AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company needs to save the results from a medical trial to an Amazon S3 repository. The repository must allow a few scientists to add new files and must restrict all other users to read-only access. No users can have the ability to modify or delete any files in the repository. The company must keep every file in the repository for a minimum of 1 year after its creation date.

Which solution will meet these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Use S3 Object Lock in governance mode with a legal hold of 1 year.

Use S3 Object Lock in compliance mode with a retention period of 365 days.

Use an IAM role to restrict all users from deleting or changing objects in the S3 bucket. Use an S3 bucket policy to only allow the IAM role.

Configure the S3 bucket to invoke an AWS Lambda function every time an object is added. Configure the function to track the hash of the saved object so that modified objects can be marked accordingly.

Explanation:

Explanation

Correct Answer: B - Use S3 Object Lock in compliance mode with a retention period of 365 days.

Why this is correct:

S3 Object Lock in compliance mode provides the strongest protection against object deletion and modification:
- Objects cannot be deleted or overwritten by any user, including the root account
- Retention periods cannot be shortened
- This ensures "no users can have the ability to modify or delete any files"
Retention period of 365 days ensures that "every file in the repository for a minimum of 1 year after its creation date"
Access control can be managed separately using IAM policies and bucket policies to:
- Allow scientists to add new files (PUT permissions)
- Restrict other users to read-only access (GET permissions)

Why other options are incorrect:

A. S3 Object Lock in governance mode with a legal hold of 1 year:

Governance mode allows users with special permissions to delete or modify objects
Legal hold is temporary and can be removed by authorized users
Doesn't guarantee the 1-year minimum retention requirement

C. Use an IAM role to restrict all users from deleting or changing objects:

IAM policies can be bypassed or modified
Doesn't provide the immutable storage requirement
Users with sufficient permissions could still delete objects

D. Configure S3 bucket to invoke AWS Lambda function:

This is a monitoring solution, not a prevention solution
Doesn't prevent deletion or modification
Doesn't enforce the 1-year retention requirement

Key AWS Concepts:

S3 Object Lock provides WORM (Write Once Read Many) storage
Compliance mode is the strictest - no one can delete or modify objects during retention period
Retention period ensures objects are preserved for a specified duration
Legal hold is temporary and can be removed, while retention periods are fixed

This solution meets all requirements: immutable storage, 1-year retention, and controlled access permissions.

Powered ByGPT-5.2

Comments

Loading comments...