AWS Certified Solutions Architect - Associate

Question #1465

A company stores sensitive financial records in an Amazon S3 bucket. Regulatory requirements mandate that all data must be retained immutably for 5 years, including existing objects. Which solution ensures compliance with the LEAST operational effort?

A

Enable S3 Versioning and configure a Lifecycle policy to delete objects after 5 years. Implement MFA delete for additional protection.

B

Activate S3 Object Lock in governance mode with a 5-year retention period. Manually recopy all existing objects to apply retention settings.

C

Enable S3 Object Lock in compliance mode with a 5-year retention period. Manually recopy all existing objects to enforce retention.

D

Activate S3 Object Lock in compliance mode with a 5-year retention period. Use S3 Batch Operations to apply retention settings to all existing objects.

Explanation

The correct answer is D because:
1. S3 Object Lock in compliance mode ensures immutability for the required 5-year period, preventing deletion even by root users, meeting regulatory requirements.
2. S3 Batch Operations automates applying retention settings to all existing objects, avoiding the high operational effort of manual recopying.

Why other options are incorrect:
- A: Lifecycle policies delete objects, which violates retention requirements. Versioning and MFA delete do not enforce immutability.
- B: Governance mode allows retention overrides with permissions, failing strict compliance. Manual recopying is operationally intensive.
- C: Compliance mode is correct, but manual recopying is inefficient compared to Batch Operations.

Key points:
- Use S3 Object Lock in compliance mode for regulatory immutability.
- Use S3 Batch Operations to apply retention settings to existing objects at scale.

Answer

The correct answer is: D