AWS Certified Solutions Architect – Associate (SAA-C03) — Question 529
A company stores data in Amazon S3. According to regulations, the data must not contain personally identifiable information (PII). The company recently discovered that S3 buckets have some objects that contain PII. The company needs to automatically detect PII in S3 buckets and to notify the company’s security team.
Which solution will meet these requirements?
Answer options
- A. Use Amazon Macie. Create an Amazon EventBridge rule to filter the SensitiveData event type from Macie findings and to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
- B. Use Amazon GuardDuty. Create an Amazon EventBridge rule to filter the CRITICAL event type from GuardDuty findings and to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
- C. Use Amazon Macie. Create an Amazon EventBridge rule to filter the SensitiveData:S3Object/Personal event type from Macie findings and to send an Amazon Simple Queue Service (Amazon SQS) notification to the security team.
- D. Use Amazon GuardDuty. Create an Amazon EventBridge rule to filter the CRITICAL event type from GuardDuty findings and to send an Amazon Simple Queue Service (Amazon SQS) notification to the security team.
Correct answer: A
Explanation
Amazon Macie is the native AWS service designed to automatically discover, classify, and protect sensitive data like PII within Amazon S3. When Macie discovers sensitive data, it generates a finding of type 'SensitiveData', which can be intercepted by Amazon EventBridge to trigger an Amazon SNS topic for immediate security team notification. Amazon GuardDuty is a threat detection service and does not scan S3 objects for PII, while Amazon SQS is a message queuing service rather than a direct alerting tool like SNS.
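As an added example (not part of the original question page), here is the EventBridge event pattern a practitioner would attach to the rule in answer A, together with a small matcher that applies it to constructed sample events so the filtering can be checked offline. One caveat the exam wording glosses over: in real Macie events the finding type carries a category suffix (for example `SensitiveData:S3Object/Personal`), so the rule matches on the `SensitiveData` prefix rather than the bare string; the `source`, `detail-type` and `detail.type` field names follow Macie's EventBridge event format, and the sample events are constructed.

```python
# Added example: EventBridge pattern for Macie sensitive-data findings plus a
# minimal matcher (exact values and {"prefix": ...}) to test it offline.

# Pattern for the rule in answer A. The prefix match covers every
# SensitiveData:* finding type (Personal, Financial, Credentials, Multiple)
# while ignoring Macie policy findings and events from other services.
MACIE_PII_PATTERN = {
    "source": ["aws.macie"],
    "detail-type": ["Macie Finding"],
    "detail": {"type": [{"prefix": "SensitiveData"}]},
}

def _value_matches(value, allowed):
    """EventBridge list semantics: a field matches if ANY entry matches;
    an entry is either an exact value or a {"prefix": ...} matcher."""
    for entry in allowed:
        if isinstance(entry, dict) and "prefix" in entry:
            if isinstance(value, str) and value.startswith(entry["prefix"]):
                return True
        elif value == entry:
            return True
    return False

def event_matches(event, pattern):
    """Recursively match an event against the subset of the EventBridge
    pattern language used above (nested objects, value lists, prefix)."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not event_matches(event[key], allowed):
                return False
        elif not _value_matches(event[key], allowed):
            return False
    return True

# Constructed sample events (field shapes follow the services' formats; values are made up).
MACIE_PERSONAL = {"source": "aws.macie", "detail-type": "Macie Finding",
                  "detail": {"type": "SensitiveData:S3Object/Personal",
                             "severity": {"description": "High"},
                             "resourcesAffected": {"s3Bucket": {"name": "example-bucket"}}}}
MACIE_POLICY = {"source": "aws.macie", "detail-type": "Macie Finding",
                "detail": {"type": "Policy:IAMUser/S3BucketPublic"}}
GUARDDUTY = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
             "detail": {"type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller"}}

def pii_finding_types(events):
    """Return the finding type of every event the rule would forward to the SNS topic."""
    return [e["detail"]["type"] for e in events if event_matches(e, MACIE_PII_PATTERN)]
```

Only the Macie sensitive-data finding reaches the security team's topic; the Macie policy finding and the GuardDuty finding are filtered out by the rule, which is the distinction the answer options turn on.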