Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 109 discussion

A - No as "specific users can delete" B - No as "nonspecific amount of time" C - No as "prevent the data from being change" D - The answer: "The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed." https://docs.aws.amazon.com/AmazonS3/latest/userguide/batch-ops-legal-hold.html

typo -- 10 delete the objects => TO delete the objects

Option D: Subscribe to an RDS event notification and send an Amazon Simple Notification Service (Amazon SNS) topic fanned out to multiple Amazon Simple Queue Service (Amazon SQS) queues. Use AWS Lambda functions to update the targets. Correct Choice: This approach leverages RDS event notifications and SNS for fanning out updates to multiple SQS queues. Each target can then independently process updates using Lambda functions, making it scalable and modular.

S3 Bucket Versioning helps deal with modifications while the legal hold coveys no deletes or changes until removed.

D is wrong A legal hold can make objects immutable, but the question specifies new objects must remain unchangeable by default. Legal holds must be applied manually to individual objects, so they are not practical for this use case.

Ans D - "The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed." https://docs.amazonaws.cn/en_us/AmazonS3/latest/userguide/batch-ops-legal-hold.html The other options do not make sense for the situation in hand.

The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed. You can use S3 Batch Operations with Object Lock to add legal holds to many Amazon S3 objects at once. You can do this by listing the target objects in your manifest and submitting that list to Batch Operations. Your S3 Batch Operations job with Object Lock legal hold runs until completion, until cancellation, or until a failure state is reached.

D is the best choice

Adding legal holds to objects and managing permissions for users to delete objects does not provide the same level of data immutability and retention control as S3 Object Lock.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html A: WORM doesn't allow delete by some users C: Irrelevant D: Permission only allows putting legal hold on objects. Not a complete solution B: Closest apart from 100 years as question is asking for indefinite. Governance allows modification by some users

"With governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the objects if necessary." D is wrong because it applies Object Lock AND Legal Hold, which are two different things that achieve similar results. 'Adding the s3:PutObjectLegalHold permission' to user's policies would allow them to remove the Legal Hold but NOT the Object Lock. (Also, it would probably make more sense to add the permissions to the bucket policy, not the "IAM policies of users".)

I only picked this because of restricted users who can delete, and the easiest way of achieving this is them assuming the role

"The company wants new objects that are uploaded to Amazon S3 to remain unchangeable for a nonspecific amount of time until the company decides to modify the objects" = A legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed. s3:PutObjectLegalHold permission is required in your IAM role to add or remove legal hold from objects.

The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed.

My understanding is that the s3:PutObjectLegalHold permission allows certain users to apply or remove the legal hold on objects in the S3 bucket. However, having the permission to apply or remove the legal hold does not necessarily mean users can override the hold set by another user. Once the legal hold is set on an object, it is in effect until the hold is removed by the user who applied it or an admin with the necessary permissions. Other users, even if they have the s3:PutObjectLegalHold permission, won't be able to remove the hold unless they are granted access by the user who originally applied it.

I go with option B as they still need some specific users to be able to make changes so Gov mode is the best choice and 100 yrs is like infinity as well haha

The correct answer is D.