:
Limiting the number of objects in a Swift container ensures resource usage remains under control.

Enable object expiration in RADOS Gateway for S3 buckets and verify object deletion.
See the solution below.

Solution:
1. Create an expiration rule in a lifecycle policy (lifecycle.json):

{
  "Rules": [
    {
      "ID": "ExpireRule",
      "Status": "Enabled",
      "Filter": { "Prefix": "" },
      "Expiration": { "Days": 30 }
    }
  ]
}

2. Apply the lifecycle policy:
   aws s3api put-bucket-lifecycle-configuration --bucket bucket-name --lifecycle-configuration file://lifecycle.json

3. Verify expiration:
   Check if objects older than 30 days are deleted.

Explanation:
Object expiration reduces storage costs by automatically deleting unused or old objects.

Create a custom domain name for a bucket in RADOS Gateway using CNAME records.
See the solution below.

Solution:
1. Create a CNAME record pointing to the RADOS Gateway endpoint:
   echo "bucket.example.com CNAME rgw.example.com" >> dns-zone-file

2. Test the custom domain:
   Access the bucket using http://bucket.example.com.

Explanation:
Custom domains simplify access to buckets by providing user-friendly URLs.

Configure a Swift container to expire objects after a specified time interval.
See the solution below.

Solution:
1. Set the expiration time:
   swift post my-container -H "X-Delete-After:3600"

2. Verify the expiration:
   swift stat my-container

Explanation:
Setting expiration times automates object deletion, freeing up storage space for new data.

Configure a bucket policy in RADOS Gateway to allow access to a specific AWS IAM role.
See the solution below.

Solution:
1. Create a bucket policy JSON file (policy.json):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::account-id:role/role-name" },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}

2. Apply the policy:
   aws s3api put-bucket-policy --bucket bucket-name --policy file://policy.json

3. Verify access using the IAM role.

Explanation:
This setup ensures that only the specified IAM role can perform actions on the bucket, enhancing access control.

Enable object locking on an S3 bucket in RADOS Gateway with a governance retention policy.
See the solution below.

Solution:
1. Enable object locking during bucket creation:
   aws s3api create-bucket --bucket bucket-name --object-lock-enabled-for-bucket

2. Set a governance retention policy:
   aws s3api put-object-lock-configuration --bucket bucket-name --object-lock-configuration '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"GOVERNANCE","Days":30}}}'

3. Verify the retention policy:
   aws s3api get-object-lock-configuration --bucket bucket-name

Explanation:
Object locking protects objects from accidental deletion, ensuring compliance with data retention policies.

Implement and test cross-origin resource sharing (CORS) for a bucket in RADOS Gateway.
See the solution below.

Solution:
1. Create a CORS configuration file (cors.json):

{
  "CORSRules": [
    {
      "AllowedOrigins": ["*"],
      "AllowedMethods": ["GET", "PUT"],
      "AllowedHeaders": ["*"]
    }
  ]
}

2. Apply the CORS configuration:
   aws s3api put-bucket-cors --bucket bucket-name --cors-configuration file://cors.json

3. Verify CORS access from a web application.

Explanation:
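
Added example, not part of the original page: a Python check that can be run offline over the IP-restricted bucket policy, the IAM-role policy and the CORS rules from the exercises above, to predict the result of the "allowed and disallowed IPs" test and to list the wildcard grants before the files are applied. The function names and test addresses are constructed for illustration, and the evaluator models only the aws:SourceIp condition.

```python
import ipaddress

# Constructed copies of the page's policy.json (both variants) and cors.json.
IP_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::bucket-name/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "192.168.1.0/24"}}}]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::account-id:role/role-name"},
    "Action": "s3:*", "Resource": "arn:aws:s3:::bucket-name/*"}]}
CORS = {"CORSRules": [{"AllowedOrigins": ["*"],
                       "AllowedMethods": ["GET", "PUT"],
                       "AllowedHeaders": ["*"]}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def source_ip_allowed(policy, ip):
    """True if an Allow statement admits a request arriving from `ip`.
    Simplification: principal, action, resource and other conditions are ignored."""
    addr = ipaddress.ip_address(ip)
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        cidrs = st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
        if cidrs is None:
            return True  # no aws:SourceIp condition: every address matches
        if any(addr in ipaddress.ip_network(c, strict=False) for c in as_list(cidrs)):
            return True
    return False

def review_policy(policy):
    """List wildcard grants in the Allow statements of a bucket policy."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws:
            gate = "limited only by its Condition" if st.get("Condition") else "unconditional"
            findings.append(f"statement {i}: anonymous principal, {gate}")
        if any(a in ("*", "s3:*") for a in as_list(st.get("Action", []))):
            findings.append(f"statement {i}: wildcard action")
    return findings

def review_cors(cors):
    """List CORS rules that let any origin issue write requests."""
    return [f"rule {i}: any origin may send {m}"
            for i, rule in enumerate(cors["CORSRules"]) if "*" in rule["AllowedOrigins"]
            for m in rule["AllowedMethods"] if m in ("PUT", "POST", "DELETE")]
```

The aws:SourceIp comparison uses the client address as the gateway sees it, so when a load balancer or reverse proxy sits in front of RGW, run the allowed/disallowed test through that path as well.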

3. Apply the new CRUSH map:
   crushtool -c crush.txt -o crush.map
   ceph osd setcrushmap -i crush.map

Explanation:
CRUSH maps define how data is distributed across OSDs. Customizing these maps allows fine-grained control over data placement.

Set up Ceph storage with authentication enabled and verify that clients require keys to access the cluster.
See the solution below.

Solution:
1. Enable authentication in the Ceph configuration file:
   ceph config set mon auth_allow_insecure_global_id_reclaim false

2. Generate a client key:
   ceph auth get-or-create client.admin

3. Verify client access using the key:
   ceph -s --keyring /etc/ceph/ceph.client.admin.keyring

Explanation:
Enabling authentication adds a layer of security, ensuring only authorized clients can interact with the cluster.

Deploy Ceph storage and configure BlueStore as the OSD backend for optimal performance.
See the solution below.

Solution:
1. Update the playbook with BlueStore settings:
   osd_objectstore: bluestore