Question 38
Domain 6: Management and Security Governance
A privacy team wants Amazon Macie to continuously scan S3 buckets across 40 member accounts for sensitive data, with the ability to manage allow lists and custom data identifiers from one place. The team also wants Macie findings to flow into the same Security Hub console the SecOps team already uses. Which configuration meets these goals?
Correct answer: B
Explanation
Amazon Macie supports a delegated administrator in AWS Organizations, letting one account centrally manage Macie across member accounts and “auto-enable” it for new accounts. Macie also lets you manage allow lists and custom data identifiers centrally, and it can send findings to Security Hub so SecOps can view them in the same console.
Why each option is right or wrong
A. Enable Macie in every account independently; export findings via per-account EventBridge rules to a central S3 bucket; manage allow lists by copying them between accounts manually.
Enabling Macie independently in each account defeats centralized Macie administration, and copying allow lists by hand does not provide unified policy management; every change must be repeated across 40 accounts, with no single place to verify that they all match.
B. From the management account, register the Audit account as the Macie delegated administrator; from the Audit account, enable Macie for all member accounts with auto-enable for new accounts; manage allow lists and custom data identifiers centrally; Macie automatically forwards findings to Security Hub.
Under Amazon Macie’s AWS Organizations integration, the management account can designate one member as the delegated administrator, and that delegated admin can then enable Macie organization-wide for all member accounts and turn on automatic enrollment for new accounts. Macie’s organization-level settings also let you centrally manage allow lists and custom data identifiers, and Macie findings can be sent to AWS Security Hub for aggregation in the SecOps console.
C. Enable Macie only in the management account and grant cross-account read access to S3 buckets in member accounts via bucket policies.
Macie inventories and analyzes the S3 buckets owned by the account in which it is enabled (and, for a delegated administrator, its member accounts); a cross-account bucket policy does not bring other accounts' buckets into that inventory. A single-account Macie setup therefore cannot serve as the organization-wide management model for member accounts' Macie configuration.
D. Replace Macie with AWS Glue DataBrew classification jobs scheduled per account; aggregate via Athena queries.
Glue DataBrew is a data-preparation service; it is not a managed sensitive-data discovery service for S3 and does not produce native Security Hub findings, so this replaces the required capability rather than delivering it.