AWS SAP-C02 · Question 44 · Domain 1.2: Security Controls
A financial institution is building a data lake on Amazon S3. They must enforce strict data governance. Specifically, they need to ensure that sensitive data (like credit card numbers) is automatically discovered and masked before analysts can query it via Amazon Athena. They also need to manage fine-grained access control (column-level and row-level) to the data. Which combination of services should be used? (Select TWO)
Answer options:
Use Amazon Macie to automatically discover and classify sensitive data in the S3 buckets.
Use AWS Lake Formation to define and enforce column-level and row-level access controls for Athena queries.
Use AWS KMS to encrypt the specific columns containing sensitive data.
Use Amazon GuardDuty to monitor S3 data access patterns and block unauthorized queries.
Configure S3 Bucket Policies to restrict access to specific rows in the CSV files.
Use AWS Glue DataBrew to continuously mask data in real time during Athena queries.