AWS Certified Security – Specialty (SCS-C02) — Question 162

A company is investigating controls to protect sensitive data. The company uses Amazon Simple Notification Service (Amazon SNS) topics to publish messages from application components to custom logging services.

The company is concerned that an application component might publish sensitive data that will be accidentally exposed in transaction logs and debug logs.

Which solution will protect the sensitive data in these messages from accidental exposure?

Answer options

• A. Use Amazon Made to scan the SNS topics for sensitive data elements in the SNS messages. Create an AWS Lambda function that masks sensitive data inside the messages when Macie records a new finding.
• B. Configure an inbound message data protection policy. In the policy, include the De-identify operation to mask the sensitive data inside the messages. Apply the policy to the SNS topics.
• C. Configure the SNS topics with an AWS Key Management Service (AWS KMS) customer managed key to encrypt the data elements inside the messages. Grant permissions to all message publisher IAM roles to allow access to the key to encrypt data.
• D. Create an Amazon GuardDuty finding for sensitive data that is transmitted to the SNS topics. Create an AWS Security Hub custom remediation action to block messages that contain sensitive data from being delivered to subscribers of the SNS topics.

Correct answer: B

Explanation

Option B is correct because it directly addresses the concern by implementing a data protection policy that de-identifies sensitive data before it can be exposed. Option A is not as effective as it relies on a reactive approach after the data has been published. Option C, while it encrypts the data, does not prevent sensitive information from being logged in an unencrypted form before encryption occurs. Option D focuses on detection and blocking after the fact, which does not prevent sensitive data from being published initially.