While preparing for the AWS SAA-C03, many candidates get confused by S3 storage classes and compliance requirements. In the real world, this is fundamentally a decision about regulatory immutability vs. long-term storage cost optimization. Let’s drill into a simulated scenario.
The Scenario #
GlobalFinance Corp, a multinational accounting firm, must store financial audit records in a cloud-based archive to comply with federal regulations. The compliance team has established the following requirements:
- Year 1: Records must be immediately accessible for ongoing audits and quarterly reviews
- Years 2-10: Records must remain archived but are rarely accessed (compliance-only)
- Critical Constraint: No one in the organization—including administrators, security teams, or even the AWS account root user—can delete these records during the entire 10-year period
- Durability Requirement: Maximum durability must be guaranteed to prevent data loss
The CFO has also mandated cost optimization wherever possible without compromising compliance.
Key Requirements #
Design a storage architecture that ensures regulatory immutability, maximum durability, and cost-effective tiering across the 10-year lifecycle.
The Options #
- A) Store records in S3 Glacier for the entire 10-year period, using access control policies to prevent deletion during this time.
- B) Use S3 Intelligent-Tiering to store records, implement IAM policies to prohibit deletion, and modify the IAM policy after 10 years to allow deletion.
- C) Use S3 lifecycle policies to transition records from S3 Standard to S3 Glacier Deep Archive after 1 year, and enable S3 Object Lock in Compliance Mode for the 10-year retention period.
- D) Use S3 lifecycle policies to transition records from S3 Standard to S3 One Zone-IA after 1 year, and enable S3 Object Lock in Governance Mode for the 10-year retention period.
Correct Answer #
Option C.
The Architect’s Analysis #
Correct Answer #
Option C – S3 Lifecycle Policy (Standard → Glacier Deep Archive) + S3 Object Lock Compliance Mode
Step-by-Step Winning Logic #
This solution satisfies all four constraints with optimal trade-offs:
- Year 1 Immediate Access: S3 Standard provides millisecond retrieval latency for active audits
- Years 2-10 Cost Optimization: Glacier Deep Archive costs $0.00099/GB/month vs. S3 Standard’s $0.023/GB/month—a 96% reduction
- Absolute Immutability: Compliance Mode Object Lock is the only mechanism that prevents deletion even by the root user (IAM policies can be modified; Compliance Mode cannot be altered once set)
- Maximum Durability: Both S3 Standard and Glacier Deep Archive provide 11 nines of durability (99.999999999%)
Key FinOps Win: For 1TB of data over 10 years:
- Year 1 (S3 Standard): ~$276
- Years 2-10 (Glacier Deep Archive): ~$107
- Total: ~$383 vs. $2,760 if kept in S3 Standard (86% savings)
The Traps (Distractor Analysis) #
-
Why not Option A?
- Glacier lacks millisecond retrieval needed for Year 1 active access (retrieval takes 3-5 hours in standard mode)
- Access control policies (IAM/bucket policies) can be modified by privileged users; they don’t guarantee immutability
-
Why not Option B?
- IAM policies are mutable—administrators can modify or delete them, violating the “no one can delete” requirement
- Intelligent-Tiering is more expensive than the Standard → Deep Archive transition for predictable access patterns
- No true immutability guarantee
-
Why not Option D?
- S3 One Zone-IA offers only 99.5% durability (stores data in a single AZ), failing the “maximum durability” requirement (multi-AZ storage classes provide 11 nines)
- Governance Mode Object Lock can be bypassed by users with
s3:BypassGovernanceRetentionpermission—not compliant with the “including root user” constraint - One Zone-IA is inappropriate for regulatory workloads due to single-AZ risk
The Architect Blueprint #
Diagram Note: Records flow from S3 Standard (hot access) to Glacier Deep Archive (cold archive) via automated lifecycle policy, while Object Lock Compliance Mode enforces immutability across both tiers for the entire 10-year period.
Real-World Practitioner Insight #
Exam Rule #
“For the AWS SAA-C03 exam, when you see ’no one including root user can delete’ + ‘regulatory/compliance retention’, always select S3 Object Lock Compliance Mode. When you see ‘maximum durability’, eliminate single-AZ storage classes (One Zone-IA).”
Real World #
In production environments, we typically add these layers:
- Versioning: Enable S3 Versioning in combination with Object Lock to protect against accidental overwrites
- MFA Delete: Require multi-factor authentication for object deletion operations (defense-in-depth)
- Cross-Region Replication (CRR): For critical compliance data, replicate to a second region with Object Lock enabled for disaster recovery
- CloudTrail Logging: Maintain an immutable audit trail of all access attempts to the compliance bucket
- Retrieval SLAs: For Glacier Deep Archive, plan for 12-48 hour retrieval times and implement expedited retrieval budgets for urgent legal holds
Cost Consideration: The scenario assumes infrequent access post-year 1. If regulators require faster retrieval during years 2-10, consider S3 Glacier Flexible Retrieval instead (3-5 hour retrieval at $0.004/GB/month—still 83% cheaper than Standard).