What should a solutions architect do to meet these requirements?
Create an S3 Glacier vault. Apply a write-once, read-many (WORM) vault lock policy to the objects.
Create an S3 bucket with S3 Object Lock enabled. Enable versioning. Set a retention period of 100 years. Use governance mode as the S3 bucket’s default retention mode for new objects.
Create an S3 bucket. Use AWS CloudTrail to track any S3 API events that modify the objects. Upon notification, restore the modified objects from any backup versions that the company has.
Create an S3 bucket with S3 Object Lock enabled. Enable versioning. Add a legal hold to the objects. Add the s3:PutObjectLegalHold permission to the IAM policies of users who need to delete the objects.
Explanations:
S3 Glacier vaults and vault lock policies are designed for long-term archival and compliance purposes. They are not suitable for scenarios where the company wants to decide later when to make objects changeable. Once a vault lock policy is in place, it cannot be changed. Also, Glacier is not designed for frequent access.
Setting a retention period of 100 years is not a good solution for an “unspecified amount of time.” This is a fixed duration and doesn’t allow the company to decide when to make the objects changeable. Governance mode allows privileged users to delete objects, but it requires specific permissions.
Using CloudTrail for tracking and restoring from backups is a reactive approach and does not prevent changes. It only allows you to detect and revert changes after they happen. This does not meet the requirement of preventing changes in the first place.
This is the correct approach. S3 Object Lock with a legal hold is specifically designed for this use case. Enabling Object Lock protects objects from being deleted or overwritten. Applying a legal hold keeps the objects protected indefinitely until the legal hold is removed. Granting the s3:PutObjectLegalHold permission to specific IAM users allows them to remove the legal hold (and thus allow deletion) when the company decides the objects can be changed. Enabling versioning is also a good practice to protect against accidental deletions even with Object Lock enabled.
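The correct design above, as an added worked example (not the exam author's or AWS's code): the least-privilege IAM policy for the users allowed to lift a hold, the exact put_object_legal_hold parameters, and the boto3 calls that create the Object Lock bucket and toggle the hold. The bucket name and account id are constructed placeholders; the run_* helpers assume boto3 and AWS credentials are available, while the two builder functions are pure and run offline.

```python
from typing import Optional

BUCKET = "example-evidence"   # constructed placeholder bucket name


def legal_hold_iam_policy(bucket: str) -> dict:
    """Policy for the few users who may lift a legal hold on objects in `bucket`.
    Lifting the hold deletes nothing by itself: deleting a specific version of a
    locked object afterwards still needs s3:DeleteObjectVersion, granted separately."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ManageLegalHold",
            "Effect": "Allow",
            "Action": ["s3:GetObjectLegalHold", "s3:PutObjectLegalHold"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def legal_hold_params(bucket: str, key: str, on: bool,
                      version_id: Optional[str] = None) -> dict:
    """Request parameters for S3.Client.put_object_legal_hold; Status is ON or OFF.
    Legal holds attach to a single object version, so pin the version when known."""
    params = {"Bucket": bucket, "Key": key,
              "LegalHold": {"Status": "ON" if on else "OFF"}}
    if version_id:
        params["VersionId"] = version_id
    return params


def run_setup(region: str = "us-east-1") -> dict:
    """Create the bucket with Object Lock enabled. S3 enables versioning on it
    automatically, because Object Lock only works on versioned buckets."""
    import boto3
    s3 = boto3.client("s3", region_name=region)
    kwargs = {"Bucket": BUCKET, "ObjectLockEnabledForBucket": True}
    if region != "us-east-1":
        kwargs["CreateBucketConfiguration"] = {"LocationConstraint": region}
    s3.create_bucket(**kwargs)
    return s3.get_object_lock_configuration(Bucket=BUCKET)["ObjectLockConfiguration"]


def run_hold(key: str, on: bool, version_id: Optional[str] = None) -> str:
    """Apply (on=True) or lift (on=False) the hold and return the status S3 reports."""
    import boto3
    s3 = boto3.client("s3")
    s3.put_object_legal_hold(**legal_hold_params(BUCKET, key, on, version_id))
    query = {"Bucket": BUCKET, "Key": key}
    if version_id:
        query["VersionId"] = version_id
    return s3.get_object_legal_hold(**query)["LegalHold"]["Status"]
```

A user without s3:PutObjectLegalHold gets AccessDenied from run_hold(key, False), which is the control the answer relies on.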