Data Security and Governance Flashcards
What authorization types can be used to grant access to a resource for a user or application?
- Role based
- Policy based
- Tag based
- Attribute based
Which AWS services can be used to securely store secrets?
- AWS Secrets Manager
- AWS Key Management Service (KMS)
What steps should be taken to securely manage secrets?
1. Use IAM to grant permissions to users and roles, allowing them to perform specific actions (such as retrieve, update, and rotate) on the secrets.
2. Use AWS KMS to create and manage the encryption keys used to encrypt the secrets stored in Secrets Manager. This ensures that the secrets are confidential.
3. Integrate Secrets Manager with IAM and AWS KMS to provide a comprehensive solution for storing, managing, and accessing the sensitive information.
Define an identity based policy in IAM
defines what the user or service assuming the role is able to do
Define a trust policy in IAM
defines who or what is able to assume the role
Define an inline policy
a policy created for a single IAM identity, which is a user, group, or role.
Inline policies maintain a strict one-to-one relationship between a policy and an identity. They are deleted when you delete the identity.
A company is collecting data that is generated by its users for analysis by using an Amazon S3 data lake. Some of the data being collected and stored in Amazon S3 includes personally identifiable information (PII).
The company wants a data engineer to design an automated solution to identify new and existing data that needs PII to be masked before analysis is performed. Additionally, the data engineer must provide an overview of the data that is identified. The task of masking the data will be handled by an application already created in the AWS account. The data engineer needs to design a solution that can invoke this application in real time when PII is found.
Which solution will meet these requirements with the LEAST operational overhead?
Enable Macie in the AWS account. Create an EventBridge rule for the default event bus for Macie findings. Set the masking application as the target for the rule.
Macie can analyze data in S3 buckets and determine if the data contains sensitive data like PII. Macie creates findings based on its analysis. Users can view the findings as a report in the AWS Management Console. Macie can also create events that are sent to the default event bus for EventBridge. You can create a rule that filters the findings being generated by Macie. Then, EventBridge can invoke the masking application. This solution meets all requirements and has the lowest operational overhead.
A data engineer has created a new account to deploy an AWS Glue extract, transform, and load (ETL) pipeline. The pipeline jobs need to ingest raw data from a source Amazon S3 bucket. Then, the pipeline jobs write the transformed data to a destination S3 bucket in the same account. The data engineer has written an IAM policy with permissions for AWS Glue to access the source S3 bucket and destination S3 bucket. The data engineer needs to grant the permissions in the IAM policy to AWS Glue to run the ETL pipeline.
Which solution will meet these requirements?
Create a new IAM service role for AWS Glue. Attach the policy to the new role. Configure AWS Glue to use the new role.
Permissions for AWS Glue are granted through an IAM service role for AWS Glue. A default role exists in the account with loose permissions that allow the service to use any S3 bucket. You can create and attach a new IAM role to AWS Glue. This solution would give you the ability to use more strict permissions in the AWS Glue jobs.
A data engineer must deploy a centralized metadata storage solution on AWS. The solution needs to be reliable and scalable. The solution needs to ensure that fine-grained permissions can be controlled at the database, table, column, row, and cell levels.
Which solution will meet these requirements with the LEAST operational overhead?
Use AWS Lake Formation to create a data lake and a data catalog. Control access by using Lake Formation (LF) data filters.
You can use Lake Formation to implement security at the database, table, column, row, and cell levels. To implement security at these levels, you can create data filters. This solution would be reliable and scalable. This solution would ensure that you can apply the correct permissions.
A company is running a cloud-based software application in an Amazon EC2 instance backed by an Amazon RDS for Microsoft SQL Server database. The application collects, processes, and stores confidential information and records in the database. The company wants to eliminate the risk of credential exposure.
Which solution will meet this requirement?
Use AWS Secrets Manager to store the credentials. Configure automatic rotation in Secrets Manager to rotate the credentials every 30 days.
You can use Secrets Manager to store credentials and to configure automatic rotation.
Parameter Store does not support the automatic rotation of credentials.