
Answer-first summary for fast verification
Answer: Create a new Amazon S3 bucket with S3 Versioning enabled. Use S3 Object Lock with a retention period in accordance with the designated date. Configure the S3 bucket for static website hosting. Set an S3 bucket policy to allow read-only access to the objects.
## Explanation

**Correct Answer: B**

**Why Option B is correct:**

1. **S3 Object Lock with retention period**: This is the key feature that prevents modification or deletion of the files before the designated date. S3 Object Lock provides WORM (Write Once Read Many) protection, so a locked object version cannot be deleted or overwritten until its retention period expires.
2. **S3 Versioning enabled**: Object Lock requires versioning. Versioning keeps every object version, so the locked version can neither be overwritten nor permanently deleted.
3. **Static website hosting**: Serves the files to the public over a website endpoint.
4. **S3 bucket policy for read-only access**: Controls public access at the bucket level, granting only read access, rather than relying on IAM permissions.

**Why other options are incorrect:**

**Option A**: Relies only on IAM permissions, which do not prevent modification or deletion. IAM permissions can be changed or removed at any time and provide none of the immutable protection the requirement calls for.

**Option C**: Relies on a reactive Lambda function to restore objects after they have already been modified or deleted. This is less secure because:

- Objects can still be modified or deleted, if only temporarily
- There is a window of exposure between the deletion and the restoration
- Lambda functions can fail or contain errors
- It is more complex and less reliable than native S3 Object Lock

**Option D**: Has several issues:

- S3 Object Lock cannot be applied at folder level; it is enabled on the bucket and retention applies per object version
- It still uses IAM permissions instead of a bucket policy for public access
- The combination of approaches is inconsistent and less secure

**Key Security Principles Applied:**

- **Immutable storage**: S3 Object Lock ensures files cannot be modified or deleted before the designated date
- **Least privilege**: The bucket policy grants the public read-only access and nothing more
- **Simplicity**: Uses native AWS features rather than complex workarounds
- **Reliability**: No dependency on Lambda functions that could fail
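As an added example (not code from the LeetQuiz page), the read-only bucket policy and COMPLIANCE-mode retention from option B are built and checked offline in Python, beside an Option A style policy that also grants write actions and a GOVERNANCE-mode retention that ends early. The bucket name, designated date and the `check_*` helpers are constructed placeholders and assumptions, not AWS APIs.

```python
"""Build and check the option B S3 settings offline (added example)."""
from datetime import datetime, timezone

# Constructed placeholders: replace with the real bucket and designated date.
BUCKET = "example-law-firm-public-files"
DESIGNATED_DATE = datetime(2030, 1, 1, tzinfo=timezone.utc)
READ_ONLY_ACTIONS = {"s3:GetObject"}


def read_only_bucket_policy(bucket: str) -> dict:
    """Public read of objects only; no write or delete action is granted."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicReadOnly", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def object_retention(designated_date: datetime) -> dict:
    """Per-object-version retention in the shape put_object_retention expects."""
    return {"Mode": "COMPLIANCE", "RetainUntilDate": designated_date.isoformat()}


# Weak settings for comparison: public write (option A style) and a short,
# bypassable GOVERNANCE-mode lock. Both are constructed, not from the page.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicWrite", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
WEAK_RETENTION = {"Mode": "GOVERNANCE", "RetainUntilDate": "2029-01-01T00:00:00+00:00"}


def check_policy_is_read_only(policy: dict) -> list:
    """Return a finding for each non-read action granted to the public ('*')."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or st.get("Principal") != "*":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        for action in actions:
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"{st.get('Sid', '?')}: public principal granted {action}")
    return findings


def check_retention(retention: dict, designated_date: datetime) -> list:
    """Require COMPLIANCE mode and a retain-until date on or after the designated date."""
    findings = []
    if retention.get("Mode") != "COMPLIANCE":
        findings.append("GOVERNANCE mode can be lifted with s3:BypassGovernanceRetention")
    if datetime.fromisoformat(retention["RetainUntilDate"]) < designated_date:
        findings.append("RetainUntilDate ends before the designated date")
    return findings
```

Object Lock itself must be enabled when the bucket is created, which also turns on versioning; the checks above only validate the policy and retention documents you would then apply.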
Author: LeetQuiz Editorial Team
A law firm needs to share information with the public. The information includes hundreds of files that must be publicly readable. Modifications or deletions of the files by anyone before a designated future date are prohibited.
Which solution will meet these requirements in the MOST secure way?
A
Upload all files to an Amazon S3 bucket that is configured for static website hosting. Grant read-only IAM permissions to any AWS principals that access the S3 bucket until the designated date.
B
Create a new Amazon S3 bucket with S3 Versioning enabled. Use S3 Object Lock with a retention period in accordance with the designated date. Configure the S3 bucket for static website hosting. Set an S3 bucket policy to allow read-only access to the objects.
C
Create a new Amazon S3 bucket with S3 Versioning enabled. Configure an event trigger to run an AWS Lambda function in case of object modification or deletion. Configure the Lambda function to replace the objects with the original versions from a private S3 bucket.
D
Upload all files to an Amazon S3 bucket that is configured for static website hosting. Select the folder that contains the files. Use S3 Object Lock with a retention period in accordance with the designated date. Grant read-only IAM permissions to any AWS principals that access the S3 bucket.