AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct answer is to use an Amazon S3 bucket with S3 Object Lock in Compliance mode and a lifecycle policy to transition data to S3 Glacier Deep Archive. This solution meets all requirements:

• Immutability and SEC Rule 17a-4: S3 Object Lock in Compliance mode is designed for strict regulatory compliance like SEC Rule 17a-4, ensuring data cannot be altered or deleted by any user, including the root account, for the duration of the retention period.
• Tiered Access: Keeping objects in S3 Standard for the first 90 days satisfies the need for frequent, low-latency access.
• Cost-Effective Long-Term Storage: S3 Glacier Deep Archive is the most cost-effective storage class for long-term retention where retrieval times of up to 12 hours are acceptable.
• Automation: An S3 Lifecycle policy automates the transition from S3 Standard to S3 Glacier Deep Archive without manual intervention.

Incorrect options are explained below:

• Using S3 Object Lock in Governance mode is incorrect because it allows users with special permissions to bypass the retention settings, which does not meet the strict immutability requirement for SEC Rule 17a-4. S3 Glacier Flexible Retrieval is also less cost-effective than S3 Glacier Deep Archive for the 12-hour retrieval requirement.
• Using Glacier Vault Lock is suboptimal. While it provides immutability, it applies to the entire vault. This approach is less flexible than using an S3 Lifecycle policy for tiered access and requires a separate process to move data rather than a seamless, automated transition.
• Using AWS Backup is not the most appropriate solution for this use case. AWS Backup is primarily designed for creating and managing backups of AWS resources (like EBS, RDS, etc.), not as a primary archival system for raw object data. The native S3 Object Lock and Lifecycle policy is a more direct, simple, and cost-effective pattern for this requirement.