Q18 — AWS AIF-C01 Ch.2
A company wants to build a large language model (LLM) application using Amazon Bedrock and customer data stored in Amazon S3. Its security policy mandates that each team can access only its own team’s customer data. Which solution satisfies these requirements?
- A. Create an Amazon Bedrock custom service role for each team, granting access only to that team’s customer data. ✓
- B. Create a custom service role with Amazon S3 permissions and require teams to specify customer names in every Amazon Bedrock request.
- C. Edit personal data in Amazon S3 and update the S3 bucket policy to allow team access to customer data.
- D. Create an Amazon Bedrock role with full Amazon S3 access and assign each team an IAM role restricted to its customer folder.
Correct Answer: A. Create an Amazon Bedrock custom service role for each team, granting access only to that team’s customer data.
Explanation
Option A applies least privilege: each team gets its own Amazon Bedrock service role (the IAM role that Bedrock assumes when it reads fine-tuning or knowledge-base data from S3), and that role's S3 permissions are scoped to the team's own objects, so the isolation is enforced by IAM on every Bedrock call rather than by convention. Option D fails because the Bedrock service role has full S3 access: the per-team IAM role only limits what the team's users can read directly, while Bedrock itself reads with the broad role, so any team's job can pull another team's customer data. Option B relies on callers naming the right customer in each request, which is client-side enforcement that a mistaken or malicious request bypasses. Option C edits the data instead of controlling access to it, and a bucket policy that lets teams reach customer data does not distinguish one team from another.
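As an added illustration (not part of the exam question or its published explanation), the following Python builds the two IAM documents behind option A for one team: a trust policy that lets only the Bedrock service assume the role, with the confused-deputy conditions the Bedrock documentation recommends, and a permission policy scoped to that team's S3 prefix. It then contrasts it with the full-S3 policy from option D using a simplified local check of the Resource element. The bucket name, the `teams/<team>/` key layout, the account ID and the `aws:SourceArn` pattern are all assumptions chosen for the example.

```python
import fnmatch
import json

# Constructed sample values for this example; not from the exam page.
ACCOUNT_ID = "123456789012"
BUCKET = "example-customer-data"


def bedrock_trust_policy(account_id: str) -> dict:
    """Trust policy for a Bedrock service role.

    Only the Bedrock service principal may assume the role, and only when it is
    acting for this account (aws:SourceAccount / aws:SourceArn). That blocks the
    confused-deputy case where Bedrock is driven from another account. The
    SourceArn pattern below is an assumption; in production tighten it to the
    specific Bedrock resource (knowledge base, customization job) that uses the role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "bedrock.amazonaws.com"},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id},
                    "ArnLike": {"aws:SourceArn": f"arn:aws:bedrock:*:{account_id}:*"},
                },
            }
        ],
    }


def team_data_policy(bucket: str, team: str) -> dict:
    """Permission policy for one team's Bedrock service role (option A).

    The key layout teams/<team>/... is assumed. GetObject is limited to that
    prefix, and ListBucket is limited by the s3:prefix condition so the role
    cannot even enumerate other teams' keys.
    """
    prefix = f"teams/{team}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOwnTeamObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
            {
                "Sid": "ListOwnTeamPrefixOnly",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }


def full_s3_policy() -> dict:
    """The over-broad policy behind option D: every action on every object."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows_get_object(policy: dict, bucket: str, key: str) -> bool:
    """Simplified local check: does an Allow statement cover s3:GetObject on this object?

    Uses fnmatch semantics, where * also spans '/', matching how IAM treats * in
    Resource and Action. It ignores Deny statements, conditions, bucket policies
    and SCPs, so it illustrates scoping and is not a substitute for a real audit.
    """
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("s3:GetObject", a) for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatch.fnmatchcase(arn, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


if __name__ == "__main__":
    alpha = team_data_policy(BUCKET, "alpha")
    print(json.dumps(bedrock_trust_policy(ACCOUNT_ID), indent=2))
    print(json.dumps(alpha, indent=2))
    for key in ("teams/alpha/customer-001.json", "teams/beta/customer-001.json"):
        print(key,
              "| alpha team role:", allows_get_object(alpha, BUCKET, key),
              "| option-D full-S3 role:", allows_get_object(full_s3_policy(), BUCKET, key))
```

Run as a script it prints both policy documents and then shows that the alpha team's role reads only under `teams/alpha/` while the option-D role reads everything, which is exactly why D does not satisfy the policy even though each team also holds a restricted IAM role. Each team gets its own instance of `team_data_policy`, attached to its own Bedrock service role, so no single role ever spans two teams' data.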