The correct answer is Failure to log and review user access to confidential records.

Role based access controls can restrict who is allowed to access sensitive datasets but they do not show what actions an authorized user actually performed. When access is not logged or logs are not reviewed there is no audit trail to detect suspicious downloads or transfers nor to support timely investigation. Regular logging and periodic review of user access are the controls that would most likely have revealed and deterred a staff member selling client data.

Insufficient employee security awareness training is not the best choice because training can reduce risky behavior but it does not account for why actions by a legitimate, authorized user went unnoticed. The scenario points to missing detection and audit rather than a training gap alone.

Weak policies and procedures for granting and reviewing user permissions is less likely because the question states role based controls were applied. That implies permissions were governed and the root failure was the lack of visibility into how those permissions were used.

Lack of data loss prevention and anomaly detection controls can increase risk of exfiltration but these measures often depend on proper logging and review to be effective. The primary failure in this case was the absence of logs or their review, which directly prevented detection of the misuse.

Full AWS Practitioner Certification Question