AWS Certified Data Engineer – Associate (DEA-C01) — Question 208
A company stores sensitive data in an Amazon Redshift table. The company needs to give specific users the ability to access the sensitive data, and it must not duplicate the data.
Customer support users must be able to see only the last four characters of the sensitive data. Audit users must be able to see the full value of the sensitive data. No other users can have the ability to access the sensitive information.
Which solution will meet these requirements?
Answer options
- A. Create a dynamic data masking policy to allow access based on each user role. Create IAM roles that have specific access permissions. Attach the masking policy to the column that contains sensitive data.
- B. Enable metadata security on the Redshift cluster. Create IAM users and IAM roles for the customer support users and the audit users. Grant the IAM users and IAM roles permissions to view the metadata in the Redshift cluster.
- C. Create a row-level security policy to allow access based on each user role. Create IAM roles that have specific access permissions. Attach the security policy to the table.
- D. Create an AWS Glue job to redact the sensitive data and to load the data into a new Redshift table.
Correct answer: A
Explanation
Option A is the correct solution because a dynamic data masking policy attached to the sensitive column returns a different view of the same stored value to each user role (last four characters for customer support, the full value for audit users, and a fully masked value for everyone else) without duplicating data. Option B fails to address the requirement because metadata security only controls who can see catalog metadata, not who can read the sensitive values. Option C uses row-level security, which filters whole rows and cannot mask specific characters of a column based on user role. Option D involves creating a new table, which contradicts the requirement to avoid data duplication.
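The option A design expressed in Redshift SQL, as an added example that is not taken from the question page: the table, column, user, role and policy names are assumptions, and Redshift database roles (created with CREATE ROLE) are used as the role mechanism, since that is what ATTACH MASKING POLICY targets.

```sql
-- Added example (not from the question page): Redshift dynamic data masking
-- for the scenario above. Table, column, user, role and policy names are
-- assumed; the policies use Redshift database roles, not IAM roles.

-- Roles for the two privileged groups
CREATE ROLE customer_support;
CREATE ROLE auditor;
GRANT ROLE customer_support TO support_user1;
GRANT ROLE auditor TO audit_user1;

-- Sample table holding the sensitive value (e.g. a 16-character account number)
CREATE TABLE customer_accounts (
    customer_id    INT,
    account_number VARCHAR(16)
);

-- Policy 1: full mask. Attached to PUBLIC so that users with no
-- role-specific policy never see the real value.
CREATE MASKING POLICY mask_account_full
WITH (account_number VARCHAR(16))
USING ('****************'::VARCHAR(16));

-- Policy 2: reveal only the last four characters
CREATE MASKING POLICY mask_account_last4
WITH (account_number VARCHAR(16))
USING ((REPEAT('*', LENGTH(account_number) - 4)
        || RIGHT(account_number, 4))::VARCHAR(16));

-- Policy 3: pass-through (unmasked) value for auditors
CREATE MASKING POLICY mask_account_raw
WITH (account_number VARCHAR(16))
USING (account_number);

-- Attach the policies. When a user matches several, the attachment with
-- the highest PRIORITY wins, so the role-specific policies override PUBLIC.
ATTACH MASKING POLICY mask_account_full
    ON customer_accounts(account_number) TO PUBLIC;
ATTACH MASKING POLICY mask_account_last4
    ON customer_accounts(account_number) TO ROLE customer_support PRIORITY 10;
ATTACH MASKING POLICY mask_account_raw
    ON customer_accounts(account_number) TO ROLE auditor PRIORITY 20;

-- Check: list what is attached to the column and with which priority
SELECT policy_name, table_name, grantee, grantee_type, priority
FROM svv_attached_masking_policy
WHERE table_name = 'customer_accounts';
```

Run `SELECT account_number FROM customer_accounts` as each user to confirm the three views of the single stored column; no second table or copy of the data is created.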