What should a solutions architect do to secure the audit documents?
Enable the versioning and MFA Delete features on the S3 bucket.
Enable multi-factor authentication (MFA) on the IAM user credentials for each audit team IAM user account.
Add an S3 Lifecycle policy to the audit team’s IAM user accounts to deny the s3:DeleteObject action during audit dates.
Use AWS Key Management Service (AWS KMS) to encrypt the S3 bucket and restrict audit team IAM user accounts from accessing the KMS key.
Explanations:
Enabling versioning on the S3 bucket keeps previous versions of objects, so an object that is accidentally deleted or overwritten can be restored. MFA Delete adds a further layer of protection by requiring multi-factor authentication to permanently delete an object version or to change the bucket's versioning state; it can only be enabled by the bucket owner's root account through the CLI or API, not the console. Together the two features significantly reduce the risk of accidental deletions.
While enabling MFA on IAM user accounts enhances security, it does not specifically address the risk of accidental deletion of objects in the S3 bucket. It primarily protects against unauthorized access rather than accidental actions.
Adding a lifecycle policy to deny the s3:DeleteObject action during specific dates is not a viable solution. Lifecycle policies are configured on a bucket, not on IAM user accounts, and they are used for object expiration and transitioning between storage classes rather than for restricting actions within a time window. Additionally, such a policy would offer no protection against accidental deletions outside the defined period.
Using AWS KMS for encryption secures data at rest but does not prevent deletions. Restricting the audit team's access to the KMS key only prevents them from reading the objects; it does not stop the objects themselves from being deleted and therefore does not mitigate the concern about accidental deletion of audit documents in the S3 bucket.