Exam AWS Certified Security - Specialty topic 1 question 2 discussion

A is the answer https://docs.aws.amazon.com/amazonglacier/latest/dev/api-AbortVaultLock.html

What can you do then if you've erroneously validated the lock ID and 24 hours have elapsed?

Vault access policy is different from Vault lock policy. In this case, the options are not clear about which policy they are. Reading the question, it's about the access, so it appears if we update the vault access policy(which can be updated anytime) is more than sufficient. So I would go for C. Vault lock policy is primarily to avoid anyone deleting the object, it is not about un-intended access.

Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again

In this scenario, you can simply update the existing policy with the correct configuration and call the initiate-vault-lock operation again to apply the updated policy. This allows you to rectify the typo and enforce the intended access controls without the need for additional data transfers or recreating the vault. Option A (calling abort-vault-lock and initiate-vault-lock again) would effectively remove the vault lock and reapply it with the correct policy, but it may incur additional costs and may not be as efficient as updating the policy directly.

The correct answer is: A. Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again. Explanation: The Amazon S3 Glacier vault lock policy allows you to deploy and enforce compliance controls for individual S3 Glacier vaults with a vault lock policy. Once you lock the policy, you can no longer change it. However, before the policy is locked, you can call the abort-vault-lock operation to stop the lock process, correct your policy, and then start the initiate-vault-lock operation again. This is the most cost-effective way because you won't incur data transfer costs or need to manage a new vault or bucket. Other options like copying data to a new bucket or updating the policy while keeping the vault lock in place are not possible once the vault lock is initiated.

The most cost-effective way to correct the typo in the policy that is allowing unintended access to the vault is to call the **abort-vault-lock** operation, fix the typo in the policy and call the **initiate-vault-lock** operation again.

A direct update of vault policy and re-initiate Vault lock will fail with a AccesDenied Error as the lock is in-Progress Vault Lock stage and as 24 hrs is not yet completed. Even if invalid LockId is presented, it will return a Invalid parameter and continue in InProgress stage. If 24 hrs were not completed and Lock ID was provided it will enter Complete Vault-Lock state or if not provided it will automatically exit and the vault policy will be removed after 24 hrs. But this is risky as this is case of unintended access Other method is to initiate a AbortLock or Deletelock policy. Update the policy and initiate Vault Lock policy

A is correct

Why not D ? It looks like the Initiate would auto revert without locking so no need to manually Abort before fixing the policy and re-Initiating lock ? "If you don't complete the Vault Lock process within 24 hours after entering the in-progress state, your vault automatically exits the in-progress state, and the Vault Lock policy is removed. You can call Initiate Vault Lock again to install a new Vault Lock policy and transition into the in-progress state." from the same URL

You have 24 hours to abort the lock after it's created. "If you don't complete the Vault Lock process within 24 hours after entering the in-progress state, your vault automatically exits the in-progress state, and the Vault Lock policy is removed. You can call Initiate Vault Lock again to install a new Vault Lock policy and transition into the in-progress state. The in-progress state provides the opportunity to test your Vault Lock policy before you lock it. Your Vault Lock policy takes full effect during the in-progress state just as if the vault has been locked, except that you can remove the policy by calling Abort Vault Lock (DELETE lock-policy). To fine-tune your policy, you can repeat the Abort Vault Lock/Initiate Vault Lock combination as many times as necessary to validate your Vault Lock policy changes."

To fine-tune your policy, you can repeat the Abort Vault Lock/Initiate Vault Lock combination as many times as necessary to validate your Vault Lock policy changes.

Answer: A https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-how-to-api.html