AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A regulated equities-trading firm operates production Amazon RDS databases and Amazon EFS file systems in several AWS accounts that belong to the same AWS Organization. Regulations state that backup copies must be retained for at least seven years, remain immutable and undeletable even by the root user, and be kept in a logically separate AWS account to defend against insider threats. The architects want to rely only on managed AWS services while minimizing ongoing operational effort.
Which combination of actions will satisfy these requirements?
Apply Amazon Data Lifecycle Manager policies to create daily EBS snapshots and copy them to the backup account, then attach an AWS Organizations SCP that denies ec2:DeleteSnapshot in the workload accounts.
Export EBS and RDS snapshots to an Amazon S3 bucket in the backup account, turn on S3 Object Lock in Compliance mode with a seven-year retention rule, and deny DeleteObject permissions with a bucket policy.
Enable AWS Backup Vault Lock in Governance mode in each workload account, set a seven-year retention period, and use a backup rule to copy recovery points to a vault in the backup account.
Create an AWS Backup plan in each workload account that schedules backups and automatically copies them to a backup vault in a dedicated backup account. Enable cross-account backup in AWS Backup settings, lock the destination vault in Compliance mode with AWS Backup Vault Lock, and set the vault's minimum retention period to 2 555 days.
AWS Backup Vault Lock in Compliance mode enforces write-once-read-many (WORM) protection: once the grace period has expired, no user, including the account root user or AWS Support, can delete recovery points or shorten their retention period. A locked vault can specify minimum and maximum retention periods, so setting the minimum to 2 555 days guarantees seven-year retention. When cross-account backup is enabled, AWS Backup can automatically copy recovery points to a vault in another account within the same AWS Organization. Using a scheduled backup plan to trigger both the original backup and the copy eliminates custom scripting and provides a fully managed workflow. The other options fail to meet one or more requirements:
S3 Object Lock would require exporting every snapshot to S3 for each service, adding complexity and operational overhead.
Governance mode allows privileged users to remove the lock, so backups are not truly immutable.
Amazon DLM policies protect only EBS snapshots and do not cover RDS or EFS, and an SCP still cannot prevent deletion of recovery points that are stored in another account's vault.
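The correct design expressed as infrastructure code, as an added example that is not part of the practice question: a Compliance-mode locked vault in the dedicated backup account, and a plan in each workload account that copies RDS and EFS recovery points into it. Account IDs, region and names are placeholders; the two documents are separate templates deployed in different accounts.

```yaml
# --- Template 1: dedicated backup account (placeholder ID 999999999999) ---
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  CentralVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: central-locked-vault
      # Compliance mode: ChangeableForDays is the grace period after which the
      # lock can no longer be removed or weakened, even by the root user.
      # Omitting ChangeableForDays creates a Governance-mode lock instead.
      LockConfiguration:
        MinRetentionDays: 2555   # seven years
        MaxRetentionDays: 3650
        ChangeableForDays: 3     # smallest grace period AWS accepts
      # Vault access policy: only the listed workload accounts may copy in.
      AccessPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::111111111111:root   # placeholder workload account
            Action: backup:CopyIntoBackupVault
            Resource: "*"
---
# --- Template 2: each workload account (placeholder ID 111111111111) ------
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  DailyPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: daily-with-cross-account-copy
        BackupPlanRule:
          - RuleName: daily
            TargetBackupVault: Default        # local vault for the first copy
            ScheduleExpression: cron(0 3 * * ? *)
            Lifecycle:
              DeleteAfterDays: 2555
            CopyActions:
              # Copy retention must fall within the destination vault's
              # Min/MaxRetentionDays or the copy job is rejected.
              - DestinationBackupVaultArn: arn:aws:backup:us-east-1:999999999999:backup-vault:central-locked-vault
                Lifecycle:
                  DeleteAfterDays: 2555
  RdsAndEfsSelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId: !Ref DailyPlan
      BackupSelection:
        SelectionName: rds-and-efs
        IamRoleArn: arn:aws:iam::111111111111:role/service-role/AWSBackupDefaultServiceRole
        Resources:
          - arn:aws:rds:*:*:db:*
          - arn:aws:elasticfilesystem:*:*:file-system/*
```

Cross-account copy also requires the organization's management account to turn on the cross-account backup setting (aws backup update-global-settings --global-settings isCrossAccountBackupEnabled=true); without it the copy jobs fail even with the vault policy in place.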
Continuous Improvement for Existing Solutions