The correct answer is D. Enabling S3 Object Lock with versioning, adding legal holds to the objects, and granting the s3:PutObjectLegalHold permission to authorized IAM users will ensure that the data remains immutable until explicitly changed by authorized users. Legal holds prevent objects from being deleted, and you can control who can set and remove these holds through IAM policies. This setup meets the company’s requirements for data immutability and selective deletion permissions.