ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company stores project deliverables in an Amazon S3 bucket. A court issues a litigation hold on a subset of those objects. The bucket is version-enabled and has a lifecycle rule that moves objects to S3 Glacier after 30 days; developers currently have permission to delete objects. To satisfy eDiscovery preservation requirements, you must ensure the specified data cannot be altered or removed while keeping administrative overhead low. Which action provides the most appropriate solution?
Attach an IAM policy that denies all users the s3:DeleteObject action on the bucket and enable CloudTrail logging.
Enable S3 Object Lock in Compliance mode on the affected objects and apply a legal hold until the litigation is cleared.
Copy the objects to an on-premises read-only file server and delete them from the S3 bucket to prevent changes.
Suspend the bucket's lifecycle policy and rely on S3 versioning to recover any objects that might be deleted.
Amazon S3 Object Lock lets you place objects in a write-once-read-many (WORM) state. Enabling Object Lock in Compliance mode means no user, not even the root account, can modify or delete protected objects until the retention period or legal hold is cleared, meeting strict litigation-hold and eDiscovery requirements. Adding a legal hold flag allows indefinite protection without setting a retention expiry. Merely suspending lifecycle policies or relying on versioning still allows privileged users to delete object versions, violating preservation obligations. Copying data on-premises and deleting it from S3 breaks chain-of-custody and complicates discovery. An IAM deny statement prevents deletes but cannot block overwrites and is reversible by an administrator, so it lacks the immutability assurances required for legal holds.
Exam domain: Systems and Application Security