Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 169 discussion

Make your sensitive data discovery jobs as targeted and specific as possible in their scope by using the Object criteria

A&D Options to make discovery jobs more targeted include: Include objects by using the “last modified” criterion Don’t scan CloudTrail logs Consider using random object sampling Include objects with specific extensions, tags, or storage size with specific tag key/value pairs such as Environment: Production. Consider scheduling jobs based on how long objects live in your S3 buckets

https://aws.amazon.com/blogs/security/how-to-use-amazon-macie-to-reduce-the-cost-of-discovering-sensitive-data/ Options to make discovery jobs more targeted include: Include objects by using the “last modified” criterion — Consider using random object sampling — Include objects with specific extensions, tags, or storage size —

A - No need to scan these D - Reduce costs but not functionallity

A - No need to scan these D - Reduce costs but not functionallity

AD - Correct https://aws.amazon.com/blogs/security/how-to-use-amazon-macie-to-reduce-the-cost-of-discovering-sensitive-data/

A and D are correct: A: We dont need to scan Cloudtrail logs, so this is good B: Excluding S3 that have public read is just wrong C: We have excluded cloudtrail logs S3, so scanning all S3 is not correct D: This is good E: <Amazon S3 buckets for application-specific purposes and to store AWS CloudTrail logs> means that these S3 buckets are used to store logs and for productions only. Therefore, there will be no production tag, because all of them are production S3 bukets

E sounds right, but the question is about how to optimize, so E would make sense it mentioned skipping non-prod log, or scan prod data only

Answer AD

Don’t scan CloudTrail logs, Include objects by using the “last modified” criterion :https://aws.amazon.com/blogs/security/how-to-use-amazon-macie-to-reduce-the-cost-of-discovering-sensitive-data/

Answer is A & E.

Between D and E: Since the question didn't give any details I picked the broader option. Plus the question mentioned that the account is new, so the team would probably know when the account was created and they can use the last modified criteria. But nowhere mentions the organization's tagging policy. Maybe there is no production tag.

It's A & E. See her for reference: https://aws.amazon.com/blogs/security/how-to-use-amazon-macie-to-reduce-the-cost-of-discovering-sensitive-data/

A and D is correct

B and E is correct