Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 109 discussion

A - No as "specific users can delete" B - No as "nonspecific amount of time" C - No as "prevent the data from being change" D - The answer: "The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed." https://docs.aws.amazon.com/AmazonS3/latest/userguide/batch-ops-legal-hold.html

typo -- 10 delete the objects => TO delete the objects

B. Create an S3 bucket with S3 Object Lock enabled. Enable versioning. Set a retention period of 100 years. Use governance mode as the S3 bucket’s default retention mode for new objects. ✅ Explanation: To meet the requirements of immutability and controlled deletion, Amazon S3 Object Lock is the ideal solution: S3 Object Lock allows you to store objects using a write-once-read-many (WORM) model. Governance mode lets you protect objects from being overwritten or deleted, but authorized users can override the lock if needed. Versioning must be enabled to use Object Lock. Setting a long retention period (e.g., 100 years) ensures objects remain unchangeable until explicitly modified. Only users with the necessary IAM permissions (like s3:BypassGovernanceRetention) can delete or modify objects.

Here's why option B is suitable: S3 Object Lock: This feature allows you to prevent objects from being deleted or changed for a specified retention period. In governance mode, even if a user has delete permissions, they cannot delete the objects until the retention period has expired. Versioning: Enabling versioning ensures that multiple versions of an object are stored. This provides an additional layer of data protection, allowing you to restore data if an object is accidentally modified or deleted. Retention Period: By setting a long retention period (like 100 years), you ensure compliance with data retention policies beyond short-term needs.

Why This Works S3 Object Lock with Governance Mode: Immutable by Default: New objects inherit a 100-year retention period, ensuring they cannot be modified or deleted during this time. Flexible Override: Authorized users (with s3:BypassGovernanceRetention permissions) can shorten the retention period or delete objects before 100 years, aligning with the requirement for nonspecific retention until the company decides. Versioning: Protects against accidental overwrites or deletions by maintaining multiple object versions. Governance Mode Benefits: Allows controlled exceptions for authorized users while blocking unauthorized changes. Why Other Options Fail Option Shortcoming A Glacier vaults are for archival, not active S3 storage. C CloudTrail is reactive (audits changes but doesn’t prevent them). D Legal holds are indefinite but require manual application per object, which is not scalable for new uploads.

Option D: Subscribe to an RDS event notification and send an Amazon Simple Notification Service (Amazon SNS) topic fanned out to multiple Amazon Simple Queue Service (Amazon SQS) queues. Use AWS Lambda functions to update the targets. Correct Choice: This approach leverages RDS event notifications and SNS for fanning out updates to multiple SQS queues. Each target can then independently process updates using Lambda functions, making it scalable and modular.

S3 Bucket Versioning helps deal with modifications while the legal hold coveys no deletes or changes until removed.

D is wrong A legal hold can make objects immutable, but the question specifies new objects must remain unchangeable by default. Legal holds must be applied manually to individual objects, so they are not practical for this use case.

Ans D - "The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed." https://docs.amazonaws.cn/en_us/AmazonS3/latest/userguide/batch-ops-legal-hold.html The other options do not make sense for the situation in hand.

The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed. You can use S3 Batch Operations with Object Lock to add legal holds to many Amazon S3 objects at once. You can do this by listing the target objects in your manifest and submitting that list to Batch Operations. Your S3 Batch Operations job with Object Lock legal hold runs until completion, until cancellation, or until a failure state is reached.

D is the best choice

Adding legal holds to objects and managing permissions for users to delete objects does not provide the same level of data immutability and retention control as S3 Object Lock.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html A: WORM doesn't allow delete by some users C: Irrelevant D: Permission only allows putting legal hold on objects. Not a complete solution B: Closest apart from 100 years as question is asking for indefinite. Governance allows modification by some users

"With governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the objects if necessary." D is wrong because it applies Object Lock AND Legal Hold, which are two different things that achieve similar results. 'Adding the s3:PutObjectLegalHold permission' to user's policies would allow them to remove the Legal Hold but NOT the Object Lock. (Also, it would probably make more sense to add the permissions to the bucket policy, not the "IAM policies of users".)

I only picked this because of restricted users who can delete, and the easiest way of achieving this is them assuming the role

"The company wants new objects that are uploaded to Amazon S3 to remain unchangeable for a nonspecific amount of time until the company decides to modify the objects" = A legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed. s3:PutObjectLegalHold permission is required in your IAM role to add or remove legal hold from objects.

The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed.