
Answer-first summary for fast verification
Answer: Use an Amazon S3 bucket as a secure transfer point. Use Amazon Macie to scan the objects in the bucket. If objects contain PII, use Amazon Simple Notification Service (Amazon SNS) to trigger a notification to the administrators to remove the objects that contain PII.
## Explanation

**Correct Answer: B**

**Why Option B is correct:**

1. **Amazon Macie** is specifically designed for PII detection and data security. It uses machine learning and pattern matching to automatically discover, classify, and protect sensitive data (including PII) in Amazon S3.
2. **Least development effort**: Amazon Macie is a managed service that requires minimal configuration and no custom code development.
3. **Automated remediation**: While the option mentions notification via SNS, administrators can also configure automated remediation actions through AWS Lambda functions triggered by Macie findings.
4. **S3 as secure transfer point**: This provides a scalable and secure storage solution for large files (up to 200 GB).

**Why other options are incorrect:**

**Option A:**
- **Amazon Inspector** is for security assessment of EC2 instances and container images, not for scanning S3 objects for PII.
- S3 Lifecycle policies cannot be triggered based on content analysis; they are based on age or other metadata.

**Option C:**
- Requires **custom scanning algorithms**, which means significant development effort.
- Lambda functions have execution time limits (15 minutes) and memory constraints that may not handle 200 GB files efficiently.
- Does not provide automated remediation, only notification.

**Option D:**
- Similar to C, requires custom development effort.
- Contains a typo ("remove the meats" instead of "remove the objects").
- S3 Lifecycle policies cannot be triggered based on content analysis.

**Key AWS Services for this use case:**

1. **Amazon S3**: For secure file storage and transfer
2. **Amazon Macie**: For automated PII detection and classification
3. **Amazon SNS**: For notifications to administrators
4. **AWS Lambda**: For automated remediation actions (can be triggered by Macie findings)

**Best Practice Approach:**

1. Configure the S3 bucket with appropriate encryption and access controls
2. Enable Amazon Macie for the S3 bucket
3. Configure Macie findings to trigger SNS notifications
4. Optionally, create Lambda functions for automated remediation (e.g., quarantining or deleting PII-containing files)
5. Use AWS Step Functions if complex remediation workflows are needed
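As an added example (not from LeetQuiz or AWS), here is a minimal Lambda handler for step 4: it reads a Macie sensitive-data finding delivered through EventBridge, moves the offending object to a quarantine bucket, and notifies administrators via SNS. Assumed: an EventBridge rule forwarding `aws.macie` findings to the function, environment variable names and the placeholder bucket/topic values chosen here, and finding fields (`type`, `severity`, `resourcesAffected`) as in the documented Macie finding schema; the sample event is constructed.

```python
import json
import os
try:
    import boto3  # present in the Lambda runtime; optional for offline runs
except ImportError:
    boto3 = None

# Placeholder settings; in Lambda these come from environment variables
QUARANTINE_BUCKET = os.environ.get("QUARANTINE_BUCKET", "pii-quarantine-example")
ALERT_TOPIC_ARN = os.environ.get("ALERT_TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT:pii-alerts")

# Constructed sample event in the shape EventBridge delivers Macie findings
SAMPLE_EVENT = {"source": "aws.macie", "detail-type": "Macie Finding", "detail": {
    "type": "SensitiveData:S3Object/Personal",
    "severity": {"description": "High", "score": 3},
    "resourcesAffected": {"s3Bucket": {"name": "store-uploads-example"},
                          "s3Object": {"key": "store-42/transactions-2024-01.csv"}}}}

def extract_finding(event):
    """Return bucket/key/type/severity for a sensitive-data finding on an S3
    object, or None for any other Macie finding (e.g. bucket policy findings)."""
    detail = event.get("detail", {})
    finding_type = detail.get("type", "")
    if not finding_type.startswith("SensitiveData:S3Object"):
        return None
    affected = detail.get("resourcesAffected", {})
    bucket = affected.get("s3Bucket", {}).get("name")
    key = affected.get("s3Object", {}).get("key")
    if not bucket or not key:
        return None
    return {"bucket": bucket, "key": key, "type": finding_type,
            "severity": detail.get("severity", {}).get("description", "Unknown")}

def remediate(finding, s3=None, sns=None):
    """Copy the object to the quarantine bucket, delete the original, then notify
    administrators via SNS. Clients are injectable so this runs without AWS."""
    s3 = s3 or boto3.client("s3")
    sns = sns or boto3.client("sns")
    src = {"Bucket": finding["bucket"], "Key": finding["key"]}
    quarantine_key = f"{finding['bucket']}/{finding['key']}"
    s3.copy_object(Bucket=QUARANTINE_BUCKET, Key=quarantine_key, CopySource=src)
    s3.delete_object(**src)  # only after the copy succeeded
    message = {**finding, "quarantined_to": f"s3://{QUARANTINE_BUCKET}/{quarantine_key}"}
    sns.publish(TopicArn=ALERT_TOPIC_ARN, Subject="PII detected and quarantined",
                Message=json.dumps(message))
    return message

def lambda_handler(event, context):
    finding = extract_finding(event)
    if finding is None:
        return {"status": "ignored"}
    return {"status": "quarantined", **remediate(finding)}
```

The function's execution role needs only `s3:GetObject` and `s3:DeleteObject` on the upload bucket, `s3:PutObject` on the quarantine bucket, and `sns:Publish` on the topic; note that the copy is a server-side S3 operation, so the 200 GB files never pass through Lambda memory.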
Author: LeetQuiz Editorial Team
A company has an application that provides marketing services to stores. The services are based on previous purchases by store customers. The stores upload transaction data to the company through SFTP, and the data is processed and analyzed to generate new marketing offers. Some of the files can exceed 200 GB in size.
Recently, the company discovered that some of the stores have uploaded files that contain personally identifiable information (PII) that should not have been included. The company wants administrators to be alerted if PII is shared again. The company also wants to automate remediation.
What should a solutions architect do to meet these requirements with the LEAST development effort?
A. Use an Amazon S3 bucket as a secure transfer point. Use Amazon Inspector to scan the objects in the bucket. If objects contain PII, trigger an S3 Lifecycle policy to remove the objects that contain PII.

B. Use an Amazon S3 bucket as a secure transfer point. Use Amazon Macie to scan the objects in the bucket. If objects contain PII, use Amazon Simple Notification Service (Amazon SNS) to trigger a notification to the administrators to remove the objects that contain PII.

C. Implement custom scanning algorithms in an AWS Lambda function. Trigger the function when objects are loaded into the bucket. If objects contain PII, use Amazon Simple Notification Service (Amazon SNS) to trigger a notification to the administrators to remove the objects that contain PII.

D. Implement custom scanning algorithms in an AWS Lambda function. Trigger the function when objects are loaded into the bucket. If objects contain PII, use Amazon Simple Email Service (Amazon SES) to trigger a notification to the administrators and trigger an S3 Lifecycle policy to remove the meats that contain PII.