AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company has a production web application in which users upload documents through a web interface or a mobile app. According to a new regulatory requirement, new documents cannot be modified or deleted after they are stored. What should a solutions architect do to meet this requirement?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Store the uploaded documents in an Amazon S3 bucket with S3 Versioning and S3 Object Lock enabled.

Store the uploaded documents in an Amazon S3 bucket. Configure an S3 Lifecycle policy to archive the documents periodically.

Store the uploaded documents in an Amazon S3 bucket with S3 Versioning enabled. Configure an ACL to restrict all access to read-only.

Store the uploaded documents on an Amazon Elastic File System (Amazon EFS) volume. Access the data by mounting the volume in read-only mode.

Explanation:

Explanation

Correct Answer: A

Why Option A is correct:

S3 Object Lock is specifically designed for regulatory compliance requirements where objects need to be immutable (cannot be modified or deleted) for a specific retention period or indefinitely.
S3 Versioning works with Object Lock to prevent deletion of objects - when Object Lock is enabled, even if you try to delete an object, it creates a delete marker but the actual object version remains protected.
Object Lock provides two modes:
- Governance mode: Users with special permissions can override retention settings
- Compliance mode: No one can override the retention settings, not even the root AWS account
This combination meets the regulatory requirement that "new documents cannot be modified or deleted after they are stored."

Why other options are incorrect:

Option B: S3 Lifecycle policies are for transitioning objects between storage classes (like moving to Glacier) or expiring objects. They don't prevent modification or deletion of objects.

Option C: S3 Versioning alone doesn't prevent deletion - it only preserves previous versions when objects are overwritten. ACLs restricting access to read-only can be bypassed by users with appropriate permissions and don't provide true immutability.

Option D: Amazon EFS with read-only mounting doesn't prevent modification or deletion at the file system level. Users with appropriate permissions could still modify or delete files, and EFS doesn't have built-in immutability features like S3 Object Lock.

Key AWS Services:

S3 Object Lock: Provides write-once-read-many (WORM) functionality
S3 Versioning: Preserves all versions of an object
Compliance Mode: Ensures objects cannot be deleted or overwritten by anyone, including the root AWS account

This solution is commonly used for regulatory compliance in industries like healthcare (HIPAA), finance (SEC Rule 17a-4), and other sectors requiring data immutability.

Powered ByGPT-5.2

Comments

Loading comments...