
Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 337 discussion

A company runs applications in hundreds of production AWS accounts. The company uses AWS Organizations with all features enabled and has a centralized backup operation that uses AWS Backup.

The company is concerned about ransomware attacks. To address this concern, the company has created a new policy that all backups must be resilient to breaches of privileged-user credentials in any production account.

Which combination of steps will meet this new requirement? (Choose three.)

  • A. Implement cross-account backup with AWS Backup vaults in designated non-production accounts.
  • B. Add an SCP that restricts the modification of AWS Backup vaults.
  • C. Implement AWS Backup Vault Lock in compliance mode.
  • C. Implement least privilege access for the IAM service role that is assigned to AWS Backup.
  • D. Configure the backup frequency, lifecycle, and retention period to ensure that at least one backup always exists in the cold tier.
  • E. Configure AWS Backup to write all backups to an Amazon S3 bucket in a designated non-production account. Ensure that the S3 bucket has S3 Object Lock enabled.
Suggested Answer: ABC

Comments

ayadmawla
Highly Voted 1 year, 4 months ago
Selected Answer: ABC
The solution is A, B and C1. We need to create a cross-account backup -> put it in a backup account -> control modification to the backup account with an SCP. A. Implement cross-account backup with AWS Backup vaults in designated non-production accounts. https://docs.aws.amazon.com/aws-backup/latest/devguide/manage-cross-account.html B. Add an SCP that restricts the modification of AWS Backup vaults. https://aws.amazon.com/blogs/storage/managing-access-to-backups-using-service-control-policies-with-aws-backup/ C1. Implement AWS Backup Vault Lock in compliance mode. https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html
upvoted 12 times
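As an added example that is not part of this thread or of AWS's own documentation: a small Python model of the two controls this answer relies on, the SCP that denies vault modification (shaped like the pattern in the SCP blog post linked above) and Vault Lock in compliance mode, with a check of how each behaves against a compromised administrator in a member account. The role name `BackupAdminRole`, the vault name and the retention values are placeholders; the model covers only the slice of IAM policy grammar used by the SCP below and never calls AWS.

```python
"""Model of two AWS Backup ransomware controls (added example, not AWS code):
an SCP that denies vault tampering, and Vault Lock in compliance mode."""
import fnmatch

# Placeholder: the one role allowed to manage vaults, exempted from the Deny.
BACKUP_ADMIN_ROLE = "arn:aws:iam::*:role/BackupAdminRole"

# SCP attached to the production OUs. Explicit Deny wins over any Allow a
# member-account admin grants themselves; it does NOT bind principals in the
# organization's management account, who can also detach the SCP itself.
VAULT_PROTECTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyBackupVaultTampering",
            "Effect": "Deny",
            "Action": [
                "backup:DeleteBackupVault",
                "backup:DeleteRecoveryPoint",
                "backup:PutBackupVaultAccessPolicy",
                "backup:DeleteBackupVaultAccessPolicy",
                "backup:DeleteBackupVaultLockConfiguration",
                "backup:UpdateRecoveryPointLifecycle",
            ],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": BACKUP_ADMIN_ROLE}},
        }
    ],
}


def scp_denies(scp, action, principal_arn):
    """True if a Deny statement matches the action and the principal is not
    exempted by the statement's ArnNotLike condition."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        exempt_list = exempt if isinstance(exempt, list) else ([exempt] if exempt else [])
        if any(fnmatch.fnmatchcase(principal_arn, pattern) for pattern in exempt_list):
            continue  # ArnNotLike is false for this principal, so the Deny does not apply
        return True
    return False


def vault_lock_request(vault_name, min_retention_days, max_retention_days, changeable_for_days=None):
    """Parameters for the PutBackupVaultLockConfiguration API. Omitting
    ChangeableForDays gives governance mode (a privileged user can remove the
    lock); supplying it (minimum 3) gives compliance mode: once the cooling-off
    period ends, no principal, root included, can remove or loosen the lock."""
    if min_retention_days < 1 or max_retention_days < min_retention_days:
        raise ValueError("retention window is invalid")
    params = {
        "BackupVaultName": vault_name,
        "MinRetentionDays": min_retention_days,
        "MaxRetentionDays": max_retention_days,
    }
    if changeable_for_days is not None:
        if changeable_for_days < 3:
            raise ValueError("compliance mode requires ChangeableForDays >= 3")
        params["ChangeableForDays"] = changeable_for_days
    return params


def lock_mode(params):
    return "compliance" if "ChangeableForDays" in params else "governance"


def deletion_blocked_for_privileged_user(params, days_since_lock, recovery_point_age_days):
    """Whether the lock guarantees that a recovery point younger than
    MinRetentionDays survives an attacker holding admin credentials."""
    if recovery_point_age_days >= params["MinRetentionDays"]:
        return False  # past minimum retention, lock no longer protects it
    if lock_mode(params) == "governance":
        return False  # attacker can delete the lock first, then the backup
    return days_since_lock >= params["ChangeableForDays"]


if __name__ == "__main__":
    attacker = "arn:aws:iam::111111111111:role/Admin"  # constructed ARN
    print("SCP blocks attacker DeleteRecoveryPoint:",
          scp_denies(VAULT_PROTECTION_SCP, "backup:DeleteRecoveryPoint", attacker))
    lock = vault_lock_request("central-vault", 30, 365, changeable_for_days=3)
    print(lock_mode(lock), "lock protects 5-day-old backup after 10 days:",
          deletion_blocked_for_privileged_user(lock, 10, 5))
```

The two checks complement each other in the way the thread argues: the SCP stops a member-account admin outright but not the management account, while a compliance-mode lock holds against every principal once its cooling-off period has elapsed.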
devalenzuela86
Highly Voted 1 year, 5 months ago
Selected Answer: ACE
ACE for sure. A. Implement cross-account backup with AWS Backup vaults in designated non-production accounts. This will allow the company to securely copy their backups to other accounts that are part of their organization for operational or security reasons. C. Implement AWS Backup Vault Lock in compliance mode. This will provide an additional layer of protection and immutability to the backup vaults, preventing any user (including the root user) or AWS from deleting or modifying the backups until the retention period is complete. E. Configure the backup frequency, lifecycle, and retention period to ensure that at least one backup always exists in the cold tier. This will help the company to avoid accidental or malicious deletion of backups by enforcing a minimum retention period and moving the backups to a lower-cost storage tier.
upvoted 8 times
titi_r
1 year ago
A, C1, D you mean.
upvoted 1 times
tiagobs
1 year, 4 months ago
ACD you mean?
upvoted 4 times
sashenka
Most Recent 5 months, 3 weeks ago
In a ransomware scenario where an attacker gains highly privileged access, both B and C2 can be bypassed. However, C2 (least privilege) offers a slightly stronger defense in this specific case. Here's why: If the attacker compromises an account with permissions to manage backups but not to manage SCPs, least privilege will still restrict their ability to delete or modify backups directly, even if they can't disable the SCP. An SCP, on the other hand, provides no additional protection if the attacker has the permissions to modify SCPs. The Verdict: While both B and C2 are important security practices, C2 (least privilege) is slightly better than B (SCPs) for mitigating the specific risk of ransomware attacks involving privileged credential compromise. However, neither is as effective as C1 (Vault Lock) and A (Cross-account backups).
upvoted 1 times
sashenka
5 months, 3 weeks ago
Please delete above. Correction to ABC
upvoted 1 times
Sin_Dan
6 months, 2 weeks ago
Selected Answer: BCD
Why would you store a backup of a production environment in a non-production environment? That itself adds a security risk, and in my opinion it removes options A and E from my choice. Also, option D doesn't address the main concern. Options B, C and E look to solve the purpose effectively, at least with the given choices, and thus those are my choices.
upvoted 2 times
vip2
9 months, 3 weeks ago
Selected Answer: ACD
A, C (C1), D are correct in the question.
upvoted 1 times
vip2
9 months, 3 weeks ago
Selected Answer: ACD
ACD are correct, that is A, C1 and D in question.
upvoted 1 times
Training
10 months, 1 week ago
Should be BCD. https://aws.amazon.com/blogs/storage/managing-access-to-backups-using-service-control-policies-with-aws-backup/ Cross-Account is not feasible. Hundreds of accounts.
upvoted 1 times
trungtd
10 months, 3 weeks ago
Selected Answer: ACD
A, C1, D. B is incorrect: concern of compromised credentials: SCPs could potentially be modified by a user with sufficient privileges in the organization's master account. C2: good for ensuring backup availability but does not directly address resilience against breaches of privileged-user credentials. E: provides similar benefits to using AWS Backup Vault Lock but is more complex to manage. AWS Backup Vault Lock is specifically designed for backup resilience and is more straightforward to implement within AWS Backup's framework.
upvoted 2 times
red_panda
11 months, 1 week ago
Selected Answer: ABC
A, B, C for me.
upvoted 2 times
sarlos
11 months, 1 week ago
ABC1 is the answer
upvoted 1 times
paderni
11 months, 1 week ago
A. Implement cross-account backup with AWS Backup vaults in designated non-production accounts. C. Implement AWS Backup Vault Lock in compliance mode. E. Configure AWS Backup to write all backups to an Amazon S3 bucket in a designated non-production account. Ensure that the S3 bucket has S3 Object Lock enabled.
upvoted 1 times
seetpt
1 year ago
Selected Answer: ABC
ABC for me
upvoted 2 times
hogtrough
1 year, 1 month ago
Selected Answer: ABC
ABC is definitely the answer. D. Configuring backup frequency does not do anything to prevent breaches. E. AWS Backup does not currently support S3 as a storage location for backups. You can use AWS Backup to make a backup of S3 buckets but cannot use it to store backups.
upvoted 6 times
arberod
1 year, 2 months ago
Selected Answer: ACD
ACD for sure
upvoted 3 times
chelbsik
1 year, 2 months ago
Selected Answer: ABC
ABC seems more reasonable over D (E). As others mentioned, configuring backups doesn't protect from a compromised-credentials attack. Moderator, please fix the answer letter order.
upvoted 4 times
tmlong18
1 year, 3 months ago
Selected Answer: ABC
ABC1 for sure
upvoted 4 times
vibzr2023
1 year, 3 months ago
Answer: ACC (ACD). There is a typo in the question: the second C should be D, D should be E, E should be F. That said, the other options: B. SCP restricting vault modification: offers a good layer of protection, but doesn't directly address the concern of compromised credentials in production accounts. E. Cold tier backups: ensures backup accessibility in case of attacks, but doesn't specifically protect against compromised credentials. F. S3 Object Lock: provides immutability within the non-production account, but if that account is breached, backups could still be compromised.
upvoted 5 times
Community vote distribution: A (35%), C (25%), B (20%), Other