AWS Certified Big Data – Specialty — Question 8
A systems engineer for a company proposes digitalization and backup of large archives for customers. The systems engineer needs to provide users with secure storage that makes sure that data will never be tampered with once it has been uploaded.
How should this be accomplished?
Answer options
- A. Create an Amazon Glacier Vault. Specify a "Deny" Vault Lock policy on this Vault to block "glacier:DeleteArchive".
- B. Create an Amazon S3 bucket. Specify a "Deny" bucket policy on this bucket to block "s3:DeleteObject".
- C. Create an Amazon Glacier Vault. Specify a "Deny" vault access policy on this Vault to block "glacier:DeleteArchive".
- D. Create a secondary AWS account containing an Amazon S3 bucket. Grant "s3:PutObject" to the primary account.
Correct answer: C
Explanation
The correct answer is C because using an Amazon Glacier Vault with a "Deny" vault access policy effectively prevents any deletion of archives, ensuring the data remains intact and unaltered. Option A is incorrect because the Vault Lock policy is not necessary for the requirement, while option B does not address the need for a tamper-proof solution as S3 does not provide the same level of immutability as Glacier. Option D introduces unnecessary complexity and does not ensure data integrity.