A company uses Amazon EC2 instances and Amazon EBS volumes for an application. The company creates one snapshot of each EBS volume daily to meet compliance. The company wants an architecture that prevents accidental deletion of EBS snapshots without changing the storage administrator user's administrative rights. Which solution meets these requirements with the LEAST administrative effort?
Choose an answer
Tap an option to check your answer.
Correct answer: Lock the EBS snapshots to prevent deletion..
Why this is the answer
The correct answer is to lock the EBS snapshots to prevent deletion. This refers to using AWS Backup's Vault Lock feature or Amazon S3 Object Lock if snapshots are stored in S3 (though EBS snapshots are typically managed directly). Vault Lock allows you to set an unchangeable retention period for backups, including EBS snapshots, effectively preventing accidental or malicious deletion even by users with administrative rights, once the lock is initiated. This meets the requirement of preventing deletion without altering existing user permissions and requires minimal ongoing administrative effort after initial setup. Creating an IAM role and EC2 instance for deletion is complex and doesn't prevent accidental deletion by other means. Attaching a deny policy to the storage administrator would change their administrative rights, which the question explicitly states to avoid. Adding tags and using Recycle Bin provides a recovery mechanism but doesn't prevent deletion; it merely allows restoration after deletion, which is not the primary goal here.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed