
Answer-first summary for fast verification
Answer: Ensure that the role that Amazon Bedrock assumes has permission to decrypt data with the correct encryption key.
## Detailed Explanation

When Amazon Bedrock needs to access encrypted data stored in Amazon S3 using SSE-S3 (server-side encryption with Amazon S3 managed keys), the IAM role that Bedrock assumes must have the appropriate permissions to read and decrypt the data. Here is the reasoning for each option:

**Option A (Correct):** This is the correct solution because accessing SSE-S3 encrypted objects requires the IAM role Bedrock assumes to be permitted to decrypt the data with the S3-managed encryption key. The role needs `s3:GetObject` permission to retrieve the object from S3; with that permission in place, decryption of SSE-S3 data is handled implicitly by S3. Without this permission, Bedrock cannot access the encrypted content, which explains the access failure.

**Option B (Incorrect):** Setting S3 buckets to allow public access is a security anti-pattern and violates AWS best practices. Public access exposes the data to the internet and creates significant security risk. It does not address the encryption-related permission issue and introduces unnecessary exposure.

**Option C (Incorrect):** Prompt engineering techniques instruct the model on how to process or interpret data, but they do not resolve underlying infrastructure permission issues. The failure occurs at the data access layer, before the model can process any content, so prompt engineering is irrelevant to this access problem.

**Option D (Incorrect):** While ensuring that S3 data does not contain sensitive information is a good security practice, it does not resolve the access failure. The encryption of the data (SSE-S3) and the role's missing permission are the root cause, not the sensitivity of the content. Removing sensitive data would not change the encryption requirements or the permissions the role needs.
**Key Technical Points:**
- SSE-S3 encryption is transparent to applications once the proper IAM permissions are configured.
- The IAM role must have `s3:GetObject` permission; decryption of SSE-S3 data is then permitted implicitly.
- Amazon Bedrock assumes an IAM role to access AWS resources, and that role's permissions must be properly configured.
- Unlike SSE-KMS, SSE-S3 does not require explicit KMS key permissions, but it still requires appropriate IAM role permissions for the read and decrypt to succeed.
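As an added illustration (not part of the original question or its explanation), the following CloudFormation fragment defines the kind of service role Bedrock would assume. The trust policy lets `bedrock.amazonaws.com` in this account assume the role; the permissions policy grants `s3:GetObject` (plus `s3:ListBucket`) on the bucket, which is all an SSE-S3 read needs. The role name, bucket name, region, account ID and KMS key ID are placeholders chosen for the example.

```yaml
# Added example, not from the original page: a CloudFormation fragment for the
# IAM role that Amazon Bedrock assumes to read SSE-S3 encrypted objects.
# Placeholders: role name, bucket name, region, account ID, KMS key ID.
Resources:
  BedrockS3AccessRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: bedrock-s3-access-role            # assumed name
      # Trust policy: only the Bedrock service acting for this account may
      # assume the role (the SourceAccount condition limits confused-deputy use).
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Policies:
        - PolicyName: read-sse-s3-objects
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # SSE-S3: S3 decrypts with its own managed key when the caller is
              # allowed to GetObject, so no separate decrypt action is needed.
              - Sid: ReadEncryptedObjects
                Effect: Allow
                Action: s3:GetObject
                Resource: arn:aws:s3:::example-chatbot-data-bucket/*   # placeholder
              - Sid: ListBucket
                Effect: Allow
                Action: s3:ListBucket
                Resource: arn:aws:s3:::example-chatbot-data-bucket     # placeholder
              # Only if the bucket instead used SSE-KMS with a customer managed
              # key would the role also need kms:Decrypt on that key. Kept
              # commented out here because the question's bucket uses SSE-S3.
              # - Sid: DecryptOnlyNeededForSseKms
              #   Effect: Allow
              #   Action: kms:Decrypt
              #   Resource: arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID
```

The role is scoped to one bucket and to the Bedrock service principal, so the data can be read without any change to the bucket's public-access settings; if the bucket also carries a bucket policy, it must not contain a `Deny` that overrides this role's `Allow`.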
Author: LeetQuiz Editorial Team
A company is developing a chatbot using a foundation model (FM) on Amazon Bedrock. The FM must retrieve encrypted data from an Amazon S3 bucket, where the data is encrypted using Amazon S3 managed keys (SSE-S3). The FM is currently failing to access the data in the S3 bucket. What solution will resolve this failure and meet the requirements?
A
Ensure that the role that Amazon Bedrock assumes has permission to decrypt data with the correct encryption key.
B
Set the access permissions for the S3 buckets to allow public access to enable access over the internet.
C
Use prompt engineering techniques to tell the model to look for information in Amazon S3.
D
Ensure that the S3 data does not contain sensitive information.