Question #1128
A company must ensure that data stored in Amazon S3 cannot be deleted for a minimum of 5 years due to regulatory requirements. However, authorized administrators should be able to delete objects before the 5-year period if necessary. The solution must ensure that only specific IAM users can override the retention settings.
What should a solutions architect do to meet these requirements?
A. Create an S3 Glacier vault with a WORM vault lock policy set to 5 years.
B. Create an S3 bucket with S3 Object Lock enabled, enable versioning, set a 5-year retention period in governance mode, and add s3:BypassGovernanceRetention to the IAM policies of authorized users.
C. Use AWS CloudTrail to monitor deletion events and automatically restore objects from backups if deleted prematurely.
D. Enable S3 Object Lock with a legal hold and grant s3:PutObjectLegalHold permission to authorized users.
Explanation
Option B is correct because:
1. S3 Object Lock enforces retention periods (WORM).
2. Governance mode allows authorized users (with s3:BypassGovernanceRetention permission) to delete objects before the retention period ends.
3. Versioning is required for Object Lock to work.
Other options fail because:
- A: S3 Glacier vaults are for archival, not S3 object retention.
- C: CloudTrail monitoring is reactive and doesn't prevent deletions.
- D: Legal hold is indefinite and doesn't enforce a 5-year retention period.
Key Points: Use S3 Object Lock (governance mode) with versioning and IAM bypass permissions for controlled retention overrides.
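The following is an added worked example, not part of the original question or of any AWS code. It is a local simulation of the documented Object Lock decision rules, so it shows why option B works and what its moving parts are: the bucket default retention JSON (the shape `put-object-lock-configuration` accepts), the IAM policy for the authorized administrators, and the check S3 applies to a version delete. One caveat practitioners often miss is built into the simulation: in governance mode, holding s3:BypassGovernanceRetention is not enough on its own; the request must also carry the x-amz-bypass-governance-retention header (`--bypass-governance-retention` in the CLI). The bucket name, principal names, object keys and dates are constructed placeholders.

```python
"""Constructed example: how S3 Object Lock governance mode decides whether a
version delete goes through. Local simulation of the documented rules; it does
not call AWS and is not AWS's own policy-evaluation engine."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Bucket-level default retention, in the JSON shape that
# `aws s3api put-object-lock-configuration --object-lock-configuration file://lock.json`
# accepts. Object Lock requires versioning, which is why option B enables both.
OBJECT_LOCK_CONFIGURATION = {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Years": 5}},
}

# Identity policy for the authorized administrators (bucket name is a placeholder).
BYPASS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:DeleteObjectVersion", "s3:BypassGovernanceRetention"],
        "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
    }],
}


def allowed_actions(policy):
    """Flatten the Allow actions of a simple identity policy into a set."""
    acts = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow":
            acts.update(stmt["Action"])
    return acts


@dataclass
class ObjectVersion:
    key: str
    version_id: str
    mode: str                  # "GOVERNANCE" or "COMPLIANCE"
    retain_until: datetime
    legal_hold: bool = False


@dataclass
class Principal:
    name: str
    actions: set = field(default_factory=set)


def retain_until_from_default(created, years=5):
    """Retain-until date a new version gets from the bucket default above."""
    return created.replace(year=created.year + years)


def evaluate_delete_version(obj, principal, bypass_header, now):
    """Decide a DELETE that names a versionId. Returns (decision, reason)."""
    if "s3:DeleteObjectVersion" not in principal.actions:
        return "DENY", "no s3:DeleteObjectVersion permission"
    if obj.legal_hold:
        return "DENY", "legal hold set; it must be removed first (s3:PutObjectLegalHold)"
    if now >= obj.retain_until:
        return "ALLOW", "retention period has expired"
    if obj.mode == "COMPLIANCE":
        return "DENY", "compliance mode: no principal can shorten retention"
    # Governance mode: override needs BOTH the IAM permission and the explicit
    # x-amz-bypass-governance-retention header (--bypass-governance-retention in the CLI).
    if "s3:BypassGovernanceRetention" not in principal.actions:
        return "DENY", "governance mode: missing s3:BypassGovernanceRetention"
    if not bypass_header:
        return "DENY", "governance mode: bypass permission held but header not sent"
    return "ALLOW", "governance mode bypass by authorized administrator"


def evaluate_delete_without_version(obj):
    """A DELETE with no versionId on a versioned bucket only adds a delete marker;
    the locked version stays retrievable, so Object Lock does not block it."""
    return "DELETE_MARKER", f"{obj.key} hidden by a delete marker; version {obj.version_id} retained"


# Constructed sample data: a log object written 2025-01-15 under the 5-year default.
CREATED = datetime(2025, 1, 15, tzinfo=timezone.utc)
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2030, 2, 1, tzinfo=timezone.utc)
ADMIN = Principal("retention-admin", allowed_actions(BYPASS_POLICY))
ANALYST = Principal("analyst", {"s3:DeleteObjectVersion"})


def demo():
    """Run the check across the cases the question contrasts."""
    gov = ObjectVersion("audit/2025-01.log", "v1", "GOVERNANCE", retain_until_from_default(CREATED))
    comp = ObjectVersion("audit/2025-01.log", "v2", "COMPLIANCE", retain_until_from_default(CREATED))
    held = ObjectVersion("audit/2025-01.log", "v3", "GOVERNANCE", retain_until_from_default(CREATED),
                         legal_hold=True)
    return {
        "admin_with_header": evaluate_delete_version(gov, ADMIN, True, NOW)[0],
        "admin_no_header": evaluate_delete_version(gov, ADMIN, False, NOW)[0],
        "analyst_with_header": evaluate_delete_version(gov, ANALYST, True, NOW)[0],
        "compliance_admin": evaluate_delete_version(comp, ADMIN, True, NOW)[0],
        "legal_hold_admin": evaluate_delete_version(held, ADMIN, True, NOW)[0],
        "analyst_after_expiry": evaluate_delete_version(gov, ANALYST, False, AFTER_EXPIRY)[0],
        "no_version_id": evaluate_delete_without_version(gov)[0],
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} -> {decision}")
```

The `compliance_admin` and `legal_hold_admin` cases are why options A and D do not fit: a compliance-style lock (or a vault lock) gives no authorized-override path, and a legal hold has no expiry date at all. The `no_version_id` case is a useful reminder when testing: a plain delete on a versioned, locked bucket appears to succeed, but it only adds a delete marker, and the retained version is still there.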
Answer
The correct answer is: B