
Explanation:
Option C is the correct solution because it enforces privacy controls at inference time rather than at ingestion time, which is necessary when different user roles need different visibility into the same underlying data.
Using an S3 Lifecycle configuration ensures that documents older than 3 years are automatically removed, guaranteeing that the knowledge base references only compliant, recent medical reports. Scheduling Lambda-based syncs keeps the knowledge base aligned with the bucket contents without introducing complex per-upload orchestration.
The most important requirement is role-based exposure of PHI. Amazon Bedrock guardrails are applied per request at inference time, so the application can select a guardrail configuration based on the authenticated user's Amazon Cognito group. Surgeons receive full responses, while engineers receive responses with PHI masked, without duplicating data or maintaining multiple knowledge bases.
This approach preserves a single source of truth for medical reports while enforcing privacy through response-level controls. It also maintains full auditability of access and redaction behavior.
Option A permanently removes PII and violates surgeon access requirements. Option B redacts data inconsistently and couples privacy logic to ingestion. Option D doubles storage, increases cost, and introduces data drift risk.
Therefore, Option C best meets privacy, compliance, scalability, and operational efficiency requirements.
A healthcare company is building a generative AI application that will answer questions about patient medical reports. The reports are stored in an Amazon S3 bucket and contain protected health information (PHI). The company must comply with regulations that require medical reports older than 3 years to be deleted. The application will be used by two types of users: surgeons, who need to see PHI to make treatment decisions, and biomedical engineers, who should see only de-identified data for research purposes. The company wants to use Amazon Bedrock knowledge bases to retrieve relevant information from the reports. Which solution will meet these requirements?
A
Create a single knowledge base. Use an AWS Lambda function to redact PHI from the reports before syncing them to the knowledge base. Configure the knowledge base to use an S3 Lifecycle configuration to delete documents older than 3 years.
B
Create a single knowledge base. Use an AWS Lambda function to redact PHI from the reports before syncing them to the knowledge base. Schedule a weekly Lambda function to scan the S3 bucket and remove documents older than 3 years.
C
Create a single knowledge base. Use an S3 Lifecycle configuration to delete documents older than 3 years. Schedule a Lambda function to sync the knowledge base with the S3 bucket weekly. Configure Amazon Bedrock guardrails to mask PHI in responses for biomedical engineers.
D
Create a second knowledge base. Use Lambda and Amazon Comprehend to redact PII before syncing to the second knowledge base. Route users to the appropriate knowledge base based on Cognito group membership.
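As an added worked example (not code from the question page or from AWS), the Python below builds the two request payloads that Option C relies on: the boto3 `bedrock-agent-runtime` `retrieve_and_generate` call, with the PHI-masking guardrail attached to every caller who is not in the surgeon Cognito group, and the S3 lifecycle rule that expires reports after 3 years. The knowledge base ID, model ARN, guardrail ID, bucket name and group names are placeholders; `cognito:groups` is the real claim name in a Cognito ID token, and the payload shapes follow the boto3 `retrieve_and_generate` and `put_bucket_lifecycle_configuration` parameters. The selection fails closed: a missing or malformed group claim gets the masked path.

```python
"""Added example, not the question page's or AWS's code.

Builds the request payloads for Option C. All resource identifiers below are
assumed placeholders, not real resources.
"""
import json

# Assumed placeholder identifiers.
KNOWLEDGE_BASE_ID = "KBID-PLACEHOLDER"
MODEL_ARN = "arn:aws:bedrock:us-east-1::foundation-model/MODEL-PLACEHOLDER"
PHI_MASKING_GUARDRAIL = {"guardrailId": "GUARDRAIL-ID-PLACEHOLDER", "guardrailVersion": "1"}
REPORTS_BUCKET = "medical-reports-bucket-placeholder"
FULL_PHI_GROUP = "surgeons"          # assumed Cognito group allowed to see PHI
RETENTION_DAYS = 3 * 365             # "older than 3 years" expressed as lifecycle days


def groups_from_id_token_claims(claims):
    """Return the set of Cognito groups from the verified ID-token claims.

    A missing claim yields an empty set, which the caller treats as
    'not a surgeon' so the masked path is taken (fail closed).
    """
    groups = claims.get("cognito:groups", [])
    if isinstance(groups, str):      # tolerate a single string instead of a list
        groups = [groups]
    if not isinstance(groups, list):
        return set()
    return {g for g in groups if isinstance(g, str)}


def build_rag_request(question, claims):
    """Build kwargs for bedrock-agent-runtime RetrieveAndGenerate.

    Privacy is enforced at inference time against a single knowledge base:
    the PHI-masking guardrail is attached unless the caller is a surgeon.
    """
    kb_config = {"knowledgeBaseId": KNOWLEDGE_BASE_ID, "modelArn": MODEL_ARN}
    if FULL_PHI_GROUP not in groups_from_id_token_claims(claims):
        kb_config["generationConfiguration"] = {
            "guardrailConfiguration": dict(PHI_MASKING_GUARDRAIL)
        }
    return {
        "input": {"text": question},
        "retrieveAndGenerateConfiguration": {
            "type": "KNOWLEDGE_BASE",
            "knowledgeBaseConfiguration": kb_config,
        },
    }


def request_is_masked(request):
    """True if the request carries the PHI-masking guardrail."""
    kb = request["retrieveAndGenerateConfiguration"]["knowledgeBaseConfiguration"]
    guardrail = kb.get("generationConfiguration", {}).get("guardrailConfiguration")
    return guardrail == PHI_MASKING_GUARDRAIL


def build_lifecycle_configuration(prefix="reports/"):
    """S3 lifecycle rule expiring objects under `prefix` after RETENTION_DAYS.

    Passed as LifecycleConfiguration= to s3.put_bucket_lifecycle_configuration.
    """
    return {
        "Rules": [
            {
                "ID": "expire-medical-reports-after-3-years",
                "Filter": {"Prefix": prefix},
                "Status": "Enabled",
                "Expiration": {"Days": RETENTION_DAYS},
            }
        ]
    }


if __name__ == "__main__":
    # Constructed sample claims, as a verified Cognito ID token would present them.
    surgeon = {"sub": "u-1", "cognito:groups": ["surgeons"]}
    engineer = {"sub": "u-2", "cognito:groups": ["biomedical-engineers"]}
    no_groups = {"sub": "u-3"}
    for who, claims in [("surgeon", surgeon), ("engineer", engineer), ("no group", no_groups)]:
        req = build_rag_request("Summarise the latest cardiology report.", claims)
        print(who, "-> masked:", request_is_masked(req))
    print(json.dumps(build_lifecycle_configuration(), indent=2))
```

In a deployment the first payload goes verbatim to `boto3.client("bedrock-agent-runtime").retrieve_and_generate(**build_rag_request(...))` and the second to `boto3.client("s3").put_bucket_lifecycle_configuration(Bucket=REPORTS_BUCKET, LifecycleConfiguration=build_lifecycle_configuration())`; the weekly sync in Option C is a separate `start_ingestion_job` call on the knowledge base's data source. Keeping the guardrail decision in one function that defaults to masking means a new or misconfigured role cannot accidentally receive unmasked PHI.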