AWS Certified AI Practitioner

Get started today

Ultimate access to all questions.

Explanation:

Detailed Explanation

To restrict employee access to specific foundation models (FMs) within Amazon Bedrock, the optimal solution is to use AWS Identity and Access Management (IAM) policies. Here's why:

Why Option A (IAM Policies) is Correct:

Granular Access Control: IAM policies allow administrators to define fine-grained permissions at the model level. You can specify exactly which foundation models (e.g., Anthropic Claude, AI21 Jurassic, Meta Llama) employees can access while denying others.
Native Integration: Amazon Bedrock is designed to work seamlessly with IAM for access management. The service supports IAM policy conditions that can restrict actions like InvokeModel to specific model IDs.
User/Role-Based Management: IAM policies can be attached to individual users, groups, or roles, enabling flexible permission management aligned with organizational structures.
Comprehensive Coverage: IAM policies control both who can access models and what actions they can perform (e.g., invoke, fine-tune, or manage custom models).

Why Other Options Are Less Suitable:

Option B (AWS STS): While AWS Security Token Service generates temporary credentials, it doesn't inherently restrict access to specific models. STS is typically used for federated access or cross-account scenarios, not for defining which Bedrock models users can access.
Option C (IAM Service Roles): Service roles are used by AWS services to access other AWS resources on your behalf, not for controlling user access to specific Bedrock models. This approach doesn't address the requirement of restricting employee access.
Option D (Amazon Inspector): Amazon Inspector is a security vulnerability assessment service for EC2 instances and container images. It monitors for security issues but doesn't control access permissions to Bedrock models.

Best Practice Implementation:

To implement this solution, create an IAM policy with a Deny effect for all Bedrock models, then add Allow statements for specific model ARNs that employees should access. This follows the principle of least privilege, ensuring employees only have access to necessary resources.

This approach aligns with AWS security best practices and provides the precise control required by the scenario.

Explanation:

Detailed Explanation

To restrict employee access to specific foundation models (FMs) within Amazon Bedrock, the optimal solution is to use AWS Identity and Access Management (IAM) policies. Here's why:

Why Option A (IAM Policies) is Correct:

Granular Access Control: IAM policies allow administrators to define fine-grained permissions at the model level. You can specify exactly which foundation models (e.g., Anthropic Claude, AI21 Jurassic, Meta Llama) employees can access while denying others.
Native Integration: Amazon Bedrock is designed to work seamlessly with IAM for access management. The service supports IAM policy conditions that can restrict actions like InvokeModel to specific model IDs.
User/Role-Based Management: IAM policies can be attached to individual users, groups, or roles, enabling flexible permission management aligned with organizational structures.
Comprehensive Coverage: IAM policies control both who can access models and what actions they can perform (e.g., invoke, fine-tune, or manage custom models).

Why Other Options Are Less Suitable:

Option B (AWS STS): While AWS Security Token Service generates temporary credentials, it doesn't inherently restrict access to specific models. STS is typically used for federated access or cross-account scenarios, not for defining which Bedrock models users can access.
Option C (IAM Service Roles): Service roles are used by AWS services to access other AWS resources on your behalf, not for controlling user access to specific Bedrock models. This approach doesn't address the requirement of restricting employee access.
Option D (Amazon Inspector): Amazon Inspector is a security vulnerability assessment service for EC2 instances and container images. It monitors for security issues but doesn't control access permissions to Bedrock models.

Best Practice Implementation:

This approach aligns with AWS security best practices and provides the precise control required by the scenario.

Comments (0)

No comments yet.

A company has enabled Amazon Bedrock for application development and needs to limit employee access to only certain models within Amazon Bedrock.

What solution fulfills this requirement?

Exam-Like

Last updated: February 8, 2026 at 20:17

Use AWS Identity and Access Management (IAM) policies to restrict model access.

100.0%

Use AWS Security Token Service (AWS STS) to generate temporary credentials for model use.

0.0%

Use AWS Identity and Access Management (IAM) service roles to restrict model subscription.

AWS Certified AI Practitioner

Get started today

Detailed Explanation

Why Option A (IAM Policies) is Correct:

Why Other Options Are Less Suitable:

Best Practice Implementation:

Detailed Explanation

Why Option A (IAM Policies) is Correct:

Why Other Options Are Less Suitable:

Best Practice Implementation:

Comments (0)

Get started today

Comments (0)

A company has enabled Amazon Bedrock for application development and needs to limit employee access to only certain models within Amazon Bedrock. What solution fulfills this requirement?

A company has enabled Amazon Bedrock for application development and needs to limit employee access to only certain models within Amazon Bedrock.

What solution fulfills this requirement?