ACE for sure A. Implement cross-account backup with AWS Backup vaults in designated non-production accounts. This will allow the company to securely copy their backups to other accounts that are part of their organization for operational or security reasons1. C. Implement AWS Backup Vault Lock in compliance mode. This will provide an additional layer of protection and immutability to the backup vaults, preventing any user (including the root user) or AWS from deleting or modifying the backups until the retention period is complete2. E. Configure the backup frequency, lifecycle, and retention period to ensure that at least one backup always exists in the cold tier. This will help the company to avoid accidental or malicious deletion of backups by enforcing a minimum retention period and moving the backups to a lower-cost storage tier2.

The solution is A, B and C1. We need to create a Cross Account Backup -> Put it in a Backup Account -> Control modification to the backup account with SCP. A. Implement cross-account backup with AWS Backup vaults in designated non-production accounts. https://docs.aws.amazon.com/aws-backup/latest/devguide/manage-cross-account.html B. Add an SCP that restricts the modification of AWS Backup vaults. https://aws.amazon.com/blogs/storage/managing-access-to-backups-using-service-control-policies-with-aws-backup/ C1. Implement AWS Backup Vault Lock in compliance mode. https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html

ABC For me

ABC is definitely the answer. D. Configuring backup frequency does not do anything to prevent breaches E. AWS backup does not currently support S3 as a storage location for backups. You can use AWS backup to make a backup of S3 buckets but cannot use it to store backups.

ACD for sure

ABC seems more reasonable over D(E) - as others mentioned, configuring backup doesn't protect from compromised creds attack. Moderator, please fix the answer letters order

ABC1 for sure

Answer : ACC ( ACD).. there is typo in question second C should be D, D should be E, E should be F.. saying that the other options B. SCP restricting vault modification: Offers a good layer of protection, but doesn't directly address the concern of compromised credentials in production accounts. E. Cold Tier backups: Ensures backup accessibility in case of attacks, but doesn't specifically protect against compromised credentials. F. S3 Object Lock: Provides immutability within the non-production account, but if that account is breached, backups could still be compromised.

A, C, D

ABC are obvious correct. The question is why the rest of the answers are wrong. C. Implement least privilege access for the IAM service role that is assigned to AWS Backup. The question is looking for solution that survive privilege access breach. No matter how least privilege is granted, there must be other privilege users which can get more privileges. . D. Configure the backup frequency, lifecycle, and retention period to ensure that at least one backup always exists in the cold tier. Lifecycle doesn't prevent the backups to be deleted . E. Configure AWS Backup to write all backups to an Amazon S3 bucket in a designated non-production account. Ensure that the S3 bucket has S3 Object Lock enabled. AWS backup doesn't support S3 as the storage.

ABC for sure

wait what ?? C. Implement AWS Backup Vault Lock in compliance mode. C. Implement least privilege access for the IAM service role that is assigned to AWS Backup.

https://aws.amazon.com/backup/faqs/

ACD ANS How does the AWS Backup lifecycle feature work? The AWS Backup lifecycle feature can automatically transition your recovery points from a warm storage tier to a lower-cost cold storage tier. Cold storage tier is available only for backups of EFS, DynamoDB, Timestream and VMware virtual machines.

How does the AWS Backup lifecycle feature work? The AWS Backup lifecycle feature can automatically transition your recovery points from a warm storage tier to a lower-cost cold storage tier. Cold storage tier is available only for backups of EFS, DynamoDB, Timestream and VMware virtual machines.

The answer is ABC

While AWS Backup can be used to backup data stored in Amazon S3, it does not use S3 as a DataVaul, There option E is out