AWS Certified Data Engineer Associate DEA-C01 Practice Question
A multinational retailer stores product images and customer PII in an Amazon S3 bucket in eu-west-1. Business analysts in us-east-1 need access to only non-sensitive objects for ad-hoc reporting. How can a data engineer ensure that objects containing PII never replicate outside the EU while other objects continue to replicate automatically with the least operational overhead?
Encrypt the destination bucket with a customer-managed KMS key restricted to EU principals; replicated PII objects will be unreadable outside the EU.
Attach an IAM permission boundary to the replication role that denies s3:PutObject to the destination bucket when the object prefix indicates /pii/ data.
Enable S3 Object Lock compliance mode on the source bucket and place a legal hold on objects identified as PII so replication skips locked objects.
Use Amazon Macie to classify the source bucket and publish findings to Amazon EventBridge; trigger an AWS Lambda function that tags flagged objects with pii=true, and configure an S3 replication rule that only replicates objects whose tag pii=false.
Amazon Macie can scan objects in the source bucket and publish findings that indicate which objects contain PII. EventBridge rules can invoke a Lambda function for each finding and tag the affected object (for example, pii=true). S3 replication rules support filters based on object tags, so a rule that replicates only objects where pii=false will copy non-sensitive data to the us-east-1 bucket while automatically excluding tagged PII objects. This solution keeps sensitive data inside the EU, requires no manual object classification, and preserves automated replication for permitted files.
Object Lock, KMS encryption, and IAM permission boundaries do not stop PII objects from being physically replicated to another Region, nor do they provide tag-based selective replication. Lake Formation LF-tags work for analytics permissions but do not control S3 replication, so those alternatives fail the residency requirement.
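The tagging Lambda and the tag-filtered replication rule described above could look like the following. This is an added example, not code from the original page; the rule ID, bucket names, ARNs, `StubS3` and the sample event are constructed placeholders, and treating every Macie sensitive-data finding as PII is an assumption.

```python
# Added example: placeholder names throughout; boto3 is needed only in Lambda.
def replication_config(role_arn, dest_bucket_arn):
    """Body for s3.put_bucket_replication: copy only objects tagged pii=false."""
    return {
        "Role": role_arn,
        "Rules": [{
            "ID": "replicate-non-pii",
            "Priority": 1,
            "Status": "Enabled",
            "Filter": {"Tag": {"Key": "pii", "Value": "false"}},
            # Rules with a tag filter must leave delete marker replication off.
            "DeleteMarkerReplication": {"Status": "Disabled"},
            "Destination": {"Bucket": dest_bucket_arn},
        }],
    }

def handler(event, context=None, s3=None):
    """EventBridge target: set pii=true on the object named in a Macie finding."""
    detail = event.get("detail", {})
    # Assumption: every sensitive-data finding is treated as PII.
    if event.get("source") != "aws.macie" or not detail.get(
            "type", "").startswith("SensitiveData:S3Object/"):
        return None
    res = detail["resourcesAffected"]
    bucket, key = res["s3Bucket"]["name"], res["s3Object"]["key"]
    if s3 is None:
        import boto3
        s3 = boto3.client("s3")
    # PutObjectTagging replaces the whole tag set, so merge with existing tags.
    tags = {t["Key"]: t["Value"]
            for t in s3.get_object_tagging(Bucket=bucket, Key=key)["TagSet"]}
    tags["pii"] = "true"
    tag_set = [{"Key": k, "Value": v} for k, v in sorted(tags.items())]
    s3.put_object_tagging(Bucket=bucket, Key=key, Tagging={"TagSet": tag_set})
    return tags

class StubS3:  # in-memory stand-in for the two boto3 S3 calls used above
    def __init__(self, tag_set):
        self.tag_set = tag_set
    def get_object_tagging(self, Bucket, Key):
        return {"TagSet": self.tag_set}
    def put_object_tagging(self, Bucket, Key, Tagging):
        self.tag_set = Tagging["TagSet"]

# Constructed sample event, trimmed to the fields the handler reads.
SAMPLE_EVENT = {"source": "aws.macie", "detail-type": "Macie Finding", "detail": {
    "type": "SensitiveData:S3Object/Personal",
    "resourcesAffected": {"s3Bucket": {"name": "example-eu-source"},
                          "s3Object": {"key": "uploads/customer-export.csv"}}}}
```

The rule matches only objects that actually carry the tag pii=false, so an untagged object is not replicated until something sets that tag.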
Data Security and Governance