Question #946
A company uses an Amazon S3 bucket to store sensitive financial records that must remain unaltered for a minimum of 2 years. The compliance team is concerned that compromised credentials could lead to data tampering or deletion. Which solution ensures all current and future objects are immutable for the required duration?
A. Create a new AWS account accessible only via an IAM role. In the new account, create an S3 bucket with Versioning and Object Lock in Governance mode. Configure a default retention period of 2 years. Set up replication from the existing S3 bucket to the new bucket. Use S3 Batch Operations to copy all existing objects to the new bucket.
B. Enable the s3-bucket-versioning-enabled AWS Config rule. Configure an automatic remediation action using AWS Lambda to enforce S3 Versioning and MFA Delete. Add an S3 Lifecycle rule to transition objects to Glacier after 2 years.
C. Define an AWS Service Catalog product requiring S3 Versioning and Object Lock with a 2-year retention period. Restrict bucket creation to Service Catalog users. Authorize users to provision compliant buckets but do not address existing data.
D. Enable Amazon GuardDuty with S3 protection and logging. Implement an S3 Lifecycle policy to delete objects after 2 years. Rely on GuardDuty alerts to detect unauthorized deletion attempts.
Explanation
The correct answer is A because it uses S3 Object Lock in Governance mode with a default retention period of 2 years, ensuring all objects (existing and new) are immutable. Key points:
1. Object Lock: Enforces WORM (Write-Once-Read-Many) compliance, preventing tampering or deletion.
2. Replication & Batch Operations: Ensures existing objects are copied with retention settings, and new objects inherit the policy via replication.
3. Separate AWS Account: Limits access via IAM roles, reducing risk from compromised credentials.
Other options are incorrect because:
- B: Relies on MFA Delete and Lifecycle rules, which do not enforce immutability. Glacier transitions do not prevent deletion before 2 years.
- C: Only applies to new buckets created via Service Catalog, ignoring existing data.
- D: GuardDuty detects threats but does not prevent deletion. Lifecycle policy deletes objects, conflicting with the requirement.
Key Takeaway: S3 Object Lock with Governance/Compliance mode and Versioning is critical for immutable storage. Replication and Batch Operations ensure existing data compliance.
Answer
The correct answer is: A
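As an added illustration (not part of the original question set), the following Python audits a bucket's Object Lock configuration against the 2-year requirement from option A. It works on the `ObjectLockConfiguration` dict in the shape boto3's `get_object_lock_configuration()` returns, but the sample dicts are constructed inline and no AWS call is made; the `require_compliance_mode` flag reflects that Governance mode can be bypassed by principals holding `s3:BypassGovernanceRetention`, while Compliance mode cannot.

```python
"""Audit an S3 Object Lock configuration against a minimum default retention.

Constructed example: the dicts below mimic the ObjectLockConfiguration part of
boto3's get_object_lock_configuration() response; nothing here calls AWS.
"""
from typing import List, Optional

MIN_RETENTION_DAYS = 2 * 365  # "must remain unaltered for a minimum of 2 years"


def required_lock_configuration(years: int = 2, mode: str = "GOVERNANCE") -> dict:
    """Build the configuration that would be passed to put_object_lock_configuration()."""
    if mode not in ("GOVERNANCE", "COMPLIANCE"):
        raise ValueError("mode must be GOVERNANCE or COMPLIANCE")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Years": years}}}


def retention_days(default_retention: dict) -> int:
    """Normalise the API's Days/Years choice (mutually exclusive) to a day count."""
    if "Years" in default_retention:
        return int(default_retention["Years"]) * 365
    return int(default_retention.get("Days", 0))


def audit_lock_configuration(config: Optional[dict], min_days: int = MIN_RETENTION_DAYS,
                             require_compliance_mode: bool = False) -> List[str]:
    """Return findings; an empty list means the bucket meets the retention requirement.

    config is None when the bucket has no Object Lock configuration at all
    (boto3 raises ObjectLockConfigurationNotFoundError in that case).
    """
    if not config or config.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled: versioning alone does not prevent deletion"]
    rule = config.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return ["no default retention rule: new objects are not locked automatically"]
    findings = []
    mode = rule.get("Mode")
    if mode not in ("GOVERNANCE", "COMPLIANCE"):
        findings.append(f"unknown retention mode {mode!r}")
    elif require_compliance_mode and mode != "COMPLIANCE":
        # Governance mode is overridable via s3:BypassGovernanceRetention.
        findings.append("retention mode is GOVERNANCE; COMPLIANCE required")
    days = retention_days(rule)
    if days < min_days:
        findings.append(f"default retention of {days} days is below the required {min_days}")
    return findings


# Constructed sample: a bucket whose default retention is far too short.
SHORT_RETENTION = {"ObjectLockEnabled": "Enabled",
                   "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}}
```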