AWS Certified Data Engineer Associate DEA-C01 Practice Question
Your team has registered an Amazon S3 data lake with AWS Lake Formation, and analysts query the data through Amazon Athena. The security team must ensure that any S3 object Amazon Macie flags as containing PII is automatically blocked from the analyst LF-principal but remains accessible to the governance LF-principal. The solution must rely on AWS-managed integrations and involve as little custom code as possible. Which approach meets these requirements?
Generate daily S3 Inventory reports, use S3 Batch Operations to tag files that contain sensitive keywords, and add bucket policies that block the analyst group from those objects while permitting governance access.
Configure an Amazon Macie discovery job and an EventBridge rule that starts a Step Functions workflow. The workflow calls Lake Formation AddLFTagsToResource to tag resources Classification=Sensitive and applies LF-tag policies that block analysts and allow governance users.
Use S3 Object Lambda with a Lambda function that removes or redacts PII from objects before analysts access them, while governance users read the original objects directly.
Run an AWS Glue crawler with custom classifiers that detect PII and update the Data Catalog, then attach IAM policies that deny analysts access to any tables the crawler marks as sensitive.
Create an Amazon Macie sensitive-data discovery job for the lake buckets. Configure an Amazon EventBridge rule that triggers an AWS Step Functions state machine whenever Macie publishes a sensitive-data finding. In the workflow, use an AWS SDK task to call the Lake Formation AddLFTagsToResource API and attach an LF-tag such as Classification=Sensitive to the object (or its corresponding catalog columns). Lake Formation tag-based access-control policies then deny the analyst principal and allow the governance principal for resources tagged Classification=Sensitive. This uses only managed integrations (Macie, EventBridge, Step Functions, Lake Formation) and requires minimal code, with no bespoke parsing beyond the workflow definition.
The other options either rely on custom parsing inside Lambda, do not use Macie for detection, or cannot apply Lake Formation permissions automatically.
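As an added illustration (not part of the original question or any AWS sample), the Python below shows an EventBridge pattern that selects Macie sensitive-data findings and the AddLFTagsToResource parameters the Step Functions SDK task would send for one finding. The bucket, database and table names, the location-to-table mapping and the choice to tag at table level are assumptions.

```python
MACIE_PATTERN = {  # EventBridge rule pattern: sensitive-data findings only
    "source": ["aws.macie"],
    "detail-type": ["Macie Finding"],
    "detail": {"category": ["CLASSIFICATION"]},
}
# Assumed mapping of registered S3 locations to Data Catalog tables.
LOCATION_TO_TABLE = {
    ("example-lake-bucket", "sales/"): ("sales_db", "sales_raw"),
    ("example-lake-bucket", "sales/customers/"): ("sales_db", "customers"),
}

def matches(pattern, event):
    """Exact-value subset of EventBridge matching: each leaf lists allowed values."""
    for key, want in pattern.items():
        have = event.get(key)
        if isinstance(want, dict):
            if not isinstance(have, dict) or not matches(want, have):
                return False
        elif have not in want:
            return False
    return True

def lf_tag_request(event):
    """Return AddLFTagsToResource parameters for the table backing the flagged object."""
    if not matches(MACIE_PATTERN, event):
        return None
    affected = event["detail"]["resourcesAffected"]
    bucket, key = affected["s3Bucket"]["name"], affected["s3Object"]["key"]
    hits = [(prefix, table) for (b, prefix), table in LOCATION_TO_TABLE.items()
            if b == bucket and key.startswith(prefix)]
    if not hits:
        return None  # not under a catalogued location: leave for manual review
    database, name = max(hits, key=lambda h: len(h[0]))[1]  # longest prefix wins
    return {  # the LF-tag Classification=Sensitive must already exist
        "Resource": {"Table": {"DatabaseName": database, "Name": name}},
        "LFTags": [{"TagKey": "Classification", "TagValues": ["Sensitive"]}],
    }

SAMPLE_FINDING = {  # constructed event, trimmed to the fields used above
    "source": "aws.macie", "detail-type": "Macie Finding",
    "detail": {
        "category": "CLASSIFICATION",
        "type": "SensitiveData:S3Object/Personal",
        "resourcesAffected": {
            "s3Bucket": {"name": "example-lake-bucket"},
            "s3Object": {"key": "sales/customers/part-0001.parquet"},
        },
    },
}

print(lf_tag_request(SAMPLE_FINDING))
```

Macie policy findings (category `POLICY`) and objects outside any mapped location produce no tagging request, so only classification findings on catalogued data change what the analyst principal can read.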
AWS Certified Data Engineer Associate DEA-C01
Data Security and Governance