Exam AWS Certified AI Practitioner AIF-C01 topic 1 question 9 discussion

Amazon S3 managed keys (SSE-S3) encrypt your data using an Amazon-managed key, and to access this encrypted data, the IAM role that the service (in this case, Amazon Bedrock) assumes must have the appropriate permissions to decrypt the data. This includes permissions to read the object from the S3 bucket and decrypt it using the SSE-S3 encryption key.

A: Ensure that the role that Amazon Bedrock assumes has permission to decrypt data with the correct encryption key. Explanation: When data in an Amazon S3 bucket is encrypted using SSE-S3 (Server-Side Encryption with Amazon S3 managed keys), the IAM role used by the application (in this case, Amazon Bedrock) must have permissions to access and decrypt the data. Assigning the correct permissions to the role ensures that the Foundation Model (FM) can access the encrypted data.

>Permissions to decrypt your AWS KMS key for your data sources in Amazon S3 https://docs.aws.amazon.com/ja_jp/bedrock/latest/userguide/encryption-kb.html

None of the options are correct. To retrieve an object encrypted via SSE-S3, you just need GetObject permission. If I had this question on the exam, I'd be ticked.

A) The correct Answer! B) Not a security best practice. never open the access to public! C) Has nothing to do with security D) Doesn't solve the access permission issue

A - all the way.

A for sure

Permissions issue