AWS Certified Solutions Architect – Associate (SAA-C02) — Question 541
A company wants to migrate its 1 PB on-premises image repository to AWS. The images will be used by a serverless web application. Images stored in the repository are rarely accessed, but they must be immediately available. Additionally, the images must be encrypted at rest and protected from accidental deletion.
Which solution meets these requirements?
Answer options
- A. Implement client-side encryption and store the images in an Amazon S3 Glacier vault. Set a vault lock to prevent accidental deletion.
- B. Store the images in an Amazon S3 bucket in the S3 Standard-Infrequent Access (S3 Standard-IA) storage class. Enable versioning, default encryption, and MFA Delete on the S3 bucket.
- C. Store the images in an Amazon FSx for Windows File Server file share. Configure the Amazon FSx file share to use an AWS Key Management Service (AWS KMS) customer master key (CMK) to encrypt the images in the file share. Use NTFS permission sets on the images to prevent accidental deletion.
- D. Store the images in an Amazon Elastic File System (Amazon EFS) file share in the Infrequent Access storage class. Configure the EFS file share to use an AWS Key Management Service (AWS KMS) customer master key (CMK) to encrypt the images in the file share. Use NFS permission sets on the images to prevent accidental deletion.
Correct answer: B
Explanation
Amazon S3 Standard-Infrequent Access (S3 Standard-IA) is the ideal storage class for data that is rarely accessed but requires immediate, millisecond-level retrieval. Enabling default encryption secures the images at rest, while versioning and MFA Delete provide robust protection against accidental or malicious deletions. Alternative solutions using S3 Glacier do not offer immediate access, and file-based storage solutions like Amazon EFS or Amazon FSx are less suited for serverless web application architectures compared to object storage.