AWS Certified Security – Specialty (SCS-C02) — Question 138

A company needs a solution to protect critical data from being permanently deleted. The data is stored in Amazon S3 buckets.

The company needs to replicate the S3 objects from the company's primary AWS Region to a secondary Region to meet disaster recovery requirements. The company must also ensure that users who have administrator access cannot permanently delete the data in the secondary Region.

Which solution will meet these requirements?

Answer options

• A. Configure AWS Backup to perform cross-Region S3 backups. Select a backup vault in the secondary Region. Enable AWS Backup Vault Lock in governance mode for the backups in the secondary Region.
• B. Implement S3 Object Lock in compliance mode in the primary Region. Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region.
• C. Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region. Create an S3 bucket policy to deny the s3:ReplicateDelete action on the S3 bucket in the secondary Region.
• D. Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region. Configure S3 object versioning on the S3 bucket in the secondary Region.

Correct answer: B

Explanation

The correct answer is B because S3 Object Lock in compliance mode ensures that the objects cannot be deleted or overwritten for a specified retention period, thus fulfilling the requirement of protecting data from permanent deletion. Option A does not directly prevent deletion of objects in the secondary Region. Option C offers a policy that restricts deletion but does not provide the same level of data protection as Object Lock. Option D enables versioning but does not prevent permanent deletion during the versioning lifecycle.