AWS Certified Data Engineer Associate DEA-C01 Practice Question

An online marketplace stores raw customer data, such as email addresses and credit-card numbers, in an Amazon S3 data lake. Compliance requires that newly ingested objects be automatically scanned for PII and that Amazon Athena queries expose only non-sensitive columns to data analysts. The data must stay in place, and the solution must use only AWS managed services. Which approach satisfies these requirements?

Deploy Amazon Inspector to scan the bucket and use AWS Config rules to move files with PII to a separate prefix inaccessible to analysts.
Enable Amazon GuardDuty S3 protection and attach IAM policies that deny access to objects tagged as sensitive.
Run an AWS Glue crawler to catalog the S3 data and create IAM policies that block analysts from reading columns identified as PII by the crawler.
Set up an Amazon Macie sensitive-data discovery job on the S3 bucket and use the findings to apply LF-tags in AWS Lake Formation that restrict column-level access for Athena queries.

Report Issue

Answer Description

Amazon Macie can be configured to run recurring sensitive-data discovery jobs on the S3 bucket. Macie's findings are published to Amazon EventBridge, where a rule can invoke an AWS Lambda function to create or update LF-tags in AWS Lake Formation that mark columns containing PII. Lake Formation then enforces column-level permissions so that Athena reveals only non-sensitive data to analysts. The other options fail to provide both automated PII discovery and column-level governance with supported AWS services: GuardDuty detects security threats, not PII; AWS Glue crawlers and IAM policies do not classify or mask sensitive columns automatically; Amazon Inspector and AWS Config cannot scan S3 objects for PII or manage column-level access.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.