AWS Certified Security – Specialty — Question 62
The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data.
Pattern:
"randomID_datestamp_PII.csv"
Example:
"1234567_12302017_000-00-0000.csv"
The bucket where these objects are being stored is using server-side encryption (SSE).
Which solution is the most secure and cost-effective option to protect the sensitive data?
Answer options
- A. Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.
- B. Add an S3 bucket policy that denies the action s3:GetObject.
- C. Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.
- D. Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.
Correct answer: C
Explanation
The correct answer is C. Server-side encryption protects the object body at rest, but it does not encrypt the object key, and the key is the part that leaks here: it appears in ListObjects responses, in the URL of every request, in S3 server access logs and CloudTrail data events, and in any tool or console that browses the bucket. Replacing the key with a random, unique identifier removes the PII from all of those places, and a DynamoDB index keyed on that identifier, with the sensitive attributes encrypted client-side before they are written, lets the application still look up objects by their PII without storing it in plaintext anywhere. Option A only moves the problem: user-defined metadata is stored and returned in plaintext (SSE covers object data, not object metadata) and is visible to anyone who can read the object. Option B breaks the application and does nothing about the key itself, which is still disclosed to anyone allowed to list the bucket. Option D replaces S3 with an encrypted RDS instance, which adds cost and a rewrite of the data path when the actual defect is the naming scheme.