Data Privacy and Governance
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing AWS Certified Data Engineer - Associate premium course — no separate purchase.
Included in this chapter:
- Discovering and classifying PII with Amazon Macie
- Sharing live data without copying it
- Residency, sovereignty, and the Region-deny SCP
- Operationalizing governance: catalogs, frameworks, and exam patterns
Choosing the data-sharing and governance mechanism
| Mechanism | What it governs | Scope of reach | Best for |
|---|---|---|---|
| Redshift datashare | Live, read/write access to warehouse objects | Clusters, serverless workgroups, accounts, Regions | Sharing live Redshift data with no copy |
| AWS Data Exchange | Licensed subscription to a published dataset | External subscribers, billed via AWS | Selling or licensing data to third parties |
| Lake Formation cross-account (LF-Tags) | Fine-grained catalog access shared via AWS RAM | Other accounts, down to column and row | Tag-driven sharing of data-lake tables at scale |
| Region-deny SCP (aws:RequestedRegion) | Where resources may exist or be replicated | Org root or OU, all member accounts | Enforcing data residency and sovereignty |
| Amazon Macie | Discovery and classification of sensitive data | S3 estate, automated or job-based | Locating and reporting PII before governing it |
| AWS Config conformance pack | Configuration compliance against rules | Account or whole AWS Organization | Continuous, auditable governance evidence |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.