AWS Certified Security – Specialty — Question 166

A large company wants its Compliance team to audit its Amazon S3 buckets to identify if personally identifiable information (PII) is stored in them. The company has hundreds of S3 buckets and has asked the Security Engineers to scan every bucket.
How can this task be accomplished?

Answer options

• A. Configure Amazon CloudWatch Events to trigger Amazon Inspector to scan the S3 buckets daily for PII. Configure Amazon Inspector to publish Amazon SNS notifications to the Compliance team if PII is detected.
• B. Configure Amazon Macie to classify data in the S3 buckets and check the dashboard for PII findings. Configure Amazon CloudWatch Events to capture Macie alerts and target an Amazon SNS topic to be notified if PII is detected.
• C. Check the AWS Trusted Advisor data loss prevention page in the AWS Management Console. Download the Amazon S3 data confidentiality report and send it to the Compliance team. Configure Amazon CloudWatch Events to capture Trusted Advisor alerts and target an Amazon SNS topic to be notified if PII is detected.
• D. Enable Amazon GuardDuty in multiple Regions to scan the S3 buckets. Configure Amazon CloudWatch Events to capture GuardDuty alerts and target an Amazon SNS topic to be notified if PII is detected.

Correct answer: B

Explanation

The correct answer is B because Amazon Macie is specifically designed to classify and protect sensitive data like PII in S3 buckets, making it the most suitable choice for the task. Other options, while involving monitoring or alerting mechanisms, do not provide the same targeted scanning capabilities for PII as Amazon Macie does.