The requirement is to redact PII before the object content reaches the consumer, while the analytics service continues to use standard S3 GET requests. The most operationally efficient way is Amazon S3 Object Lambda.
S3 Object Lambda lets you add your own code to process and transform data as it is retrieved from S3. Instead of the analytics service reading directly from the bucket, it reads through an S3 Object Lambda Access Point. When the service performs a GET request, S3 invokes the associated Lambda function, which can modify the object payload on the fly—for example, by calling an external or internal PII redaction API and returning a redacted version of the report. The original object remains unchanged in the bucket, while consumers receive the transformed (redacted) response.
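As an added illustration (not part of the original answer), the sketch below shows the shape of such an Object Lambda function: it fetches the original report through the presigned inputS3Url that S3 passes in the event, redacts it, and returns the transformed bytes with WriteGetObjectResponse. The page does not name a particular PII redaction API, so the regex patterns stand in for that call and are an assumption; the event fields and the boto3 call are the real S3 Object Lambda interface.

```python
import re
import urllib.request

# Constructed stand-in for the "PII redaction API" mentioned above: the page
# names no specific service, so a regex pass is an assumption for illustration.
PII_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}


def redact_pii(text: str) -> tuple[str, int]:
    """Return (redacted_text, number_of_replacements_made)."""
    count = 0
    for label, pattern in PII_PATTERNS.items():
        text, n = pattern.subn(f"[REDACTED {label}]", text)
        count += n
    return text, count


def handler(event, context):
    """S3 Object Lambda entry point.

    S3 invokes this on every GET through the Object Lambda Access Point. The
    original object is read via the presigned URL in the event, transformed,
    and handed back to the waiting caller. Nothing in the bucket is modified.
    """
    import boto3  # imported here so the module stays importable without boto3

    ctx = event["getObjectContext"]
    with urllib.request.urlopen(ctx["inputS3Url"]) as resp:
        original = resp.read().decode("utf-8")

    redacted, n = redact_pii(original)

    s3 = boto3.client("s3")
    s3.write_get_object_response(
        RequestRoute=ctx["outputRoute"],
        RequestToken=ctx["outputToken"],
        Body=redacted.encode("utf-8"),
        Metadata={"pii-redactions": str(n)},  # lets the consumer see how much changed
    )
    return {"status_code": 200}
```

The function's execution role needs s3-object-lambda:WriteGetObjectResponse in addition to read access on the supporting access point; `redact_pii` can be unit-tested offline without any AWS credentials.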
This approach is operationally efficient because it avoids:
duplicating and storing redacted copies of every report,
refactoring the analytics service to use a different datastore or ingestion path,
building a separate proxy service layer.
Option A requires significant refactoring and ongoing ETL/warehouse ops.
Option C provides confidentiality via encryption but does not perform redaction (analytics would still see PII after decryption).
Option D changes the access pattern completely (analytics no longer uses GET) and adds messaging complexity without directly returning redacted object content.
Therefore, S3 Object Lambda + Object Lambda Access Point is the most efficient solution to redact data at retrieval time.