AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A solutions architect needs to review a company's Amazon S3 buckets to discover personally identifiable information (PII). The company stores the PII data in the us-east-1 Region and us-west-2 Region.

Which solution will meet these requirements with the LEAST operational overhead?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Configure Amazon Macie in each Region. Create a job to analyze the data that is in Amazon S3.

Configure AWS Security Hub for all Regions. Create an AWS Config rule to analyze the data that is in Amazon S3.

Configure Amazon Inspector to analyze the data that is in Amazon S3.

Configure Amazon GuardDuty to analyze the data that is in Amazon S3.

Explanation:

Explanation

Amazon Macie is the correct choice because it is specifically designed for discovering and protecting sensitive data, including PII, in Amazon S3 buckets. Here's why:

Why Amazon Macie is the best solution:

Purpose-built for PII discovery: Amazon Macie uses machine learning and pattern matching to automatically discover, classify, and protect sensitive data, including personally identifiable information (PII).
Least operational overhead: Macie is a managed service that requires minimal setup - you simply enable it in the required regions and create jobs to analyze your S3 buckets.
Regional deployment: The question specifies data in us-east-1 and us-west-2 Regions, and Macie can be configured in each region where you need to analyze data.
S3-specific: Macie is specifically designed to work with Amazon S3, making it the most appropriate tool for this use case.

Why other options are incorrect:

B. AWS Security Hub with AWS Config rule:

AWS Security Hub is a security service that provides a comprehensive view of your security posture, but it doesn't directly discover PII in S3 buckets.
AWS Config rules can check for compliance but aren't designed for PII discovery in data content.
This approach would require more operational overhead to configure and maintain.

C. Amazon Inspector:

Amazon Inspector is designed for automated security assessments of EC2 instances and container images, not for discovering PII in S3 buckets.
It focuses on network accessibility and software vulnerabilities, not data classification.

D. Amazon GuardDuty:

Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior.
While it can detect some data exfiltration patterns, it's not designed for discovering PII stored in S3 buckets.

Key Takeaway:

When the requirement is specifically about discovering PII in S3 buckets with minimal operational overhead, Amazon Macie is the AWS service specifically designed for this purpose. It provides automated discovery and classification of sensitive data, making it the most efficient and appropriate solution.

Powered ByGPT-5.2

Comments

Loading comments...