AWS Certified Cloud Practitioner
Get started today
Ultimate access to all questions.
A company wants to develop a large language model (LLM) application by using Amazon Bedrock and customer data that is uploaded to Amazon S3. The company's security policy states that each team can access data for only the team's own customers. Which solution will meet these requirements?
Exam-Like
Community
RRitesh
Explanation:
Explanation
Correct Answer: D
Why Option D is correct:
- Amazon Bedrock Role with Full S3 Access: This role allows Amazon Bedrock to access all customer data in S3 as needed for processing.
- Team-Specific IAM Roles: Each team gets IAM roles with permissions limited to their specific customer folders in S3. This implements the principle of least privilege.
- Separation of Concerns: The Bedrock role handles the AI/ML processing, while IAM roles control data access at the team level.
- AWS Best Practice: This follows AWS security best practices by using IAM roles to control access to S3 resources based on team requirements.
Why other options are incorrect:
A: Creating custom service roles for each team in Bedrock would be complex and doesn't directly address S3 data access control at the folder level.
B: Relying on teams to specify customer names in requests is not secure and doesn't enforce access control at the infrastructure level.
C: Redacting personal data doesn't solve the access control problem - teams would still need controlled access to the data, and redaction doesn't address the requirement for team-specific data isolation.
Key AWS Concepts:
- IAM Roles: Provide temporary security credentials for AWS service access
- S3 Folder-Level Permissions: Can be controlled using IAM policies with resource ARNs
- Amazon Bedrock Service Role: Needs appropriate permissions to access data sources
- Principle of Least Privilege: Grant only necessary permissions to perform required tasks
Comments
Loading comments...