AWS Certified Solutions Architect – Professional (SAP-C02) — Question 325

A company runs applications in hundreds of production AWS accounts. The company uses AWS Organizations with all features enabled and has a centralized backup operation that uses AWS Backup.

The company is concerned about ransomware attacks. To address this concern, the company has created a new policy that all backups must be resilient to breaches of privileged-user credentials in any production account.

Which combination of steps will meet this new requirement? (Choose three.)

Answer options

• A. Implement cross-account backup with AWS Backup vaults in designated non-production accounts.
• B. Add an SCP that restricts the modification of AWS Backup vaults.
• C. Implement AWS Backup Vault Lock in compliance mode. C. Implement least privilege access for the IAM service role that is assigned to AWS Backup.
• D. Configure the backup frequency, lifecycle, and retention period to ensure that at least one backup always exists in the cold tier.
• E. Configure AWS Backup to write all backups to an Amazon S3 bucket in a designated non-production account. Ensure that the S3 bucket has S3 Object Lock enabled.

Correct answer: A, B, C

Explanation

To protect backups from compromised production credentials, implementing cross-account backups (A) isolates the recovery points in a separate, secure non-production account. Applying a Service Control Policy (B) restricts production administrators from deleting or tampering with backup infrastructure, while AWS Backup Vault Lock in compliance mode (C) enforces strict immutability that cannot be deactivated by any user, including the root account. Other options, such as using S3 Object Lock directly (F) or relying on cold tier storage (E), do not provide the comprehensive, multi-resource vault-level protection required to defend against a privileged credential breach.