AWS Certified Security – Specialty (SCS-C03) — Question 31

A security engineer uses Amazon Macie to scan a company’s Amazon S3 buckets for sensitive data. The company has many S3 buckets and many objects stored in the S3 buckets. The security engineer must identify S3 buckets that contain sensitive data and must perform additional scanning on those S3 buckets.
Which solution will meet these requirements with the LEAST administrative overhead?

Answer options

• A. Configure S3 Cross-Region Replication (CRR) on the S3 buckets to replicate the objects to a second AWS Region. Configure Macie in the second Region to scan the replicated objects daily.
• B. Create an AWS Lambda function as an S3 event destination for the S3 buckets. Configure the Lambda function to start a Macie scan of an object when the object is uploaded to an S3 bucket.
• C. Configure Macie automated discovery to continuously sample data from the S3 buckets. Perform full scans of the S3 buckets where Macie discovers sensitive data.
• D. Configure Macie scans to run on the S3 buckets. Aggregate the results of the scans in an Amazon DynamoDB table. Use the DynamoDB table for queries.

Correct answer: C

Explanation

Option C is correct because it allows for automated continuous sampling and targeted full scans of S3 buckets based on the discovery of sensitive data, minimizing manual intervention. Option A involves unnecessary replication and additional complexity, while option B requires manual triggering of scans for each upload, increasing overhead. Option D, while useful, adds the complexity of managing a DynamoDB table for aggregating results, which is not as efficient as the automated approach in C.