AWS Certified Security – Specialty (SCS-C02) — Question 40
A company has a new partnership with a vendor. The vendor will process data from the company's customers. The company will upload data files as objects into an Amazon S3 bucket. The vendor will download the objects to perform data processing. The objects will contain sensitive data.
A security engineer must implement a solution that prevents objects from residing in the S3 bucket for longer than 72 hours.
Which solution will meet these requirements?
Answer options
- A. Use Amazon Macie to scan the S3 bucket for sensitive data every 72 hours. Configure Macie to delete the objects that contain sensitive data when they are discovered.
- B. Configure an S3 Lifecycle rule on the S3 bucket to expire objects that have been in the S3 bucket for 72 hours.
- C. Create an Amazon EventBridge scheduled rule that invokes an AWS Lambda function every day. Program the Lambda function to remove any objects that have been in the S3 bucket for 72 hours.
- D. Use the S3 Intelligent-Tiering storage class for all objects that are uploaded to the S3 bucket. Use S3 Intelligent-Tiering to expire objects that have been in the S3 bucket for 72 hours.
Correct answer: B
Explanation
The correct answer is B because an S3 Lifecycle rule directly addresses the requirement to expire objects after 72 hours. Option A is incorrect because Macie only discovers and reports sensitive data; it does not delete objects. Option C could work, but it is more complex and less efficient than the built-in Lifecycle rule. Option D does not guarantee deletion; Intelligent-Tiering is a storage class for cost optimization, which does not meet the stated requirement.
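As an added example (not part of the original question or answer key), the following is a lifecycle configuration that implements option B. The rule ID is a placeholder you would choose yourself; the configuration would be applied to the exchange bucket with `aws s3api put-bucket-lifecycle-configuration --bucket <bucket-name> --lifecycle-configuration file://lifecycle.json`.

```json
{
  "Rules": [
    {
      "ID": "expire-vendor-exchange-objects-after-3-days",
      "Status": "Enabled",
      "Filter": { "Prefix": "" },
      "Expiration": { "Days": 3 },
      "NoncurrentVersionExpiration": { "NoncurrentDays": 1 },
      "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": 1 }
    }
  ]
}
```

Lifecycle expiration is expressed in whole days (72 hours becomes `Days: 3`), S3 rounds the expiry to the next midnight UTC after creation and runs lifecycle actions roughly once a day, so an object can remain somewhat longer than 72 hours before it is removed. The `NoncurrentVersionExpiration` and `AbortIncompleteMultipartUpload` actions are included so that, on a versioned bucket, noncurrent object versions and abandoned multipart upload parts do not outlive the rule.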