DEA-C01 Question #190: Real Exam Question with Answer & Explanation
The correct answer is A: Use AWS Glue DataBrew to perform extract, transform, and load (ETL) tasks that mask the PII.
Question
A company saves customer data to an Amazon S3 bucket. The company uses server-side encryption with AWS KMS keys (SSE-KMS) to encrypt the bucket. The dataset includes personally identifiable information (PII) such as social security numbers and account details. Data that is tagged as PII must be masked before the company uses customer data for analysis. Some users must have secure access to the PII data during the pre-processing phase. The company needs a low-maintenance solution to mask and secure the PII data throughout the entire engineering pipeline. Which combination of solutions will meet these requirements? (Choose two.)
Options
- A. Use AWS Glue DataBrew to perform extract, transform, and load (ETL) tasks that mask the PII
- B. Use Amazon GuardDuty to monitor access patterns for the PII data that is used in the
- C. Configure an Amazon Macie discovery job for the S3 bucket.
- D. Use AWS Identity and Access Management (IAM) to manage permissions and to control access
- E. Write custom scripts in an application to mask the PII data and to control access.
Explanation
Correct answer: A and D

Option A (AWS Glue DataBrew) is the correct masking solution because DataBrew provides built-in PII detection and data masking transformations (e.g., hashing, substitution, redaction) within ETL pipelines. No custom code is required, making it low-maintenance.

Option D (IAM permissions) is the correct access control solution because IAM policies can restrict which users/roles can access the S3 bucket and KMS keys, ensuring only authorized users can access raw PII during pre-processing.

Option B (GuardDuty) monitors for security threats like unauthorized access attempts but does not mask data.

Option C (Macie) discovers and classifies PII but does not mask it.

Option E (custom scripts) is high-maintenance and contradicts the 'low-maintenance' requirement.

Explanation generated by: claude-sonnet. LLM judge score: 4.