Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 154 discussion

B, The key is "No users can have the ability to modify or delete any files" and compliance mode supports that. I remember it this way: ( governance is like government, they set the rules but they can allow some people to break it :D )

Answer : B Reason: Compliance Mode. The key difference between Compliance Mode and Governance Mode is that there are NO users that can override the retention periods set or delete an object, and that also includes your AWS root account which has the highest privileges.

First of all, Regal hold has no expiration before you remove it. So A makes no sense. After that Governance mode is breakable with permission, but Compilance mode is not even for root user cannot delete it. https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html

B for sure

I almost chose A for this deciving line lol but it would be compliance mode as no user should be able to change objects:- The repository must allow a few scientists to add new files and must restrict all other users to read-only access.

Can someone please explain why the answer is not A. It said that The repository must allow a few scientists to add new files. So, i think some user must have permission to change it.

Unsure, B would meet the "must keep every file for a minimum of 1 year" requirement. (In theory C would too if you ignore the root user, but administrators could remove the policy.) But what about the 'a few scientists must be able to add new files'? None of the options mentions permissions for a special group.

Both Compliance & Governance mode protect objects against being deleted or changed. But in Governance mode some people can have special permissions. In this question, no user can delete or modify files; so the answer is Compliance mode only. Neither of these modes restrict user from adding new files.

Compliance Mode best suits this scenario because once an object is locked in compliance mode, its retention mode can't be changed, and its retention period can't be shortened.

B) seems to be the right option, because: Both option A) & B) allow to: - Scientists add new files & other users read-only access. - Keep files for a minimum of 1 year Only option B allows to: - Disable all users the ability to modify or delete any file. If A) were the correct option some scientis will be able to modify files, as if they were in charge of put an object lock same permission would allow them to remove the lock and consequently delete the file.

B) seems to be the right option, because: Both option A) & B) allow to: - Scientists add new files & other users read-only access. - Keep files for a minimum of 1 year Only option B allows to: - Disable all users the ability to modify or delete any file. If A) were the correct option some scientis will be able to modify files, as if they were in charge of put an object lock same permission would allow them to remove the lock and consequently delete the file.

S3 Object Lock provides the necessary features to enforce immutability and retention of objects in an S3. Compliance mode ensures that the locked objects cannot be deleted or modified by any user, including those with write access. By setting a retention period of 365 days, the company can ensure that every file in the repository is kept for a minimum of 1 year after its creation date. A does not provide the same level of protection as compliance mode. In governance mode, there is a possibility for authorized users to remove the legal hold, potentially allowing objects to be modified or deleted. C can restrict users from deleting or changing objects, but it does not enforce the retention period requirement. It also does not provide the same level of immutability and protection against accidental or malicious modifications. D does not address the requirement of preventing users from modifying or deleting files. It provides a mechanism for tracking changes but does not enforce the desired access restrictions or retention period.

Am I the only one to worry about leap years ?

In compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account. When an object is locked in compliance mode, its retention mode can't be changed, and its retention period can't be shortened. Compliance mode helps ensure that an object version can't be overwritten or deleted for the duration of the retention period. In governance mode, users can't overwrite or delete an object version or alter its lock settings unless they have special permissions. With governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary. In Governance mode, Objects can be deleted by some users with special permissions, this is against the requirement.

its B, legal hold has no retention

https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html

Both Compliance & Governance mode protect objects against being deleted or changed. But in Governance mode some people can have special permissions. In this question, no user can delete or modify files; so the answer is Compliance mode only. Neither of these modes restrict user from adding new files.