Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 53 discussion

Only CD provides Object Lock options which is required for stopping admin/root users from deleting. D is governance mode which is like government, pay enough money and you can do anything. This is not what we want so compliance is the option. C is right choice. For future, remember S3 Lock Governance = corrupt government official S3 Lock Compliance = honest solution architect!

The key reasons are: The S3 Lifecycle policy transitions the data to Glacier Deep Archive after 1 year for long-term archival. S3 Object Lock in compliance mode prevents any user from deleting or overwriting objects for the specified retention period. Glacier Deep Archive provides very high durability and the lowest storage cost for long-term archival. Compliance mode ensures no one can override or change the retention settings even if policies change. This meets all the requirements - immediate access for 1 year, archived for 9 years, unable to delete for 10 years, maximum resiliency

Ans C - S3 Glacier after year 1 in compliance mode with object lock (=immutable lock)

No one at the company, including administrative users and root users, can be able to delete the records during the entire 10-year period = Compliance Mode

To meet the requirements of immediately accessible records for 1 year and then archived for an additional 9 years with maximum resiliency, we can use S3 Lifecycle policy to transition records from S3 Standard to S3 Glacier Deep Archive after 1 year. And to ensure that the records cannot be deleted by anyone, including administrative and root users, we can use S3 Object Lock in compliance mode for a period of 10 years. Therefore, the correct answer is option C. Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.htmls

No one at the company, including administrative users and root users, can be able to delete the records during the entire 10-year period = Compliance Mode

Option C is the correct answer

Why not A? Move all files to S3 Glacier instant retrieval (Cheaper than S3) and then move files older than a year to S3 Deep archive.

To prevent deletion of records during the entire 10-year period, you can utilize S3 Object Lock feature. By enabling it in compliance mode, you can set a retention period on the objects, preventing any user, including administrative and root users, from deleting records. A: S3 Glacier is suitable for long-term archival, it may not provide immediate accessibility for the first year as required. B: Intelligent-Tiering may not offer the most cost-effective archival storage option for extended 9-year period. Changing the IAM policy after 10 years to allow deletion also introduces manual steps and potential human error. D: While S3 One Zone-IA can provide cost savings, it doesn't offer the same level of resiliency as S3 Glacier Deep Archive for long-term archival.

In compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account. https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html

Retention Period: A period is specified by Days & Years. With Retention Compliance Mode, you can’t change/adjust (even by the account root user) the retention mode during the retention period while all objects within the bucket are Locked. With Retention Governance mode, a less restrictive mode, you can grant special permission to a group of users to adjust the Lock settings by using S3:BypassGovernanceRetention. Legal Hold: It’s On/Off setting on an object version. There is no retention period. If you enable Legal Hole on specific object version, you will not be able to delete or override that specific object version. It needs S:PutObjectLegalHole as a permission.

S3 Glacier Deep Archive all day....

Use an S3 Lifecycle policy to transition the records from S3 Standard to S3 Glacier Deep Archive after 1 year. Use S3 Object Lock in compliance mode for a period of 10 years.

Use S3 Object Lock in compliance mode https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html

C, A lifecycle set to transition from standard to Glacier deep archive and use lock for the delete requirement A, B and D don't meet the requirements

C. Use an S3 Lifecycle policy to transition the records from S3 Standard to S3 Glacier Deep Archive after 1 year. Use S3 Object Lock in compliance mode for a period of 10 years. To meet the requirements, the company could use an S3 Lifecycle policy to transition the records from S3 Standard to S3 Glacier Deep Archive after 1 year. S3 Glacier Deep Archive is Amazon's lowest-cost storage class, specifically designed for long-term retention of data that is accessed rarely. This would allow the company to store the records with maximum resiliency and at the lowest possible cost.

A and B are ruled out as you need them to be accessible for 1 year and using control policy or IAM policies, the administrator or root still has the ability to delete them. D is ruled out as it uses One Zone-IA, but requirement says max- resiliency. SO- C should be the right answer.