AWS Certified SysOps Administrator – Associate — Question 132
A company is storing backups in an Amazon S3 bucket. The backups must not be deleted for at least 3 months after the backups are created.
What should a SysOps administrator do to meet this requirement?
Answer options
- A. Configure an IAM policy that denies the s3:DeleteObject action for all users. Three months after an object is written, remove the policy.
- B. Enable S3 Object Lock on a new S3 bucket in compliance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
- C. Enable S3 Versioning on the existing S3 bucket. Configure S3 Lifecycle rules to protect the backups.
- D. Enable S3 Object Lock on a new S3 bucket in governance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
Correct answer: B
Explanation
The correct answer is B because enabling S3 Object Lock in compliance mode ensures that the backups cannot be deleted or overwritten during the specified retention period of 3 months. Option A is incorrect because an IAM policy that is simply removed after three months does not guarantee protection during that time. Option C does not provide the necessary deletion prevention, because S3 Versioning alone does not enforce retention. Option D uses governance mode, which allows certain users to delete objects, so it fails to meet the strict requirement.