AWS Certified Security – Specialty (SCS-C02) — Question 284
A company plans to create Amazon S3 buckets to store log data. All the S3 buckets will have versioning enabled and will use the S3 Standard storage class.
A security engineer needs to implement a solution that protects objects in the S3 buckets from deletion for 90 days. The solution must ensure that no object can be deleted during this time period, even by an administrator or the AWS account root user.
Which solution will meet these requirements?
Answer options
- A. Enable S3 Object Lock in governance mode. Set a legal hold of 90 days.
- B. Enable S3 Object Lock in governance mode. Set a retention period of 90 days.
- C. Enable S3 Object Lock in compliance mode. Set a retention period of 90 days.
- D. Create an S3 Glacier Vault Lock policy that prevents deletion for 90 days.
Correct answer: C
Explanation
S3 Object Lock in compliance mode provides write-once-read-many (WORM) protection: once a retention period is set, no user, including the AWS account root user and administrators, can delete the object version or shorten the retention period until it expires. Governance mode, by contrast, lets any principal holding the s3:BypassGovernanceRetention permission override or remove the retention, so options B and (by extension) governance-mode protection in general fail the requirement. Option A is also wrong because a legal hold has no duration: it stays in place until someone with s3:PutObjectLegalHold permission removes it, so it cannot enforce a fixed 90-day window. S3 Glacier Vault Lock (option D) applies only to S3 Glacier vaults, whereas the logs are stored in S3 Standard buckets. Note that Object Lock requires versioning, which the scenario already enables.
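As an added illustration that is not part of the original question, the following is the bucket default-retention configuration that implements option C, in the JSON shape accepted by the S3 PutBucketObjectLockConfiguration API (for example via `aws s3api put-bucket-object-lock-configuration --bucket <placeholder-bucket> --object-lock-configuration file://lock.json`). Changing "COMPLIANCE" to "GOVERNANCE" yields the option B configuration, which a principal with s3:BypassGovernanceRetention could still override.

```json
{
  "ObjectLockEnabled": "Enabled",
  "Rule": {
    "DefaultRetention": {
      "Mode": "COMPLIANCE",
      "Days": 90
    }
  }
}
```

Object Lock must be enabled when the bucket is created (or turned on afterwards with versioning already active), and compliance-mode retention cannot be shortened by anyone once applied, so validate the rule on a non-production bucket before rolling it out to the log buckets.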