The company does not have a data inventory and needs to identify which S3 buckets contain sensitive data. The appropriate AWS managed service for discovering and classifying sensitive data in S3 is Amazon Macie. Macie is designed to discover, classify, and report on sensitive data such as PII in S3 buckets. Amazon Inspector is primarily focused on vulnerability management for compute and container resources and does not provide S3 sensitive data classification in the way Macie does.
After identifying sensitive data locations, the company needs to ensure sensitive data is encrypted with a key that only administrators can access. SSE-S3 uses S3-managed keys and does not provide fine-grained administrative control of key usage in the same way as SSE-KMS with a customer managed key. Using AWS KMS customer managed keys allows the company to control access through key policies and IAM policies so that only designated administrator principals can use or manage the key.
The requirement also implies existing objects already encrypted with SSE-S3 need to be re-encrypted with SSE-KMS for sensitive objects. Changing default encryption only affects new objects. Existing objects must be rewritten (copied over themselves or copied to a new location) using SSE-KMS with the customer managed key. An orchestrated workflow is a common approach to iterate over identified objects and perform copy operations with the desired encryption settings.
Option C uses Macie for discovery, creates a KMS customer managed key restricted to administrators, sets bucket default encryption to SSE-KMS for future objects, and uses a Step Functions workflow to re-encrypt existing sensitive objects. This meets both the discovery requirement and the encryption/control requirement.
Option A is incorrect because Inspector is not the right service to inventory sensitive data in S3. Although the use of a customer managed KMS key and bucket policy enforcement is directionally correct for controlling encryption on writes, the first step (sensitive data discovery) is wrong.
Option B is incorrect because AWS managed keys cannot have their key policies modified by customers in the way customer managed keys can. Also, Inspector is not the right tool for sensitive data discovery in S3.
Option D is incorrect for the same reasons: it relies on Macie correctly for discovery but then attempts to modify an AWS managed key policy, which is not the correct method for restricting access. To restrict access, the company should use a KMS customer managed key with an appropriate key policy.
Therefore, using Amazon Macie plus an AWS KMS customer managed key and a workflow to re-encrypt existing sensitive objects is the correct solution.
[References:AWS documentation on Amazon Macie for discovering and classifying sensitive data in Amazon S3.AWS documentation on SSE-KMS with AWS KMS customer managed keys for encryption control and administrative access restrictions.AWS documentation and best practices describing that changing S3 default encryption affects new objects and that existing objects must be rewritten to change encryption settings., , , , , , ]
