My company works in Germany and we have some rules to handle data.
I have CSV files in a bucket. And those files have some PII (Publicly Identifiable Information) and non-PII data too. I want to mask the PII data and save it in the same bucket. And I would like to unmask it when doing final reporting.
Typically it's much harder in AWS to set permissions at the folder level inside a bucket than to set the permissions at a bucket level. Since buckets are basically free, I would recommend having separate buckets for PII and masked-PII data.
A better solution might be to expose the masked PII data using an Athena View. Build the view with SQL that masks the PII data and expose that masked view to your users. Then you won't need to maintain two copies of the data, ETL jobs to mask the data, or bucket permissions.
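
A sketch of such a masking view, added here as an illustration and not part of the original answer. The database `reporting`, the table `customers_raw` and all column names are assumptions; the functions are standard Athena (Trino/Presto) SQL.

```sql
-- Assumed schema: reporting.customers_raw is the Athena table defined over the CSV files,
-- with columns customer_id, full_name, email, phone, country, order_total.
CREATE OR REPLACE VIEW reporting.customers_masked AS
SELECT
    customer_id,                                    -- non-PII key, passed through
    -- Keep only the first letter of the name.
    concat(substr(full_name, 1, 1), '***') AS full_name_masked,
    -- Hide the local part, keep the domain for aggregate reporting.
    regexp_replace(email, '^[^@]+', '***') AS email_masked,
    -- Stable pseudonym so rows for the same person can still be grouped or joined.
    -- An unsalted hash can be matched by hashing known addresses, so treat this
    -- column as pseudonymised data, not anonymised data.
    to_hex(sha256(to_utf8(lower(trim(email))))) AS email_hash,
    -- Show only the last two characters of the phone number.
    CASE
        WHEN length(phone) > 2
            THEN concat(rpad('', length(phone) - 2, '*'), substr(phone, -2))
        ELSE '**'
    END AS phone_masked,
    country,                                        -- non-PII, passed through
    order_total                                     -- non-PII, passed through
FROM reporting.customers_raw;

-- Analysts query the view and never see clear-text PII.
SELECT country, count(DISTINCT email_hash) AS customers, sum(order_total) AS revenue
FROM reporting.customers_masked
GROUP BY country;

-- Final reporting, run by a role allowed to read the raw table, resolves the
-- pseudonym back to the clear-text record.
SELECT r.full_name, r.email, m.order_total
FROM reporting.customers_masked AS m
JOIN reporting.customers_raw AS r
  ON to_hex(sha256(to_utf8(lower(trim(r.email))))) = m.email_hash;
```

A standard Athena view runs with the permissions of the user who queries it, so check who can read the underlying S3 objects and the raw table directly before relying on the view as the only control.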