Answer-first summary for fast verification
Answer: Enable S3 Object Lock on a new S3 bucket in compliance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
S3 Object Lock in Compliance mode ensures that objects cannot be deleted or overwritten by any user, including the root user, during the specified retention period. Governance mode allows users with special permissions to alter the lock, which does not strictly meet the requirement that backups MUST NOT be deleted. An IAM policy could be overridden or removed.
Author: Ritesh Yadav
Ultimate access to all questions.
Question #4
A company is storing backups in an Amazon S3 bucket. The backups must not be deleted for at least 3 months after the backups are created.
What should a CloudOps engineer do to meet this requirement?
A
Configure an IAM policy that denies the s3:DeleteObject action for all users. Three months after an object is written, remove the policy.
B
Enable S3 Object Lock on a new S3 bucket in compliance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
C
Enable S3 Versioning on the existing S3 bucket. Configure S3 Lifecycle rules to protect the backups.
D
Enable S3 Object Lock on a new S3 bucket in governance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
No comments yet.