AWS Certified Security – Specialty (SCS-C02) — Question 212

A security engineer needs to implement a solution to identify any sensitive data that is stored in an Amazon S3 bucket. The solution must report on sensitive data in the S3 bucket by using an existing Amazon Simple Notification Service (Amazon SNS) topic.

Which solution will meet these requirements with the LEAST implementation effort?

Answer options

• A. Enable AWS Config. Configure AWS Config to monitor for sensitive data in the S3 bucket and to send notifications to the SNS topic.
• B. Create an AWS Lambda function to scan the S3 bucket for sensitive data that matches a pattern. Program the Lambda function to send notifications to the SNS topic.
• C. Configure Amazon Macie to use managed data identifiers to identify and categorize sensitive data. Create an Amazon EventBridge rule to send notifications to the SNS topic.
• D. Enable Amazon GuardDuty. Configure AWS CloudTrail S3 data events. Create an Amazon CloudWatch alarm that reacts to GuardDuty findings and sends notifications to the SNS topic.

Correct answer: C

Explanation

The correct answer is C because Amazon Macie is specifically designed for identifying and classifying sensitive data in S3 buckets with minimal setup effort. Option A requires more configuration and isn't as tailored for sensitive data detection. Option B involves creating a custom Lambda function, which entails more development work, and option D relies on GuardDuty, which is not primarily focused on data classification in S3.