What is the MOST secure solution that meets these requirements?
A. Upload the digital evidence to a new Amazon S3 bucket. Set up an S3 Lifecycle configuration to move the data to S3 Glacier. Configure S3 Glacier with a vault lock policy.
B. Upload the digital evidence to a new Amazon S3 bucket with S3 Object Lock enabled. Implement server-side encryption with AWS Key Management Service (AWS KMS).
C. Upload the digital evidence to a new Amazon S3 bucket. Configure an S3 bucket policy. Enable S3 Versioning and MFA Delete. Use S3 presigned URLs.
D. Launch an Amazon EC2 instance. Store the digital evidence on an attached Amazon Elastic Block Store (Amazon EBS) volume. Enable termination protection, isolate the EC2 instance, and take a snapshot of the EBS volume.
Explanations:
A. S3 Glacier with a vault lock policy provides immutability, but this option does not specify encryption for the data. Also, Glacier is designed for archival storage and is not the most suitable choice for active analysis or easy retrieval of data by a security engineer.
B. S3 Object Lock ensures immutability of the data, and enabling server-side encryption with AWS KMS ensures the data is encrypted. This solution meets both the encryption and immutability requirements, making it the most secure and appropriate solution for providing evidence for analysis.
C. While S3 Versioning and MFA Delete add layers of protection to prevent accidental deletion, they do not guarantee immutability. Additionally, using S3 presigned URLs may not provide sufficient security and control for sharing the data. This option does not meet the encryption and immutability requirements as effectively as option B.
D. Storing the evidence on an EC2 instance with EBS and taking a snapshot of the volume does not provide the same level of immutability as S3 Object Lock. Additionally, snapshots can be deleted or modified, and the data is not automatically encrypted unless specifically configured. This option does not fulfill the encryption and immutability requirements as effectively as option B.