Exam AWS Certified AI Practitioner AIF-C01 topic 1 question 66 discussion

This option ensures that each team has a dedicated service role with permissions specifically tailored to access only their own customer data. This approach aligns with the company's security policy by enforcing strict access controls at the role level, ensuring that teams cannot access data belonging to other teams. By creating separate roles for each team, the solution adheres to the principle of least privilege, which is a fundamental security best practice. This method also simplifies auditing and management of access permissions, as each role's permissions can be reviewed and adjusted independently.

A. Create an Amazon Bedrock custom service role for each team that has access to only the team's customer data.: This would require multiple service roles for Amazon Bedrock itself, which could lead to unnecessary complexity and overhead in role management. It's better to use IAM roles to control team-specific data access.

By creating a single Bedrock role with full S3 access and then using IAM roles to control access to the customer data folders, the company can meet its requirements for developing the LLM application while also adhering to its security policy.

A: Create an Amazon Bedrock custom service role for each team that has access to only the team's customer data. Explanation: To comply with the company's security policy requiring each team to access only their own customer data, the best approach is to create custom service roles in Amazon Bedrock for each team. These roles should have fine-grained permissions, granting access only to the specific Amazon S3 data (e.g., folders or buckets) associated with each team's customers. This ensures compliance with the principle of least privilege. Wrong: D. Create one Amazon Bedrock role that has full Amazon S3 access. Create IAM roles for each team that have access to only each team's customer folders: Giving Bedrock full S3 access is a major security risk. Even with team-specific IAM roles, the Bedrock role could be exploited to access any data in S3.

The correct answer is A. Custom service roles for each team provide granular control over customer data access.

A. Create an Amazon Bedrock custom service role for each team that has access to only the team's customer data.

A. Create an Amazon Bedrock custom service role for each team that has access to only the team's customer data While this restricts data access, managing multiple service roles for Amazon Bedrock per team is unnecessarily complex and does not align with Bedrock’s design of using a single service role. B. Create a custom service role that has Amazon S3 access. Ask teams to specify the customer name on each Amazon Bedrock request Relying on teams to specify the customer name without enforcing access control policies does not guarantee compliance with the security policy. C. Redact personal data in Amazon S3. Update the S3 bucket policy to allow team access to customer data Redacting personal data is helpful for privacy but does not solve the issue of restricting access based on team-specific customer data.

it has to be A. B, absurd C, would let all teams access all data, even if scrubbed/redacted .. D, it would not solve the problem as Bedrock would have access, know and reply with the full knowledge of all customers, IAM roles for each team won't stop Bedrock from knowing and replying with that data.. A. You can also create a custom service role and customize the attached permissions to your specific use-case. If you use the console, you can select this role instead of letting Amazon Bedrock create one for you. https://docs.aws.amazon.com/bedrock/latest/userguide/security-iam-sr.html

Adherence to Principle of Least Privilege: By creating a custom service role for each team that grants access only to their specific customer data in S3, you ensure compliance with the principle of least privilege. Each team will have the minimum necessary permissions to access only their relevant data. D is wrong.

Creating a Bedrock role with access to all S3 data violates the principle of least privilege.

I think it should be D, one IAM role for the service, and multiple IAM roles for the teams