Which design meets these requirements?
Apply a service control policy (SCP) that allows access to IAM, Amazon RDS, and AWS CloudTrail. Load customer records in Amazon RDS MySQL and train users to execute queries using the AWS CLI. Stream the query logs to Amazon CloudWatch Logs from the RDS database instance. Use a subscription filter with AWS Lambda functions to audit and alarm on queries against personal data.
Apply a service control policy (SCP) that denies access to all services except IAM, Amazon Athena, Amazon S3, and AWS CloudTrail. Store customer record files in Amazon S3 and train users to execute queries using the CLI via Athena. Analyze CloudTrail events to audit and alarm on queries against personal data.
Apply a service control policy (SCP) that denies access to all services except IAM, Amazon DynamoDB, and AWS CloudTrail. Store customer records in DynamoDB and train users to execute queries using the AWS CLI. Enable DynamoDB streams to track the queries that are issued and use an AWS Lambda function for real-time monitoring and alerting.
Apply a service control policy (SCP) that allows access to IAM, Amazon Athena, Amazon S3, and AWS CloudTrail. Store customer records as files in Amazon S3 and train users to leverage the Amazon S3 Select feature and execute queries using the AWS CLI. Enable S3 object-level logging and analyze CloudTrail events to audit and alarm on queries against personal data.
Explanations:
While this option allows the Marketing team to access Amazon RDS and manage IAM users, it does not adequately address the requirement for querying data spread across hundreds of files. Additionally, it lacks a clear mechanism for auditing and alerting on violations related to personal data queries. The reliance on AWS CLI for querying may also hinder usability for marketing users.
This option effectively restricts access to only the necessary services: IAM, Amazon Athena, Amazon S3, and AWS CloudTrail. By storing customer records in S3 and utilizing Athena for querying, it meets the requirement of managing large datasets across multiple files. Auditing through CloudTrail ensures compliance, and the solution can be designed to alert on any rule violations concerning personal data.
This option uses DynamoDB, which is not ideal for handling hundreds of files and does not align with the requirement for SQL-like querying across large datasets. Although it mentions monitoring through DynamoDB streams, it lacks a robust method for auditing queries against personal data, and access to IAM, DynamoDB, and CloudTrail may not suffice for the marketing team’s needs.
While this option permits access to IAM, Athena, S3, and CloudTrail, it does not sufficiently restrict access as per the requirements. The use of S3 Select for querying is advantageous, but it does not provide the same level of SQL capabilities as Amazon Athena. Furthermore, the auditing and alerting mechanisms are not clearly defined to monitor queries against personal data.
I assess that the answer is:
Apply a service control policy (SCP) that denies access to all services except IAM, Amazon Athena, Amazon S3, and AWS CloudTrail. Store customer record files in Amazon S3 and train users to execute queries using the CLI via Athena. Analyze CloudTrail events to audit and alarm on queries against personal data.