Q45 — AWS AIF-C01 Ch.1

A company wants to develop a large language model (LLM) application using Amazon Bedrock and customer data stored in Amazon S3. The company’s security policy mandates that each team can access only its own team’s customer data. Which solution meets these requirements?

Correct Answer: A. Create a custom Amazon Bedrock service role for each team, granting access only to that team’s customer data.

Explanation

This question tests understanding of data access control solutions. In a multi-team environment, enforcing data isolation per security policy requires precise, least-privilege access delegation. Option A creates a dedicated, scoped Amazon Bedrock service role per team, ensuring strict, policy-compliant access exclusively to that team’s customer data in S3. This approach directly satisfies the requirement while maintaining security and auditability. The other options introduce risks: B lacks enforcement at the infrastructure level; C violates the principle of least privilege via broad bucket policies; D conflates Bedrock roles with IAM roles and misapplies permissions (Bedrock does not assume IAM roles directly for S3 access). Thus, option A is correct.