AWS Certified SysOps Administrator – Associate (legacy) — Question 739
A company is creating an application that will keep records. The application will run on Amazon EC2 instances and will use an Amazon Aurora MySQL database as its data store. To maintain compliance, the application must not retain information that is determined to be sensitive.
Which technique should a SysOps administrator use to detect if sensitive data is being stored in the application?
Answer options
- A. Export data from the database by using an AWS Lambda function. Store the data in Amazon S3. Use Amazon Macie to examine the stored data. Examine the report for any sensitive data that is discovered.
- B. Install the Amazon GuardDuty plugin for Aurora. Configure GuardDuty to examine the database. Add the corresponding EC2 CIDR ranges to the trusted IP list in GuardDuty. Examine the report for any sensitive data that is discovered.
- C. Deploy Amazon Inspector by installing the Amazon Inspector agent on all EC2 instances. Set the Amazon Inspector assessment type to HOST assessment. Include NETWORK communications with the Aurora DB cluster. Examine the report for any sensitive data that is discovered.
- D. Use VPC Flow Logs to examine traffic between the EC2 instances and the Aurora DB cluster. Store the log files in Amazon S3. Use Amazon Detective to examine the extracted log files. Examine the report for any sensitive data that is discovered.
Correct answer: A
Explanation
Amazon Macie is a data security service that uses machine learning and pattern matching to discover and protect sensitive data, such as personally identifiable information (PII), specifically within Amazon S3. Because Macie inspects S3 objects rather than database tables, the Aurora MySQL data must first be exported to S3 (here by an AWS Lambda function); Macie can then scan the exported files and report any sensitive content it finds. The other tools are built for different purposes: Amazon GuardDuty for threat detection, Amazon Inspector for host vulnerability scanning, and Amazon Detective for security investigation. None of them inspects database payloads for sensitive data patterns.