The key reasons are: Lake Formation data filters allow restricting access to rows or cells in data tables based on conditions. This allows preventing access to sensitive data. Data filters are implemented within Lake Formation and do not require additional coding or Lambda functions. Lambda functions to pre-process data or purge tables would require ongoing development and maintenance. IAM roles only provide user-level permissions, not row or cell level security. Data filters give granular access control over Lake Formation data with minimal configuration, avoiding complex custom code.

B. Create data filters to implement row-level security and cell-level security. Explanation: Row-Level and Cell-Level Security: AWS Lake Formation provides built-in support for row-level and cell-level security. By using data filters, you can define policies that control access to specific rows and cells within your tables. This allows you to restrict access to sensitive information without needing to manually filter or remove data. Least Operational Overhead: This solution leverages built-in Lake Formation capabilities, reducing the need for additional infrastructure or custom code. Once the data filters are set up, they automatically enforce the security policies, minimizing ongoing operational overhead.

As it said “prevent access to portions of the data that contain sensitive information”, not the access to S3, so data filter is enough

Focus on the exact wordings: "to prevent access to portions of the data that contain sensitive information." Only option B restricts the platform to access sensitive data, option A restrict users to restrict access that doesn't serve the req here, C and D are talking about removing the sensitive data which is not the ask here

portions of the data that contain sensitive information = Filtered data.

A is possible but it does not secure the data properly and only provides table level access control (if any). CD are too much overhead B is exactly for this purpose and is a built-in feature of Lake formation

https://docs.aws.amazon.com/lake-formation/latest/dg/data-filters-about.html

You can create data filters based on the values of columns in a Lake Formation table. Easy. Lowest operational overhead.

The best solution to meet the requirements with the least operational overhead is to create data filters to implement row-level security and cell-level security. Data filters are a feature of Lake Formation that allow you to restrict access to data based on row and column values. This can be used to implement row-level security and cell-level security. To implement row-level security, you would create a data filter that only allows users to access rows where the values in certain columns meet certain criteria. For example, you could create a data filter that only allows users to access rows where the value in the customer_id column matches the user's own customer ID.