AWS Certified Solutions Architect - Associate / Question #1944 of 1019

Question #1944

A financial institution must retain audit logs in an Amazon S3 bucket for exactly five years to comply with regulatory standards. The logs must remain immutable and protected from any deletion or modification during the retention period.

Which solution ensures these requirements are met?

A

Activate S3 Object Lock on the audit logs and use governance mode.

B

Activate S3 Object Lock on the audit logs and use compliance mode.

C

Enable S3 versioning for the bucket and configure a lifecycle policy to delete objects after five years.

D

Apply an S3 Lifecycle policy to transition the logs to S3 Glacier Deep Archive for the five-year retention period.

Explanation

Answer B is correct because S3 Object Lock in compliance mode enforces immutability: no user, including the account root user, can alter or delete the objects until the retention period expires. This aligns with the requirement for strict regulatory compliance.

Option A (governance mode) allows privileged users to override retention settings, so it does not guarantee immutability. Option C relies on versioning and lifecycle policies but lacks Object Lock, leaving objects vulnerable to deletion or modification before the five years are up. Option D transitions data to Glacier Deep Archive but does not enforce immutability during the retention period.

Key Points:
1. Compliance mode (Object Lock) ensures strict immutability.
2. Governance mode allows exceptions, violating the requirement.
3. Lifecycle policies alone do not prevent deletion/modification.
4. Glacier transitions address storage class, not immutability.

Answer

The correct answer is: B