Home » Amazon » AWS Certified Security – Specialty v.2 » What is the MOST cost-effective way to correct this?
A company is storing data in Amazon S3 Glacier. The security engineer implemented a new vault lock policy for 10TB of data and called initiate-vault-lock operation 12 hours ago. The audit team identified a typo in the policy that is allowing unintended access to the vault.
What is the MOST cost-effective way to correct this?
A. Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.
B. Copy the vault data to a new S3 bucket. Delete the vault. Create a new vault with the data.
C. Update the policy to keep the vault lock in place.
D. Update the policy. Call initiate-vault-lock operation again to apply the new policy.
Correct Answer: A
Explanation/Reference:
Explanation:
Initiate the lock by attaching a vault lock policy to your vault, which sets the lock to an in-progress state and returns a lock ID.
While in the in-progress state, you have 24 hours to validate your vault lock policy before the lock ID expires.
Use the lock ID to complete the lock process. If the vault lock policy doesn’t work as expected, you can abort the lock and restart from the beginning. For information on how to use the S3 Glacier API to lock a vault, see Locking a Vault by Using the Amazon S3 Glacier API.
Reference: https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html
