A company needs to store data in Amazon S3 and must prevent the data from being changed. New objects uploaded to S3 must remain immutable for an unspecified period until the company chooses to modify them. Only specific users in the AWS account should be able to delete the objects. What should a solutions architect do to meet these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Create an S3 bucket with S3 Object Lock enabled. Enable versioning. Add a legal hold to the objects. Add the s3:PutObjectLegalHold permission to the IAM policies of users who need to delete the objects..
Why this is the answer
The correct solution uses S3 Object Lock with a legal hold. Legal holds prevent an object version from being overwritten or deleted, fulfilling the immutability requirement for an unspecified period. Enabling versioning ensures that if an object is accidentally deleted, previous versions are retained. Granting s3:PutObjectLegalHold permission to specific users allows them to manage the legal hold, effectively controlling object deletion. Incorrect options: S3 Glacier Vaults are for archival storage, not primary S3 object storage, and WORM policies are applied to the vault, not individual S3 objects. Setting a 100-year retention period with governance mode is a fixed duration, not an "unspecified period" where the company chooses when to modify. Governance mode also allows users with specific permissions to bypass or shorten retention, which might not align with strict immutability. CloudTrail tracks changes but doesn't prevent them. Restoring from backups is a reactive measure, not a proactive prevention of modification.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed