AWS Certified Security – Specialty (SCS-C02) — Question 251
A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3).
A security engineer must prevent any modifications to the data in the S3 bucket.
Which solution will meet this requirement?
Answer options
- A. Configure S3 bucket policies to deny DELETE and PUT object permissions.
- B. Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.
- C. Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.
- D. Configure the S3 bucket with multi-factor authentication (MFA) delete protection.
Correct answer: B
Explanation
The correct answer is B. S3 Object Lock in compliance mode (which requires S3 Versioning to be enabled on the bucket) places a retention period on each object version, and during that period the locked version cannot be overwritten or deleted by any user, so the data stays immutable until the retention period expires. The other options do not provide the same level of data immutability: option A only restricts permissions through a bucket policy, which protects nothing once the policy itself is altered; option C changes the key used for encryption at rest but does nothing to prevent modifications; and option D adds an extra check on deletions, but it does not guarantee data immutability.