AWS Certified Solutions Architect – Associate (SAA-C03) — Question 435
A company stores data in PDF format in an Amazon S3 bucket. The company must follow a legal requirement to retain all new and existing data in Amazon S3 for 7 years.
Which solution will meet these requirements with the LEAST operational overhead?
Answer options
- A. Turn on the S3 Versioning feature for the S3 bucket. Configure S3 Lifecycle to delete the data after 7 years. Configure multi-factor authentication (MFA) delete for all S3 objects.
- B. Turn on S3 Object Lock with governance retention mode for the S3 bucket. Set the retention period to expire after 7 years. Recopy all existing objects to bring the existing data into compliance.
- C. Turn on S3 Object Lock with compliance retention mode for the S3 bucket. Set the retention period to expire after 7 years. Recopy all existing objects to bring the existing data into compliance.
- D. Turn on S3 Object Lock with compliance retention mode for the S3 bucket. Set the retention period to expire after 7 years. Use S3 Batch Operations to bring the existing data into compliance.
Correct answer: D
Explanation
S3 Object Lock in compliance retention mode prevents any user, including the root account, from deleting or overwriting a protected object version until its retention period expires, which meets strict legal retention requirements. Applying this lock to pre-existing objects is most efficiently done with S3 Batch Operations, which minimizes operational overhead compared to manually recopying every object. Governance mode can be bypassed by certain users, and S3 Lifecycle with MFA delete does not provide the same level of write-once-read-many (WORM) compliance protection.