AWS Certified Security – Specialty (SCS-C03) — Question 3
A company needs a solution to protect critical data from being permanently deleted. The data is stored in Amazon S3 buckets.
The company needs to replicate the S3 objects from the company's primary AWS Region to a secondary Region to meet disaster recovery requirements. The company must also ensure that users who have administrator access cannot permanently delete the data in the secondary Region.
Which solution will meet these requirements?
Answer options
- A. Configure AWS Backup to perform cross-Region S3 backups. Select a backup vault in the secondary Region. Enable AWS Backup Vault Lock in governance mode for the backups in the secondary Region.
- B. Implement S3 Object Lock in compliance mode in the primary Region. Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region.
- C. Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region. Create an S3 bucket policy to deny the s3:ReplicateDelete action on the S3 bucket in the secondary Region.
- D. Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region. Configure S3 object versioning on the S3 bucket in the secondary Region.
Correct answer: A
Explanation
The correct answer is A because AWS Backup with Vault Lock in governance mode ensures that even users with administrator access cannot permanently delete the backups in the secondary Region. Option B does not fully prevent deletion, since compliance mode applies only to the primary Region. Option C does not offer sufficient protection against deletion, since an administrator can still override a bucket policy. Option D provides versioning but does not prevent an administrator from deleting object versions, so it is less secure.