Which combination of actions should the developer take to log the LARGEST amount of AWS API operational information without exposing the PII?

By:
In: DVA-C01
Tagged:
With: 1 Comment
A company is building a cloud solution to analyze customer demographic data.The data includes personally identifiable information (PII) such as full names, street addresses, and financial records.A developer is configuring a source Amazon DynamoDB table with a DynamoDB stream.The developer is writing an AWS Lambda function that will ingest the demographic data from the DynamoDB stream.perform analytics, and write results to a separate DynamoDB table.The application must log important AWS API workflow events for monitoring purposes, but the application must expose the PII.

Which combination of actions should the developer take to log the LARGEST amount of AWS API operational information without exposing the PII?

(Choose two.)

Configure the DynamoDB stream to record KEYS_ONLY events.

Configure the DynamoDB stream to record NEW_IMAGE events.

Log the received event. Fetch the items from the source DynamoDB table. Log the response metadata from the API. Process and record the result in the separate DynamoDB table. Log the response metadata from the API.

Log the received event. Fetch the items from the source DynamoDB table. Log the response from the API. Process and record the result in the separate DynamoDB table. Log the response metadata from the API.

Fetch the items from the source DynamoDB table. Process the data and log workflow events without referring to the PII. Record the result in the separate DynamoDB table.

Explanations:

Configuring the DynamoDB stream to record KEYS_ONLY events ensures that only the primary keys of the items that changed are captured in the stream. This approach does not expose PII, as it excludes sensitive data from being logged.

Configuring the DynamoDB stream to record NEW_IMAGE events captures the entire item after the change, including any PII. This would expose sensitive information, which is not compliant with the requirement to avoid exposing PII.

Logging the received event and fetching items from the source DynamoDB table exposes the PII in the response. Even if the response metadata is logged instead of the full data, the initial fetch could still lead to logging of sensitive information, violating the requirement to avoid exposing PII.

This option logs the full response from the API after fetching items from DynamoDB, which includes PII. Logging the complete response exposes sensitive data, contrary to the requirement to avoid exposing PII.

This option suggests processing data and logging workflow events without referencing PII. By not logging any PII and only focusing on operational metrics, it adheres to the requirement of minimizing exposure of sensitive information while still logging important operational details.

2025-10-08

1 Comment

  1. George
    Author

    I systematize that the answer is:
    Configure the DynamoDB stream to record KEYS_ONLY events.

Leave a Reply

Your email address will not be published. Required fields are marked *

20 − 6 =