AWS Certified Security – Specialty (SCS-C02) — Question 99

A security engineer needs to implement a write-once-read-many (WORM) model for data that a company will store in Amazon S3 buckets. The company uses the S3 Standard storage class for all of its S3 buckets. The security engineer must ensure that objects cannot be overwritten or deleted by any user, including the AWS account root user.

Which solution will meet these requirements?

Answer options

• A. Create new S3 buckets with S3 Object Lock enabled in compliance mode. Place objects in the S3 buckets.
• B. Use S3 Glacier Vault Lock to attach a Vault Lock policy to new S3 buckets. Wait 24 hours to complete the Vault Lock process. Place objects in the S3 buckets.
• C. Create new S3 buckets with S3 Object Lock enabled in governance mode. Place objects in the S3 buckets.
• D. Create new S3 buckets with S3 Object Lock enabled in governance mode. Add a legal hold to the S3 buckets. Place objects in the S3 buckets.

Correct answer: A

Explanation

The correct answer is A because enabling S3 Object Lock in compliance mode ensures that objects cannot be deleted or overwritten by any user, including the root user, thus fulfilling the WORM requirement. Options B and D use policies that do not prevent the root user from deleting objects, and option C uses governance mode, which allows for some flexibility in deletion, also failing to meet the requirement.