Q95 — AWS SCS-C02 Ch.1
A company is investigating controls to protect sensitive data. The company uses Amazon Simple Notification Service (Amazon SNS) topics to publish messages from application components to custom logging services. The company is concerned that an application component might publish sensitive data that will be accidentally exposed in transaction logs and debug logs. Which solution will protect the sensitive data in these messages from accidental exposure?
- A. Use Amazon Macie to scan the SNS topics for sensitive data elements in the SNS messages. Create an AWS Lambda function that masks sensitive data inside the messages when Macie records a new finding.
- B. Configure an inbound message data protection policy. In the policy, include the De-identify operation to mask the sensitive data inside the messages. Apply the policy to the SNS topics.   ✓
- C. Configure the SNS topics with an AWS Key Management Service (AWS KMS) customer managed key to encrypt the data elements inside the messages. Grant permissions to all message publisher IAM roles to allow access to the key to encrypt data.
- D. Create an Amazon GuardDuty finding for sensitive data that is transmitted to the SNS topics. Create an AWS Security Hub custom remediation action to block messages that contain sensitive data from being delivered to subscribers of the SNS topics.
Correct Answer: B. Configure an inbound message data protection policy. In the policy, include the De-identify operation to mask the sensitive data inside the messages. Apply the policy to the SNS topics.
Explanation
This question concerns the data protection features of Amazon SNS, specifically how sensitive information in message content is handled. AWS documentation states that SNS supports data protection policies: a "De-identify" operation (for example, masking) configured in an inbound message policy de-identifies sensitive fields in real time. Option B uses this built-in policy directly, so sensitive data is processed the moment a message is published and never reaches the logs in plaintext. Option A depends on after-the-fact scanning by Macie and a Lambda remediation, so there is a window of delay during which the data is exposed. Option C's KMS encryption protects the message at rest but does not stop the message contents from being written to logs once delivered. Option D relies on a detect-then-respond mechanism and cannot block exposure in real time. The correct approach is to configure the policy in advance so that de-identification happens immediately on publish.