Exam AWS Certified SysOps Administrator - Associate topic 1 question 295 discussion

I'm gonna go against the grain here and go with answer B. While initially it looks like an elephant because of its complexity compared to the other options...it does satisfy every requirement and its the ONLY option that satisfies the stipulation that denys the deletion of a resource.

I think answer is "C" because using AWS backup is the established method/tool for this, and EC2 instance role/profile would not be allow to control or delete backups unless explicitly allowed. The word "cron" in en answer "B" is red flag that is is the wrong answer. I know all about cron, and it's invaluable and bullet proof on a system. However, it's anathema to AWS Cloud way of doing things. Wherever you see the word "cron" in AWS response, you know its the wrong answer (IMHO).

When the AWS backups create the backup points they can not be deleted by ec2:* permission. User need to have backup:DeleteRecoveryPoint

Come on people, B is literally the ONLY answer that addresses a way to prevent deletion. The answer in C does not state a way to prevent deletion, even IF AWS Backbackup can do it, it doesn't say it in that answer.

c is the answer

AWS BACKUP comes with features to manage access to the created AMIs and snapshots, and protect them from deletion with a vault lock.

B is the only option for handling the deletion of any of these production snapshots.

Even though it is a complex solution, the two facts are that accounts are in organizations and the best way to control is using SCP's

Aws backup fulfills all needs. So C

For me the answer has to be C. Cron is usually a red herring that it's the wrong answer. Whilst B makes sense in the fact that it's using SCP controls alongside organizations, Cron just feels like bad practice in the context of AWS exams. Consider in backup controls that you are not able to delete unless specifically allowed and to really prevent deletion at an organizational level you can apply compliance mode which after a cooling off period, will not allow any users to delete the resource: https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html#:~:text=AWS%20Backup%20ensures%20that%20your%20backups%20are%20available,locked%20vault%2C%20AWS%20Backup%20will%20deny%20the%20operation.

Incremental backup, TAG, Manage permissions for the backup. All fit

AWS backup is the only one to fulfil the requirements

The question mentioned the solution requirements are: 1. Automated EBS backups 2. Incremental EBS backups 3. Lifecycle policy 4. Prevent deletion by users (with Permission to delete snapshots) AWS Backup is smarter than DLM, they both automatically create AMIs and Incremental Snapshots. However, AWS BACKUP comes with features to manage access to the created AMIs and snapshots, and protect them from deletion with a vault lock. https://repost.aws/questions/QU8o5m88yhQk6UVAgQA3Mnng/aws-backup-vs-aws-data-lifecycle-management.

Altough not elegant, its the only option that fulfils `prevent deletion` requirement

bbbbbbbbb

bbbbbbbb

B for me as It covers all the requirements needed (the deletion part)