Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 417 discussion

S3 Object Lock - prevents objects from being deleted or overwritten for a fixed amount of time or indefinitely, adding a layer of protection against malicious or accidental deletion. Replication - to a new account limits the risk of a single point of compromise; even if attackers gain access to the original account, they cannot alter or delete the locked objects in the replicated bucket. Versioning - keeps multiple versions of an object in an S3 bucket, providing additional security and recovery options.

Option D is the only option that addresses security risk. Option A is not addressing this - Replicating existing bucket to another bucket does not eliminate the risk due to original bucket credential leak.

I will go with B. As option A does not protect the original bucket

Option A, the company can effectively isolate sensitive data in a separate, secure account with strict access controls, while ensuring that both existing and future data are protected against unauthorized access, deletion, or modification, even if the original account's credentials are compromised. The other options do not provide the same level of protection or have limitations: Option B relies on AWS Config and automatic remediation, which may not be effective if the attacker gains access to the account and disables or modifies these configurations. Option C focuses on controlling bucket creation but does not address the protection of existing data or objects in the current bucket. Option D relies on Amazon GuardDuty, which is a threat detection service and does not provide the same level of data protection as S3 Versioning and Object Lock.

The correct answer to this question is Option C. Explicitly denying bucket creation from all users and roles except for an AWS Service Catalog launch constraint role, defining a Service Catalog product for the creation of the S3 bucket, and forcing S3 Versioning and MFA Delete ensures that existing and future objects in the S3 bucket are protected. This option provides explicit access controls for S3 bucket creation and forces S3 versioning and MFA Delete on noncompliant resources, making it the most suitable solution to address the security concerns of the company. Option A is not the best choice because creating a new AWS account can introduce complexity and create a single point of failure. While Options B and D offer some benefits, they do not provide explicit access controls for S3 bucket creation, which is essential for protecting sensitive data.

Eliminate C & D

A assume role to provide short-term credential

Option A: Amazon S3 now allows you to enable S3 Object Lock for existing buckets with just a few clicks and to enable S3 Replication for buckets using S3 Object Lock https://aws.amazon.com/about-aws/whats-new/2023/11/amazon-s3-enabling-object-lock-buckets/#:~:text=To%20lock%20existing%20objects%2C%20you,of%20objects%20at%20a%20time.

The question is, as so often, misleading. None of the alternatives deal with _access_, only with modification.

The question is looking for solution for “concerned that an attacker could gain access to the AWS account through leaked long-term credentials”. None of the answer is addressing the concern of “Access” Through “leaked long-term credentials”. The is question doesn’t mention anything about data loss concerns, while, all the answers are providing protection for deleting the data.

Answer is D. It's the only one that specifically addresses the issue. The question never said only the security team needs access.

https://repost.aws/knowledge-center/s3-cross-account-replication-object-lock

A ans : https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html

Correct Answer is A