Q57 — AWS SCS-C02 Ch.1
A medical company recently completed an acquisition and inherited an existing AWS environment. The company has an upcoming audit and is concerned about the compliance posture of its acquisition. The company must identify personal health information inside Amazon S3 buckets and must identify S3 buckets that are publicly accessible. The company needs to prepare for the audit by collecting evidence in the environment. Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose three.)
- A. Enable Amazon Macie. Run an on-demand sensitive data discovery job that uses the PERSONAL_INFORMATION managed data identifier. ✓
- B. Use AWS Glue with the Detect PII transform to identify sensitive data and to mask the sensitive data.
- C. Enable AWS Audit Manager. Create an assessment by using a supported framework.
- D. Enable Amazon GuardDuty S3 Protection. Document any findings that are related to suspicious access of S3 buckets.
- E. Enable AWS Security Hub. Use the AWS Foundational Security Best Practices standard. Review the controls dashboard for evidence of failed S3 Block Public Access controls. ✓
- F. Enable AWS Config. Set up the s3-bucket-public-write-prohibited AWS Config managed rule. ✓
Correct Answer: A, E, F (enable Amazon Macie and run an on-demand discovery job with the PERSONAL_INFORMATION managed data identifier; enable AWS Security Hub with the AWS Foundational Security Best Practices standard and review the controls dashboard for failed S3 Block Public Access controls; enable AWS Config with the s3-bucket-public-write-prohibited managed rule).
Explanation
Amazon Macie is the managed service for discovering, classifying and protecting sensitive data in AWS, including personal health information (PHI), using machine learning and pattern matching. Once Macie is enabled in the account and region that holds the inherited buckets, a one-time (on-demand) sensitive data discovery job scoped to those buckets and using the managed PERSONAL_INFORMATION data identifiers scans the objects without any custom tooling, and each finding records which bucket, object and detection type matched (Amazon Macie User Guide). AWS Security Hub aggregates security state across services; enabling the AWS Foundational Security Best Practices (FSBP) standard automatically evaluates the S3 Block Public Access controls (S3.1 at the account level, S3.8 at the bucket level), and the controls dashboard shows passed and failed resources that can be exported directly as compliance evidence (AWS Security Hub User Guide). AWS Config continuously evaluates resource configuration against rules; the s3-bucket-public-write-prohibited managed rule automatically detects and reports buckets whose policy or ACL allows public write (AWS Config Developer Guide).

Two practical caveats: Security Hub's control checks run on top of AWS Config, so the Config recorder must be enabled in each region before the FSBP controls produce results; and s3-bucket-public-write-prohibited covers only public write, so a bucket that is world-readable is caught by the FSBP Block Public Access controls (or the companion s3-bucket-public-read-prohibited rule), not by that rule alone. Together, the three chosen services produce the two pieces of evidence the audit needs (where PHI lives, and which buckets are public) with nothing to build or operate.

Option B uses AWS Glue to transform and mask data, which is processing rather than discovery and does not produce audit evidence. Option C (AWS Audit Manager) is built around assessment frameworks and option D (GuardDuty S3 Protection) around threat detection for suspicious access; neither directly identifies PHI in buckets or reports public-access configuration, so they fit the evidence-collection requirement less well than A, E and F.
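The three answers each produce findings in a different shape (Macie findings, Security Hub ASFF findings, Config evaluation results), and the auditor ultimately wants one list per bucket: does it hold PHI, and is it public. The script below, added here as an illustration and not part of the original question page, joins the three sources by bucket name offline. The sample payloads are constructed, trimmed-down versions of what `aws macie2 get-findings`, `aws securityhub get-findings` and `aws configservice get-compliance-details-by-config-rule` return; only the fields the script reads are kept, and the bucket names and account ID are invented. It also handles one edge case a practitioner hits when exporting evidence: an ARCHIVED Security Hub finding describes a state that no longer exists and must not be reported as current.

```python
"""Join Macie PHI findings, Security Hub FSBP results and Config evaluations per S3 bucket."""
from collections import defaultdict

# Constructed sample: two findings from a one-time Macie discovery job.
MACIE_FINDINGS = [
    {"type": "SensitiveData:S3Object/Personal",
     "resourcesAffected": {"s3Bucket": {"name": "acq-claims-archive"},
                           "s3Object": {"key": "2023/claims-q3.csv"}},
     "classificationDetails": {"result": {"sensitiveData": [
         {"category": "PERSONAL_INFORMATION", "totalCount": 412, "detections": [
             {"type": "USA_HEALTH_INSURANCE_CLAIM_NUMBER", "count": 400},
             {"type": "USA_SOCIAL_SECURITY_NUMBER", "count": 12}]}]}}},
    {"type": "SensitiveData:S3Object/Personal",
     "resourcesAffected": {"s3Bucket": {"name": "acq-hr-docs"},
                           "s3Object": {"key": "onboarding/forms.pdf"}},
     "classificationDetails": {"result": {"sensitiveData": [
         {"category": "PERSONAL_INFORMATION", "totalCount": 3, "detections": [
             {"type": "USA_SOCIAL_SECURITY_NUMBER", "count": 3}]}]}}},
]

# Constructed sample: ASFF findings for FSBP S3.1 (account-level Block Public
# Access) and S3.8 (bucket-level Block Public Access). Account ID is invented.
SECURITY_HUB_FINDINGS = [
    {"Compliance": {"Status": "FAILED", "SecurityControlId": "S3.8"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::acq-claims-archive"}]},
    {"Compliance": {"Status": "PASSED", "SecurityControlId": "S3.8"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::acq-hr-docs"}]},
    # Stale finding: the bucket was fixed, Security Hub archived the old FAILED record.
    {"Compliance": {"Status": "FAILED", "SecurityControlId": "S3.8"}, "RecordState": "ARCHIVED",
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::acq-hr-docs"}]},
    {"Compliance": {"Status": "FAILED", "SecurityControlId": "S3.1"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}]},
]

# Constructed sample: evaluation results for the managed Config rule.
def _eval(bucket, compliance):
    return {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
                "ConfigRuleName": "s3-bucket-public-write-prohibited",
                "ResourceType": "AWS::S3::Bucket", "ResourceId": bucket}},
            "ComplianceType": compliance}

CONFIG_EVALUATIONS = [_eval("acq-claims-archive", "NON_COMPLIANT"),
                      _eval("acq-static-site", "NON_COMPLIANT"),
                      _eval("acq-hr-docs", "COMPLIANT")]


def phi_by_bucket(findings):
    """Sum Macie PERSONAL_INFORMATION detections per bucket, keyed by detection type."""
    out = defaultdict(lambda: defaultdict(int))
    for f in findings:
        bucket = f["resourcesAffected"]["s3Bucket"]["name"]
        result = f.get("classificationDetails", {}).get("result", {})
        for block in result.get("sensitiveData", []):
            if block["category"] != "PERSONAL_INFORMATION":
                continue
            for det in block["detections"]:
                out[bucket][det["type"]] += det["count"]
    return {b: dict(types) for b, types in out.items()}


def exposure_by_bucket(sh_findings, config_evals):
    """Return (bucket -> set of evidence labels, set of failed account-level controls).

    Only ACTIVE + FAILED Security Hub findings count as current evidence; ARCHIVED
    records are skipped. Config NON_COMPLIANT results for S3 buckets are added too.
    """
    evidence, account_failed = defaultdict(set), set()
    for f in sh_findings:
        comp = f.get("Compliance", {})
        if f.get("RecordState") != "ACTIVE" or comp.get("Status") != "FAILED":
            continue
        control = comp.get("SecurityControlId", "?")
        for r in f["Resources"]:
            if r["Type"] == "AwsS3Bucket":            # bucket ARN -> bucket name
                evidence[r["Id"].split(":::", 1)[-1]].add("securityhub:" + control)
            elif r["Type"] == "AwsAccount":
                account_failed.add(control)
    for e in config_evals:
        q = e["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        if e["ComplianceType"] == "NON_COMPLIANT" and q["ResourceType"] == "AWS::S3::Bucket":
            evidence[q["ResourceId"]].add("config:" + q["ConfigRuleName"])
    return dict(evidence), account_failed


def build_evidence(macie, sh, config):
    """One row per bucket seen by any source; buckets that are both PHI and public sort first."""
    phi = phi_by_bucket(macie)
    exposure, account_failed = exposure_by_bucket(sh, config)
    rows = []
    for bucket in sorted(set(phi) | set(exposure)):
        types = phi.get(bucket, {})
        rows.append({"bucket": bucket, "phi_count": sum(types.values()),
                     "phi_types": sorted(types), "exposure": sorted(exposure.get(bucket, ()))})
    rows.sort(key=lambda r: (not (r["phi_count"] and r["exposure"]), r["bucket"]))
    return {"account_controls_failed": sorted(account_failed), "buckets": rows}


def high_risk(report):
    """Buckets that hold PHI and are flagged public: the ones the auditor will ask about first."""
    return [r["bucket"] for r in report["buckets"] if r["phi_count"] and r["exposure"]]


if __name__ == "__main__":
    report = build_evidence(MACIE_FINDINGS, SECURITY_HUB_FINDINGS, CONFIG_EVALUATIONS)
    print("Account-level controls failed:", report["account_controls_failed"])
    for row in report["buckets"]:
        print(row)
    print("High risk:", high_risk(report))
```

With the samples above, acq-claims-archive is reported as high risk (412 PHI detections, flagged by both S3.8 and the Config rule), acq-hr-docs holds PHI but is not public once the archived finding is discarded, and acq-static-site is public but holds no PHI. The account-level S3.1 failure is kept separately because it applies to every bucket, not to one resource.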