A company needs to save confidential medical results in an Amazon S3 bucket.

The correct answer isBbecause the requirement explicitly calls for awrite once, read many (WORM)approach and a mandatory retention period of1 year.Amazon S3 Object Lock in compliance modeis the AWS feature designed specifically for this purpose. It prevents objects from being deleted or overwritten for a fixed retention period, even by privileged users. That directly satisfies the need to preserve confidential medical results for at least one year after creation.

Usingcompliance modeis important because it enforces retention in a way that cannot be bypassed by users or administrators. This is appropriate for regulated workloads such as medical records, where strong immutability controls are required. The company can then useIAM policiesto allow only a small set of approved users to upload new files while granting other authorized users read-only access.

Option A is incorrect becauseMFA Deletehelps protect against accidental deletion, but it does not provide a full WORM retention model and does not prevent overwrites in the same way as Object Lock. Option C is not sufficient because IAM and bucket policies can be changed by administrators with enough permissions and therefore do not provide the same immutable retention guarantee. Option D is overly complex and does not enforce WORM behavior; tracking object hashes only detects changes after the fact.

AWS best practices for immutable retention on S3 recommendS3 Object Lockwhen legal hold or retention requirements exist. For least implementation effort and proper WORM enforcement,S3 Object Lock in compliance modeis the most appropriate solution.