Which technique should a SysOps administrator use to detect if sensitive data is being stored in the application?
Export data from the database by using an AWS Lambda function. Store the data in Amazon S3. Use Amazon Macie to examine the stored data. Examine the report for any sensitive data that is discovered.
Install the Amazon GuardDuty plugin for Aurora. Configure GuardDuty to examine the database. Add the corresponding EC2 CIDR ranges to the trusted IP list in GuardDuty. Examine the report for any sensitive data that is discovered.
Deploy Amazon Inspector by installing the Amazon Inspector agent on all EC2 instances. Set the Amazon Inspector assessment type to HOST assessment. Include NETWORK communications with the Aurora DB cluster. Examine the report for any sensitive data that is discovered.
Use VPC Flow Logs to examine traffic between the EC2 instances and the Aurora DB cluster. Store the log files in Amazon S3. Use Amazon Detective to examine the extracted log files. Examine the report for any sensitive data that is discovered.
Explanations:
Exporting the data from the Aurora MySQL database to Amazon S3 and using Amazon Macie to analyze the data for sensitive information is a valid method to detect sensitive data. Amazon Macie is designed specifically to discover and protect sensitive data such as Personally Identifiable Information (PII) and other confidential content.
Amazon GuardDuty is a threat detection service for monitoring AWS accounts and workloads for malicious activity. It does not specifically scan for sensitive data within a database. GuardDuty would not be appropriate for detecting sensitive data in Aurora.
Amazon Inspector is used to assess the security posture of EC2 instances and networks, but it is not designed to scan databases for sensitive information. The focus is on finding vulnerabilities and misconfigurations, not on discovering sensitive data in the database.
VPC Flow Logs capture traffic between resources in a VPC and are primarily used for network monitoring and troubleshooting. While they provide insight into communication patterns, they do not analyze or detect sensitive data being transmitted between EC2 instances and Aurora. Amazon Detective also focuses on security investigation, not data sensitivity detection.
As far as I’m aware, the answer is:
Export data from the database by using an AWS Lambda function. Store the data in Amazon S3. Use Amazon Macie to examine the stored data. Examine the report for any sensitive data that is discovered.