Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 46 discussion

I have a problem with answer B. The question says: "automate remediation". B says that you inform the administrator and he removes the data manually, that's not automating remediation. Very weird, that would mean that D is correct - but it's so much harder to implement.

Amazon Macie is a data security and data privacy service that uses machine learning (ML) and pattern matching to discover and protect your sensitive data

Although I selected B on the account of "Least Developmental Effort", However I feel the question itself is wrong. In lieu of being a difficult and tricky question, it contradicts itself too many times. 1. Macie has a S3 file limitation of 20 GB (in case of ZIP archive), here the files are exceeding 200 GB with no indication of breaking the file or compression. 2. The question states that the customer wants to automate remediation; now the word remediation means "to solve" and automate remediation means that there should not be any manual effort. But none of the options provide any solution for that. I would rate the trust of this question pretty low.

Can't be B Macie has a 5Gb limit C is better than D Lambda can be set up to remove data immediately and AWS state their #1 priority is security.

You can also leverage Macie integration with Amazon EventBridge and AWS Security Hub to monitor, process, and remediate findings by using other services, applications, and systems.

The remediation must be automated

I think "The company wants administrators to be alerted if PII is shared again" is the key here.. so B is correct answer.

None are correct. A does not alert the admins. B does not automate solution. C and D imply dev effort.

Macie has file limitation of 5 GB whereas Custom Lambda function allows you to handle files larger than 5 GB, overcoming Macie’s limitation.

B appears most appropriate out of the given option, however it does not address automation of remediation. However in the view of remediation, the other options do not address it either, so B is most appropriate.

The good anwser is D, even if "sensitive data" = "macie". Macie has imits for analythins files, so 200GB won't pass : ------ Size of an individual file to analyze: Adobe Portable Document Format (.pdf) file: 1,024 MB Apache Avro object container (.avro) file: 8 GB Apache Parquet (.parquet) file: 8 GB Email message (.eml) file: 20 GB GNU Zip compressed archive (.gz or .gzip) file: 8 GB Microsoft Excel workbook (.xls or .xlsx) file: 512 MB Microsoft Word document (.doc or .docx) file: 512 MB Non-binary text file: 20 GB TAR archive (.tar) file: 20 GB ZIP compressed archive (.zip) file: 8 GB ------- Also, the anwser B doesn't provide an auto-remediation, the admin still needs to remove the file manually. Very tricky question, but I think the right fit is D.

PII + S3 == Amazon Macie

Notificações com Amazon SNS: Quando o Macie detecta PII, ele pode ser configurado para acionar uma notificação via SNS, alertando os administradores para tomar as ações necessárias. Automação parcial: Embora o Macie não remova automaticamente os objetos, ele permite que administradores sejam informados para realizar a correção manualmente, garantindo controle sobre os dados. Mínimo esforço de desenvolvimento: Essa abordagem utiliza serviços nativos da AWS sem necessidade de scripts ou funções personalizadas, reduzindo significativamente o tempo e o custo de implementação.

Using Amazon Macie is most suitable for a S3 bucket and using SNS is also suitable as both of these services resolve the issues with least operational overhead.

Amazon macie is used to fish out pii

I would say the answer is D - Macie maximum file size is 20GB (If a file is larger than the applicable quota, Macie doesn't analyze any data in the file. according to AWS documentation: https://docs.aws.amazon.com/macie/latest/user/macie-quotas.html Also, B option doesn´t meet the requirement of automate remediation.

B is closest, but Macie should trigger Lambda for remediation