AWS Certified Cloud Practitioner
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company wants to develop a large language model (LLM) application by using Amazon Bedrock and customer data that is uploaded to Amazon S3. The company's security policy states that each team can access data for only the team's own customers. Which solution will meet these requirements?
Exam-Like
Community
RRitesh
A
Create an Amazon Bedrock custom service role for each team that has access to only the team's customer data.
B
Create a custom service role that has Amazon S3 access. Ask teams to specify the customer name on each Amazon Bedrock request.
C
Redact personal data in Amazon S3. Update the S3 bucket policy to allow team access to customer data.
D
Create one Amazon Bedrock role that has full Amazon S3 access. Create IAM roles for each team that have access to only each team's customer folders.
Explanation:
Explanation
Correct Answer: D
Why Option D is correct:
- Amazon Bedrock Role with Full S3 Access: This role allows Amazon Bedrock to access all customer data in S3 as needed for processing.
- Team-Specific IAM Roles: Each team gets IAM roles with permissions limited to their specific customer folders in S3. This implements the principle of least privilege.
- Separation of Concerns: The Bedrock role handles the AI/ML processing, while IAM roles control data access at the team level.
- AWS Best Practice: This follows AWS security best practices by using IAM roles to control access to S3 resources based on team requirements.
Why other options are incorrect:
A: Creating custom service roles for each team in Bedrock would be complex and doesn't directly address S3 data access control at the folder level.
B: Relying on teams to specify customer names in requests is not secure and doesn't enforce access control at the infrastructure level.
C: Redacting personal data doesn't solve the access control problem - teams would still need controlled access to the data, and redaction doesn't address the requirement for team-specific data isolation.
Key AWS Concepts:
- IAM Roles: Provide temporary security credentials for AWS service access
- S3 Folder-Level Permissions: Can be controlled using IAM policies with resource ARNs
- Amazon Bedrock Service Role: Needs appropriate permissions to access data sources
- Principle of Least Privilege: Grant only necessary permissions to perform required tasks
Comments
Loading comments...