Which combination of steps should a solutions architect take to meet these requirements with the LEAST operational overhead?
(Choose two.)
A. Store the documents in Amazon S3. Use S3 Object Lock in governance mode.
B. Store the documents in Amazon S3. Use S3 Object Lock in compliance mode.
C. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure key rotation.
D. Use server-side encryption with AWS Key Management Service (AWS KMS) customer managed keys. Configure key rotation.
E. Use server-side encryption with AWS Key Management Service (AWS KMS) customer provided (imported) keys. Configure key rotation.
Explanations:
A. S3 Object Lock in governance mode allows users with the necessary permissions to overwrite or delete objects, which does not meet the requirement of ensuring documents cannot be deleted or overwritten for the entire 5-year period.
B. S3 Object Lock in compliance mode prevents any deletion or modification of the objects for the retention period, fully meeting the requirement for protecting contract documents for 5 years.
C. While SSE-S3 provides encryption at rest, it does not include built-in key rotation, and the documents could still be deleted or overwritten, failing to meet the compliance requirement.
D. Using server-side encryption with AWS KMS customer managed keys allows for automatic key rotation. This, combined with the right storage method (such as S3 Object Lock in compliance mode), meets both the encryption and retention requirements.
E. AWS KMS customer provided (imported) keys require more management overhead, and, similar to option C, they do not inherently prevent deletion or overwriting of the documents. Additionally, they do not align with automatic key rotation best practices as easily as customer managed keys.