DVA-C02: How to Store and Access Customer Records with PII in Amazon S3

Learn how to use Amazon S3 Object Lambda to store customer records with PII in a single copy and access them with or without PII depending on the user. Find out how to create an S3 Object Lambda access point and use a Lambda function to remove PII.

Question

A financial company must store original customer records for 10 years for legal reasons. A complete record contains personally identifiable information (PII). According to local regulations, PII is available to only certain people in the company and must not be shared with third parties. The company needs to make the records available to third-party organizations for statistical analysis without sharing the PII.
A developer wants to store the original immutable record in Amazon S3. Depending on who accesses the S3 document, the document should be returned as is or with all the PII removed. The developer has written an AWS Lambda function to remove the PII from the document. The function is named removePii.

What should the developer do so that the company can meet the PII requirements while maintaining only one copy of the document?

A. Set up an S3 event notification that invokes the removePii function when an S3 GET request is made. Call Amazon S3 by using a GET request to access the object without PII.

B. Set up an S3 event notification that invokes the removePii function when an S3 PUT request is made. Call Amazon S3 by using a PUT request to access the object without PII.

C. Create an S3 Object Lambda access point from the S3 console. Select the removePii function. Use S3 Access Points to access the object without PII.

D. Create an S3 access point from the S3 console. Use the access point name to call the GetObjectLegalHold S3 API function. Pass in the removePii function name to access the object without PII.

Answer

C. Create an S3 Object Lambda access point from the S3 console. Select the removePii function. Use S3 Access Points to access the object without PII.

Explanation

The correct answer is C. Create an S3 Object Lambda access point from the S3 console. Select the removePii function. Use S3 Access Points to access the object without PII.

This solution allows the company to meet the PII requirements while maintaining only one copy of the document. An S3 Object Lambda access point is a feature that enables you to add your own code to process data retrieved from S3 before returning it to an application or user. By creating an S3 Object Lambda access point and selecting the removePii function, the developer can ensure that when a GET request is made through this access point, the Lambda function will process the document and remove all PII before returning it. This way, third-party organizations can perform statistical analysis on the data without accessing any PII.
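A sketch of what a function like removePii could look like behind the Object Lambda access point. This is an added example, not the developer's code from the question. It assumes the records are JSON, and the PII field names, the sample record, and the `RedactionFailed` error code are constructed for illustration.

```python
import json
import urllib.request

# Assumed record layout: JSON objects; these field names are constructed for illustration.
PII_FIELDS = {"name", "email", "ssn", "phone", "address"}

# Constructed sample record, not real data.
SAMPLE = b'{"id": 7, "name": "A. Example", "accounts": [{"balance": 10, "email": "a@example.com"}]}'


def redact(value):
    """Recursively drop PII keys from nested dicts and lists."""
    if isinstance(value, dict):
        return {k: redact(v) for k, v in value.items() if k.lower() not in PII_FIELDS}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def remove_pii(raw: bytes) -> bytes:
    return json.dumps(redact(json.loads(raw)), sort_keys=True).encode()


def build_response(raw: bytes) -> dict:
    """Arguments for WriteGetObjectResponse; fails closed if redaction fails."""
    try:
        return {"StatusCode": 200, "Body": remove_pii(raw), "ContentType": "application/json"}
    except ValueError:  # malformed JSON or bad encoding: never return the original
        return {"StatusCode": 500, "ErrorCode": "RedactionFailed",
                "ErrorMessage": "record could not be redacted"}


def lambda_handler(event, context):
    import boto3  # imported here so the redaction logic above runs offline

    ctx = event["getObjectContext"]
    # S3 Object Lambda supplies a presigned URL for the original object.
    with urllib.request.urlopen(ctx["inputS3Url"]) as resp:
        original = resp.read()
    # The transformed bytes go back to the caller of the Object Lambda access point.
    boto3.client("s3").write_get_object_response(
        RequestRoute=ctx["outputRoute"],
        RequestToken=ctx["outputToken"],
        **build_response(original),
    )
    return {"statusCode": 200}
```

The redaction protects PII only if third parties can read through the Object Lambda access point alone; a principal that can still GET the object from the bucket or the supporting access point receives the original record.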

The other options are not suitable because:

  • Option A: Setting up an S3 event notification to invoke the removePii function when a GET request is made would not work because event notifications in S3 are used to respond to changes in state (such as PUT, POST, DELETE, etc.) rather than read operations like GET requests.
  • Option B: Setting up an S3 event notification for PUT requests would not address the requirement either, as PUT requests are used for uploading objects, not retrieving them.
  • Option D: Creating a standard S3 access point and using GetObjectLegalHold API does not involve processing or transforming the object’s content and therefore would not remove PII from the document.

Therefore, option C is the best approach for providing access to documents with PII removed while maintaining compliance with legal and regulatory requirements.