What solution will allow the Security team to complete this request?
Using Amazon Athena, query the impacted S3 buckets by using the PII query identifier function. Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed.
Enable Amazon Macie on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, use the research function for auditing AWS CloudTrail logs and S3 bucket logs for GET operations.
Enable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classification. Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations.
Enable Amazon Inspector on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, query the S3 bucket logs by using Athena for GET operations.
Explanations:
While Amazon Athena can query S3 buckets and CloudWatch can alert on object access, it does not provide a direct mechanism to identify PII in the data. This option lacks a specific method for classifying or identifying PII data before querying access logs.
Enabling Amazon Macie provides a robust way to discover, classify, and protect PII in S3 buckets. It identifies sensitive data and allows for auditing through AWS CloudTrail logs and S3 bucket logs to track access to those objects, effectively meeting the auditor’s request.
Amazon GuardDuty focuses on security monitoring and threat detection but does not classify data types like PII. Although it can alert on anomalies, it does not perform data classification needed to identify PII, and querying logs via Athena for access operations is secondary to classification needs.
Amazon Inspector is primarily for assessing the security of applications and does not provide capabilities for data classification or identifying PII in S3 buckets. It lacks the direct functionality needed to meet the auditor’s request for identifying and auditing PII access.
From what I’ve seen, the answer is:
Enable Amazon Macie on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, use the research function for auditing AWS CloudTrail logs and S3 bucket logs for GET operations.