Amazon S3 Object Lock in compliance mode provides immutable storage that prevents objects from being deleted or overwritten for a defined retention period. In compliance mode, even the root user cannot remove the retention or delete the object before the retention period expires. This makes it suitable for regulatory and strict data-protection requirements.
Because Object Lock must be enabled at bucket creation time, a new bucket is required. Setting a retention period of 3 months ensures that backups cannot be deleted before that time under any circumstances.
Option D (governance mode) allows privileged users to bypass retention, which violates the strict “must not be deleted” requirement. Option A relies on IAM policy changes, which are reversible and error-prone. Option C does not prevent deletion; versioning only retains previous versions if objects are deleted, but users can still delete versions unless additional controls are applied.
Therefore, S3 Object Lock in compliance mode is the correct and most secure solution.
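A configuration check for the requirement above, as an added example rather than code from the original page: it inspects a document shaped like the S3 GetObjectLockConfiguration response and reports why a bucket would not meet the requirement. The sample documents are constructed, and reading "3 months" as 90 days is an assumption.

```python
# Added example: audit an Object Lock configuration against the backup requirement.
# Input has the shape of an S3 GetObjectLockConfiguration response.

REQUIRED_DAYS = 90  # assumption: "3 months" expressed as 90 days


def audit_object_lock(response, required_days=REQUIRED_DAYS):
    """Return a list of findings; an empty list means the requirement is met."""
    config = response.get("ObjectLockConfiguration") or {}
    if config.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled on the bucket"]

    retention = (config.get("Rule") or {}).get("DefaultRetention")
    if not retention:
        return ["no default retention rule: objects are locked only if set per object"]

    findings = []
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"mode is {mode}: privileged users can bypass retention")

    # DefaultRetention carries either Days or Years, never both.
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < required_days:
        findings.append(f"default retention is {days} days, below required {required_days}")
    return findings


def _sample(mode, **period):
    """Build a constructed sample response (not real bucket output)."""
    rule = {"DefaultRetention": {"Mode": mode, **period}}
    return {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled", "Rule": rule}}


COMPLIANT = _sample("COMPLIANCE", Days=90)
GOVERNANCE = _sample("GOVERNANCE", Days=90)   # the governance-mode option
SHORT = _sample("COMPLIANCE", Days=30)
NO_RULE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
NO_LOCK = {}                                  # e.g. a versioning-only bucket

if __name__ == "__main__":
    for name in ("COMPLIANT", "GOVERNANCE", "SHORT", "NO_RULE", "NO_LOCK"):
        print(name, audit_object_lock(globals()[name]) or "OK")
```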