AWS SAP-C02 · Question 24 · Domain 2.3: Security Controls
A company is designing a data lake on Amazon S3. Data is ingested from various sources and processed by AWS Glue. The security team requires that all data be encrypted at rest using a customer-managed KMS key. Furthermore, access to the data must be strictly controlled based on user roles, and all data access must be audited. Which combination of services and configurations should be used? (Select THREE)
Answer options:
Configure S3 bucket policies to deny uploads unless encrypted with the specific KMS key.
Use AWS Lake Formation to define fine-grained access controls at the database, table, and column levels.
Enable AWS CloudTrail data events for the S3 buckets.
Use Amazon Macie to enforce access controls based on data classification.
Configure AWS IAM permissions boundaries on the S3 buckets.
Use Amazon GuardDuty to encrypt the data at rest.