Domain 4 of 4 · Chapter 5 of 5

Data Privacy and Governance

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Data Engineer - Associate premium course — no separate purchase.

Included in this chapter:

  • Discovering and classifying PII with Amazon Macie
  • Sharing live data without copying it
  • Residency, sovereignty, and the Region-deny SCP
  • Operationalizing governance: catalogs, frameworks, and exam patterns

Choosing the data-sharing and governance mechanism

MechanismWhat it governsScope of reachBest for
Redshift datashareLive, read/write access to warehouse objectsClusters, serverless workgroups, accounts, RegionsSharing live Redshift data with no copy
AWS Data ExchangeLicensed subscription to a published datasetExternal subscribers, billed via AWSSelling or licensing data to third parties
Lake Formation cross-account (LF-Tags)Fine-grained catalog access shared via AWS RAMOther accounts, down to column and rowTag-driven sharing of data-lake tables at scale
Region-deny SCP (aws:RequestedRegion)Where resources may exist or be replicatedOrg root or OU, all member accountsEnforcing data residency and sovereignty
Amazon MacieDiscovery and classification of sensitive dataS3 estate, automated or job-basedLocating and reporting PII before governing it
AWS Config conformance packConfiguration compliance against rulesAccount or whole AWS OrganizationContinuous, auditable governance evidence

Decision tree

What is the goal?Find PII in S3?discover & classifyShare live data?no copyGovern / enforce?residency & complianceAmazon Macieauto discovery or jobRedshiftdatashare (internal)Data Exchangeexternal licenseLake Formationcross-account lakeRegion-deny SCPaws:RequestedRegionAWS Configconformance packSageMaker Cataloggoverned project accesswarehouseexternaldata lakeresidencycompliancecatalog

Cheat sheet

  • Use Amazon Macie to discover and classify sensitive data in S3
  • Automated discovery samples the whole estate; a discovery job goes deep on chosen buckets
  • Macie matches with managed identifiers, custom identifiers, or both, refined by allow lists
  • Macie publishes findings to Security Hub in ASFF and to EventBridge as a separate destination
  • Share live Redshift data with a datashare instead of copying it
  • Redshift datashares now support writes, not only reads
  • License a Redshift dataset to outside subscribers through AWS Data Exchange
  • Share data-lake tables across accounts with Lake Formation LF-Tags through AWS RAM
  • Enforce data residency with a Region-deny SCP on aws:RequestedRegion
  • Exempt global services from a Region-deny SCP
  • SCPs never affect the management account, so enforce residency through member accounts
  • Block backups and replicas to disallowed Regions with AWS Backup Region controls
  • Track resource configuration and compliance over time with AWS Config
  • Deploy a conformance pack to operate many Config rules as one governed framework
  • Govern data access through Amazon SageMaker Catalog projects
  • Sensitive data findings differ from sensitive data discovery results in Macie
  • Combine privacy and governance controls; they answer different requirements
  • Glue 5.0 captures data lineage with built-in OpenLineage sent to Amazon DataZone

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. Discovering sensitive data with Amazon Macie
  2. Evaluating Macie findings with AWS Security Hub
  3. Data sharing in Amazon Redshift
  4. Controls that enhance data residency protection (AWS Control Tower)
  5. Conformance Packs for AWS Config