AWS Certified Data Engineer – Associate (DEA-C01) — Question 176

A company saves customer data to an Amazon S3 bucket. The company uses server-side encryption with AWS KMS keys (SSE-KMS) to encrypt the bucket. The dataset includes personally identifiable information (PII) such as social security numbers and account details.

Data that is tagged as PII must be masked before the company uses customer data for analysis. Some users must have secure access to the PII data during the pre-processing phase. The company needs a low-maintenance solution to mask and secure the PII data throughout the entire engineering pipeline.

Which combination of solutions will meet these requirements? (Choose two.)

Answer options

• A. Use AWS Glue DataBrew to perform extract, transform, and load (ETL) tasks that mask the PII data before analysis.
• B. Use Amazon GuardDuty to monitor access patterns for the PII data that is used in the engineering pipeline.
• C. Configure an Amazon Macie discovery job for the S3 bucket.
• D. Use AWS Identity and Access Management (IAM) to manage permissions and to control access to the PII data.
• E. Write custom scripts in an application to mask the PII data and to control access.

Correct answer: A, D

Explanation

Option A is correct as AWS Glue DataBrew can efficiently handle ETL tasks and mask PII data before it is analyzed. Option D is also correct since AWS IAM provides a robust way to manage permissions and secure access to sensitive PII data. Options B, C, and E do not directly address the requirement for a low-maintenance solution for masking and securing PII data throughout the engineering pipeline.