
AWS SAA-C03 Drill: S3 Data Protection - The Access Control vs. Data Integrity Trade-off

Author: Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.

While preparing for the AWS SAA-C03, many candidates confuse access control with data protection. In the real world, this is fundamentally a decision about preventing irreversible data loss vs. managing operational friction. Let’s drill into a simulated scenario.

The Scenario

FinAudit Corp, a financial services consultancy, stores highly sensitive audit reports in Amazon S3. These documents are subject to regulatory retention requirements and must remain accessible for up to 7 years. The S3 bucket currently uses a restrictive bucket policy that grants read/write access only to a small team of certified auditors via their IAM user credentials, following the principle of least privilege.

Recently, the Chief Compliance Officer raised concerns after learning about an incident at a peer organization where an authorized user accidentally deleted critical audit files. Leadership has mandated that the architecture team implement additional safeguards to prevent accidental or unauthorized deletion of objects in the bucket, even by users with valid credentials.

Key Requirements

Implement the most secure solution to protect audit documents from accidental deletion while maintaining auditability and compliance with minimal operational overhead.

The Options

  • A) Enable versioning on the S3 bucket and activate MFA Delete protection.
  • B) Require multi-factor authentication (MFA) for all IAM user accounts in the audit team.
  • C) Add an S3 Lifecycle policy for the audit team’s IAM users to deny s3:DeleteObject actions during the audit period.
  • D) Encrypt the S3 bucket using AWS KMS and restrict audit team IAM users’ access to the KMS key.

Correct Answer

Option A.


The Architect’s Analysis

Correct Answer

Option A: Enable versioning on the S3 bucket and activate MFA Delete protection.

Step-by-Step Winning Logic

This solution addresses the core requirement through layered data protection:

  1. S3 Versioning ensures that when an object is “deleted,” S3 actually creates a delete marker rather than permanently removing the object. Previous versions remain recoverable, providing a safety net against accidental deletion.

  2. MFA Delete adds a second layer of protection by requiring physical possession of an MFA device and the root account or bucket owner credentials to:

    • Permanently delete an object version
    • Suspend versioning on the bucket

This combination ensures that even if an auditor’s IAM credentials are compromised or misused, the attacker cannot irreversibly destroy audit data without:

  • Gaining access to the AWS root account or bucket owner account
  • Possessing the physical MFA device
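The configuration step described above, as an added example that is not part of the original article: it builds the boto3 `put_bucket_versioning` request that turns on versioning with MFA Delete, then reads the setting back with `get_bucket_versioning` and reports any gap. The bucket name, the MFA device ARN, the MFA code and the `FakeS3` stand-in client are constructed placeholders so the block runs without AWS access.

```python
# Added example (not from the article): boto3 call shapes for versioning + MFA Delete.
# Bucket name, MFA serial and FakeS3 are constructed placeholders for an offline run.

def mfa_delete_request(bucket, mfa_serial, totp_code):
    """Build kwargs for PutBucketVersioning enabling versioning and MFA Delete.

    MFA is "<device serial or ARN> <current code>"; S3 accepts this change only
    when it is signed with the bucket owner's root credentials.
    """
    if not (totp_code.isdigit() and len(totp_code) == 6):
        raise ValueError("MFA code must be six digits")
    return {
        "Bucket": bucket,
        "MFA": f"{mfa_serial} {totp_code}",
        "VersioningConfiguration": {"Status": "Enabled", "MFADelete": "Enabled"},
    }

def assess_versioning(resp):
    """Findings for a GetBucketVersioning response; an empty list means compliant.

    Both keys are absent when versioning was never configured on the bucket.
    """
    findings = []
    if resp.get("Status") != "Enabled":
        findings.append("VERSIONING_NOT_ENABLED")
    if resp.get("MFADelete") != "Enabled":
        findings.append("MFA_DELETE_NOT_ENABLED")
    return findings

def enable_and_verify(s3, bucket, mfa_serial, totp_code):
    """Apply the setting, then read it back instead of trusting the write."""
    s3.put_bucket_versioning(**mfa_delete_request(bucket, mfa_serial, totp_code))
    return assess_versioning(s3.get_bucket_versioning(Bucket=bucket))

class FakeS3:
    """Stand-in for boto3.client("s3") so the example runs without AWS access."""
    def __init__(self):
        self.config = {}
    def put_bucket_versioning(self, Bucket, VersioningConfiguration, MFA=None):
        if "MFADelete" in VersioningConfiguration and not MFA:
            raise PermissionError("x-amz-mfa value required")
        self.config = dict(VersioningConfiguration)
    def get_bucket_versioning(self, Bucket):
        return dict(self.config)

if __name__ == "__main__":
    serial = "arn:aws:iam::111122223333:mfa/root-account-mfa-device"
    print(enable_and_verify(FakeS3(), "finaudit-reports-example", serial, "123456"))
```

Against a real account, pass `boto3.client("s3")` created with the bucket owner's root credentials in place of `FakeS3()`; `assess_versioning` can also be run on its own across many buckets as a periodic posture check.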

Why this matters for the exam:

  • The keyword “protect documents from accidental deletion” signals you need data integrity controls, not just access controls.
  • The phrase “most secure solution” indicates a defense-in-depth approach.

The Traps (Distractor Analysis)

Why not Option B?

Requiring MFA for IAM user sign-in only protects against unauthorized access to the AWS Management Console or API. It does NOT prevent an authenticated user (who successfully passed MFA) from deleting objects once they’re logged in.

  • What it solves: Credential theft
  • What it doesn’t solve: Accidental or intentional deletion by authorized users

Why not Option C?

S3 Lifecycle policies are designed to transition or expire objects based on age or storage class criteria. They cannot be used to conditionally deny IAM actions based on user identity.

The correct tool for denying s3:DeleteObject would be an IAM policy or bucket policy with a Deny statement, but this approach has critical flaws:

  • It completely blocks deletion, making routine operations (like correcting errors) impossible.
  • It doesn’t provide recoverability—if a policy misconfiguration occurs, data could still be lost.

Lifecycle policies ≠ IAM permission policies.

Why not Option D?

AWS KMS encryption protects data at rest and in transit by ensuring that only users with kms:Decrypt permissions can read objects. However:

  • Encryption does NOT prevent deletion. An IAM user with s3:DeleteObject permission can delete an encrypted object without ever decrypting it.
  • Restricting KMS key access only impacts data readability, not data durability.

  • What it solves: Unauthorized data disclosure
  • What it doesn’t solve: Accidental deletion

The Architect Blueprint

graph TD
    Auditor([Auditor with IAM Credentials]) -->|Upload/Read| S3Bucket[S3 Bucket<br/>Versioning Enabled]
    Auditor -->|Attempts Delete| DeleteAction{Delete Request}
    DeleteAction -->|Without MFA| DeleteMarker[Delete Marker Created<br/>Object Preserved as Version]
    DeleteAction -->|Permanent Delete Attempt| MFACheck{MFA Delete Enabled?}
    MFACheck -->|Yes| MFARequired[Requires Root Account<br/>+ MFA Device]
    MFACheck -->|No| PermanentDelete[Version Permanently Deleted]
    MFARequired -->|MFA Verified| PermanentDelete
    MFARequired -->|MFA Failed| Blocked[Action Blocked]
    style S3Bucket fill:#FF9900,stroke:#232F3E,color:#FFF
    style MFARequired fill:#D13212,stroke:#232F3E,color:#FFF
    style DeleteMarker fill:#1E8900,stroke:#232F3E,color:#FFF

Diagram Note: Versioning creates delete markers instead of destroying data, while MFA Delete requires root-level authentication and a physical MFA token to permanently remove versions.

Real-World Practitioner Insight

Exam Rule

For the SAA-C03 exam, when you see “protect against accidental deletion” combined with S3, immediately think:

  1. Versioning (recoverability)
  2. MFA Delete (irreversibility protection)
  3. Object Lock (compliance/legal hold—not applicable here as it wasn’t an option)

Real World

In production environments, we typically combine multiple controls:

  • Option A (Versioning + MFA Delete) as the foundation
  • Option B (MFA for IAM users) to reduce credential compromise risk
  • AWS CloudTrail to log all S3 API calls for forensic analysis
  • S3 Object Lock (Compliance Mode) if regulatory requirements mandate WORM (Write Once Read Many) storage
  • Cross-Region Replication (CRR) to a separate AWS account as an air-gapped backup for catastrophic scenarios

FinOps Consideration:
For a 10 TB audit archive with 5% monthly change rate:

  • Versioning cost: ~$230/month (10 TB × $0.023)
  • CRR cost: ~$200/month (0.5 TB transfer × $0.02 + 10 TB storage in secondary region)
  • Total added cost: ~$430/month
  • Avoided cost of compliance violation: $50,000–$500,000 per incident

ROI is immediate.
