AWS Certified Solutions Architect – Associate (SAA-C02) — Question 485

A law firm needs to share information with the public. The information includes hundreds of files that must be publicly readable. Modifications or deletions of the files by anyone before a designated future date are prohibited.
Which solution will meet these requirements in the MOST secure way?

Answer options

• A. Upload all flies to an Amazon S3 bucket that is configured for static website hosting. Grant read-only IAM permissions to any AWS principals that access the S3 bucket until the designated date.
• B. Create a new Amazon S3 bucket with S3 Versioning enabled. Use S3 Object Lock with a retention period in accordance with the designated date. Configure the S3 bucket for static website hosting. Set an S3 bucket policy to allow read-only access to the objects.
• C. Create a new Amazon S3 bucket with S3 Versioning enabled. Configure an event trigger to run an AWS Lambda function in case of object modification or deletion. Configure the Lambda function to replace the objects with the original versions from a private S3 bucket.
• D. Upload all files to an Amazon S3 bucket that is configured for static website hosting. Select the folder that contains the files. Use S3 Object Lock with a retention period in accordance with the designated date. Grant read-only IAM permissions to any AWS principals that access the S3 bucket.

Correct answer: B

Explanation

Option B is correct because S3 Object Lock (which requires S3 Versioning to be enabled) provides true WORM (write once, read many) protection, guaranteeing that files cannot be deleted or overwritten until the retention period expires. Using an S3 bucket policy for static website hosting allows anonymous public read access, whereas IAM policies (Options A and D) only apply to authenticated AWS principals. Additionally, S3 Object Lock is applied at the bucket or object level, not at the folder level as suggested in Option D.