protects an object version for a fixed amount of time, during which an object remains locked.
During this period, the object is WORM-protected and can’t be overwritten or deleted.
can be applied on an object version either explicitly or through a bucket default setting.
S3 stores a timestamp in the object version’s metadata to indicate when the retention period expires. After the retention period expires, the object version can be overwritten or deleted unless you also placed a legal hold on the object version.
protects an object version, as a retention period, but it has no expiration date.
remains in place until you explicitly remove it.
can be freely placed and removed by any user who has the s3:PutObjectLegalHold permission.
are independent of retention periods.
Retention periods and legal holds apply to individual object versions.
Placing a retention period or legal hold on an object protects only the version specified in the request. It doesn’t prevent new versions of the object from being created.
An object version can have both a retention period and a legal hold, one but not the other, or neither.
provides two retention modes that apply different levels of protection to the objects
S3 buckets with S3 Object Lock can’t be used as destination buckets for server access logs.
has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
S3 Object Lock – Retention Modes
Users can’t overwrite or delete an object version or alter its lock settings unless they have special permissions.
Objects can be protected from being deleted by most users, but some users can be granted permission to alter the retention settings or delete the object if necessary.
Can be used to test retention-period settings before creating a compliance-mode retention period.
To override or remove governance-mode retention settings, a user must have the s3:BypassGovernanceRetention permission and must explicitly include x-amz-bypass-governance-retention:true as a request header.
A protected object version can’t be overwritten or deleted by any user, including the root user in the AWS account.
Object retention mode can’t be changed, and its retention period can’t be shortened.
Object versions can’t be overwritten or deleted for the duration of the retention period.
AWS Certification Exam Practice Questions
Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.
A company needs to store its accounting records in Amazon S3. No one at the company; including administrative users and root users, should be able to delete the records for an entire 10-year period. The records must be stored with maximum resiliency. Which solution will meet these requirements?
Use an access control policy to deny deletion of the records for a period of 10 years.
Use an IAM policy to deny deletion of the records. After 10 years, change the IAM policy to allow deletion.
Use S3 Object Lock in compliance mode for a period of 10 years.
Use S3 Object Lock in governance mode for a period of 10 years.