AWS Certified Security – Specialty (SCS-C03) — Question 34
A company is running its application on AWS. The company has a multi-environment setup, and each environment is isolated in a separate AWS account. The company has an organization in AWS Organizations to manage the accounts. There is a single dedicated security account for the organization.
The company must create an inventory of all sensitive data that is stored in Amazon S3 buckets across the organization’s accounts. The findings must be visible from a single location.
Which solution will meet these requirements?
Answer options
- A. Set the security account as the delegated administrator for Amazon Macie and AWS Security Hub. Enable and configure Macie to publish sensitive data findings to Security Hub.
- B. Set the security account as the delegated administrator for AWS Security Hub. In each account, configure Amazon Inspector to scan the S3 buckets for sensitive data. Publish sensitive data findings to Security Hub.
- C. In each account, configure Amazon Inspector to scan the S3 buckets for sensitive data. Enable Amazon Inspector integration with AWS Trusted Advisor. Publish sensitive data findings to Trusted Advisor.
- D. In each account, enable and configure Amazon Macie to detect sensitive data. Enable Macie integration with AWS Trusted Advisor. Publish sensitive data findings to Trusted Advisor.
Correct answer: A
Explanation
Option A is correct. Amazon Macie is the service that discovers and classifies sensitive data stored in Amazon S3, and both Macie and AWS Security Hub support a delegated administrator account in AWS Organizations. Designating the security account as the delegated administrator for both (done from the organization's management account) lets that one account enable Macie in the member accounts, run sensitive data discovery jobs against their buckets, and view every Security Hub finding in one place. Note the "configure" step: Macie's Security Hub integration publishes policy findings by default, but publishing of sensitive data findings must be turned on explicitly in Macie's findings publication settings, in each Region where Macie runs. If the buckets span several Regions, enable Security Hub cross-Region aggregation so the single view covers all of them.
Options B and C fail because Amazon Inspector assesses EC2 instances, Lambda functions and container images for software vulnerabilities and unintended network exposure; it does not scan S3 objects for sensitive data. Options C and D fail because AWS Trusted Advisor is a best-practice checker, not a destination for other services' findings; neither Macie nor Inspector can publish to it. Option D also enables Macie account by account with no delegated administrator, so the findings stay in each account instead of in a single location.
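As an added worked example (not part of the exam question or of AWS documentation), the following Python shows the practical pieces behind option A: the macie2 PutFindingsPublicationConfiguration request that turns on publishing of sensitive data (classification) findings to Security Hub, a Security Hub GetFindings filter that selects those findings in the security account, and an aggregation of the returned findings into a per-account, per-bucket inventory. The boto3 parameter names are the real API parameters; the sample findings are constructed and follow only the general AWS Security Finding Format layout, and the exact Macie type strings and ProductName value used in them are assumptions.

```python
"""Added example: Macie -> Security Hub publishing config and a sensitive data inventory.

Not code from the exam page or from AWS. boto3 clients are injected so the
functions can be exercised offline; the sample findings below are constructed
(ASFF-shaped, with assumed Macie type strings), not captured from a real account.
"""
from collections import defaultdict

SEVERITY_ORDER = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def macie_publication_settings():
    """Request body for macie2 PutFindingsPublicationConfiguration.

    Macie publishes policy findings to Security Hub by default; sensitive data
    (classification) findings are not published until publishClassificationFindings
    is set. Run in the Macie delegated administrator (security) account, per Region.
    """
    return {
        "securityHubConfiguration": {
            "publishClassificationFindings": True,
            "publishPolicyFindings": True,
        }
    }


def enable_macie_publishing(macie2_client):
    """Apply the settings through a boto3 'macie2' client (real or faked)."""
    return macie2_client.put_findings_publication_configuration(**macie_publication_settings())


def sensitive_data_filters():
    """Security Hub GetFindings filter for active Macie sensitive data findings.

    EQUALS/PREFIX are documented ASFF string comparisons; the Types prefix and the
    ProductName value are assumptions about how Macie findings appear in ASFF.
    """
    return {
        "ProductName": [{"Value": "Macie", "Comparison": "EQUALS"}],
        "Types": [{"Value": "Sensitive Data Identifications", "Comparison": "PREFIX"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    }


def bucket_from_resource(resource):
    """Bucket name from an AwsS3Bucket or AwsS3Object resource ARN, else None."""
    arn = resource.get("Id", "")
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        return None
    return arn[len(prefix):].split("/", 1)[0]


def build_inventory(findings):
    """Aggregate ASFF findings into {account: {bucket: {types, max_severity, findings}}}.

    Policy findings (public bucket, missing encryption, ...) are skipped: the
    inventory is about sensitive data, not bucket configuration.
    """
    inventory = defaultdict(dict)
    for finding in findings:
        types = finding.get("Types", [])
        if not any(t.startswith("Sensitive Data Identifications") for t in types):
            continue
        account = finding["AwsAccountId"]
        label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
        # A finding lists both the bucket and the object; count it once per bucket.
        buckets = {b for b in (bucket_from_resource(r) for r in finding.get("Resources", [])) if b}
        for bucket in buckets:
            entry = inventory[account].setdefault(
                bucket, {"types": set(), "max_severity": "INFORMATIONAL", "findings": 0}
            )
            entry["findings"] += 1
            entry["types"].update(t.rsplit("/", 1)[-1] for t in types)
            if SEVERITY_ORDER.get(label, 0) > SEVERITY_ORDER[entry["max_severity"]]:
                entry["max_severity"] = label
    # Sets -> sorted lists so the inventory can be serialized or diffed run to run.
    return {
        acct: {b: {**e, "types": sorted(e["types"])} for b, e in buckets.items()}
        for acct, buckets in inventory.items()
    }


# Constructed sample findings (ASFF-shaped; Macie type strings are assumptions).
SAMPLE_FINDINGS = [
    {"AwsAccountId": "111111111111", "ProductName": "Macie", "Severity": {"Label": "HIGH"},
     "Types": ["Sensitive Data Identifications/PII/SensitiveData:S3Object-Personal"],
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::dev-customer-exports"},
                   {"Type": "AwsS3Object", "Id": "arn:aws:s3:::dev-customer-exports/2024/users.csv"}]},
    {"AwsAccountId": "111111111111", "ProductName": "Macie", "Severity": {"Label": "MEDIUM"},
     "Types": ["Sensitive Data Identifications/Financial/SensitiveData:S3Object-Financial"],
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::dev-customer-exports"},
                   {"Type": "AwsS3Object", "Id": "arn:aws:s3:::dev-customer-exports/2024/cards.csv"}]},
    {"AwsAccountId": "222222222222", "ProductName": "Macie", "Severity": {"Label": "CRITICAL"},
     "Types": ["Sensitive Data Identifications/Credentials/SensitiveData:S3Object-Credentials"],
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::prod-app-config"},
                   {"Type": "AwsS3Object", "Id": "arn:aws:s3:::prod-app-config/app.env"}]},
    # Policy finding (bucket configuration), deliberately excluded from the inventory.
    {"AwsAccountId": "222222222222", "ProductName": "Macie", "Severity": {"Label": "HIGH"},
     "Types": ["Software and Configuration Checks/AWS Security Best Practices/Policy:IAMUser-S3BucketPublic"],
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::prod-static-site"}]},
]

if __name__ == "__main__":
    for account, buckets in build_inventory(SAMPLE_FINDINGS).items():
        for bucket, entry in buckets.items():
            print(account, bucket, entry["max_severity"], entry["findings"], ", ".join(entry["types"]))
```

In a real deployment the finding list would come from `securityhub.get_findings(Filters=sensitive_data_filters())` in the delegated administrator account (paginated with `NextToken`), after `enable_macie_publishing` has been applied where Macie runs; the inventory function then gives the single-location view the question asks for.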