What should a solutions architect do to secure the audit documents?
Enable the versioning and MFA Delete features on the S3 bucket.
Enable multi-factor authentication (MFA) on the IAM user credentials for each audit team IAM user account.
Add an S3 Lifecycle policy to the audit team’s IAM user accounts to deny the s3:DeleteObject action during audit dates.
Use AWS Key Management Service (AWS KMS) to encrypt the S3 bucket and restrict audit team IAM user accounts from accessing the KMS key.
Explanations:
Enabling versioning allows for the recovery of deleted documents, while MFA Delete adds an extra layer of security by requiring MFA authentication for delete operations.
While enabling MFA on IAM user credentials increases security, it does not directly prevent accidental deletions of documents in the S3 bucket.
An S3 Lifecycle policy cannot be used to deny specific actions such as s3:DeleteObject; Lifecycle rules are attached to a bucket, not to IAM user accounts, and they only transition or expire objects based on their age.
Encrypting the S3 bucket with AWS KMS is good for security, but restricting access to the KMS key would prevent the audit team from accessing the documents, defeating the purpose.