Which combination of steps should the DevOps engineer take to meet these requirements?
(Choose two.)
A. Activate Amazon Macie on the S3 bucket in the production account. Create an AWS Step Functions state machine to initiate a discovery job and redact all PII before copying files to the S3 bucket in the development account. Give the state machine tasks decrypt permissions on the KMS key in the production account. Give the state machine tasks encrypt permissions on the KMS key in the development account.
B. Set up S3 replication between the production S3 bucket and the development S3 bucket. Activate Amazon Macie on the development S3 bucket. Create an AWS Step Functions state machine to initiate a discovery job and redact all PII as the files are copied to the development S3 bucket. Give the state machine tasks encrypt and decrypt permissions on the KMS key in the development account.
C. Set up an S3 Batch Operations job to copy files from the production S3 bucket to the development S3 bucket. In the development account, configure an AWS Lambda function to redact all PII. Configure S3 Object Lambda to use the Lambda function for S3 GET requests. Give the Lambda function’s IAM role encrypt and decrypt permissions on the KMS key in the development account.
D. Create a development environment from the CloudFormation template in the development account. Schedule an Amazon EventBridge rule to start the AWS Step Functions state machine once a week.
E. Create a development environment from the CloudFormation template in the development account. Schedule a cron job on an Amazon EC2 instance to run once a week to start the S3 Batch Operations job.
Explanations:
A. Activating Amazon Macie identifies PII in the production S3 bucket, and using an AWS Step Functions state machine to redact that PII ensures the data is anonymized before it is transferred, as required. Permissions on the KMS keys in both accounts are necessary: decrypt on the production key to read the original objects, and encrypt on the development key to write the anonymized copies.
B. While this option discusses the use of Amazon Macie and AWS Step Functions, it incorrectly suggests setting up S3 replication directly, which would transfer the data unaltered and violate the requirement to anonymize PII before moving it to the development account. Moreover, running Macie only after the data is already in the development account would not prevent the PII from being transferred in the first place.
C. Although S3 Batch Operations can copy the files, this option incorrectly assumes that a Lambda function attached through S3 Object Lambda would redact PII before the data is transferred. S3 Object Lambda only transforms objects as they are read through GET requests; it does not change the objects that the copy job writes, so the Lambda function cannot redact PII during the copy process. The redaction must occur before the data reaches the development bucket.
D. Creating a development environment from the CloudFormation template ensures that the environment is set up correctly. Scheduling an Amazon EventBridge rule to trigger the AWS Step Functions state machine weekly meets the requirement to update the development environment weekly while ensuring the PII is anonymized as part of that workflow.
E. While using a cron job on an EC2 instance to run an S3 Batch Operations job might copy the files, it does not inherently ensure that the PII is anonymized before the transfer. Additionally, relying on an EC2 instance for scheduling adds unnecessary complexity and potential failure points compared to using an AWS native service such as EventBridge.