AWS Certified Security – Specialty (SCS-C02) — Question 35

A company has several petabytes of data. The company must preserve this data for 7 years to comply with regulatory requirements. The company's compliance team asks a security officer to develop a strategy that will prevent anyone from changing or deleting the data.
Which solution will meet this requirement MOST cost-effectively?

Answer options

• A. Create an Amazon S3 bucket. Configure the bucket to use S3 Object Lock in compliance mode. Upload the data to the bucket. Create a resource-based bucket policy that meets all the regulatory requirements.
• B. Create an Amazon S3 bucket. Configure the bucket to use S3 Object Lock in governance mode. Upload the data to the bucket. Create a user-based IAM policy that meets all the regulatory requirements.
• C. Create a vault in Amazon S3 Glacier. Create a Vault Lock policy in S3 Glacier that meets all the regulatory requirements. Upload the data to the vault.
• D. Create an Amazon S3 bucket. Upload the data to the bucket. Use a lifecycle rule to transition the data to a vault in S3 Glacier. Create a Vault Lock policy that meets all the regulatory requirements.

Correct answer: C

Explanation

The correct answer is C because using S3 Glacier with a Vault Lock policy ensures that the data is stored in a cost-effective manner while preventing any modifications or deletions, thus meeting the regulatory requirements. Options A and B utilize S3 Object Lock, which can be more expensive and may not offer the same level of cost efficiency for long-term storage. Option D, while it uses lifecycle rules, does not lock the data from being changed or deleted in the S3 bucket before moving it to Glacier.