AWS Certified Security – Specialty (SCS-C02) — Question 215
A medical company recently completed an acquisition and inherited an existing AWS environment. The company has an upcoming audit and is concerned about the compliance posture of its acquisition.
The company must identify personal health information inside Amazon S3 buckets and must identify S3 buckets that are publicly accessible. The company needs to prepare for the audit by collecting evidence in the environment.
Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose three.)
Answer options
- A. Enable Amazon Macie. Run an on-demand sensitive data discovery job that uses the PERSONAL_INFORMATION managed data identifier.
- B. Use AWS Glue with the Detect PII transform to identify sensitive data and to mask the sensitive data.
- C. Enable AWS Audit Manager. Create an assessment by using a supported framework.
- D. Enable Amazon GuardDuty S3 Protection. Document any findings that are related to suspicious access of S3 buckets.
- E. Enable AWS Security Hub. Use the AWS Foundational Security Best Practices standard. Review the controls dashboard for evidence of failed S3 Block Public Access controls.
- F. Enable AWS Config. Set up the s3-bucket-public-write-prohibited AWS Config managed rule.
Correct answer: A, C, E
Explanation
The correct steps are A, C, and E: A identifies personal health information in S3 with a Macie sensitive data discovery job, C collects audit evidence through an Audit Manager assessment built on a supported framework, and E surfaces failed S3 Block Public Access controls in the Security Hub controls dashboard. Option B is incorrect because the Glue Detect PII transform is aimed at identifying and masking data in an ETL pipeline rather than at compliance and audit preparation. Option D is irrelevant in this context, as GuardDuty S3 Protection monitors for suspicious access activity rather than proactively preparing for an audit.