Which solution will ensure that existing and future objects in the S3 bucket are protected?
Create a new AWS account that is accessible only to the security team through an assumed role. Create an S3 bucket in the new account. Enable S3 Versioning and S3 Object Lock. Configure a default retention period of 1 year. Set up replication from the existing S3 bucket to the new S3 bucket. Create an S3 Batch Replication job to copy all existing data.
Use the s3-bucket-versioning-enabled AWS Config managed rule. Configure an automatic remediation action that uses an AWS Lambda function to enable S3 Versioning and MFA Delete on noncompliant resources. Add an S3 Lifecycle rule to delete objects after 1 year.
Explicitly deny bucket creation from all users and roles except for an AWS Service Catalog launch constraint role. Define a Service Catalog product for the creation of the S3 bucket to force S3 Versioning and MFA Delete to be enabled. Authorize users to launch the product when they need to create an S3 bucket.
Enable Amazon GuardDuty with the S3 protection feature for the account and the AWS Region. Add an S3 Lifecycle rule to delete objects after 1 year.
Explanations:
This option provides a comprehensive solution by creating a new AWS account with an S3 bucket that enables S3 Versioning and S3 Object Lock, ensuring data retention for 1 year. It also mitigates the risk of long-term credentials by separating sensitive operations in a different account controlled by the security team, thus adding an extra layer of security. The replication ensures existing data is also protected.
While this option uses AWS Config to monitor and enforce S3 Versioning, it does not address the need for Object Lock, which is critical for protecting data from being deleted or overwritten. Additionally, automatic remediation may not be timely enough to prevent data loss if an attacker gains access. The lifecycle rule for deletion after 1 year is also contrary to the requirement to retain data.
This option focuses on controlling bucket creation through Service Catalog and does not ensure existing objects in the S3 bucket are protected. While it prevents unauthorized bucket creation and encourages best practices by enforcing S3 Versioning and MFA Delete, it lacks the critical aspect of retention management and does not utilize Object Lock.
Enabling GuardDuty enhances monitoring and threat detection but does not directly protect existing or future objects in S3. It does not implement S3 Versioning or Object Lock, which are essential for ensuring data retention and protection from deletion or modification. The lifecycle rule for deletion is also misaligned with the requirement to retain data for 1 year.
I figure that the answer is:
Create a new AWS account that is accessible only to the security team through an assumed role. Create an S3 bucket in the new account. Enable S3 Versioning and S3 Object Lock. Configure a default retention period of 1 year. Set up replication from the existing S3 bucket to the new S3 bucket. Create an S3 Batch Replication job to copy all existing data.