Which solution will meet these requirements with the LEAST administrative effort?
Create an IAM role that has permission to delete snapshots. Attach the role to a new EC2 instance. Use the AWS CLI from the new EC2 instance to delete snapshots.
Create an IAM policy that denies snapshot deletion. Attach the policy to the storage administrator user.
Add tags to the snapshots. Create retention rules in Recycle Bin for EBS snapshots that have the tags.
Lock the EBS snapshots to prevent deletion.
Explanations:
Creating an IAM role and using an EC2 instance with the AWS CLI does not prevent the accidental deletion of snapshots. It requires additional manual intervention and does not fulfill the requirement of preventing accidental deletion with minimal effort.
Denying snapshot deletion through an IAM policy will affect the storage administrator’s permissions, which contradicts the requirement to avoid changing the administrative rights of the storage administrator.
Using retention rules in Recycle Bin is not a direct mechanism to prevent snapshot deletion. It helps recover snapshots after deletion, but it does not prevent deletion from occurring in the first place.
Locking EBS snapshots using the EBS Snapshot Lock feature prevents deletion, ensuring compliance without changing administrative rights or requiring manual intervention. This is the simplest and most effective solution.