AWS Certified Data Engineer – Associate (DEA-C01) — Question 156

A company stores customer data that contains personally identifiable information (PII) in an Amazon Redshift cluster. The company's marketing, claims, and analytics teams need to be able to access the customer data.

The marketing team should have access to obfuscated claim information but should have full access to customer contact information. The claims team should have access to customer information for each claim that the team processes. The analytics team should have access only to obfuscated PII data.

Which solution will enforce these data access requirements with the LEAST administrative overhead?

Answer options

• A. Create a separate Redshift cluster for each team. Load only the required data for each team. Restrict access to clusters based on the teams.
• B. Create views that include required fields for each of the data requirements. Grant the teams access only to the view that each team requires.
• C. Create a separate Amazon Redshift database role for each team. Define masking policies that apply for each team separately. Attach appropriate masking policies to each team role.
• D. Move the customer data to an Amazon S3 bucket. Use AWS Lake Formation to create a data lake. Use fine-grained security capabilities to grant each team appropriate permissions to access the data.

Correct answer: C

Explanation

The correct answer is C because creating separate database roles with specific masking policies for each team allows for tailored access control with minimal administrative effort. Option A requires managing multiple clusters, which increases overhead, while option B involves creating and maintaining multiple views, which can also be cumbersome. Option D, while effective, introduces unnecessary complexity by moving data to S3 and setting up a data lake.