Explanation:
S3 Object Lock provides a Write Once Read Many (WORM) model. Compliance mode ensures that an object version cannot be overwritten or deleted by any user, including the root user in your AWS account. This is the strictest protection to meet the requirement that backups "must not be deleted." Governance mode allows some users with specific permissions to bypass the lock, which does not strictly meet the requirement of absolute non-deletion.
Ultimate access to all questions.
Question #4
A company is storing backups in an Amazon S3 bucket. The backups must not be deleted for at least 3 months after the backups are created.
What should a CloudOps engineer do to meet this requirement?
A
Configure an IAM policy that denies the s3:DeleteObject action for all users. Three months after an object is written, remove the policy.
B
Enable S3 Object Lock on a new S3 bucket in compliance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
C
Enable S3 Versioning on the existing S3 bucket. Configure S3 Lifecycle rules to protect the backups.
D
Enable S3 Object Lock on a new S3 bucket in governance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
E
Create a Glacier vault with a vault lock policy.
F
Use S3 Replication to a separate account.
No comments yet.