A company stores critical data in an S3 bucket. There is a requirement to ensure that an extra level of security is added to the S3 bucket. In addition, it should be ensured that objects are available in a secondary region if the primary one goes down. Which of the following can help fulfill these requirements? (Select TWO.)

Answer options:

A.Enable bucket versioning and also enable Cross-Region Replication.
B.Enable bucket versioning and enable Master Pays.
C.For the Bucket policy add a condition for { "Null": { "aws:MultiFactorAuthAge":true }}.
D.Enable the Bucket ACL and add a condition for { "Null": {"aws:MultiFactorAuthAge": true }}.

Answer: A and C
Option A is CORRECT as this solution meets the requirement of having S3 bucket contents available in the secondary region if the primary one goes down.
Option B is incorrect because AWS requester pays (master pays) does not solve either of the two requirements of security and availability. With Requester Pays buckets, the requester, instead of the bucket owner, pays the cost of the request and the data download from the bucket.
Option C is CORRECT because adding a bucket policy to require MFA would provide an extra level of security with only authorized and authenticated user`s access to the S3 bucket.
Option D is incorrect because MFA on S3 is applied using bucket policy and not by ACL.
The AWS Documentation mentions the following:
You can enforce the MFA authentication requirement using the aws:MultiFactorAuthAge key in a bucket policy. IAM users can access Amazon S3 resources by using temporary credentials issued by the AWS Security Token Service (STS). You provide the MFA code at the time of the STS request.
When Amazon S3 receives a request with MFA authentication, the aws:MultiFactorAuthAge key provides a numeric value indicating how long ago (in seconds) the temporary credential was created. If the temporary credential provided in the request was not created using an MFA device, this key value is null (absent). You can add a condition to check this value in a bucket policy, as shown in the following example bucket policy. The policy denies any Amazon S3 operation on the /taxdocuments folder in the examplebucket bucket if the request is not MFA authenticated. To learn more about MFA authentication, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.
 {
"Version": "2012-10-17",
"Id": "123",
"Statement": [
{
"Sid": "",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
"Condition": { "Null": { "aws:MultiFactorAuthAge": true }}
}
]
 }
For more information on S3 bucket policies, kindly visit the following URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
For more information on Cross-region replication (CRR), kindly visit the following URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html