A financial institution needs to store highly sensitive documents in Amazon S3. Compliance regulations require that the documents cannot be deleted or modified by anyone, including the AWS account root user, for a period of 7 years. <br/><br/>Which TWO actions should the solutions architect take to meet this requirement? (Select TWO.)

Answer options:

Enable S3 Object Lock in Governance mode.

Enable S3 Object Lock in Compliance mode.

Specify a retention period of 7 years.

Enable MFA Delete on the S3 bucket.

Create an IAM deny policy for the s3:DeleteObject action.

How to approach this question

Recognize the requirement for WORM (Write Once Read Many) storage that even the root user cannot bypass.

Full Answer

Amazon S3 Object Lock provides WORM storage. In Compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account. When an object is locked in Compliance mode, its retention mode can't be changed, and its retention period can't be shortened.

Common mistakes

Selecting Governance mode instead of Compliance mode.

Question 06 All questions Question 08

Practice the full AWS SAA-C03 Practice Exam 4

65 questions · hints · full answers · grading

More questions from this exam

Q01A company has multiple AWS accounts in an AWS Organizations organization. The security team wants...Medium Q02An application running on Amazon EC2 instances needs to access an Amazon DynamoDB table. Both res...Easy Q03A company is designing a web application that will be hosted on AWS. The application will use an ...Medium Q04A company is building a mobile app that requires users to authenticate using their social media a...Hard Q05A solutions architect is designing a VPC for a three-tier web application. The database tier must...Medium

View all 65 questions →