Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 109 discussion

A - No as "specific users can delete" B - No as "nonspecific amount of time" C - No as "prevent the data from being change" D - The answer: "The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed." https://docs.aws.amazon.com/AmazonS3/latest/userguide/batch-ops-legal-hold.html

typo -- 10 delete the objects => TO delete the objects

Ans D - "The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed." https://docs.amazonaws.cn/en_us/AmazonS3/latest/userguide/batch-ops-legal-hold.html The other options do not make sense for the situation in hand.

The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed. You can use S3 Batch Operations with Object Lock to add legal holds to many Amazon S3 objects at once. You can do this by listing the target objects in your manifest and submitting that list to Batch Operations. Your S3 Batch Operations job with Object Lock legal hold runs until completion, until cancellation, or until a failure state is reached.

D is the best choice

Adding legal holds to objects and managing permissions for users to delete objects does not provide the same level of data immutability and retention control as S3 Object Lock.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html A: WORM doesn't allow delete by some users C: Irrelevant D: Permission only allows putting legal hold on objects. Not a complete solution B: Closest apart from 100 years as question is asking for indefinite. Governance allows modification by some users

"With governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the objects if necessary." D is wrong because it applies Object Lock AND Legal Hold, which are two different things that achieve similar results. 'Adding the s3:PutObjectLegalHold permission' to user's policies would allow them to remove the Legal Hold but NOT the Object Lock. (Also, it would probably make more sense to add the permissions to the bucket policy, not the "IAM policies of users".)

I only picked this because of restricted users who can delete, and the easiest way of achieving this is them assuming the role

"The company wants new objects that are uploaded to Amazon S3 to remain unchangeable for a nonspecific amount of time until the company decides to modify the objects" = A legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed. s3:PutObjectLegalHold permission is required in your IAM role to add or remove legal hold from objects.

The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed.

My understanding is that the s3:PutObjectLegalHold permission allows certain users to apply or remove the legal hold on objects in the S3 bucket. However, having the permission to apply or remove the legal hold does not necessarily mean users can override the hold set by another user. Once the legal hold is set on an object, it is in effect until the hold is removed by the user who applied it or an admin with the necessary permissions. Other users, even if they have the s3:PutObjectLegalHold permission, won't be able to remove the hold unless they are granted access by the user who originally applied it.

I go with option B as they still need some specific users to be able to make changes so Gov mode is the best choice and 100 yrs is like infinity as well haha

The correct answer is D.

Option B specifies a retention period of 100 years which contradicts what the question asked for..... "The company wants new objects that are uploaded to Amazon S3 to remain unchangeable for a nonspecific amount of time until the company decides to modify the objects" Setting the retention period of 100 years is specific and the company wants new data/objects to remain unchanged for nonspecific amount of time. Correct answer is D https://docs.aws.amazon.com/AmazonS3/latest/userguide/batch-ops-legal-hold.html

"The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed." https://docs.aws.amazon.com/AmazonS3/latest/userguide/batch-ops-legal-hold.html

retention period of 100 Years prevents the object to be deleted bevor the retention period expires, so it's not a good fit.