
SCS-C03 Question #23: Real Exam Question with Answer & Explanation

The correct answer is C: Configure Amazon Macie to use managed data identifiers to identify and categorize sensitive.

Submitted by jian89 · Mar 6, 2026

Question

A security engineer needs to implement a solution to identify any sensitive data that is stored in an Amazon S3 bucket. The solution must report on sensitive data in the S3 bucket by using an existing Amazon Simple Notification Service (Amazon SNS) topic. Which solution will meet these requirements with the LEAST implementation effort?

Options

  • A. Enable AWS Config. Configure AWS Config to monitor for sensitive data in the S3 bucket and to
  • B. Create an AWS Lambda function to scan the S3 bucket for sensitive data that matches a pattern.
  • C. Configure Amazon Macie to use managed data identifiers to identify and categorize sensitive
  • D. Enable Amazon GuardDuty. Configure AWS CloudTrail S3 data events. Create an Amazon

Explanation

Amazon Macie is the AWS service designed specifically to discover, classify, and report sensitive data stored in Amazon S3. According to the AWS Certified Security - Specialty Study Guide, Macie uses machine learning and managed data identifiers to automatically detect sensitive data types such as PII and financial information. Macie integrates natively with Amazon EventBridge, allowing findings to be routed to other services such as Amazon SNS with minimal configuration. Creating an EventBridge rule to forward Macie findings to an existing SNS topic satisfies the notification requirement without

Option A is invalid because AWS Config does not inspect object contents. Option B requires custom development and ongoing maintenance. Option D is incorrect because Amazon GuardDuty focuses on threat detection, not sensitive data discovery. AWS documentation emphasizes Macie as the lowest-effort and most accurate solution for sensitive data identification in S3.
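The EventBridge-to-SNS wiring described in the explanation, as an added CloudFormation sketch that is not part of the original page. The parameter name `ExistingTopicArn`, the logical name `MacieSensitiveDataRule` and the target Id are assumptions, and the template assumes Macie is already enabled and running sensitive data discovery on the bucket.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Forward Amazon Macie sensitive data findings to an existing SNS topic

Parameters:
  ExistingTopicArn:          # assumed parameter name; ARN of the SNS topic already in use
    Type: String

Resources:
  MacieSensitiveDataRule:    # assumed logical name
    Type: AWS::Events::Rule
    Properties:
      Description: Macie sensitive data findings to SNS
      State: ENABLED
      EventPattern:
        source:
          - aws.macie
        detail-type:
          - Macie Finding
        detail:
          # CLASSIFICATION = sensitive data findings; POLICY findings
          # (bucket configuration changes) are not forwarded by this rule.
          category:
            - CLASSIFICATION
      Targets:
        - Id: macie-to-sns   # assumed target Id
          Arn: !Ref ExistingTopicArn

# The topic's access policy must allow the principal events.amazonaws.com
# to call sns:Publish, otherwise EventBridge cannot deliver to the topic.
# If the topic is encrypted with a customer managed KMS key, the key policy
# must also let events.amazonaws.com use kms:GenerateDataKey and kms:Decrypt.
```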
