What should a SysOps administrator do to meet this requirement?
Configure an IAM policy that denies the s3:DeleteObject action for all users. Three months after an object is written, remove the policy.
Enable S3 Object Lock on a new S3 bucket in compliance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
Enable S3 Versioning on the existing S3 bucket. Configure S3 Lifecycle rules to protect the backups.
Enable S3 Object Lock on a new S3 bucket in governance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
Explanations:
Configuring an IAM policy to deny the s3:DeleteObject action does not guarantee that objects cannot be deleted, because policies can be changed or removed. Additionally, this approach does not enforce retention automatically and relies on manual intervention to remove the policy after three months, which is not a best practice.
Enabling S3 Object Lock in compliance mode ensures that objects cannot be deleted or modified for the specified retention period of 3 months. This approach is fully compliant with regulatory requirements and protects data integrity, as even the root user cannot remove the retention setting during this period.
Enabling S3 Versioning retains previous versions of objects but does not prevent deletion: deleting the current version only places a delete marker on it, and object versions can still be removed. While lifecycle rules can transition objects or expire older versions, they do not enforce a mandatory retention policy that prevents deletion for 3 months.
Enabling S3 Object Lock in governance mode allows users with specific permissions to delete objects even within the retention period. This does not meet the requirement of ensuring that backups cannot be deleted for at least 3 months, as it allows for potential removal by authorized users.
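As an added illustration (not part of the original question), the following CloudFormation template creates the bucket described in the correct answer: Object Lock enabled at bucket creation with a default compliance-mode retention. The bucket name is a placeholder and the 3-month period is expressed as 90 days; both are assumptions. Changing `Mode` to `GOVERNANCE` would produce the weaker configuration of the last option, where principals holding `s3:BypassGovernanceRetention` can still delete protected versions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Backup bucket with S3 Object Lock in compliance mode (added example)

Resources:
  BackupBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: example-backup-bucket-placeholder   # assumed placeholder name
      # Object Lock can only be enabled when the bucket is created,
      # which is why the answer calls for a new bucket.
      ObjectLockEnabled: true
      # Object Lock requires versioning; each locked object version is protected.
      VersioningConfiguration:
        Status: Enabled
      ObjectLockConfiguration:
        ObjectLockEnabled: Enabled
        Rule:
          DefaultRetention:
            # COMPLIANCE: no principal, including the account root user, can
            # delete or overwrite a locked version or shorten the retention.
            # GOVERNANCE would allow bypass with s3:BypassGovernanceRetention.
            Mode: COMPLIANCE
            Days: 90   # assumed: "3 months" expressed as 90 days
      # Defence in depth: block any public access to the backups.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

Outputs:
  BucketName:
    Value: !Ref BackupBucket
```

After deployment, `aws s3api get-object-lock-configuration --bucket <name>` should report `Mode: COMPLIANCE` and `Days: 90`, which is the check an auditor would expect to see.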