Per the AWS Cloud Operations and Data Protection documentation, S3 Object Lock enforces write-once-read-many (WORM) protection on objects for a defined retention period.
There are two modes:
Compliance mode: Even the root user cannot delete or modify objects during the retention period.
Governance mode: Privileged users with special permissions can override lock settings.
For regulatory or audit requirements that prohibit deletion, Compliance mode is the correct choice. When configured with a 3-month retention period, all backup objects are protected from deletion until expiration, ensuring compliance with data retention mandates.
Versioning (Option C) alone does not prevent deletion. IAM-based restrictions (Option A) lack time-based enforcement and require manual intervention. Governance mode (Option D) is less strict and unsuitable for regulatory retention.
Thus, Option B is the correct CloudOps solution for immutable S3 backups.
[Reference: AWS Cloud Operations & Storage Governance Guide – Implementing Retention with Amazon S3 Object Lock in Compliance Mode]
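The distinction between the four options can be checked mechanically. The following is an added example, not part of the original explanation: an audit function that evaluates dictionaries shaped like the S3 GetBucketVersioning and GetObjectLockConfiguration responses. The function name, the sample responses, and the choice of 90 days to represent "3 months" are assumptions.

```python
# Added example: audits constructed API-shaped responses; makes no AWS calls.
REQUIRED_DAYS = 90  # assumption: the 3-month requirement expressed as 90 days


def audit_backup_bucket(versioning, object_lock, required_days=REQUIRED_DAYS):
    """Return a list of findings; an empty list means the requirement is met.

    versioning  -- dict shaped like the GetBucketVersioning response
    object_lock -- dict shaped like the GetObjectLockConfiguration response,
                   or None when the bucket has no Object Lock configuration
    """
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled (Object Lock requires it)")
    config = (object_lock or {}).get("ObjectLockConfiguration", {})
    if config.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled; deletion is not blocked")
        return findings
    retention = config.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append("no default retention; new objects are not locked")
        return findings
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        findings.append("mode is %s; privileged users can override it" % mode)
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < required_days:
        findings.append("retention is %d days, below %d" % (days, required_days))
    return findings


def lock_config(mode, days):
    """Build a constructed GetObjectLockConfiguration-shaped response."""
    rule = {"DefaultRetention": {"Mode": mode, "Days": days}}
    return {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled", "Rule": rule}}


# Constructed sample inputs, one per configuration discussed above.
VERSIONED = {"Status": "Enabled"}
COMPLIANCE_90 = lock_config("COMPLIANCE", 90)   # Option B
GOVERNANCE_90 = lock_config("GOVERNANCE", 90)   # Option D

if __name__ == "__main__":
    for name, lock in [("versioning only", None), ("governance", GOVERNANCE_90),
                       ("compliance", COMPLIANCE_90)]:
        print(name, "->", audit_backup_bucket(VERSIONED, lock) or "OK")
```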