Hard · 1 mark · Multiple Choice
Domain 2.3: Security Controls · Security · Data Lake · Lake Formation · KMS

AWS SAP-C02 · Question 24 · Domain 2.3: Security Controls

A company is designing a data lake on Amazon S3. Data is ingested from various sources and processed by AWS Glue. The security team requires that all data be encrypted at rest using a customer-managed KMS key. Furthermore, access to the data must be strictly controlled based on user roles, and all data access must be audited. Which combination of services and configurations should be used? (Select THREE)

Answer options:

A. Configure S3 bucket policies to deny uploads unless encrypted with the specific KMS key.

B. Use AWS Lake Formation to define fine-grained access controls at the database, table, and column levels.

C. Enable AWS CloudTrail data events for the S3 buckets.

D. Use Amazon Macie to enforce access controls based on data classification.

E. Configure AWS IAM permissions boundaries on the S3 buckets.

F. Use Amazon GuardDuty to encrypt the data at rest.

How to approach this question

Select the tools for encryption enforcement, fine-grained access, and auditing.

Full Answer

S3 bucket policies enforce KMS encryption. Lake Formation provides fine-grained (column/row level) access control for data lakes. CloudTrail Data Events audit object-level access.

Common mistakes

Confusing Macie's discovery capabilities with access control enforcement.

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 7
