
Answer-first summary for fast verification
Answer: Establish a new AWS account accessible only to the security team via an assumed role. Within this account, create an S3 bucket, enable S3 Versioning and S3 Object Lock, and set a default retention period of one year. Configure replication from the original S3 bucket to the new one and initiate an S3 Batch Replication job to transfer all existing data.
Option A is the correct answer. Creating a new AWS account that is only accessible to the security team through an assumed role significantly reduces the risk of unauthorized access through leaked long-term credentials. By setting up S3 Versioning and S3 Object Lock with a default retention period of one year, the data is protected against accidental or intentional deletion. Replicating the data to the new, secure S3 bucket ensures that even if the original bucket is compromised, the data remains safe in the new account. This comprehensive approach addresses both the security concerns and data retention requirements effectively.
Author: LeetQuiz Editorial Team
A company stores data in a single Amazon S3 bucket and must retain this data for one year. The company's security team is concerned about potential unauthorized access to the AWS account due to leaked long-term credentials. What measures should be taken to safeguard both existing and future objects in the S3 bucket?
A
Establish a new AWS account accessible only to the security team via an assumed role. Within this account, create an S3 bucket, enable S3 Versioning and S3 Object Lock, and set a default retention period of one year. Configure replication from the original S3 bucket to the new one and initiate an S3 Batch Replication job to transfer all existing data.
B
Implement the s3-bucket-versioning-enabled AWS Config managed rule. Set up an automated remediation action using an AWS Lambda function to enforce S3 Versioning and MFA Delete on non-compliant resources. Include an S3 Lifecycle rule to automatically delete objects after one year.
C
Prohibit bucket creation by all users and roles, except through an AWS Service Catalog launch constraint role. Create a Service Catalog product that mandates S3 Versioning and MFA Delete for bucket creation. Grant users permission to create buckets using this product as needed.
D
Activate Amazon GuardDuty with the S3 protection feature for the account and the relevant AWS Region. Implement an S3 Lifecycle rule to remove objects after one year.