AWS Certified SysOps Administrator – Associate (SOA-C03) — Question 4

A company is storing backups in an Amazon S3 bucket. The backups must not be deleted for at least 3 months after the backups are created.
What should a CloudOps engineer do to meet this requirement?

Answer options

• A. Configure an IAM policy that denies the s3:DeleteObject action for all users. Three months after an object is written, remove the policy.
• B. Enable S3 Object Lock on a new S3 bucket in compliance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
• C. Enable S3 Versioning on the existing S3 bucket. Configure S3 Lifecycle rules to protect the backups.
• D. Enable S3 Object Lock on a new S3 bucket in governance mode. Place all backups in the new S3 bucket with a retention period of 3 months.

Correct answer: B

Explanation

The correct answer is B because enabling S3 Object Lock in compliance mode ensures that objects cannot be deleted or overwritten for the specified retention period, which meets the 3-month requirement. Option A is incorrect as it relies on manual policy management, which could lead to accidental deletions. Option C does not provide the same level of protection as Object Lock, allowing for potential deletions. Option D, while it uses Object Lock, does so in governance mode, which allows for deletions by users with specific permissions, failing to meet the strict retention requirement.