
A company uses Amazon S3 to store its confidential audit documents. The S3 bucket uses bucket policies to restrict access to audit team IAM user credentials according to the principle of least privilege. Company managers are worried about accidental deletion of documents in the S3 bucket and want a more secure solution.
What should a solutions architect do to secure the audit documents?
A. Enable the versioning and MFA Delete features on the S3 bucket.
B. Enable multi-factor authentication (MFA) on the IAM user credentials for each audit team IAM user account.
C. Add an S3 Lifecycle policy to the audit team's IAM user accounts to deny the s3:DeleteObject action during audit dates.
D. Use AWS Key Management Service (AWS KMS) to encrypt the S3 bucket and restrict audit team IAM user accounts from accessing the KMS key.
Explanation:
Correct Answer: A
Why Option A is correct:
Why other options are incorrect:
Option B: Enabling MFA on IAM user credentials adds security for authentication but doesn't specifically protect against accidental deletion of S3 objects. Users could still delete objects after authenticating with MFA.
Option C: S3 Lifecycle policies manage object transitions (like moving to Glacier) and expiration, not access control. They cannot be applied to IAM user accounts to deny specific actions. Access control is managed through IAM policies, bucket policies, or ACLs.
Option D: While KMS encryption adds data protection, it doesn't prevent deletion. Encrypted objects can still be deleted. Also, restricting access to the KMS key would prevent audit team members from accessing the documents they need to work with.
Key AWS Concepts:
Best Practice: For critical data, enable versioning and MFA Delete to prevent accidental data loss while maintaining proper access controls through IAM policies and bucket policies.