SCS-C02 Question #128: Real Exam Question with Answer & Explanation
Correct answer: A
Question
A security engineer needs to implement a write-once-read-many (WORM) model for data that a company will store in Amazon S3 buckets. The company uses the S3 Standard storage class for all of its S3 buckets. The security engineer must ensure that objects cannot be overwritten or deleted by any user, including the AWS account root user. Which solution will meet these requirements?
Options
- A. Create new S3 buckets with S3 Object Lock enabled in compliance mode. Place objects in the S3
- B. Use S3 Glacier Vault Lock to attach a Vault Lock policy to new S3 buckets. Wait 24 hours to
- C. Create new S3 buckets with S3 Object Lock enabled in governance mode. Place objects in the
- D. Create new S3 buckets with S3 Object Lock enabled in governance mode. Add a legal hold to the
Explanation
S3 Object Lock in compliance mode is the only option that immutably protects objects from all users, including the AWS account root user, for the duration of the retention period. Once an object is locked in compliance mode, no one (not even root) can shorten its retention period, delete the object version, or change the retention mode; this directly satisfies the WORM requirement.
Option B is wrong because S3 Glacier Vault Lock applies to Glacier vaults, not to S3 buckets using the S3 Standard storage class, which the question explicitly requires.
Option C is wrong because governance mode allows any principal with the s3:BypassGovernanceRetention permission to override retention or delete objects; the root user has that permission, which violates the requirement.
Option D fails for the same governance mode reason; additionally, a legal hold can be removed by any user with the s3:PutObjectLegalHold permission, so it does not guarantee immutability against all users.
Memory tip: Think "C for Compliance = Carved in stone" - compliance mode is permanent and untouchable by anyone, while governance mode gives administrators a "get out of jail" override, making it unsuitable when even the root user must be locked out.