AWS Certified Solutions Architect – Professional (SAP-C02) — Question 411
A company has an application that stores data in a single Amazon S3 bucket. The company must keep all data for 1 year. The company’s security team is concerned that an attacker could gain access to the AWS account through leaked long-term credentials.
Which solution will ensure that existing and future objects in the S3 bucket are protected?
Answer options
- A. Create a new AWS account that is accessible only to the security team through an assumed role. Create an S3 bucket in the new account. Enable S3 Versioning and S3 Object Lock. Configure a default retention period of 1 year. Set up replication from the existing S3 bucket to the new S3 bucket. Create an S3 Batch Replication job to copy all existing data.
- B. Use the s3-bucket-versioning-enabled AWS Config managed rule. Configure an automatic remediation action that uses an AWS Lambda function to enable S3 Versioning and MFA Delete on noncompliant resources. Add an S3 Lifecycle rule to delete objects after 1 year.
- C. Explicitly deny bucket creation from all users and roles except for an AWS Service Catalog launch constraint role. Define a Service Catalog product for the creation of the S3 bucket to force S3 Versioning and MFA Delete to be enabled. Authorize users to launch the product when they need to create an S3 bucket.
- D. Enable Amazon GuardDuty with the S3 protection feature for the account and the AWS Region. Add an S3 Lifecycle rule to delete objects after 1 year.
Correct answer: A
Explanation
To fully protect data against compromised credentials in the primary account, replicating existing and new objects to a separate, highly restricted AWS account with S3 Object Lock enabled is the most secure method. S3 Object Lock in Compliance mode ensures that objects cannot be deleted or overwritten by any user, including root, for the duration of the retention period. Other options keep the data in the compromised account, where an attacker with administrative privileges could still delete the data or modify retention policies.