The requirement is to ensure backups cannot be deleted for a specific period, which is a Write-Once, Read-Many (WORM) model. Amazon S3 Object Lock is the service designed for this purpose. By enabling Object Lock in compliance mode on a new bucket and setting a 3-month retention period, the objects are protected from being overwritten or deleted by any user, including the root user in the AWS account. This provides the highest level of protection and directly meets the strict, non-negotiable retention requirement.

A. An IAM policy is operationally complex to manage for individual object retention periods and can be modified or removed by a privileged user, failing to guarantee non-deletion.

C. S3 Versioning protects against accidental deletion by preserving previous versions, but a user with s3:DeleteObjectVersion permissions can still permanently delete the object.

D. S3 Object Lock in governance mode is less strict, as users with the s3:BypassGovernanceRetention permission can override the lock and delete the objects before the retention period expires.

---

1. Amazon S3 User Guide

"Using S3 Object Lock": This document details the functionality of S3 Object Lock. It states

"In compliance mode

a protected object version can't be overwritten or deleted by any user

including the root user in your AWS account. When an object is locked in compliance mode

its retention mode can't be changed

and its retention period can't be shortened." This confirms that compliance mode is the correct choice for the strict requirement.

Source: AWS Documentation

Amazon S3 User Guide

"S3 Object Lock retention modes".

2. Amazon S3 User Guide

"Locking objects using S3 Object Lock": This guide specifies the difference between the two modes. It explains that in governance mode

users need special permissions (s3:BypassGovernanceRetention) to bypass retention settings

making it less suitable for a strict "must not be deleted" policy compared to compliance mode.

Source: AWS Documentation

Amazon S3 User Guide

"Comparing S3 Object Lock modes".

3. Amazon S3 User Guide

"Enabling S3 Object Lock": This section explicitly states

"You can only enable S3 Object Lock for new buckets. If you want to lock objects in an existing bucket

contact AWS Support." This supports the part of the correct answer that specifies using a new S3 bucket.

Source: AWS Documentation

Amazon S3 User Guide

"Enabling S3 Object Lock".