DVA-C02: How to Protect PII Data in Amazon S3 with AWS Lambda 

Learn how to store original customer records in Amazon S3 and use AWS Lambda to remove PII data on demand. This tutorial will show you how to create a removePii function and configure S3 access policies to meet legal and regulatory requirements.

Question

A financial company must store original customer records for 10 years for legal reasons. A complete record contains personally identifiable information (PII). According to local regulations, PII is available to only certain people in the company and must not be shared with third parties. The company needs to make the records available to third-party organizations for statistical analysis without sharing the PII.

A developer wants to store the original immutable record in Amazon S3. Depending on who accesses the S3 document, the document should be returned as is or with all the PII removed. The developer has written an AWS Lambda function to remove the PII from the document. The function is named removePii.

What should the developer do so that the company can meet the PII requirements while maintaining only one copy of the document?

A. Set up an S3 event notification that invokes the removePii function when an S3 GET request is made. Call Amazon S3 by using a GET request to access the object without PII.

B. Set up an S3 event notification that invokes the removePii function when an S3 PUT request is made. Call Amazon S3 by using a PUT request to access the object without PII.

C. Create an S3 Object Lambda access point from the S3 console. Select the removePii function. Use S3 Access Points to access the object without PII.

D. Create an S3 access point from the S3 console. Use the access point name to call the GetObjectLegalHold S3 API function. Pass in the removePii function name to access the object without PII.

Answer

C. Create an S3 Object Lambda access point from the S3 console. Select the removePii function. Use S3 Access Points to access the object without PII.

Explanation

The correct answer is C. Create an S3 Object Lambda access point from the S3 console. Select the removePii function. Use S3 Access Points to access the object without PII. This answer is based on the following reasons:

  • S3 Object Lambda is an S3 feature that lets you add your own code to process data retrieved from S3 before it is returned to an application. You can use custom code to modify the data returned by S3 GET, LIST, or HEAD requests to perform tasks such as filtering, masking, redacting, compressing, changing the format, or otherwise modifying objects for your specific applications. S3 Object Lambda works with your existing applications and uses AWS Lambda functions to automatically process and transform your data as it is being retrieved from S3.
  • To use S3 Object Lambda, you need to create an S3 Object Lambda access point from the S3 console or by using the AWS CLI or SDK. An S3 Object Lambda access point is a service endpoint that uses a standard S3 access point, known as a supporting access point, to access Amazon S3. You can configure an S3 Object Lambda access point to invoke a Lambda function that you specify. The Lambda function receives the original object as input and returns a modified object as output. When you send a request to your S3 Object Lambda access point, Amazon S3 automatically calls your Lambda function and returns the transformed result back to the application.
  • In this scenario, the developer wants to store the original immutable record in Amazon S3 and return it as is or with all the PII removed depending on who accesses the document. The developer has already written a Lambda function named removePii that can remove the PII from the document. Therefore, the developer can create an S3 Object Lambda access point from the S3 console and select the removePii function as the transformation function. Then, the developer can use S3 Access Points to access the object without PII by sending a GET request to the S3 Object Lambda access point. This way, the company can meet the PII requirements while maintaining only one copy of the document.
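The following is an added example, not code from the original page or from AWS, of what a removePii function in the shape S3 Object Lambda expects could look like. It assumes the customer record is a JSON document and that the PII field names listed in PII_FIELDS are the ones local regulation covers; everything else about the event (getObjectContext, inputS3Url, outputRoute, outputToken) and the WriteGetObjectResponse call is the real Object Lambda contract.

```python
# Added example (not the page's own code): a removePii handler for an
# S3 Object Lambda access point. The record schema / PII field names
# are assumed for illustration.
import json
import urllib.request

# Fields treated as PII under the (assumed) record schema.
PII_FIELDS = {"name", "email", "phone", "ssn", "address"}
REDACTED = "[REDACTED]"


def remove_pii(record: dict) -> dict:
    """Return a copy of the record with every PII field replaced by a marker.

    Nested objects are walked so a field such as contact.email is also
    redacted; non-PII fields (ids, amounts, dates) pass through untouched,
    which is exactly what the statistical consumers need. The original
    record is never modified, so the single immutable copy in S3 stays
    intact.
    """
    cleaned = {}
    for key, value in record.items():
        if key in PII_FIELDS:
            cleaned[key] = REDACTED
        elif isinstance(value, dict):
            cleaned[key] = remove_pii(value)
        else:
            cleaned[key] = value
    return cleaned


def lambda_handler(event, context):
    """Entry point invoked by the S3 Object Lambda access point.

    Object Lambda passes a presigned URL for the original object plus a
    route/token pair. The function must stream its result back with
    WriteGetObjectResponse instead of returning it from the handler.
    """
    import boto3  # imported here so remove_pii stays importable offline

    ctx = event["getObjectContext"]
    with urllib.request.urlopen(ctx["inputS3Url"]) as resp:
        original = json.loads(resp.read())
    transformed = json.dumps(remove_pii(original)).encode("utf-8")
    boto3.client("s3").write_get_object_response(
        RequestRoute=ctx["outputRoute"],
        RequestToken=ctx["outputToken"],
        Body=transformed,
    )
    return {"statusCode": 200}
```

The Lambda execution role needs the s3-object-lambda:WriteGetObjectResponse permission for the final call to succeed, and callers who must see the PII simply read through the bucket or the supporting access point instead of the Object Lambda access point.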

The other options are not correct because:

  • Option A: Set up an S3 event notification that invokes the removePii function when an S3 GET request is made. Call Amazon S3 by using a GET request to access the object without PII is not a valid option. S3 event notifications are used to trigger actions when certain events occur in your bucket, such as object creation or deletion. They are not used to modify or transform data in response to GET requests. Moreover, setting up an event notification for every GET request would incur unnecessary costs and latency.
  • Option B: Set up an S3 event notification that invokes the removePii function when an S3 PUT request is made. Call Amazon S3 by using a PUT request to access the object without PII is not a recommended option. Although this option would allow the developer to store a modified version of the object in a different location by using the removePii function, it would violate the requirement of maintaining only one copy of the document. It would also introduce complexity and inconsistency in managing multiple versions of the same document.
  • Option D: Create an S3 access point from the S3 console. Use the access point name to call the GetObjectLegalHold S3 API function. Pass in the removePii function name to access the object without PII is not a feasible option. An S3 access point is a customized network endpoint for accessing data in your bucket. It does not support invoking Lambda functions or transforming data on the fly. The GetObjectLegalHold API function returns an object's legal hold status; it does not modify or process data. Passing in a Lambda function name as a parameter would have no effect.

Therefore, option C is the best answer for this question. I hope this explanation helps you better understand how to use S3 Object Lambda to process data dynamically for different applications.
