SAA-C03 Practice Question: S3 Object Lock Compliance mode prevents deletion…
This SAA-C03 practice question tests your understanding of the topic "S3 Object Lock Compliance mode prevents deletion…". The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. A key principle to apply: S3 Object Lock Compliance mode prevents deletion by ALL users including root. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A financial services company must store audit logs in S3 for 7 years and ensure that no one — including the AWS account root user — can delete or overwrite the logs during the retention period. Which S3 Object Lock configuration should a solutions architect use?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Best answer
Object Lock in Compliance mode with a 7-year retention period
Compliance mode prevents ALL users including root from deleting or overwriting objects before retention expires. The period cannot be shortened, satisfying strict financial regulatory requirements.
Distractor review
Object Lock in Governance mode with a 7-year retention period
Governance mode can be bypassed by the root account and users with s3:BypassGovernanceRetention. This fails the requirement that no one including root can delete the logs.
Distractor review
S3 Versioning with a lifecycle rule to transition objects to Glacier after 7 years
Versioning keeps prior versions but a privileged user can permanently delete all versions. Lifecycle rules change storage class — they do not provide immutability.
Distractor review
A bucket policy with Deny for s3:DeleteObject applied to all principals including root
Bucket policies (IAM resource policies) cannot restrict the root account. Root is exempt from IAM policies. Only Object Lock Compliance mode can prevent root from deleting S3 objects.
Common exam trap
Common exam trap: answer the scenario, not the keyword
Candidates choose Governance mode because 'governance' sounds strict. In AWS terminology, Governance is the LESS strict option — it can be bypassed by privileged users. Compliance mode is immutable: no one can remove the retention until the period expires. This distinction is critical for financial regulations like SEC Rule 17a-4 and FINRA requirements.
Technical deep dive
How to think about this question
S3 Object Lock mode comparison:
- Compliance mode: Not even root can delete/overwrite before retention expires. Retention cannot be shortened. Required for strict regulatory WORM.
- Governance mode: Users with s3:BypassGovernanceRetention permission and root can override. Retention can be shortened. Use when admin escape hatch is needed.
- Legal Hold: Indefinite lock on individual objects, overrides retention date. Independent of mode.
Important: Object Lock must be enabled at bucket creation time. It cannot be enabled retroactively. Versioning is required and is enabled automatically when Object Lock is enabled.
Key Concepts to Remember
- S3 Object Lock Compliance mode prevents deletion by ALL users including root
- S3 Object Lock Governance mode can be overridden by users with s3:BypassGovernanceRetention and root
- Object Lock must be enabled at bucket creation — cannot be added retroactively
- Compliance mode is required for SEC Rule 17a-4, FINRA, and similar financial regulations
- Legal Holds provide indefinite object-level protection independent of retention period
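
An added example, not part of the original page: a Python check that audits the JSON shape returned by `aws s3api get-object-lock-configuration` against this scenario's requirement (Compliance mode, at least 7 years). The sample responses and the helper `make_response` are constructed for illustration, and comparing a `Days` value against 7 × 365 is an assumption.

```python
REQUIRED_YEARS = 7
DAYS_PER_YEAR = 365  # assumption: a Days value is compared against years * 365


def audit_object_lock(response, required_years=REQUIRED_YEARS):
    """Return findings for a get-object-lock-configuration response.

    An empty list means the bucket default satisfies the scenario:
    Compliance mode with at least `required_years` of retention.
    """
    cfg = response.get("ObjectLockConfiguration") or {}
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled on this bucket"]
    retention = (cfg.get("Rule") or {}).get("DefaultRetention")
    if not retention:
        return ["Object Lock is enabled but no default retention is set"]

    findings = []
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"mode is {mode}, not COMPLIANCE: retention can be bypassed")
    # DefaultRetention carries either Days or Years, never both.
    days = retention.get("Days", retention.get("Years", 0) * DAYS_PER_YEAR)
    if days < required_years * DAYS_PER_YEAR:
        findings.append(f"retention is {days} days, below {required_years} years")
    return findings


def make_response(mode, **period):
    # Hypothetical helper: builds a constructed response in the API's JSON shape.
    return {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": mode, **period}}}}


# Constructed sample responses, not captured from a real account.
SAMPLES = {
    "compliance-7y": make_response("COMPLIANCE", Years=7),
    "governance-7y": make_response("GOVERNANCE", Years=7),
    "compliance-1y": make_response("COMPLIANCE", Days=365),
    "versioning-only": {},  # stands in for a bucket without Object Lock
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, audit_object_lock(resp) or "OK")
```
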
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
S3 Object Lock Compliance mode prevents deletion by ALL users including root
FAQ
Questions learners often ask
What does this SAA-C03 question test?
S3 Object Lock Compliance mode prevents deletion by ALL users including root
What is the correct answer to this question?
The correct answer is: Object Lock in Compliance mode with a 7-year retention period — S3 Object Lock in Compliance mode prevents ALL users — including the root account — from deleting or overwriting objects before the retention period expires. The retention period itself cannot be shortened once set in Compliance mode. Governance mode also prevents most deletions, but users with s3:BypassGovernanceRetention permission (and the root account) can delete objects or shorten the retention period. For regulatory requirements where not even root can override, Compliance mode is mandatory.
What should I do if I get this SAA-C03 question wrong?
Review the principle that S3 Object Lock Compliance mode prevents deletion by ALL users including root, then practise related SAA-C03 questions on the same topic to reinforce the concept.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
This SAA-C03 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SAA-C03 exam.