A company is strengthening the security of an AI system that uses Bedrock. The requirements are to detect sensitive data such as personal information contained in the training data stored in S3, and to control access to AI resources with least privilege. Which TWO AWS services meet these requirements? (Choose TWO.)
A question about choosing the services that meet two security requirements.
AWS IAM
Correct. AWS IAM defines who can do what to which resource with roles and policies. It directly meets this question's requirement to 'control access with least privilege.'
Amazon GuardDuty
Amazon GuardDuty is a service that detects threats (suspicious activity) against accounts and workloads.
It is a security service, but what it detects is threats, not sensitive data in S3, and it does not perform access control. It therefore matches neither of this question's two requirements, so this is incorrect.
AWS CloudTrail
AWS CloudTrail is an audit-oriented service that records the history of API actions.
You can trace who did what after the fact, but it neither allows or denies actions up front nor detects sensitive data. It therefore matches neither of this question's requirements, so this is incorrect.
Amazon Inspector
Amazon Inspector is a service that automatically scans EC2 instances, container images, and similar resources for software vulnerabilities.
It is a security service, but its target is vulnerabilities, not sensitive data detection or access control. It therefore matches neither of this question's requirements, so this is incorrect.
Amazon Macie
Correct. Amazon Macie detects and classifies sensitive data such as personal information in S3 using ML and pattern matching. It directly meets this question's requirement to 'detect sensitive data.'
Identify security services by 'what they target and what they do.'
- IAM: defining permissions (pre-emptive control).
- Macie: detecting and classifying sensitive data in S3.
- GuardDuty: detecting threats (suspicious behavior).
- CloudTrail: recording API actions (after-the-fact audit).
- Inspector: scanning for software vulnerabilities.
They are all security services and are easily confused, so match the verb in each requirement (detect what, control what) to the service when choosing.