Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 63 discussion

Explanation: By manually instrumenting the X-Ray SDK in the application code, the developer can have full control over which data is included in the trace messages. This way, the developer can ensure that no PII is sent to X-Ray by carefully handling the PII within the application and not including it in the trace messages.

A Not to send any PII to AWS X-Ray service, add instrumentation code in your application at each location to send trace information that PII is eliminated. https://docs.aws.amazon.com/xray/latest/devguide/xray-instrumenting-your-app.html

Currently, with the all-at-once deployment policy, Elastic Beanstalk updates all EC2 instances simultaneously. This can cause issues with application performance, as the entire fleet of instances is replaced at once, leading to potential downtime or degraded performance if the number of available instances falls below the necessary threshold (fewer than four EC2 instances in your case). Switching to a rolling deployment with a batch size of 2 will allow Elastic Beanstalk to update the instances in smaller batches. During each batch update, only two instances will be updated at a time, which means that there will always be a sufficient number of EC2 instances running (at least three instances at all times). This avoids the performance degradation caused by having fewer than four EC2 instances available.

C) Eliminated - Amazon Macie is designed for identifying and securing sensitive data stored in AWS services like S3 A) A (manual instrumentation) is the best solution because it gives the developer full control over what data is sent to X-Ray, ensuring that no PII leaves the EC2 instances. B) Eliminated - Auto-instrumentation automatically captures data without offering granular control over what is sent to X-Ray. This approach could inadvertently send sensitive PII data to X-Ray, violating the requirements.

A is the correct answer.

X-Ray auto-instrumentation agent itself does not inherently remove or redact Personally Identifiable Information (PII). The primary purpose of the auto-instrumentation agent is to automate the process of instrumenting supported frameworks and libraries for tracing with AWS X-Ray. When dealing with PII or any sensitive information, the responsibility for ensuring that such data is not exposed in traces lies with the application code and configuration, rather than the X-Ray auto-instrumentation agent. While the X-Ray auto-instrumentation agent simplifies the instrumentation process, the need for precise control over PII and the ability to implement custom security measures make manual instrumentation more suitable in this scenario.

A.To ensure that no personally identifiable information (PII) goes outside of the EC2 instances while incorporating AWS X-Ray into an application that handles PII, the developer should manually instrument the X-Ray SDK in the application code. This approach allows for precise control over what data is captured and sent to X-Ray, enabling the developer to exclude or anonymize PII before it leaves the application environment, thereby meeting the requirement to ensure that no PII goes outside of the EC2 instances.

This approach allows for granular control over what data is captured and sent to AWS X-Ray. The developer can instrument the code to ensure that PII is either not included in the trace data or is properly encrypted before being sent. This method provides the necessary control to meet the requirement.

The X-Ray auto-instrumentation agent can help ensure that sensitive information like PII is not transmitted outside of the EC2 instances. It automatically instruments the application without requiring manual intervention, making it easier to maintain traceability without risking the exposure of sensitive data. Options A and D involve manual or custom instrumentations, which might inadvertently expose PII if not implemented correctly. Option C, using Amazon Macie to detect and hide PII and calling the X-Ray API from Lambda, might add complexity to the architecture and doesn't directly address the prevention of PII leaving the EC2 instances.

Option B, using the X-Ray auto-instrumentation agent, is the most appropriate solution for ensuring that no PII goes outside of the EC2 instances.

The X-Ray auto-instrumentation agent is designed to automatically trace and collect data from AWS resources and services without requiring manual instrumentation in your application code. It helps ensure that sensitive information, such as PII, remains within the EC2 instances by not transmitting the data outside explicitly. The agent focuses on tracing the application behavior and performance without directly sending PII to external services. This solution is suitable for ensuring compliance and data security while still benefiting from X-Ray's tracing and insights.

Option "B" : Because. Avoids human error.

Using the X-Ray auto-instrumentation agent (Option B) is the best choice in this scenario because it will automatically instrument the application without requiring any manual code changes. Additionally, when using X-Ray with auto-instrumentation, you can control the sampling rate to ensure that only a subset of trace data (and encrypted PII) is sent to X-Ray and CloudWatch, reducing the risk of sensitive data being exposed outside of the instances.

For non-Java applications running on EC2 instances, you will need to use the appropriate X-Ray SDKs to manually instrument the application code. You can't use auto-agent

Its very clear from Macie definition that it also provides automated protection as well apart from findings the PII data

I think B is incorrect as the auto instrument cannot hide it, right?

C is wrong, Amazon Macie discover PII but dont hide it