AWS Certified Data Engineer – Associate (DEA-C01) — Question 161

A company stores customer records in Amazon S3. The company must not delete or modify the customer record data for 7 years after each record is created. The root user also must not have the ability to delete or modify the data.

A data engineer wants to use S3 Object Lock to secure the data.

Which solution will meet these requirements?

Answer options

• A. Enable governance mode on the S3 bucket. Use a default retention period of 7 years.
• B. Enable compliance mode on the S3 bucket. Use a default retention period of 7 years.
• C. Place a legal hold on individual objects in the S3 bucket. Set the retention period to 7 years.
• D. Set the retention period for individual objects in the S3 bucket to 7 years.

Correct answer: B

Explanation

The correct answer is B because enabling compliance mode ensures that no one, including the root user, can delete or alter the objects until the retention period expires. Option A, governance mode, allows certain users to bypass the retention settings, which does not satisfy the requirement of protecting the data from the root user. Options C and D do not provide the necessary restrictions on deletion or modification for the entire bucket as required.