Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 109 discussion

A - No as "specific users can delete" B - No as "nonspecific amount of time" C - No as "prevent the data from being change" D - The answer: "The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed." https://docs.aws.amazon.com/AmazonS3/latest/userguide/batch-ops-legal-hold.html

typo -- 10 delete the objects => TO delete the objects

Here's why option B is suitable: S3 Object Lock: This feature allows you to prevent objects from being deleted or changed for a specified retention period. In governance mode, even if a user has delete permissions, they cannot delete the objects until the retention period has expired. Versioning: Enabling versioning ensures that multiple versions of an object are stored. This provides an additional layer of data protection, allowing you to restore data if an object is accidentally modified or deleted. Retention Period: By setting a long retention period (like 100 years), you ensure compliance with data retention policies beyond short-term needs.

Why This Works S3 Object Lock with Governance Mode: Immutable by Default: New objects inherit a 100-year retention period, ensuring they cannot be modified or deleted during this time. Flexible Override: Authorized users (with s3:BypassGovernanceRetention permissions) can shorten the retention period or delete objects before 100 years, aligning with the requirement for nonspecific retention until the company decides. Versioning: Protects against accidental overwrites or deletions by maintaining multiple object versions. Governance Mode Benefits: Allows controlled exceptions for authorized users while blocking unauthorized changes. Why Other Options Fail Option Shortcoming A Glacier vaults are for archival, not active S3 storage. C CloudTrail is reactive (audits changes but doesn’t prevent them). D Legal holds are indefinite but require manual application per object, which is not scalable for new uploads.

Option D: Subscribe to an RDS event notification and send an Amazon Simple Notification Service (Amazon SNS) topic fanned out to multiple Amazon Simple Queue Service (Amazon SQS) queues. Use AWS Lambda functions to update the targets. Correct Choice: This approach leverages RDS event notifications and SNS for fanning out updates to multiple SQS queues. Each target can then independently process updates using Lambda functions, making it scalable and modular.

S3 Bucket Versioning helps deal with modifications while the legal hold coveys no deletes or changes until removed.

D is wrong A legal hold can make objects immutable, but the question specifies new objects must remain unchangeable by default. Legal holds must be applied manually to individual objects, so they are not practical for this use case.

Ans D - "The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed." https://docs.amazonaws.cn/en_us/AmazonS3/latest/userguide/batch-ops-legal-hold.html The other options do not make sense for the situation in hand.

The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed. You can use S3 Batch Operations with Object Lock to add legal holds to many Amazon S3 objects at once. You can do this by listing the target objects in your manifest and submitting that list to Batch Operations. Your S3 Batch Operations job with Object Lock legal hold runs until completion, until cancellation, or until a failure state is reached.

D is the best choice

Adding legal holds to objects and managing permissions for users to delete objects does not provide the same level of data immutability and retention control as S3 Object Lock.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html A: WORM doesn't allow delete by some users C: Irrelevant D: Permission only allows putting legal hold on objects. Not a complete solution B: Closest apart from 100 years as question is asking for indefinite. Governance allows modification by some users

"With governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the objects if necessary." D is wrong because it applies Object Lock AND Legal Hold, which are two different things that achieve similar results. 'Adding the s3:PutObjectLegalHold permission' to user's policies would allow them to remove the Legal Hold but NOT the Object Lock. (Also, it would probably make more sense to add the permissions to the bucket policy, not the "IAM policies of users".)

I only picked this because of restricted users who can delete, and the easiest way of achieving this is them assuming the role

"The company wants new objects that are uploaded to Amazon S3 to remain unchangeable for a nonspecific amount of time until the company decides to modify the objects" = A legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed. s3:PutObjectLegalHold permission is required in your IAM role to add or remove legal hold from objects.

The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed.

My understanding is that the s3:PutObjectLegalHold permission allows certain users to apply or remove the legal hold on objects in the S3 bucket. However, having the permission to apply or remove the legal hold does not necessarily mean users can override the hold set by another user. Once the legal hold is set on an object, it is in effect until the hold is removed by the user who applied it or an admin with the necessary permissions. Other users, even if they have the s3:PutObjectLegalHold permission, won't be able to remove the hold unless they are granted access by the user who originally applied it.