Which combination of steps will meet this new requirement?
(Choose three.)
Implement cross-account backup with AWS Backup vaults in designated non-production accounts.
Add an SCP that restricts the modification of AWS Backup vaults.
Implement AWS Backup Vault Lock in compliance mode.
Implement least privilege access for the IAM service role that is assigned to AWS Backup.
Configure the backup frequency, lifecycle, and retention period to ensure that at least one backup always exists in the cold tier.
Configure AWS Backup to write all backups to an Amazon S3 bucket in a designated non-production account. Ensure that the S3 bucket has S3 Object Lock enabled.
Explanations:
Implementing cross-account backup with AWS Backup vaults in designated non-production accounts ensures that backups are stored in separate accounts, reducing the risk of ransomware attacks compromising both production and backup data.
Adding a Service Control Policy (SCP) that restricts modification of AWS Backup vaults helps prevent unauthorized users (including privileged users) from altering backup settings or deleting backups, thus increasing the resilience to breaches.
AWS Backup Vault Lock in compliance mode prevents any modification or deletion of backups for a specified retention period, even by privileged users, providing an additional layer of protection against ransomware attacks.
While implementing least privilege access is generally a best practice, this option alone does not directly address the need for ransomware resilience in the context of backup protection. It’s important but not a sufficient step in this case.
Configuring the backup frequency, lifecycle, and retention period so that at least one backup always exists in the cold tier is helpful for long-term retention, but it does not address the core requirement: resilience to a credential breach during a ransomware attack.
Configuring AWS Backup to write backups to an Amazon S3 bucket in a non-production account with S3 Object Lock enabled is not as effective as using AWS Backup Vault Lock in compliance mode, as this method relies on additional manual configuration and does not provide the same level of automation and security specific to AWS Backup.
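As an added illustration of the two controls discussed above (the SCP that blocks vault modification and Vault Lock in compliance mode), the following Python is example code written for this explanation, not part of the original question or of AWS documentation. The SCP evaluator is a deliberately simplified model of SCP Deny semantics (explicit Deny wins, wildcard matching only), and the vault name and retention values are placeholders; the IAM action names and the Vault Lock request parameters are the real ones.

```python
"""Added example: model an SCP that denies vault tampering and build a
Vault Lock compliance-mode request. Constructed for illustration only."""
import fnmatch
import json

# Explicit Deny of the actions that would delete, shorten or re-scope a vault.
# Action names are real AWS Backup IAM actions; "Resource": "*" is a placeholder
# and would normally be narrowed to the protected vault ARNs.
BACKUP_PROTECTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyBackupVaultTampering",
            "Effect": "Deny",
            "Action": [
                "backup:DeleteBackupVault",
                "backup:DeleteRecoveryPoint",
                "backup:UpdateRecoveryPointLifecycle",
                "backup:DeleteBackupVaultLockConfiguration",
                "backup:PutBackupVaultAccessPolicy",
                "backup:DeleteBackupVaultAccessPolicy",
            ],
            "Resource": "*",
        }
    ],
}


def scp_denies(policy, action):
    """Return True if any Deny statement in the SCP matches the action.

    Simplified model: an SCP Deny is an explicit deny that no identity policy
    in the member account can override, so a match here means the call is
    blocked even for an administrator whose credentials were stolen.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        # IAM action matching is case-insensitive and supports '*' wildcards.
        if any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in actions):
            return True
    return False


def vault_lock_config(vault_name, min_days, max_days, changeable_for_days):
    """Build the request body for backup:PutBackupVaultLockConfiguration.

    Supplying ChangeableForDays (minimum 3) selects compliance mode: once the
    grace period ends the lock can no longer be removed or its minimum
    retention shortened. Omitting it yields governance mode, which a
    sufficiently privileged principal can still delete.
    """
    if changeable_for_days < 3:
        raise ValueError("compliance mode requires ChangeableForDays >= 3")
    if min_days > max_days:
        raise ValueError("MinRetentionDays must not exceed MaxRetentionDays")
    return {
        "BackupVaultName": vault_name,
        "MinRetentionDays": min_days,
        "MaxRetentionDays": max_days,
        "ChangeableForDays": changeable_for_days,
    }


def is_compliance_mode(config):
    """Compliance mode is selected by the presence of ChangeableForDays."""
    return "ChangeableForDays" in config


if __name__ == "__main__":
    # Constructed sample calls: a backup job may still run, deletions are blocked.
    for action in ["backup:StartBackupJob", "backup:DeleteRecoveryPoint",
                   "backup:deletebackupvault"]:
        verdict = "DENIED by SCP" if scp_denies(BACKUP_PROTECTION_SCP, action) else "not blocked by SCP"
        print(f"{action}: {verdict}")
    cfg = vault_lock_config("prod-backups-vault", 30, 365, 3)  # placeholder values
    print(json.dumps(cfg, indent=2))
    # With boto3 this body is passed unchanged to
    # boto3.client("backup").put_backup_vault_lock_configuration(**cfg)
```

Running the script shows why the two controls are complementary: the SCP stops a compromised production identity from deleting recovery points or loosening the vault policy, while the compliance-mode lock makes the retention floor immutable even for principals the SCP does not cover (such as the management account itself).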