A data engineer is configuring a data lake on Amazon S3 that contains sensitive customer information. The company requires that all access to this data be logged and monitored, and that any data shared with external partners must be anonymized before leaving the S3 bucket. Which combination of AWS services should the engineer use to meet these requirements? (Choose THREE.)
Lake Formation provides fine-grained access control and can be used to enforce anonymization policies.
Why this answer
AWS Lake Formation (B) is correct because it provides fine-grained access control and data anonymization capabilities for data lakes on Amazon S3. It allows you to define column-level and row-level security policies, and can automatically anonymize sensitive data (e.g., via masking or tokenization) before it is shared with external partners, ensuring compliance with data governance requirements.
Exam trap
The trap here is that candidates often confuse AWS WAF (a web-layer security tool) with data-level security, or assume Direct Connect provides logging and monitoring, when in fact neither service addresses S3 data access logging or anonymization.