Q95 — AWS SCS-C02 Ch.1


A company is investigating controls to protect sensitive data. The company uses Amazon Simple Notification Service (Amazon SNS) topics to publish messages from application components to custom logging services. The company is concerned that an application component might publish sensitive data that will be accidentally exposed in transaction logs and debug logs. Which solution will protect the sensitive data in these messages from accidental exposure?

Correct Answer: B. Configure an inbound message data protection policy. In the policy, include the De-identify operation to mask the sensitive data inside the messages. Apply the policy to the SNS topics.  

Explanation

This question concerns the data protection feature of Amazon SNS, specifically how sensitive information inside message content is handled. The AWS documentation notes that SNS supports data protection policies: a De-identify operation (for example, masking) in an inbound message policy de-identifies sensitive fields in real time. Option B uses this built-in policy directly, so sensitive data is handled the moment a message is published and never reaches the logs in plaintext. Option A relies on after-the-fact scanning and Lambda processing, which introduces a window of delay; Option C's encryption does not prevent the ciphertext from being stored in the logs; Option D relies on responding after detection and cannot block exposure in real time. The correct approach is to configure the policy in advance so that de-identification happens immediately.
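As an added example (not part of the original question or of the AWS documentation it cites), the following is the shape of an inbound SNS data protection policy that implements option B: it masks credit card numbers and email addresses in every published message before the message is delivered to any subscriber. The policy name, the Sid, the choice of data identifiers and the mask character are assumptions made for this illustration; the topic ARN is a placeholder.

```json
{
  "Name": "mask-sensitive-fields-policy",
  "Description": "Assumed example: mask credit card numbers and email addresses in inbound messages",
  "Version": "2021-06-01",
  "Statement": [
    {
      "Sid": "MaskSensitiveFieldsOnPublish",
      "DataDirection": "Inbound",
      "Principal": ["*"],
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber",
        "arn:aws:dataprotection::aws:data-identifier/EmailAddress"
      ],
      "Operation": {
        "Deidentify": {
          "MaskConfig": {
            "MaskWithCharacter": "#"
          }
        }
      }
    }
  ]
}
```

Save this as `policy.json` and attach it to the topic with `aws sns put-data-protection-policy --resource-arn arn:aws:sns:REGION:ACCOUNT_ID:TOPIC_NAME --data-protection-policy file://policy.json`, substituting the placeholder ARN. Because `DataDirection` is `Inbound`, the masking is applied at publish time, so the custom logging services that subscribe to the topic only ever receive the masked form, which is the property the question is asking for. Replacing `MaskConfig` with `"RedactConfig": {}` removes the matched values entirely instead of masking them.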