DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

The requirement is to prevent any product files containing unannounced product IDs (prefixed with a specific UUID) from being stored in the production S3 bucket that users can access.

To achieve this, a best practice is to use a staging bucket as a control point before files go to production, combined with Amazon Macie’s data classification capabilities.

Creating a custom data identifier in Amazon Macie allows precise detection of product IDs starting with the specific UUID, which default managed identifiers will not detect.

By running a Macie sensitive data discovery job on the staging bucket, you can identify files containing these sensitive product IDs.

Only files without findings (i.e., files that do not contain unannounced product IDs) are copied to the production bucket, ensuring no sensitive information is exposed.This approach aligns with AWS best practices for data classification and staged deployment workflows, maximizing control and reducing risk.Using Macie on the production bucket directly (options B and D) risks exposing sensitive data before detection and deletion. Option C uses managed data identifiers, which will likely not detect the custom UUID prefix pattern.

Reference from AWS Official Documentation and Study Guide:

Amazon Macie Custom Data Identifiers:"You can create custom data identifiers in Amazon Macie to find sensitive data that is unique to your organization."(Amazon Macie User Guide)

Data Security Best Practices:"Use staging environments to inspect and sanitize data before moving it to production to reduce exposure risks."(AWS Security Best Practices)

To restrict direct access to API Gateway, add a custom header in the CloudFront distribution origin request and use a Lambda authorizer in API Gateway to validate that header. Only requests routed through CloudFront will include this header. This is the AWS-recommended pattern in “Secure your APIs behind CloudFront using custom headers and Lambda authorizers.”