Q98 — AWS DOP-C02 Ch.1

A DevOps administrator manages Amazon CloudWatch Logs log groups for the company. Company security policy states that employee IDs must not be visible in logs unless accessed by authorized personnel. Employee IDs follow the pattern Emp-XXXXXX, where each X is a digit. An audit reveals employee IDs appear in individual log files. These log files are accessible to engineers, but engineers must not view employee IDs. Engineers currently have AWS IAM Identity Center permissions allowing login to resources in the account.

Correct Answer: A. Create a new data protection policy on the log group. Add a custom data identifier Emp-\d{6}. Create an IAM policy denying the logs:Unmask permission on the resource. Attach the policy to the engineering account.

Explanation

This question evaluates the application of Amazon CloudWatch Logs data protection policies and IAM permission controls. AWS documentation states that CloudWatch Logs data protection policies can define sensitive data identifiers and automatically mask matching content. Option A uses the precise custom identifier Emp-\d{6} to match employee ID format and combines it with an explicit IAM deny policy for logs:Unmask, ensuring engineers cannot unmask the data. Other options introduce unnecessary complexity and latency: Lambda (C) and Firehose (D) require additional processing steps; option B’s managed identifier cannot match the custom pattern; Macie (D) performs post-storage analysis rather than real-time masking. AWS best practices recommend native policy-based control for minimal operational overhead.
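As an added illustration (not part of the original question or AWS's own sample), the two policy documents option A describes, built in Python, together with a local approximation of how a masked event reads to an engineer. The log group ARN is a hypothetical value; the data protection policy follows the document shape in the AWS docs, and the asterisk masking is only an approximation of the console rendering.

```python
import json
import re

# Regex from the answer: "Emp-" followed by exactly six digits.
EMPLOYEE_ID_REGEX = r"Emp-\d{6}"
# Hypothetical log group; replace with the real ARN in practice.
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:111122223333:log-group:app-logs"


def data_protection_policy() -> dict:
    """CloudWatch Logs data protection policy: one custom data identifier,
    an audit statement and a de-identify (mask) statement that reference it."""
    return {
        "Name": "employee-id-protection",
        "Version": "2021-06-01",
        "Configuration": {
            "CustomDataIdentifier": [{"Name": "EmployeeId", "Regex": EMPLOYEE_ID_REGEX}]
        },
        "Statement": [
            {"Sid": "audit", "DataIdentifier": ["EmployeeId"],
             "Operation": {"Audit": {"FindingsDestination": {}}}},
            {"Sid": "mask", "DataIdentifier": ["EmployeeId"],
             "Operation": {"Deidentify": {"MaskConfig": {}}}},
        ],
    }


def deny_unmask_policy(log_group_arn: str) -> dict:
    """IAM policy with an explicit Deny on logs:Unmask for the log group,
    so engineers keep read access but cannot reveal masked employee IDs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnmaskEmployeeIds",
            "Effect": "Deny",
            "Action": "logs:Unmask",
            "Resource": f"{log_group_arn}:*",
        }],
    }


def mask_like_policy(line: str) -> str:
    """Local approximation of a masked event: every regex match becomes
    asterisks. Note the caveat: Emp-\\d{6} also matches the first six digits
    of a longer run, and leaves five-digit IDs untouched."""
    return re.sub(EMPLOYEE_ID_REGEX, lambda m: "*" * len(m.group(0)), line)


if __name__ == "__main__":
    print(json.dumps(data_protection_policy(), indent=2))
    print(json.dumps(deny_unmask_policy(LOG_GROUP_ARN), indent=2))
    print(mask_like_policy("login ok user=Emp-123456 from 10.0.0.5"))
```

The two dicts are what you would pass to `aws logs put-data-protection-policy` and `aws iam put-user-policy` (or an equivalent permission set) respectively.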