Which solution would solve this problem?
Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion.
Use AWS Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.
Create a new AWS account with limited privileges. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recurring basis.
Use AWS Backup to copy EBS snapshots to Amazon S3.
Explanations:
Moving snapshots through lifecycle policies to Amazon S3 and then to S3 Glacier can improve retention, but it does not prevent deletion of the EBS snapshots if the AWS account is compromised: the lifecycle policies live in the same account and can be altered or deleted by whoever controls it. Glacier Vault Lock also applies only to S3 Glacier vaults, not to EBS snapshots, so it may not prevent the access or deletion scenarios that affect the snapshots themselves.
Using AWS Systems Manager to perform local backups to Amazon S3 provides a method to back up data, but it does not specifically address the issue of EBS snapshots being deleted if the AWS account is compromised. Furthermore, it may not capture the exact state of EBS volumes as snapshots do, and management of local backups can become complex.
Creating a new AWS account with limited privileges and allowing it to access the AWS KMS key for the EBS snapshots is a robust strategy. By copying the encrypted snapshots to the new account on a recurring basis, the company ensures that even if the primary account is compromised and snapshots are deleted, backups remain intact in a separate account. This separation reduces the risk of simultaneous compromise and loss of data.
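The cross-account copy described above, as an added example that is not part of the original question and not an AWS reference implementation: a scheduled boto3 job in which the production account shares each new encrypted snapshot with the backup account, and the backup account copies it under a KMS key it owns. The account id, key alias, region and CLI profile names are placeholders; the KMS actions listed are the ones the EBS snapshot-sharing documentation requires the source key policy to grant the target account.

```python
from datetime import datetime, timedelta, timezone

# KMS actions the production key policy must grant the backup account so CopySnapshot can
# read the source snapshot's data key (per the EBS "share an encrypted snapshot" requirements).
REQUIRED_KMS_ACTIONS = ["kms:DescribeKey", "kms:ReEncrypt*", "kms:CreateGrant", "kms:Decrypt"]

def backup_account_key_statement(backup_account_id):
    """Statement to add to the production key policy: one principal, only the copy actions.
    Nothing here lets the backup account delete or modify anything in the production account."""
    return {"Sid": "AllowBackupAccountSnapshotCopy", "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{backup_account_id}:root"},
            "Action": REQUIRED_KMS_ACTIONS, "Resource": "*"}

def new_completed_snapshots(src_ec2, since):
    """Production account: ids of its own completed snapshots started at or after `since`."""
    resp = src_ec2.describe_snapshots(OwnerIds=["self"],
                                      Filters=[{"Name": "status", "Values": ["completed"]}])
    return [s["SnapshotId"] for s in resp["Snapshots"] if s["StartTime"] >= since]

def share_snapshot(src_ec2, snapshot_id, backup_account_id):
    """Production account: grant the backup account read access to one snapshot."""
    src_ec2.modify_snapshot_attribute(SnapshotId=snapshot_id, Attribute="createVolumePermission",
                                      OperationType="add", UserIds=[backup_account_id])

def copy_to_backup_account(dst_ec2, snapshot_id, source_region, backup_kms_key_id):
    """Backup account: copy the shared snapshot, re-encrypted under a key the backup account owns,
    so the copy stays usable even if the production key is disabled or the account is lost."""
    resp = dst_ec2.copy_snapshot(SourceRegion=source_region, SourceSnapshotId=snapshot_id,
                                 Encrypted=True, KmsKeyId=backup_kms_key_id,
                                 Description=f"Cross-account backup of {snapshot_id}")
    return resp["SnapshotId"]

def run_backup_cycle(src_ec2, dst_ec2, backup_account_id, source_region, backup_kms_key_id, since):
    """One scheduled run: share each new snapshot, then pull a copy into the backup account.
    Returns {source_snapshot_id: backup_snapshot_id}."""
    copies = {}
    for snap_id in new_completed_snapshots(src_ec2, since):
        share_snapshot(src_ec2, snap_id, backup_account_id)
        copies[snap_id] = copy_to_backup_account(dst_ec2, snap_id, source_region, backup_kms_key_id)
    return copies

if __name__ == "__main__":  # live run; assumes "prod" and "backup" CLI profiles (placeholders)
    import boto3
    prod = boto3.Session(profile_name="prod").client("ec2", region_name="us-east-1")
    backup = boto3.Session(profile_name="backup").client("ec2", region_name="us-east-1")
    print(run_backup_cycle(prod, backup, "222222222222", "us-east-1", "alias/ebs-backup",
                           datetime.now(timezone.utc) - timedelta(days=1)))
```

The backup account's own IAM policies should still deny snapshot deletion to everyone except a break-glass role, since the point of the second account is that production credentials alone cannot reach the copies.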
AWS Backup can manage and automate EBS snapshot backups, but it typically operates within the same account, so if that account is compromised it does not by itself protect the snapshots from deletion. It also does not copy snapshots to Amazon S3; it manages them within the AWS services that own them. It therefore does not address the underlying problem of protecting against account-level compromise.