
A company stores data in a single Amazon S3 bucket and must retain this data for one year. The company's security team is concerned about potential unauthorized access to the AWS account due to leaked long-term credentials. What measures should be taken to safeguard both existing and future objects in the S3 bucket?
A. Establish a new AWS account accessible only to the security team via an assumed role. Within this account, create an S3 bucket, enable S3 Versioning and S3 Object Lock, and set a default retention period of one year. Configure replication from the original S3 bucket to the new one and initiate an S3 Batch Replication job to transfer all existing data.
B. Implement the s3-bucket-versioning-enabled AWS Config managed rule. Set up an automated remediation action using an AWS Lambda function to enforce S3 Versioning and MFA Delete on non-compliant resources. Include an S3 Lifecycle rule to automatically delete objects after one year.
C. Prohibit bucket creation by all users and roles, except through an AWS Service Catalog launch constraint role. Create a Service Catalog product that mandates S3 Versioning and MFA Delete for bucket creation. Grant users permission to create buckets using this product as needed.
D. Activate Amazon GuardDuty with the S3 protection feature for the account and the relevant AWS Region. Implement an S3 Lifecycle rule to remove objects after one year.