
Answer-first summary for fast verification
Answer: Enable the versioning and MFA Delete features on the S3 bucket.
## Explanation

**Correct Answer: A**

**Why Option A is correct:**

1. **S3 Versioning**: Keeps multiple versions of an object, so even if an object is deleted, previous versions can be restored.
2. **MFA Delete**: Requires multi-factor authentication to permanently delete object versions, adding an extra layer of protection against accidental or malicious deletions.
3. **Directly addresses the concern**: The primary worry is accidental deletion of documents, and enabling versioning with MFA Delete protects against this specific threat.

**Why other options are incorrect:**

- **Option B**: Enabling MFA on IAM user credentials strengthens authentication but does not specifically protect against accidental deletion of S3 objects. Users can still delete objects after authenticating with MFA.
- **Option C**: S3 Lifecycle policies manage object transitions (such as moving to Glacier) and expiration, not access control. They cannot be attached to IAM user accounts to deny specific actions. Access control is managed through IAM policies, bucket policies, or ACLs.
- **Option D**: KMS encryption protects data confidentiality, but it does not prevent deletion: encrypted objects can still be deleted. Restricting access to the KMS key would also prevent audit team members from reading the documents they need to work with.

**Key AWS Concepts:**

- **S3 Versioning**: Maintains multiple versions of objects
- **MFA Delete**: Requires MFA to permanently delete object versions
- **Least Privilege**: The principle of granting only necessary permissions
- **Data Protection**: Versioning protects against accidental deletion, while encryption protects data confidentiality

**Best Practice**: For critical data, enable versioning and MFA Delete to prevent accidental data loss while maintaining proper access controls through IAM policies and bucket policies.
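The following is an added example and not part of the LeetQuiz explanation: a POSIX shell script that enables S3 Versioning together with MFA Delete on a bucket with the AWS CLI `s3api` commands, then reads the configuration back and checks that both flags are `Enabled`. The bucket name `audit-documents-example`, the account id `123456789012` and the MFA device ARN are constructed placeholders, and the script assumes the AWS CLI is installed and configured.

```shell
#!/bin/sh
# Added example (not from the LeetQuiz page): turn on S3 Versioning plus MFA Delete
# on an audit bucket and verify the result. The bucket name and MFA device ARN used
# below are constructed placeholders; replace them with your own values.

# MFA Delete can only be switched on by the bucket owner's root user, using that
# user's MFA device, and only through the API/CLI (not the console). The --mfa
# value is the device serial (ARN) and the current six-digit code, separated by
# one space; validate the shape before calling the CLI.
mfa_arg() {
  serial="$1"
  code="$2"
  case "$code" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "MFA code must be exactly six digits" >&2; return 1 ;;
  esac
  printf '%s %s' "$serial" "$code"
}

# MFA Delete applies to versioned buckets, so both features are set in one call.
enable_versioning_mfa_delete() {
  bucket="$1"
  serial="$2"
  code="$3"
  mfa="$(mfa_arg "$serial" "$code")" || return 1
  aws s3api put-bucket-versioning \
    --bucket "$bucket" \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "$mfa"
}

# Evaluate a get-bucket-versioning JSON document read from stdin.
# Returns 0 only when Status and MFADelete are both "Enabled".
versioning_ok() {
  doc="$(cat)"
  printf '%s' "$doc" | grep -q '"Status": *"Enabled"' &&
    printf '%s' "$doc" | grep -q '"MFADelete": *"Enabled"'
}

# Read the live configuration back and check it.
verify_bucket() {
  aws s3api get-bucket-versioning --bucket "$1" | versioning_ok
}

# Usage (uncomment to run against a real account as the root user):
# enable_versioning_mfa_delete "audit-documents-example" \
#   "arn:aws:iam::123456789012:mfa/root-account-mfa-device" "123456"
# verify_bucket "audit-documents-example" && echo "versioning + MFA Delete enabled"
```

Once MFA Delete is on, permanently deleting an object version and changing the bucket's versioning state both require the MFA code, while ordinary `DeleteObject` calls from audit team users only place a delete marker that a restore can undo; `verify_bucket` is the check to put in a periodic compliance job.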
Author: LeetQuiz Editorial Team
A company uses Amazon S3 to store its confidential audit documents. The S3 bucket uses bucket policies to restrict access to audit team IAM user credentials according to the principle of least privilege. Company managers are worried about accidental deletion of documents in the S3 bucket and want a more secure solution.
What should a solutions architect do to secure the audit documents?
A. Enable the versioning and MFA Delete features on the S3 bucket.
B. Enable multi-factor authentication (MFA) on the IAM user credentials for each audit team IAM user account.
C. Add an S3 Lifecycle policy to the audit team's IAM user accounts to deny the s3:DeleteObject action during audit dates.
D. Use AWS Key Management Service (AWS KMS) to encrypt the S3 bucket and restrict audit team IAM user accounts from accessing the KMS key.