Q49 — AWS SAA-C03 Ch.1


Q49. A company uses Amazon S3 to store its confidential audit documents. The S3 bucket uses bucket policies to restrict access to audit team IAM user credentials according to the principle of least privilege. Company managers are worried about accidental deletion of documents in the S3 bucket and want a more secure solution. What should a solutions architect do to secure the audit documents?

Correct Answer: A. Enable the versioning and MFA Delete features on the S3 bucket

Explanation

To secure the audit documents stored in the Amazon S3 bucket and protect against accidental deletion, a solutions architect should choose option A: Enable the versioning and MFA Delete features on the S3 bucket. Here's how this solution enhances security:

1. Versioning: With versioning enabled on the S3 bucket, every overwrite or deletion of an object creates a new version (or a delete marker) instead of permanently removing the object. Previous versions of the documents can be restored easily after an accidental deletion or modification.

2. MFA Delete: Enabling MFA Delete adds an extra layer of protection by requiring multi-factor authentication (MFA) before a version can be permanently deleted or the bucket's versioning state can be changed. Only a user with physical access to the MFA device can perform these actions. Note that MFA Delete can only be enabled by the root user of the bucket-owning account, and only through the AWS CLI or API, not the console.

By enabling versioning and MFA Delete, the company gains the following:

- Accidental deletion protection: With versioning, accidental deletions can be reversed by restoring previous versions of the documents. This adds a level of data protection and reduces the risk of permanent loss.

- Granular control: MFA Delete ensures that even if an unauthorized person obtains an IAM user's credentials, they cannot permanently delete objects from the S3 bucket without the additional MFA authentication.

Option B suggests enabling MFA on the IAM user credentials, but this alone does not protect against accidental deletion. MFA only adds an authentication factor during user login; it does not prevent the user from unintentionally deleting objects.

Option C suggests adding an S3 Lifecycle policy to deny the s3:DeleteObject action during audit dates. While this might prevent accidental deletions during specific periods, it does not provide a comprehensive solution for protecting the documents against accidental deletion in general.

Option D suggests using AWS Key Management Service (AWS KMS) to encrypt the S3 bucket and restrict access to the KMS key. While encryption is an important security measure, it does not address the concern of accidental deletion of documents.