AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A large online retailer has hundreds of AWS accounts that are organized under AWS Organizations. Developers in non-production accounts sometimes upload production data that includes customer credit card numbers to Amazon S3. The security team must automatically detect any S3 object that contains credit card data in any account or Region, quarantine the object in an encrypted S3 bucket that only the security team can access, record each incident centrally for analyst review, and minimize custom code while adhering to least-privilege principles. Which approach will meet these requirements MOST effectively?
Add an S3 event notification to every bucket that triggers a Lambda function with custom regular-expression logic to detect credit-card numbers; if detected, the function copies the object to a quarantine bucket and updates a DynamoDB table for reporting.
Enable Amazon Macie organization-wide automated sensitive-data discovery, publish Macie findings to AWS Security Hub and Amazon EventBridge, and configure an EventBridge rule that invokes an AWS Systems Manager Automation runbook to move the offending object to a centrally encrypted quarantine bucket and remove it from the source bucket.
Create an AWS Config managed rule package that evaluates whether S3 objects are encrypted with AWS KMS keys and sets an automatic remediation action to deny all access to any object that is not encrypted.
Enable Amazon GuardDuty with S3 Protection across the organization and configure the built-in quarantine action to move any object that triggers a GuardDuty finding to a secure S3 bucket.
Amazon Macie can be enabled organization-wide and uses managed data identifiers (including credit-card numbers) to scan every S3 object. Macie automatically publishes sensitive-data findings to Amazon EventBridge and, when enabled, to AWS Security Hub, giving analysts a central place to track incidents. An EventBridge rule can invoke an AWS Systems Manager Automation runbook, such as a custom document that calls the AWSSupport-ContainS3Resource runbook or an equivalent, to copy the offending object to an encrypted quarantine bucket and delete or lock down the source object. Because Macie, EventBridge, Security Hub, and SSM Automation are all managed services, the solution meets the detection, quarantine, and central-tracking requirements with minimal custom code, and it follows least privilege by granting a narrowly scoped role only to the automation.
GuardDuty S3 Protection does not inspect object contents and has no native quarantine action; a purely Lambda-based regex solution requires substantial custom code and management overhead; an AWS Config rule that checks encryption addresses only at-rest protection and does not detect credit-card data or quarantine objects. Therefore, enabling Macie with EventBridge-triggered SSM remediation is the most effective solution.
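As an added illustration of the runbook step in the explanation (example configuration, not code from this page or from AWS), the following SSM Automation document copies a flagged object into the quarantine bucket with KMS encryption and then deletes the source; the runbook name, the quarantine bucket and the automation role are assumptions, and the SourceBucket/SourceKey values are expected to be filled in by the EventBridge rule from the Macie finding fields detail.resourcesAffected.s3Bucket.name and detail.resourcesAffected.s3Object.key.

```yaml
# Hypothetical runbook "Quarantine-S3-SensitiveObject" (added example, not an AWS-provided document).
# Invoked by an EventBridge rule matching source "aws.macie", detail-type "Macie Finding",
# detail.type "SensitiveData:S3Object/Financial"; the rule's input transformer supplies the parameters.
schemaVersion: '0.3'
description: Copy an S3 object flagged by Macie to the encrypted quarantine bucket and remove the original.
assumeRole: '{{ AutomationAssumeRole }}'   # assumed role: only s3:GetObject on the source, s3:PutObject on quarantine, s3:DeleteObject on the source
parameters:
  SourceBucket:
    type: String
    description: Bucket named in the Macie finding (detail.resourcesAffected.s3Bucket.name)
  SourceKey:
    type: String
    description: Object key named in the Macie finding (detail.resourcesAffected.s3Object.key)
  QuarantineBucket:
    type: String
    default: security-quarantine-example-bucket   # assumed central bucket, KMS-encrypted, security team only
  AutomationAssumeRole:
    type: String
mainSteps:
  # Copy first so the object is never lost if the delete step fails.
  - name: copyToQuarantine
    action: aws:executeAwsApi
    onFailure: Abort
    inputs:
      Service: s3
      Api: CopyObject
      CopySource: '{{ SourceBucket }}/{{ SourceKey }}'
      Bucket: '{{ QuarantineBucket }}'
      Key: '{{ SourceBucket }}/{{ SourceKey }}'   # keep the origin bucket in the key so analysts can trace it
      ServerSideEncryption: aws:kms               # quarantine copy is always KMS-encrypted
  # Remove the original only after the quarantine copy succeeded.
  - name: deleteSource
    action: aws:executeAwsApi
    inputs:
      Service: s3
      Api: DeleteObject
      Bucket: '{{ SourceBucket }}'
      Key: '{{ SourceKey }}'
```

Because the finding itself remains in Macie and Security Hub, the analyst record is kept even after the source object is deleted; the document contains no custom code beyond the two API calls.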