Examice

Exam DOP-C02 All QuestionsBrowse all questions from this exam

Question 241

A company has an application that stores data that includes personally identifiable information (PII) in an Amazon S3 bucket. All data is encrypted with AWS Key Management Service (AWS KMS) customer managed keys. All AWS resources are deployed from an AWS CloudFormation template.

A DevOps engineer needs to set up a development environment for the application in a different AWS account. The data in the development environment's S3 bucket needs to be updated once a week from the production environment's S3 bucket.

The company must not move PII from the production environment without anonymizing the PII first. The data in each environment must be encrypted with different KMS customer managed keys.

Which combination of steps should the DevOps engineer take to meet these requirements? (Choose two.)

Activate Amazon Macie on the S3 bucket in the production account. Create an AWS Step Functions state machine to initiate a discovery job and redact all PII before copying files to the S3 bucket in the development account. Give the state machine tasks decrypt permissions on the KMS key in the production account. Give the state machine tasks encrypt permissions on the KMS key in the development account.

Set up S3 replication between the production S3 bucket and the development S3 bucket. Activate Amazon Macie on the development S3 bucket. Create an AWS Step Functions state machine to initiate a discovery job and redact all PII as the files are copied to the development S3 bucket. Give the state machine tasks encrypt and decrypt permissions on the KMS key in the development account.

Set up an S3 Batch Operations job to copy files from the production S3 bucket to the development S3 bucket. In the development account, configure an AWS Lambda function to redact ail PII. Configure S3 Object Lambda to use the Lambda function for S3 GET requests. Give the Lambda function's IAM role encrypt and decrypt permissions on the KMS key in the development account.

Create a development environment from the CloudFormation template in the development account. Schedule an Amazon EventBridge rule to start the AWS Step Functions state machine once a week.

Create a development environment from the CloudFormation template in the development account. Schedule a cron job on an Amazon EC2 instance to run once a week to start the S3 Batch Operations job.

Correct Answer: A, D

To meet the requirements, the solution needs to ensure that PII data is anonymized before it is moved to the development environment and that the data in each environment is encrypted with different KMS customer managed keys. Activating Amazon Macie on the S3 bucket in the production account and using AWS Step Functions to initiate a discovery job and redact all PII before copying files to the S3 bucket in the development account ensures PII is handled properly. Additionally, creating the development environment from the CloudFormation template and scheduling an Amazon EventBridge rule to start the AWS Step Functions state machine once a week ensures the data transfer happens regularly and automatically without manual intervention or additional infrastructure costs.

Discussion

tgvOptions: AD

---> A D

trungtdOptions: AD

A. Anonymizing PII in the Production Account D. Automating the Weekly Data Transfer B suggests replicating the data before redacting PII, which violates the requirement C does not ensure that the PII is redacted before the data is stored in the development environment E introduces additional infrastructure management and costs

getadroit

redact should be done before

getadroit

A & D https://aws.amazon.com/blogs/security/how-to-use-amazon-macie-to-preview-sensitive-data-in-s3-buckets/