The company requires an organization-wide, centralized, and automated solution to detect sensitive data in Amazon S3, aggregate findings in one location, and quarantine affected objects with minimal operational overhead. AWS provides a native service specifically designed for this purpose: Amazon Macie.
Option A is essential because Amazon Macie automatically discovers and classifies sensitive data such as PII in S3 buckets using managed machine learning models. When enabled at the organization level, Macie scans buckets across all accounts and Regions. Integrating Macie with AWS Security Hub centralizes all findings in a single dashboard, allowing the company’s security officer to review and manage sensitive data alerts across the organization without building custom aggregation pipelines.
Detection alone is not sufficient; remediation is also required. Option C completes the solution by using Amazon EventBridge, which natively receives Macie findings in near real time. An EventBridge rule can trigger a Lambda function whenever Macie identifies sensitive data. The Lambda function can then copy the affected object to a quarantine S3 bucket and delete the original object, meeting the remediation requirement automatically and consistently.
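The remediation step in Option C, as an added example that is not part of the original explanation or any AWS-provided code: a hypothetical Lambda handler that receives a Macie finding from EventBridge, reads the affected bucket and key from the finding's `resourcesAffected` section, copies the object to a quarantine bucket, and only then deletes the original. The `QUARANTINE_BUCKET` environment variable, the `FakeS3` stand-in and the sample finding are constructed here so the flow can be run offline; in a real deployment the handler uses a boto3 S3 client.

```python
"""Hypothetical Macie -> EventBridge -> Lambda quarantine handler (added example)."""
import os

# Assumed deployment setting: the quarantine bucket name is supplied via an environment variable.
QUARANTINE_BUCKET = os.environ.get("QUARANTINE_BUCKET", "example-quarantine-bucket")


def extract_affected_object(event):
    """Return (bucket, key) for a Macie sensitive-data finding, or None for any other event.

    EventBridge delivers Macie findings with source "aws.macie" and detail-type
    "Macie Finding"; the affected object is under detail.resourcesAffected.
    """
    if event.get("source") != "aws.macie" or event.get("detail-type") != "Macie Finding":
        return None
    detail = event.get("detail", {})
    # Only sensitive-data findings (not policy findings) should trigger quarantine.
    if not str(detail.get("type", "")).startswith("SensitiveData:"):
        return None
    affected = detail.get("resourcesAffected", {})
    bucket = affected.get("s3Bucket", {}).get("name")
    key = affected.get("s3Object", {}).get("key")
    if not bucket or not key:
        return None
    return bucket, key


def quarantine_object(s3, bucket, key, quarantine_bucket):
    """Copy the object into the quarantine bucket, then delete the original.

    The delete runs only after copy_object returns, so a failed copy raises
    before any data is removed from the source bucket.
    """
    dest_key = f"{bucket}/{key}"  # prefix with the source bucket so the origin is recorded
    s3.copy_object(Bucket=quarantine_bucket, Key=dest_key,
                   CopySource={"Bucket": bucket, "Key": key})
    s3.delete_object(Bucket=bucket, Key=key)
    return {"source": f"s3://{bucket}/{key}",
            "quarantined_to": f"s3://{quarantine_bucket}/{dest_key}"}


def lambda_handler(event, context=None, s3=None, quarantine_bucket=QUARANTINE_BUCKET):
    """Lambda entry point; `s3` is injectable so the logic can be tested without AWS."""
    if s3 is None:
        import boto3  # imported lazily so the offline demo does not need boto3
        s3 = boto3.client("s3")
    target = extract_affected_object(event)
    if target is None:
        return {"action": "ignored"}
    bucket, key = target
    result = quarantine_object(s3, bucket, key, quarantine_bucket)
    result["action"] = "quarantined"
    return result


class FakeS3:
    """Constructed in-memory stand-in for the two S3 calls the handler makes."""

    def __init__(self, objects):
        self.objects = dict(objects)  # {(bucket, key): bytes}

    def copy_object(self, Bucket, Key, CopySource):
        src = (CopySource["Bucket"], CopySource["Key"])
        if src not in self.objects:
            raise KeyError(f"NoSuchKey: {src}")
        self.objects[(Bucket, Key)] = self.objects[src]

    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key), None)


# Constructed sample finding, abridged to the fields the handler reads.
SAMPLE_FINDING = {
    "source": "aws.macie",
    "detail-type": "Macie Finding",
    "detail": {
        "type": "SensitiveData:S3Object/Personal",
        "category": "CLASSIFICATION",
        "resourcesAffected": {
            "s3Bucket": {"name": "example-data-bucket"},
            "s3Object": {"key": "exports/customers.csv"},
        },
    },
}


def demo():
    """Run the handler against the constructed finding; returns (result, remaining objects)."""
    fake = FakeS3({("example-data-bucket", "exports/customers.csv"): b"name,ssn\n..."})
    result = lambda_handler(SAMPLE_FINDING, s3=fake, quarantine_bucket="example-quarantine-bucket")
    return result, fake.objects


if __name__ == "__main__":
    print(demo())
```

The Lambda execution role needs only `s3:GetObject` and `s3:DeleteObject` on the monitored buckets and `s3:PutObject` on the quarantine bucket; the quarantine bucket itself should block public access and restrict reads to the security team, since it will hold the very data Macie flagged.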
Option D requires custom sensitive data detection logic, which is complex, error-prone, and unnecessary given Macie’s capabilities. Option E is invalid because SCPs cannot inspect or move data. Option B does not detect sensitive information.
Therefore, A and C together provide the most efficient, scalable, and AWS-recommended solution.