Which solutions will meet these requirements?
(Choose two.)
Exclude S3 buckets that contain CloudTrail logs from automated discovery.
Exclude S3 buckets that have public read access from automated discovery.
Configure scheduled daily discovery jobs for all S3 buckets in the account.
Configure discovery jobs to include S3 objects based on the last modified criterion.
Configure discovery jobs to include S3 objects that are tagged as production only.
Explanations:
Excluding S3 buckets that contain CloudTrail logs will reduce unnecessary processing and optimize Macie costs. CloudTrail logs are typically not sensitive and don’t need to be analyzed by Macie.
Excluding S3 buckets with public read access could result in missing valuable data. Public access alone is not a sufficient reason to exclude these buckets from discovery, as they may still contain sensitive data.
Configuring scheduled daily discovery jobs for all S3 buckets increases the frequency of scans, which can raise costs unnecessarily. It is better to schedule jobs based on need.
Configuring discovery jobs based on the last modified criterion narrows the scope of the jobs to objects that have been recently updated or accessed, which optimizes costs.
Limiting discovery to only production-tagged objects might exclude important data, which may not be desirable for security analysis. Including only tagged objects could lead to incomplete coverage.