AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct answer describes a multi-layered, best-practice approach for ransomware resilience. Designating a separate, hardened AWS account as a backup archive and delegating it for backup administration isolates the backups from the source application accounts. Using AWS Backup to centrally manage policies across the AWS Organization simplifies governance. Storing backups in a vault within this central account, and then enabling AWS Backup Vault Lock in compliance mode, makes the recovery points immutable. Once locked in compliance mode, no user, including the root user, can alter or delete the recovery points before the retention period expires, providing strong protection against malicious or accidental deletion. Finally, replicating the backups to another vault in a different AWS Region provides disaster recovery capabilities.

Using AWS Backup within each account and attaching a permissions boundary is insufficient because a compromised administrative user in the source account could potentially modify or remove the IAM boundary, nullifying the protection. The backups are not sufficiently isolated.

Using custom scripts managed by Systems Manager is operationally complex and lacks the built-in immutability and governance features of AWS Backup Vault Lock. This approach is more prone to misconfiguration and does not provide the same level of security as a managed service designed for this purpose.

A solution using Lambda to copy snapshots to an S3 bucket with Object Lock is a viable but less integrated approach. It creates more operational overhead and complexity in managing permissions and the entire backup lifecycle compared to the native, fully managed cross-account capabilities of AWS Backup.