AWS Certified Security – Specialty — Question 289

A company needs to provide digital evidence to a security engineer for analysis. The evidence must be encrypted and the immutability of the source data must be maintained.
What is the MOST secure solution that meets these requirements?

Answer options

• A. Upload the digital evidence to a new Amazon S3 bucket. Set up an S3 Lifecycle configuration to move the data to S3 Glacier. Configure S3 Glacier with a vault lock policy.
• B. Upload the digital evidence to a new Amazon S3 bucket with S3 Object Lock enabled. Implement server-side encryption with AWS Key Management Service (AWS KMS).
• C. Upload the digital evidence to a new Amazon S3 bucket Configure an S3 bucket policy. Enable S3 Versioning and MFA Delete. Use S3 presigned URLs.
• D. Launch an Amazon EC2 instance. Store the digital evidence on an attached Amazon Elastic Block Store (Amazon EBS) volume. Enable termination protection, isolate the EC2 instance and take a snapshot of the EBS volume.

Correct answer: B

Explanation

Amazon S3 Object Lock provides write-once-read-many (WORM) storage, which guarantees the immutability of the uploaded forensic data, while AWS KMS provides robust, auditable encryption at rest. Transitioning data to S3 Glacier as in Option A is inefficient for immediate analysis due to retrieval delays. Options C and D fail to enforce true, immediate data immutability as effectively as S3 Object Lock.