Amazon S3 Glacier Vault Lock Policy

Additional Actions for Amazon S3 Glacier Vault Lock Policy

Question

You are working as a SysOps administrator for a legal organization.

All contractual documents need to be archived for 5 years without modifications.

You are planning to store these documents in Amazon S3 Glacier with Vault lock.

An Initiate Vault Lock operation is started to add controls that deny any user the ability to change these documents.

Which of the following additional actions must be initiated to complete the Amazon S3 Glacier Vault lock policy?

Explanations

Correct Answer - D.

A Vault lock policy can be used to lock the vault for any future changes.

Attaching a Vault lock policy is a 2-step process.

First, Initiate Vault Lock is called; it attaches a vault lock policy to the vault and returns a unique lock ID.

After verification, Complete Vault Lock must be initiated within 24 hours using the lock ID generated by Initiate Vault Lock.

If Complete Vault Lock is not initiated within 24 hours, the vault lock policy is removed.

Option B is incorrect because the Complete Vault Lock operation can be initiated within 24 hours after the Initiate Vault Lock call, not within 12 hours.

Options A and C are incorrect because the lock ID must match the one created by the Initiate Vault Lock operation and cannot be set manually.

For more information on attaching a vault lock policy to an Amazon Glacier vault, refer to the following URL:

https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-how-to-api.html
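
The two-step flow described above, as an added example that is not part of the original page or AWS's own code. The four client method names are the boto3 Glacier calls; `retention_policy`, `lock_vault`, the deny-delete policy and `FakeGlacier` (a constructed stand-in for `boto3.client("glacier")` so the block runs offline) are illustrative assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

def retention_policy(vault_arn, days=5 * 365):
    """Vault lock policy: deny archive deletion until the archive is `days` old."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "deny-delete-before-retention", "Effect": "Deny", "Principal": "*",
        "Action": "glacier:DeleteArchive", "Resource": vault_arn,
        "Condition": {"NumericLessThan": {"glacier:ArchiveAgeInDays": str(days)}}}]})

def lock_vault(glacier, vault, policy):
    """Initiate the lock, verify the pending policy, then complete it (or abort)."""
    args = {"accountId": "-", "vaultName": vault}   # "-" = account of the caller
    lock_id = glacier.initiate_vault_lock(policy={"Policy": policy}, **args)["lockId"]
    pending = glacier.get_vault_lock(**args)
    if (pending["State"] != "InProgress"
            or json.loads(pending["Policy"]) != json.loads(policy)):
        glacier.abort_vault_lock(**args)            # discard instead of locking it in
        raise RuntimeError("pending policy differs from the one submitted")
    glacier.complete_vault_lock(lockId=lock_id, **args)
    return glacier.get_vault_lock(**args)["State"]

class FakeGlacier:
    """Constructed in-memory stand-in for the Glacier client; models only the
    rules stated above (generated lock ID, 24-hour window)."""
    def __init__(self):
        self.now, self.lock = datetime(2024, 1, 1, tzinfo=timezone.utc), None
    def _pending(self):
        lock = self.lock
        if lock and lock["State"] == "InProgress" and self.now >= lock["expires"]:
            self.lock = None                        # policy removed after 24 hours
        return self.lock
    def initiate_vault_lock(self, accountId, vaultName, policy):
        self.lock = {"id": "constructed-lock-id", "Policy": policy["Policy"],
                     "State": "InProgress", "expires": self.now + timedelta(hours=24)}
        return {"lockId": self.lock["id"]}
    def get_vault_lock(self, accountId, vaultName):
        lock = self._pending()
        if lock is None:
            raise LookupError("vault has no lock policy")
        return {"Policy": lock["Policy"], "State": lock["State"]}
    def complete_vault_lock(self, accountId, vaultName, lockId):
        lock = self._pending()
        if lock is None or lockId != lock["id"]:
            raise ValueError("lock ID unknown or expired")
        lock["State"] = "Locked"
    def abort_vault_lock(self, accountId, vaultName):
        if self.lock and self.lock["State"] == "InProgress":
            self.lock = None
```

Against a real account, pass `boto3.client("glacier")` as `glacier`; the verification step before `complete_vault_lock` is the last point at which the policy can still be discarded.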

Sure, I'd be happy to explain!

To store the contractual documents in Amazon S3 Glacier with Vault Lock, the SysOps administrator must initiate the Initiate Vault Lock operation. This operation adds controls that will deny any user the ability to make changes to the documents. However, to complete the Vault lock policy, an additional action must be initiated, which is the Complete Vault Lock operation.

The Complete Vault Lock operation is used to enforce compliance controls over the data archived in Amazon S3 Glacier with Vault Lock. It is important to note that once a Vault Lock policy is in place, it cannot be removed or altered. Therefore, it is crucial to ensure that the policy is set up correctly before initiating the Complete Vault Lock operation.

Now, let's move on to the options provided in the question:

A. Initiate Complete Vault Lock operation within 12 hours using customized Lock ID as per security guidelines.

B. Initiate Complete Vault Lock operation within 12 hours using Lock ID generated during Initiate Vault Lock.

C. Initiate Complete Vault Lock operation within 24 hours using customized Lock ID as per security guidelines.

D. Initiate Complete Vault Lock operation within 24 hours using Lock ID generated during Initiate Vault Lock.

The correct answer is option B, "Initiate Complete Vault Lock operation within 12 hours using Lock ID generated during Initiate Vault Lock."

The reason for this is that when you initiate the Vault Lock, a unique Lock ID is generated. This Lock ID is used to initiate the Complete Vault Lock operation. The Lock ID must be used within 12 hours of initiating the Vault Lock operation, otherwise, it will expire, and a new Vault Lock operation will need to be initiated.

Option A is incorrect because the Lock ID must be generated during the Initiate Vault Lock operation and not customized. Option C is incorrect because it allows for a longer time period of 24 hours instead of 12 hours, which is the actual timeframe for using the Lock ID. Option D is incorrect because it suggests generating a new Lock ID during the Complete Vault Lock operation, which is not possible as the Lock ID must be generated during the Initiate Vault Lock operation.

In summary, the SysOps administrator should initiate the Initiate Vault Lock operation to add controls that will deny any user the ability to make changes to the documents. Then, within 12 hours, the administrator should initiate the Complete Vault Lock operation using the Lock ID generated during the Initiate Vault Lock operation to complete the Vault Lock policy.