Data Classification & Sensitive Data Management

This guide covers the critical aspects of identifying and protecting sensitive data within the AWS ecosystem, specifically focusing on the requirements for the AWS Certified Developer - Associate (DVA-C02) exam.

Learning Objectives

After studying this guide, you should be able to:

• Define and differentiate between PII, PHI, and other data classification levels.
• Implement data masking and sanitization techniques within application code.
• Identify AWS services used to discover and secure sensitive data.
• Apply encryption strategies for environment variables and secrets.

Key Terms & Glossary

The "Big Idea"

[!IMPORTANT] You cannot protect what you haven't identified. Data Classification is the foundational step of the security lifecycle. It involves categorizing data based on its sensitivity so that appropriate security controls (encryption, access policies, logging) can be applied proportionally to the risk.

Formula / Concept Box

Data Sensitivity Levels

Hierarchical Outline

1. Understanding Sensitive Data Types
   • Personally Identifiable Information (PII): Direct identifiers (SSN) vs. Indirect identifiers (Zip code + Birthdate).
   • Protected Health Information (PHI): Governed by HIPAA in the US; requires Business Associate Addendum (BAA) with AWS.
   • Payment Card Industry (PCI): Standards for credit card data (PCI DSS).
2. Managing Sensitive Data in Code
   • Environment Variables: Never store raw secrets in app.yaml or Lambda env vars. Use AWS Secrets Manager or Systems Manager Parameter Store (SecureString).
   • Logging: Ensure logs do not contain PII. Implement interceptor patterns to scrub data before it reaches CloudWatch.
3. Data Masking & Sanitization
   • Static Masking: Permanent change to data (useful for dev/test environments).
   • Dynamic Masking: On-the-fly masking based on the user's permissions.
4. AWS Discovery Tools
   • Amazon Macie: Uses Machine Learning to automatically discover and classify PII in Amazon S3 buckets.

Visual Anchors

Data Classification Workflow

Sensitivity Pyramid

\begin{center} \begin{tikzpicture}[scale=0.8] \draw[thick] (0,0) -- (4,0) -- (2,4) -- cycle; \draw (0.5,1) -- (3.5,1); \draw (1,2) -- (3,2); \draw (1.5,3) -- (2.5,3); \node at (2,0.5) {Public (Website Content)}; \node at (2,1.5) {Internal (Company Memos)}; \node at (2,2.5) {Confidential (HR Files)}; \node at (2,3.5) {Restricted (PII/PHI)}; \end{tikzpicture} \end{center}

Definition-Example Pairs

• Term: Deterministic Masking

  • Definition: A technique where the same original value is always replaced with the same masked value, preserving data integrity for joins.
  • Example: Masking "User_123" as "ABC_999" across both the Sales and Marketing databases so records can still be linked without revealing the true ID.

• Term: Redaction

  • Definition: The absolute removal of sensitive data from a document or log file.
  • Example: A Lambda function that uses a Regular Expression (Regex) to find any 9-digit number resembling an SSN and replacing it with [REDACTED] before printing to stdout.

Worked Examples

Example 1: Securely Handling PII in Lambda

Scenario: A developer needs to process a user's profile which includes a phone number. The phone number must be logged for debugging, but must not be visible to DevOps engineers viewing CloudWatch.

Step-by-Step Solution:

1. Fetch Data: Retrieve the user record from DynamoDB.
2. Apply Masking Logic:
   pythonCopy

   def mask_phone(phone_number): # Returns only last 4 digits return "***-***-" + phone_number[-4:] raw_phone = "555-0199-1234" print(f"Processing user: {mask_phone(raw_phone)}")
3. Result: The log displays Processing user: ***-***-1234, protecting the user's privacy while allowing the developer to confirm the process triggered for some phone number.

Example 2: Automating Discovery with Macie

Scenario: An organization has 500 S3 buckets and is worried that employees might have accidentally uploaded spreadsheets containing PHI.

Step-by-Step Solution:

1. Enable Amazon Macie: Turn on the service in the AWS Management Console.
2. Run Discovery Job: Select the target S3 buckets for a "Sensitive Data Discovery" job.
3. Review Findings: Macie identifies a file patient_list.csv in a public bucket with a high "Sensitivity Score" because it detected patterns matching medical record numbers.
4. Remediate: Use an EventBridge trigger to automatically set the bucket to private or alert the security team.

Checkpoint Questions

1. What is the primary difference between PII and PHI?
2. If you need to store an API key for a third-party service, which AWS service is preferred for encryption and automatic rotation?
3. True or False: Data Masking is primarily used for encryption at rest.
4. Which AWS service uses Machine Learning to find PII in S3?
5. Why should you avoid using the "Full Name" of a customer in a Lambda function's Environment Variable?

▶View Answers

1. PII (Personally Identifiable Information) identifies an individual generally (like an SSN), whereas PHI (Protected Health Information) is specifically related to medical and health records.
2. AWS Secrets Manager (supports rotation; Parameter Store does not natively rotate secrets).
3. False. Data Masking is used to obscure data for display or testing; encryption at rest uses mathematical algorithms (like AES-256) to secure data on disk.
4. Amazon Macie.
5. Environment variables are often visible in the AWS Console and in deployment logs; sensitive data should be fetched at runtime from a secure store like Secrets Manager.