A company utilizes an Amazon S3 bucket to store datasets accessed by various applications, including a financial services application that generates datasets containing personally identifiable information (PII). There is also an internal application that does not need access to this PII. To adhere to regulations, the company must avoid unnecessary sharing of PII. A data engineer is tasked with finding a solution that can dynamically redact PII depending on the specific needs of each application accessing the dataset. What solution can achieve this with minimal operational overhead?