Exam AWS Certified Big Data - Specialty topic 1 question 33 discussion

Should be A. Vault access policy can be modified, so it mean the data can be tampered when someone change the vault access policy. Vault lock policy cannot be modified, so it can say 'never be tampered'

A for sure. https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html "As an example of a Vault Lock policy, suppose that you are required to retain archives for one year before you can delete them. To implement this requirement, you can create a Vault Lock policy that denies users permissions to delete an archive until the archive has existed for one year. You can test this policy before locking it down." You can also find a policy with a Deny effect on "glacier:DeleteArchive" action on the same link.

A. Because the data requires NEVER be tampered, after uploaded.

Should be A : AWS Docs : https://d1.awsstatic.com/Projects/P4113791/aws-project_set-up-compliant-archive.pdf Page 4 : A vault lock policy is different than a vault access policy. Both policies govern access controls to your vault. However, a vault lock policy can be locked to prevent future changes, providing strong enforcement for your compliance controls. You can use the vault lock policy to deploy regulatory and compliance controls, which typically require tight controls on data access. In contrast, you use a vault access policy to implement access controls that are not compliance related, temporary, and subject to frequent modification. Vault lock and vault access policies can be used together. For example, you can implement time-based data retention rules in the vault lock policy (deny deletes), and grant read access to designated third parties or your business partners (allow reads).

Answer is A based on AWS Documentation below. An Amazon S3 Glacier (S3 Glacier) vault can have one resource-based vault access policy and one Vault Lock policy attached to it. A Vault Lock policy is a vault access policy that you can lock. Using a Vault Lock policy can help you enforce regulatory and compliance requirements. Amazon S3 Glacier provides a set of API operations for you to manage the Vault Lock policies, see Locking a Vault by Using the Amazon S3 Glacier API. https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html As an example of a Vault Lock policy, suppose that you are required to retain archives for one year before you can delete them. To implement this requirement, you can create a Vault Lock policy that denies users permissions to delete an archive until the archive has existed for one year. You can test this policy before locking it down. After you lock the policy, the policy becomes immutable. For more information about the locking process, see Amazon S3 Glacier Vault Lock. If you want to manage other user permissions that can be changed, you can use the vault access policy (see Amazon S3 Glacier Access Control with Vault Access Policies).

A "A vault lock policy is different than a vault access policy. Both policies govern access controls to your vault. However, a vault lock policy can be locked to prevent future changes, providing strong enforcement for your compliance controls. You can use the vault lock policy to deploy regulatory and compliance controls, which typically require tight controls on data access. In contrast, you use a vault access policy to implement access controls that are not compliance related, temporary, and subject to frequent modification" https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock.html

i think it should be A. "You can use the Vault Lock policy to deploy regulatory and compliance controls that are typically restrictive and are “set and forget” in nature." Here also they use the word 'Never

my selection A

Answer: A https://aws.amazon.com/glacier/faqs/ -- refer Vault Lock section

You can now create a Vault Lock policy on a vault, and after it is locked, the policy cannot be overwritten or deleted. For SaaS, one should have chance to delete customers' data. Any suggestions?

It would be A over C since Vault Lock policy is immutable and it satisfies the requirement that data will never be tampered once uploaded.

Answer is A A Glacier "vault access policy" is a resource based policy that you can use to manage permissions to your vault.You can modify permissions in a Vault access policy at any time. A Glacier "vault lock policy" is vault access policy that can be locked. After you lock a vault lock policy, the policy cannot be changed. You can use a vault lock policy to enforce compliance controls. You can enforce the requirement by implementing the following vault lock policy: "glacier:DeleteArchieve" action on the vault.

I will go with A. As there is no "glacier:DeleteArchive" option in Vault Access Policy

Should be A https://aws.amazon.com/glacier/faqs/ a Vault Lock policy can be made immutable ....

It is C

I think it is "A" (vault lock) ..because the question says "..makes sure that data will never be tampered with once it has been uploaded..." . If it is vault-access, you can change it after anytime and this is not permitted according the question.

policy name is vault lock policy. but the configuration is being done with vaul-access-policy c is the answer.