AWS Certified Security – Specialty (SCS-C03) — Question 39
A security engineer needs to implement a solution to identify any sensitive data that is stored in an Amazon S3 bucket. The solution must report on sensitive data in the S3 bucket by using an existing Amazon Simple Notification Service (Amazon SNS) topic.
Which solution will meet these requirements with the LEAST implementation effort?
Answer options
- A. Enable AWS Config. Configure AWS Config to monitor for sensitive data in the S3 bucket and to send notifications to the SNS topic.
- B. Create an AWS Lambda function to scan the S3 bucket for sensitive data that matches a pattern. Program the Lambda function to send notifications to the SNS topic.
- C. Configure Amazon Macie to use managed data identifiers to identify and categorize sensitive data. Create an Amazon EventBridge rule to send notifications to the SNS topic.
- D. Enable Amazon GuardDuty. Configure AWS CloudTrail S3 data events. Create an Amazon CloudWatch alarm that reacts to GuardDuty findings and sends notifications to the SNS topic.
Correct answer: C
Explanation
The correct answer is C because Amazon Macie is purpose-built to discover and classify sensitive data in S3 buckets: its managed data identifiers detect common sensitive data types (such as PII, credentials, and financial data) out of the box, and Macie publishes its findings to Amazon EventBridge automatically, so a single EventBridge rule with the existing SNS topic as its target completes the solution. Option A is not suitable because AWS Config evaluates resource configurations for compliance; it does not inspect the contents of S3 objects for sensitive data. Option B requires writing, deploying, and maintaining a custom Lambda function and its own pattern-matching logic, which is far more development work than enabling a managed service. Option D is not suitable because GuardDuty detects threats and suspicious activity from CloudTrail S3 data events; it does not classify the data stored in the bucket, so the CloudTrail and CloudWatch alarm configuration adds complexity without meeting the requirement.