ISC2 Certified Cloud Security Professional (CCSP) Practice Question

A financial services company must retain compliance audit logs for seven years in write-once-read-many (WORM) form. After the first 30 days, the logs are rarely accessed and the firm wants to minimize storage cost without sacrificing durability. Which cloud-native design best satisfies these requirements?

Export the logs to a managed NFS file share replicated across regions using active-active sync.
Store the logs in object storage with an immutable (object-lock) policy and a lifecycle rule that moves objects to the provider's archival tier after 30 days.
Place the logs on encrypted, multi-zone replicated block volumes configured for continuous incremental backups.
Write the logs to high-performance ephemeral SSD attached to each compute instance and take daily snapshots to another region.

Report Issue

Answer Description

Most public-cloud object storage platforms (for example, AWS S3, Azure Blob, GCP Cloud Storage) support an "object lock" or "immutable blob" feature that enforces WORM retention. When combined with a lifecycle policy that automatically transitions data to a cold or archival tier after 30 days, the data remains immutable for the required period, enjoys very high durability (often eleven nines), and costs are reduced because long-term data sits on lower-priced archival media.

Ephemeral instance storage is deleted on VM stop or failure, so it cannot satisfy any retention requirement. Block volumes-even if encrypted and replicated-do not offer native WORM controls and are usually more expensive for infrequently accessed data. Managed file shares provide POSIX/NFS semantics but likewise lack integrated WORM enforcement and low-cost archival tiers. Therefore, immutable object storage with lifecycle transition is the only option that meets all constraints.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.