Q92 — AWS DVA-C02 Ch.3

Due to regulatory requirements, a financial company must retain original customer records for 10 years. The complete record includes personally identifiable information (PII). Per local regulations, PII may only be accessed by specific personnel within the company and must not be shared with third parties. The company wishes to provide anonymized records to third-party organizations for statistical analysis without sharing PII. Developers want to store the original immutable records in Amazon S3. Documents should be returned unchanged—or with PII removed—depending on who accesses them in S3. Developers have written an AWS Lambda function named removePii to remove PII from documents. How should developers implement this solution to meet PII compliance requirements while retaining only one copy of each document?

Correct Answer: C. Create an S3 Object Lambda Access Point from the S3 console and select the removePii function. Access objects without PII using the S3 Object Lambda Access Point.

Explanation

Option C is correct because S3 Object Lambda Access Points allow you to apply Lambda functions at the object level. By configuring an S3 Object Lambda Access Point and selecting the removePii function, data is processed before being returned to the requester—ensuring PII is removed prior to delivery—while preserving the original unmodified object in S3. This satisfies the requirement to avoid sharing PII and retain only one immutable copy of each document. Options A and B misuse S3 event notifications (which trigger asynchronously and cannot transform responses in real time), and option D references a non-existent API (GetObjectLegalHold) and misrepresents S3 Access Points, which do not support inline transformation.