AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company needs to store data in Amazon S3 and must prevent the data from being changed. The company wants new objects that are uploaded to Amazon S3 to remain unchangeable for a nonspecific amount of time until the company decides to modify the objects. Only specific users in the company's AWS account can have the ability to delete the objects.

What should a solutions architect do to meet these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Create an S3 Glacier vault. Apply a write-once, read-many (WORM) vault lock policy to the objects.

Create an S3 bucket with S3 Object Lock enabled. Enable versioning. Set a retention period of 100 years. Use governance mode as the S3 bucket’s default retention mode for new objects.

Create an S3 bucket. Use AWS CloudTrail to track any S3 API events that modify the objects. Upon notification, restore the modified objects from any backup versions that the company has.

Create an S3 bucket with S3 Object Lock enabled. Enable versioning. Add a legal hold to the objects. Add the s3:PutObjectLegalHold permission to the IAM policies of users who need to delete the objects.

Explanation:

Explanation

Correct Answer: D

Why Option D is correct:

S3 Object Lock with Legal Hold: This solution perfectly matches the requirements:
- Prevents data from being changed: S3 Object Lock with legal hold prevents objects from being deleted or overwritten
- Nonspecific amount of time: Legal holds can be applied indefinitely until explicitly removed
- Only specific users can delete: By adding s3:PutObjectLegalHold permission to specific IAM policies, only authorized users can remove the legal hold and then delete objects
- Versioning is required: S3 Object Lock requires versioning to be enabled

Why other options are incorrect:

Option A: S3 Glacier vaults are for archival storage, not for active S3 storage. WORM vault lock policies apply to Glacier, not S3 objects.

Option B: Setting a fixed 100-year retention period doesn't meet the "nonspecific amount of time" requirement. Governance mode with fixed retention periods is too rigid for the requirement of "until the company decides to modify the objects."

Option C: This is a reactive approach rather than preventive. It relies on detecting changes after they happen and restoring from backups, which doesn't prevent modification in the first place.

Key AWS Concepts:

S3 Object Lock: Provides WORM (Write Once Read Many) functionality to prevent object deletion or modification
Legal Hold: Can be applied indefinitely and removed when needed, perfect for "nonspecific amount of time" requirements
Governance Mode: Allows retention settings to be overridden by users with specific permissions
Compliance Mode: More restrictive, where no one can override retention settings

This solution provides the flexibility needed while ensuring data immutability until the company decides to make changes.

Powered ByGPT-5.2

Comments

Loading comments...