A large corporation owns a huge amount of data which is located in AWS S3. There are applications that keep reading or writing data in these S3 buckets. The security auditor was worried that there may be some sensitive data that was exposed in S3. For example, certain applications may store some text files which contain customers’ PII information. The auditor asked for a solution to quickly scan potential security related issues in these S3 buckets. Which solution is the best?

Answer options:

A.Configure AWS Inspector in S3. It is able to use machine learning to search for security issues in S3 and provide CloudWatch alarms to the admin users.
B.Enable Amazon Macie as it can scan security issues in S3 and generate alerts based on the level of risks.
C.Enable AWS GuardDuty as it can analyze all the application data in S3 and generate security findings.
D.Configure Amazon Athena in S3 and create Athena SQL tables. Query security issues by using SQL commands.

Correct Answer – B
When talking about PII security issues in S3, the first service to be considered should be Amazon Macie. Check out
https://docs.aws.amazon.com/macie/latest/userguide/macie-dashboard.html#s3objectspii.
Option A is incorrect: Because AWS Inspector is a security service installed in EC2 rather than S3.
Option B is CORRECT: After Macie is enabled, it can scan S3 objects by PII priority as below:
Option C is incorrect: Because AWS GuardDuty is based on the data in AWS CloudTrail logs, VPC Flow Logs, and DNS query logs and it cannot search for common data in S3 buckets.
Option D is incorrect: Amazon Athena cannot create tables if the data in S3 is not in particular format. Besides, the company owns a large number of S3 buckets so it is impractical to use Athena in this case.