What should the developer do so that the company can meet the PII requirements while maintaining only one copy of the document?
Set up an S3 event notification that invokes the removePii function when an S3 GET request is made. Call Amazon S3 by using a GET request to access the object without PII.
Set up an S3 event notification that invokes the removePii function when an S3 PUT request is made. Call Amazon S3 by using a PUT request to access the object without PII.
Create an S3 Object Lambda access point from the S3 console. Select the removePii function. Use S3 Access Points to access the object without PII.
Create an S3 access point from the S3 console. Use the access point name to call the GetObjectLegalHold S3 API function. Pass in the removePii function name to access the object without PII.
Explanations:
S3 event notifications can trigger Lambda functions only for PUT, POST, COPY, or DELETE events, not for GET requests. This setup does not satisfy the requirement to modify the document on retrieval.
Triggering the Lambda function on a PUT request would modify the original document in S3, which conflicts with the requirement to maintain a single original, immutable document.
S3 Object Lambda access points let a Lambda function modify object data as it is retrieved. With the removePii function configured on an Object Lambda access point, PII can be removed on demand based on access context, without creating multiple copies of the document.
The GetObjectLegalHold API function does not support invoking a Lambda function or modifying the retrieved object, so it does not meet the requirement to return a version without PII.