AWS Certified Solutions Architect – Associate (SAA-C02) — Question 251

A company uses Amazon S3 to store its confidential audit documents. The S3 bucket uses bucket policies to restrict access to audit team IAM user credentials according to the principle of least privilege. Company managers are worried about accidental deletion of documents in the S3 bucket and want a more secure solution.
What should a solutions architect do to secure the audit documents?

Answer options

• A. Enable the versioning and MFA Delete features on the S3 bucket.
• B. Enable multi-factor authentication (MFA) on the IAM user credentials for each audit team IAM user account.
• C. Add an S3 Lifecycle policy to the audit team's IAM user accounts to deny the s3:DeleteObject action during audit dates.
• D. Use AWS Key Management Service (AWS KMS) to encrypt the S3 bucket and restrict audit team IAM user accounts from accessing the KMS key.

Correct answer: A

Explanation

The correct answer is A because enabling versioning allows recovery of deleted objects, and MFA Delete adds an additional layer of security by requiring multi-factor authentication to delete versions. Option B does not prevent deletion of objects; it only secures the user accounts. Option C restricts deletions based on time but does not provide a comprehensive solution for accidental deletions, while option D focuses on encryption rather than access control for deletions.