AWS Certified Solutions Architect – Associate (SAA-C02) — Question 648

A company needs to store data in Amazon S3 and must prevent the data from being changed. The company wants new objects that are uploaded to Amazon S3 to remain unchangeable for a nonspecific amount of time until the company decides to modify the objects. Only specific users in the company's AWS account can have the ability to delete the objects.
What should a solutions architect do to meet these requirements?

Answer options

• A. Create an S3 Glacier vault. Apply a write-once, read-many (WORM) vault lock policy to the objects.
• B. Create an S3 bucket with S3 Object Lock enabled. Enable versioning. Set a retention period of 100 years. Use governance mode as the S3 bucket's default retention mode for new objects.
• C. Create an S3 bucket. Use AWS CloudTrail to track any S3 API events that modify the objects. Upon notification, restore the modified objects from any backup versions that the company has.
• D. Create an S3 bucket with S3 Object Lock enabled. Enable versioning. Add a legal hold to the objects. Add the s3:PutObjectLegalHold permission to the IAM policies of users who need to delete the objects.

Correct answer: D

Explanation

Amazon S3 Object Lock legal hold prevents an object version from being overwritten or deleted indefinitely until the hold is explicitly removed, making it ideal for nonspecific durations. By restricting the s3:PutObjectLegalHold permission to specific IAM users, the company ensures that only designated personnel can lift the hold to modify or delete the data. Retention periods (such as 100 years in governance mode) are less suitable because they enforce a fixed time frame rather than an indefinite, on-demand duration.