AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company uses Amazon EC2 instances and Amazon Elastic Block Store (Amazon EBS) volumes to run an application. The company creates one snapshot of each EBS volume every day to meet compliance requirements. The company wants to implement an architecture that prevents the accidental deletion of EBS volume snapshots. The solution must not change the administrative rights of the storage administrator user.
Which solution will meet these requirements with the LEAST administrative effort?
Other
Community
UAnonymous
A
Create an IAM role that has permission to delete snapshots. Attach the role to a new EC2 instance. Use the AWS CLI from the new EC2 instance to delete snapshots.
B
Create an IAM policy that denies snapshot deletion. Attach the policy to the storage administrator user.
C
Add tags to the snapshots. Create retention rules in Recycle Bin for EBS snapshots that have the tags.
D
Lock the EBS snapshots to prevent deletion.
Explanation:
Explanation
Correct Answer: D - Lock the EBS snapshots to prevent deletion.
Why Option D is correct:
- EBS Snapshot Lock is a feature specifically designed to prevent accidental deletion of EBS snapshots.
- When you lock an EBS snapshot, it cannot be deleted until the lock is removed, providing protection against accidental deletion.
- This solution meets the requirement of not changing administrative rights because it works at the resource level rather than the IAM policy level.
- It requires the least administrative effort - simply enabling the lock on existing snapshots.
Why other options are incorrect:
Option A: This solution actually facilitates deletion rather than preventing it. Creating an IAM role with delete permissions and attaching it to an EC2 instance would make deletion easier, not prevent it.
Option B: While creating an IAM policy that denies snapshot deletion would work, it violates the requirement of "not changing the administrative rights of the storage administrator user." Attaching a deny policy to the user directly changes their permissions.
Option C: Recycle Bin for EBS snapshots provides retention rules, but it's designed for recovery after deletion rather than prevention. Snapshots can still be deleted and would go to the Recycle Bin, but this doesn't prevent the deletion action itself.
Key AWS Concepts:
- EBS Snapshot Lock: A feature that prevents snapshot deletion until the lock is explicitly removed.
- IAM Policies vs Resource-level Protection: IAM policies control user permissions, while resource-level features like snapshot locks protect the resource regardless of user permissions.
- Compliance Requirements: Snapshot locks are often used for compliance scenarios where data retention periods must be enforced.
Best Practice: For compliance requirements where snapshots must be retained for specific periods, EBS snapshot locks provide the simplest and most effective protection against accidental deletion without modifying user permissions.
Comments
Loading comments...