AWS AI Practitioner - AWS Security Services

Q1. A SageMaker training job needs to read training data from an encrypted S3 bucket. The bucket uses AWS KMS for encryption. Which combination of IAM permissions must the SageMaker execution role include?

• S3 read permission only -- KMS access is automatically inherited
• S3 read permission AND KMS decrypt permission -- both are needed to access encrypted data
• KMS decrypt permission only -- S3 access is implicit when KMS is permitted
• No IAM role is needed -- SageMaker accesses S3 by default

Answer: B

To access an encrypted S3 object, the SageMaker execution role needs: (1) S3 permission to read the object, and (2) KMS decrypt permission to unlock the encryption. Without both, the job will fail. IAM roles are always required to authorize cross-service access in AWS.

Q2. A company has 50 data scientists who all need the same read-only access to Amazon SageMaker. What is the most efficient and maintainable IAM approach?

• Attach an inline policy with read-only access directly to each of the 50 users
• Create a DataScientists IAM group, attach the read-only policy to the group, and add all 50 users to the group
• Create 50 IAM roles and assign one to each user
• Give all 50 users the root account credentials for efficiency

Answer: B

Creating a group with the correct policy and adding users to it is the most scalable approach. All 50 users inherit the group permissions automatically. If permissions change, updating the group policy updates all members simultaneously -- no need to modify 50 individual users.

Q3. An Amazon Bedrock knowledge base needs to access documents stored in an S3 bucket and use an AWS KMS key for encryption. How should permissions be configured?

• Create an IAM user with S3 and KMS permissions and embed the credentials in the Bedrock configuration
• Create an IAM role with S3 read and KMS decrypt permissions and assign it to the Bedrock knowledge base
• Make the S3 bucket public so Bedrock can access it without credentials
• Use the AWS root account credentials for the Bedrock knowledge base

Answer: B

IAM roles are the correct mechanism for granting AWS services permissions to access other AWS resources. The role should include both S3 read permission for the bucket contents and KMS decrypt permission to access encrypted data. Never embed credentials or use root accounts for service access.

Q4. A Lambda function needs to invoke Amazon Bedrock foundation models and log results to CloudWatch. What is the correct IAM configuration?

• Create a Lambda execution role with Bedrock invoke permissions and CloudWatch Logs write permissions
• Attach an inline policy to the Lambda function code with the required permissions
• Use the default Lambda permissions which include all AWS service access
• Create an IAM user for the Lambda function with Bedrock and CloudWatch access

Answer: A

Lambda functions require an execution role that defines which AWS services the function can access. The role should include permissions to invoke Bedrock models and write to CloudWatch Logs. IAM roles (not users) are always used for service-to-service permissions.

Q5. Which IAM security principle states that users and services should only be granted the minimum permissions necessary to perform their tasks?

• Role-based access control
• Least privilege principle
• Defense in depth
• Zero trust architecture

Answer: B

The least privilege principle is a core AWS security best practice stating that users, groups, and roles should be granted only the minimum permissions required to accomplish their specific tasks. This minimizes the potential impact of compromised credentials or accidental misuse.

Q1. A team wants to automatically process images uploaded to an S3 bucket -- running them through an Amazon Rekognition API call and writing results to DynamoDB -- without managing any servers. Which compute service is MOST appropriate?

• Amazon EC2 -- to host a continuously running image processing server
• AWS Lambda -- to trigger automatically on S3 uploads and run the processing logic serverlessly
• Amazon SageMaker -- to deploy the image processing as a hosted endpoint
• AWS Fargate -- to containerize the image processing workflow

Answer: B

AWS Lambda is ideal for this event-driven, serverless pattern. An S3 event trigger fires the Lambda function for each image upload, the function calls Rekognition and writes to DynamoDB, and Lambda scales automatically with no server management required.

Q2. A company needs to train a large deep learning model that requires multiple GPUs and will run for several days. Which compute option is MOST appropriate?

• AWS Lambda with maximum memory allocation
• Amazon EC2 P4d instances with multiple GPUs
• AWS Fargate containers
• Amazon Lightsail virtual servers

Answer: B

EC2 P4d instances provide multiple high-performance GPUs designed for intensive ML training workloads. Lambda has a 15-minute timeout making it unsuitable for long-running training, and Fargate/Lightsail don't offer GPU instances optimized for deep learning.

Q3. An ML engineer wants to automate a daily job that invokes Amazon Bedrock to summarize news articles and stores results in S3. The job runs for about 2 minutes each day. What is the MOST cost-effective compute solution?

• An always-running EC2 instance that executes the job on a cron schedule
• An AWS Lambda function triggered by Amazon EventBridge on a daily schedule
• A SageMaker Processing job scheduled via Step Functions
• An ECS Fargate task running continuously

Answer: B

Lambda is ideal for short-duration scheduled tasks. The function only runs (and incurs charges) for the 2 minutes it executes each day. EventBridge provides cron-like scheduling capability. Running EC2 or Fargate continuously would cost significantly more for a task that only runs 2 minutes daily.

Q4. Which EC2 instance families are optimized for ML inference workloads?

• T3 and T4 instances for burstable performance
• P3, P4, and P5 instances for training GPUs
• G4, G5, and G6 instances for graphics and inference GPUs
• M5 and M6 instances for general purpose computing

Answer: C

G4, G5, and G6 instances are optimized for graphics-intensive applications and ML inference workloads. They provide cost-effective GPU compute ideal for deploying trained models. P-series instances (P3, P4, P5) are designed for training with more powerful but more expensive GPUs.

Q5. What happens to an EC2 instance's public IP address when the instance is stopped and restarted?

• The public IP remains the same
• The public IP changes to a new address
• The public IP is permanently released and cannot be reassigned
• The instance cannot be restarted without assigning a new IP manually

Answer: B

EC2 public IP addresses change each time an instance is stopped and restarted. Only the private IP remains constant throughout the instance's lifecycle. To maintain a consistent public IP, you must use an Elastic IP address.

Q1. A company stores ML training datasets in S3 Standard. After model training completes, datasets are accessed about once per quarter for retraining. After 2 years, they need to be retained for regulatory compliance but will almost never be accessed. Which storage transition strategy is MOST cost-effective?

• Keep everything in S3 Standard -- simplicity outweighs cost savings
• Move to S3 Standard-IA after 30 days, then to S3 Glacier Deep Archive after 2 years
• Move immediately to S3 One Zone-IA -- regulatory archives don't need multi-AZ redundancy
• Use S3 Intelligent-Tiering and let AWS handle all transitions automatically

Answer: B

After training completes, the quarterly access pattern suits Standard-IA (lower cost, instant retrieval, retrieval fee acceptable for infrequent use). After 2 years of near-zero access, Glacier Deep Archive provides the lowest possible storage cost for compliance retention. A lifecycle rule can automate both transitions.

Q2. A SageMaker training job in a private VPC subnet needs to access training data in an S3 bucket. The company's security policy prohibits any internet traffic. How should this be configured?

• Add a NAT Gateway to allow internet access for S3 calls
• Move the training job to a public subnet with direct internet access
• Create an S3 Gateway VPC Endpoint to access S3 privately within AWS network
• Make the S3 bucket public so no authentication is required

Answer: C

An S3 Gateway VPC Endpoint allows resources in private subnets to access S3 directly through AWS's private network without requiring internet access. This meets the security requirement of no internet traffic while enabling the training job to read data from S3.

Q3. A company needs to store model artifacts that may be accessed frequently during the first month after training, but access patterns become unpredictable after that. Which S3 storage class is MOST appropriate?

• S3 Standard for the first month, then manual transition to Glacier
• S3 Intelligent-Tiering to automatically optimize based on actual access patterns
• S3 One Zone-IA for cost savings
• S3 Glacier Instant Retrieval from the start

Answer: B

S3 Intelligent-Tiering is designed for data with unknown or changing access patterns. It automatically moves objects between frequent and infrequent access tiers based on usage, with no retrieval fees. This eliminates the need to predict access patterns or manually manage transitions.

Q4. An S3 bucket uses SSE-KMS encryption. A Bedrock knowledge base needs to read documents from this bucket. What permissions must the Bedrock service role include?

• Only S3:GetObject permission for the bucket
• S3:GetObject for the bucket AND kms:Decrypt for the KMS key
• Only kms:Decrypt permission for the KMS key
• S3:* and KMS:* wildcard permissions

Answer: B

When accessing SSE-KMS encrypted S3 objects, the accessing role needs both S3 read permission to retrieve the object AND KMS decrypt permission to decrypt the data. Without both permissions, the access will fail.

Q5. What is the maximum size for a single object stored in Amazon S3?

• 5 GB
• 5 TB
• 50 TB
• Unlimited

Answer: B

The maximum size for a single S3 object is 5 TB. However, files larger than 5 GB must use multi-part upload to transfer the data in smaller chunks that are reassembled in S3.

Q1. A healthcare company stores patient records in an S3 bucket that will be used as training data for a clinical AI model. Before training begins, they want to verify no PHI or PII is present in the dataset. Which AWS service should they use?

• Amazon Comprehend Medical -- to extract medical entities from the text
• Amazon Macie -- to automatically scan the S3 bucket and detect any PII in the stored data
• AWS Config -- to audit the S3 bucket configuration for public access
• Amazon Inspector -- to scan for software vulnerabilities in the data pipeline

Answer: B

Amazon Macie is specifically designed to scan S3 buckets and automatically detect PII using machine learning. It will flag any sensitive data in the healthcare records before they are used for training, helping the company avoid training a model on PII and maintain compliance.

Q2. A data science team wants to be automatically notified via email whenever Amazon Macie detects PII in their ML training data buckets. Which service integration enables this notification workflow?

• Macie sends findings to AWS CloudTrail which triggers email notifications
• Macie sends findings to Amazon EventBridge which can trigger SNS to send emails
• Macie sends findings directly to Amazon SES for email delivery
• Macie has built-in email notification that requires no additional configuration

Answer: B

Macie findings are sent to Amazon EventBridge, which can be configured with rules to trigger downstream actions. An EventBridge rule can invoke SNS to send email notifications, Lambda functions for automated remediation, or other AWS services for custom workflows.

Q3. What types of sensitive data does Amazon Macie primarily detect?

• Software vulnerabilities and security misconfigurations
• PII such as names, social security numbers, credit card numbers, and addresses
• Malware and viruses in uploaded files
• Network intrusion attempts and suspicious traffic patterns

Answer: B

Amazon Macie uses machine learning to detect personally identifiable information (PII) in S3 buckets. This includes names, addresses, social security numbers, credit card numbers, passport numbers, and other regulated data types relevant to GDPR, HIPAA, and privacy compliance.

Q4. Which AWS storage services does Amazon Macie scan for sensitive data?

• Amazon S3, Amazon EBS, and Amazon RDS
• Amazon S3 only
• Amazon S3 and Amazon EFS
• All AWS storage services

Answer: B

Amazon Macie exclusively scans Amazon S3 buckets for sensitive data. It does not scan EBS volumes, RDS databases, EFS file systems, or other storage services. For PII detection in other contexts, you would need different solutions.

Q5. A GenAI application collects user-submitted documents and stores them in S3 before processing with Bedrock. The company wants to ensure no PII enters their AI pipeline. What is the recommended approach?

• Trust users to not submit PII and proceed with processing
• Configure Amazon Macie to scan the S3 bucket and trigger alerts when PII is detected before Bedrock processing
• Use Amazon Inspector to scan the documents for sensitive content
• Enable S3 encryption which automatically removes PII from documents

Answer: B

Amazon Macie should be configured to scan the S3 bucket containing user-submitted documents. When PII is detected, findings trigger EventBridge events that can pause processing, alert security teams, or invoke Lambda for automated remediation before the data enters the AI pipeline.

Q1. A security team wants to automatically detect whenever any security group in their AWS account is modified to allow unrestricted inbound SSH access (port 22 open to all IPs). Which service provides this capability?

• AWS CloudTrail -- to log who modified the security group
• AWS Config with the 'restricted-ssh' rule -- to continuously evaluate security group compliance and flag violations
• Amazon Inspector -- to scan EC2 instances for SSH vulnerabilities
• AWS Trusted Advisor -- to recommend security best practices

Answer: B

AWS Config's 'restricted-ssh' rule continuously evaluates security groups and marks any that allow unrestricted SSH access as noncompliant. Unlike CloudTrail (which logs the change after it happens), Config evaluates the resulting configuration state and flags violations proactively.

Q2. A compliance team needs to track all configuration changes to their Bedrock knowledge bases and SageMaker endpoints over the past 90 days. Which service provides this historical configuration data?

• AWS CloudTrail -- to see who made API calls
• AWS Config -- to view resource configuration history and compliance timeline
• Amazon Inspector -- to audit resource security posture
• AWS Trusted Advisor -- to get configuration recommendations

Answer: B

AWS Config continuously records resource configurations and maintains a historical timeline. You can view exactly how a resource's configuration changed over time, when changes occurred, and whether the resource remained compliant throughout. CloudTrail shows WHO called an API, but Config shows WHAT the configuration looked like.

Q3. What is the relationship between AWS Config and AWS CloudTrail?

• They are the same service with different names
• Config records WHAT changed; CloudTrail records WHO made the change
• CloudTrail replaces Config for newer AWS accounts
• Config is for compliance; CloudTrail is for billing

Answer: B

AWS Config and CloudTrail complement each other. Config tracks WHAT a resource's configuration looks like now versus before and whether it's compliant. CloudTrail tracks WHO made an API call, WHAT action they took, and WHEN. Together they provide complete visibility: who changed it and what changed.

Q4. An organization wants to ensure all their S3 buckets have server-side encryption enabled. How can they automatically verify this across all buckets?

• Manually check each bucket's properties monthly
• Use AWS Config with the 's3-bucket-server-side-encryption-enabled' rule to continuously evaluate all buckets
• Enable CloudTrail to log encryption status of all buckets
• Use Amazon Macie to scan for unencrypted buckets

Answer: B

AWS Config rules continuously evaluate resource configurations against compliance requirements. The 's3-bucket-server-side-encryption-enabled' rule automatically checks all S3 buckets and marks any without encryption as noncompliant, providing ongoing visibility without manual auditing.

Q5. Which statement about AWS Config is correct?

• AWS Config is free to use with no charges
• AWS Config is a global service that runs in all regions automatically
• AWS Config is a per-region service but supports multi-region aggregation
• AWS Config only tracks EC2 and S3 resources

Answer: C

AWS Config operates per-region, meaning you need to enable it in each region where you want to track resources. However, you can aggregate Config data from multiple regions and accounts into a central dashboard for unified visibility. Note that Config is NOT free -- charges apply per configuration item recorded.

Q1. A DevOps team deploys ML inference containers to Amazon ECR. They want to automatically identify any security vulnerabilities in the container images' dependencies as part of the CI/CD pipeline. Which AWS service provides this?

• AWS Config -- to check container image configuration compliance
• AWS Macie -- to scan container images for sensitive data
• Amazon Inspector -- to automatically scan ECR container images for known vulnerabilities when pushed
• AWS CloudTrail -- to log all container image pushes to ECR

Answer: C

Amazon Inspector automatically scans container images pushed to Amazon ECR for known software vulnerabilities (CVE database). This integrates naturally into CI/CD pipelines -- each push triggers an Inspector scan, and findings are reported to Security Hub and EventBridge for automated response.

Q2. Which compute resources does Amazon Inspector scan for security vulnerabilities?

• EC2 instances, S3 buckets, and RDS databases
• EC2 instances, ECR container images, and Lambda functions
• All AWS services with security configurations
• Only EC2 instances with the Inspector agent installed

Answer: B

Amazon Inspector scans three types of compute resources: EC2 instances (via SSM agent), container images in Amazon ECR (on push), and Lambda functions (on deployment). It does NOT scan S3, RDS, or other non-compute services.

Q3. A company's ML inference Lambda functions use several third-party libraries. How can they automatically detect if any of these libraries have known security vulnerabilities?

• Manually review the CVE database for each library version
• Use Amazon Inspector which automatically scans Lambda function dependencies for known CVEs
• Use Amazon Macie to scan the Lambda code for vulnerabilities
• Use AWS Config to check if Lambda functions are compliant

Answer: B

Amazon Inspector automatically scans Lambda functions when deployed, checking both the function code and package dependencies against the CVE database. When vulnerabilities are found, Inspector generates findings with risk scores sent to Security Hub and EventBridge.

Q4. How does Amazon Inspector prioritize the security findings it generates?

• All findings are treated with equal priority
• Each finding is assigned a risk score for prioritization
• Findings are sorted alphabetically by vulnerability name
• Findings are prioritized by the resource's creation date

Answer: B

Amazon Inspector assigns a risk score to each vulnerability finding, helping security teams prioritize remediation efforts. Higher-risk vulnerabilities with greater potential impact are scored higher, enabling teams to address the most critical issues first.

Q5. What triggers Amazon Inspector to re-scan EC2 instances for vulnerabilities?

• Manual scans must be initiated by administrators
• Scans only occur once when Inspector is first enabled
• Inspector continuously scans and re-scans when the CVE database is updated
• Scans are triggered only when instances are restarted

Answer: C

Amazon Inspector provides continuous, automated scanning of EC2 instances. When the CVE database is updated with newly discovered vulnerabilities, Inspector automatically re-scans resources to detect if they are affected by the new CVEs, without requiring manual intervention.

Q1. A security team suspects that an IAM user is repeatedly attempting to access Amazon Bedrock custom models without proper authorization. Which service can confirm this and provide details of each attempt?

• Amazon Inspector -- to scan the user's workstation for vulnerabilities
• AWS Config -- to check if the user's IAM permissions are compliant
• AWS CloudTrail -- to show all Bedrock API calls made by the user, including denied attempts
• Amazon Macie -- to scan S3 buckets the user accessed

Answer: C

AWS CloudTrail records all API calls to Amazon Bedrock, including calls that were denied by IAM. Each denied attempt creates a CloudTrail event recording the user's identity, the specific API they tried to call, the timestamp, and the denial reason -- providing exactly the evidence needed for this investigation.

Q2. An administrator needs to determine who deleted a SageMaker endpoint yesterday afternoon. Which service provides this information?

• AWS Config -- shows what changed on the endpoint
• AWS CloudTrail -- shows who called the DeleteEndpoint API and when
• Amazon Inspector -- scans for security issues with the endpoint
• AWS Trusted Advisor -- provides recommendations for endpoint configuration

Answer: B

AWS CloudTrail logs all API calls including DeleteEndpoint. The CloudTrail event shows exactly who made the call (IAM user or role identity), when it occurred (timestamp), from where (source IP), and the result. This is the audit trail for all AWS account activity.

Q3. How long does AWS CloudTrail retain management event history in the console by default?

• 30 days
• 90 days
• 365 days
• Events are not retained by default

Answer: B

CloudTrail retains 90 days of management event history in the console at no additional charge. This is automatically enabled for all AWS accounts. For longer retention, you must configure CloudTrail to send logs to an S3 bucket or CloudWatch Logs.

Q4. A company needs to detect when users make unauthorized attempts to invoke Bedrock foundation models. How should they configure monitoring?

• Enable Bedrock model invocation logging to S3
• Analyze CloudTrail logs for denied InvokeModel API calls using CloudWatch or EventBridge
• Use Amazon Macie to detect unauthorized model access
• Configure AWS Config rules to monitor Bedrock access

Answer: B

CloudTrail records all Bedrock API calls including denied requests. By analyzing CloudTrail logs with CloudWatch Logs Insights or configuring EventBridge rules to detect denied InvokeModel events, the company can identify and alert on unauthorized access attempts in near real-time.

Q5. What types of API calls does AWS CloudTrail record?

• Only successful API calls
• Only API calls made through the AWS Console
• Both successful and denied API calls from console, CLI, SDK, and service-to-service
• Only API calls made by IAM users, not roles

Answer: C

CloudTrail records ALL API calls regardless of how they were made (console, CLI, SDK, or service-to-service) and whether they succeeded or were denied. This comprehensive logging enables complete audit trails and security investigation capabilities.

Q1. A healthcare company is deploying an AI-powered clinical documentation tool on AWS and needs to ensure they meet HIPAA requirements. As part of this, they need to sign a Business Associate Addendum with AWS. Where do they access this?

• AWS Audit Manager -- to generate HIPAA compliance evidence
• AWS Artifact Agreements -- to review and accept the HIPAA Business Associate Addendum
• AWS Trusted Advisor -- to get HIPAA compliance recommendations
• AWS Config -- to configure HIPAA compliance rules

Answer: B

AWS Artifact Agreements is where customers access, review, and accept legal agreements with AWS -- including the Business Associate Addendum (BAA) required for HIPAA compliance. The BAA is available for individual accounts or entire organizations.

Q2. An auditor requests AWS's SOC 2 and ISO 27001 compliance certifications to verify the company's cloud security posture. Where can these AWS compliance reports be obtained?

• AWS Artifact Reports -- to download AWS's third-party audit reports
• AWS Audit Manager -- to generate compliance reports
• AWS Security Hub -- to view compliance dashboards
• AWS Trusted Advisor -- to access security recommendations

Answer: A

AWS Artifact Reports provides on-demand access to AWS's compliance documentation produced by third-party auditors, including SOC reports, ISO certifications, PCI DSS compliance reports, and more. These documents can be downloaded and provided to auditors as evidence of AWS's compliance posture.

Q3. What are the two main components of AWS Artifact?

• Artifact Inspector and Artifact Scanner
• Artifact Reports and Artifact Agreements
• Artifact Monitor and Artifact Remediation
• Artifact Audit and Artifact Compliance

Answer: B

AWS Artifact has two components: Reports (download AWS security and compliance reports from third-party auditors) and Agreements (review and accept legal agreements like BAA for HIPAA and GDPR addenda). It's a document portal, not a technical security service.

Q4. A startup using AWS for their GenAI application needs to demonstrate to investors that AWS infrastructure meets PCI DSS requirements. What is the quickest way to obtain this documentation?

• Request a custom audit from AWS support
• Download the PCI DSS compliance report from AWS Artifact
• Generate a PCI compliance assessment using AWS Config
• Review PCI status in AWS Trusted Advisor

Answer: B

AWS Artifact provides immediate, self-service access to AWS's PCI DSS compliance reports. These pre-existing third-party audit reports can be downloaded instantly and shared with investors to demonstrate AWS's compliance with payment card industry standards.

Q5. Which statement about AWS Artifact is correct?

• Artifact automatically monitors and enforces compliance in your AWS account
• Artifact scans your resources for compliance violations
• Artifact is a self-service portal for downloading compliance documents and signing legal agreements
• Artifact generates compliance evidence from your AWS resources

Answer: C

AWS Artifact is a document and agreement management portal -- not a technical security or monitoring service. It provides access to AWS's compliance reports and legal agreements. It does NOT monitor, scan, or enforce compliance in your account.

Q1. A company is preparing for a PCI DSS audit for their AI-powered payment processing application on AWS. They need to automatically collect evidence of their infrastructure configurations across multiple accounts and generate a report ready for external auditors. Which service addresses this?

• AWS Artifact -- to download AWS's PCI DSS compliance report
• AWS Config -- to track configuration changes to payment resources
• AWS Audit Manager -- to continuously collect evidence mapped to PCI DSS controls and generate audit-ready reports
• AWS Trusted Advisor -- to check for PCI DSS best practice violations

Answer: C

AWS Audit Manager is specifically designed to automate evidence collection for compliance framework audits like PCI DSS. It continuously gathers configuration evidence across accounts and generates audit-ready reports with the collected evidence mapped to specific controls -- exactly what external auditors require.

Q2. What is the key difference between AWS Artifact and AWS Audit Manager?

• Artifact is for security; Audit Manager is for compliance
• Artifact downloads AWS's compliance reports; Audit Manager collects YOUR infrastructure's compliance evidence
• Artifact is free; Audit Manager requires payment
• Artifact is for HIPAA; Audit Manager is for GDPR

Answer: B

Artifact provides AWS's pre-existing compliance documentation and legal agreements. Audit Manager collects evidence from YOUR AWS resources and configurations to prepare YOUR organization's audit reports. Both support compliance, but they serve different purposes.

Q3. AWS Trusted Advisor provides recommendations across how many categories?

• 3 categories: Cost, Security, and Performance
• 4 categories: Cost, Security, Reliability, and Compliance
• 6 categories: Cost Optimization, Performance, Security, Fault Tolerance, Service Limits, and Operational Excellence
• 2 categories: Security and Cost

Answer: C

AWS Trusted Advisor analyzes your AWS account and provides recommendations across six categories: Cost Optimization, Performance, Security, Fault Tolerance, Service Limits, and Operational Excellence. Full access to all checks requires Business or Enterprise Support plans.

Q4. A company on the AWS Basic Support plan wants to use Trusted Advisor. Which checks are available to them?

• All Trusted Advisor checks are available on Basic Support
• No Trusted Advisor checks are available on Basic Support
• Core security checks and service limits checks only
• Only cost optimization checks

Answer: C

AWS Basic Support includes access to core Trusted Advisor checks: essential security checks (like S3 bucket permissions and security group open ports) and service limits checks. Full access to all Trusted Advisor checks requires Business or Enterprise Support plans.

Q5. Which statement correctly describes AWS Trusted Advisor?

• Trusted Advisor automatically remediates security issues it finds
• Trusted Advisor provides recommendations but does NOT automatically make changes
• Trusted Advisor is a compliance certification service
• Trusted Advisor scans S3 buckets for sensitive data

Answer: B

AWS Trusted Advisor is an advisory service that analyzes your account and provides recommendations. It does NOT automatically remediate issues or make changes to your resources -- it only advises. You must take action based on its recommendations.

Q1. A company deploys SageMaker training jobs in a private VPC subnet with no internet access. The training jobs need to read large training datasets from Amazon S3. How can this be achieved without routing traffic over the internet?

• Add a NAT Gateway to allow the training jobs to access S3 via the internet
• Move the training jobs to a public subnet so they can access S3 directly
• Create an S3 Gateway VPC Endpoint and configure the route table to route S3 traffic through it
• Use an Internet Gateway in the private subnet to route only S3 traffic

Answer: C

An S3 Gateway VPC Endpoint allows resources in a private subnet to access Amazon S3 directly through the AWS private network, without requiring internet access via NAT or an Internet Gateway. The route table is updated to direct S3-bound traffic through the endpoint, keeping all data transfer within AWS infrastructure.

Q2. A GenAI application in a private VPC subnet needs to invoke Amazon Bedrock models. The security team requires that no traffic leave the AWS network. What should be configured?

• A NAT Gateway in a public subnet to route Bedrock traffic
• A Bedrock VPC Interface Endpoint (PrivateLink) to access Bedrock privately
• An Internet Gateway with security group rules limiting traffic to Bedrock IPs only
• An S3 Gateway Endpoint since Bedrock uses S3 internally

Answer: B

A Bedrock VPC Interface Endpoint (powered by PrivateLink) allows applications in private subnets to invoke Bedrock APIs entirely within the AWS private network. No internet gateway or NAT gateway is needed, and all traffic stays on AWS infrastructure.

Q3. What is the difference between an Internet Gateway and a NAT Gateway?

• Internet Gateway is for public subnets (bidirectional); NAT Gateway is for private subnets (outbound only)
• Internet Gateway is for IPv6; NAT Gateway is for IPv4
• Internet Gateway is free; NAT Gateway is paid
• Internet Gateway is for AWS services; NAT Gateway is for external websites

Answer: A

An Internet Gateway enables bidirectional internet access for resources in public subnets. A NAT Gateway allows resources in private subnets to make outbound internet requests while remaining inaccessible from the internet. NAT Gateway is deployed in a public subnet but serves the private subnet.

Q4. An organization wants to restrict which S3 buckets can be accessed through their S3 VPC Endpoint. How can this be achieved?

• Configure security group rules on the VPC endpoint
• Attach an endpoint policy to the VPC endpoint specifying allowed buckets
• Use S3 bucket policies only -- VPC endpoints cannot be restricted
• Create separate VPC endpoints for each bucket

Answer: B

VPC Endpoint policies are IAM-based policies attached to VPC endpoints that restrict which principals can use the endpoint and which resources they can access through it. By specifying allowed S3 buckets in the endpoint policy, you limit access to only approved buckets.

Q5. Which type of VPC endpoint is used to access Amazon S3 and DynamoDB?

• Interface Endpoint (creates an ENI in your subnet)
• Gateway Endpoint (configured at the route table level)
• PrivateLink Endpoint (creates a private DNS entry)
• Direct Connect Endpoint (uses dedicated network connection)

Answer: B

S3 and DynamoDB use Gateway Endpoints, which are free and configured at the route table level. Most other AWS services (including Bedrock and SageMaker) use Interface Endpoints, which create elastic network interfaces (ENIs) in your subnet and use PrivateLink.

Q1. A company's security team receives an alert that an IAM user repeatedly attempted to list all custom Bedrock models but was denied each time. Which combination of services captured this activity and sent the alert?

• AWS Config captured the denied API calls; SNS sent the alert
• AWS CloudTrail captured all denied Bedrock API calls; EventBridge or CloudWatch triggered the alert
• Amazon Inspector detected the unauthorized access pattern; Security Hub raised the alert
• Amazon Macie detected the unauthorized user; Trusted Advisor raised the alert

Answer: B

AWS CloudTrail logs ALL API calls to Amazon Bedrock -- including those that are denied by IAM. Each denied attempt creates a CloudTrail event. CloudWatch or EventBridge rules can be configured to detect denied Bedrock API calls and trigger alerts automatically.

Q2. A GenAI application is deployed in a private VPC subnet with no internet access. The application needs to invoke Amazon Bedrock foundation models. Which AWS networking feature enables this?

• Internet Gateway -- to allow outbound calls from the private subnet to Bedrock
• NAT Gateway -- to route Bedrock API calls through a public subnet
• Amazon Bedrock VPC Interface Endpoint (PrivateLink) -- to access Bedrock privately without internet traffic
• S3 Gateway Endpoint -- to route Bedrock API calls through the S3 network path

Answer: C

A Bedrock VPC Interface Endpoint (powered by PrivateLink) allows applications in private subnets to invoke Bedrock APIs entirely within the AWS private network -- no internet gateway or NAT gateway needed. All traffic between the application and Bedrock stays on AWS infrastructure.

Q3. A SageMaker endpoint needs to read model artifacts from an encrypted S3 bucket and call Bedrock for additional processing. What IAM configuration is required?

• Create an IAM user with S3 and Bedrock credentials embedded in the endpoint configuration
• Create an IAM role with S3 read, KMS decrypt, and Bedrock invoke permissions and assign it to the SageMaker endpoint
• Use the default SageMaker permissions which include all AWS service access
• Create separate roles for S3 access and Bedrock access

Answer: B

SageMaker endpoints require an IAM role that defines their permissions to access other AWS services. The role should include S3 GetObject permission, KMS Decrypt permission for the encrypted bucket, and Bedrock InvokeModel permission. IAM roles are always used for service-to-service permissions.

Q4. If an exam question asks 'How do you detect PII in S3 training data?', which service is the answer?

• Amazon Comprehend
• Amazon Macie
• AWS Config
• Amazon Inspector

Answer: B

Amazon Macie is the service specifically designed to scan S3 buckets and detect PII using machine learning. While Comprehend can detect PII in text input, Macie is the answer when the question specifically mentions S3 data or training datasets stored in buckets.

Q5. Which keyword mapping is CORRECT for AWS security services?

• 'Who made this API call?' -> AWS Config
• 'Software vulnerability in Lambda' -> Amazon Macie
• 'Download AWS SOC report' -> AWS Artifact
• 'PII in S3 bucket' -> Amazon Inspector

Answer: C

AWS Artifact is where you download AWS's compliance reports (SOC, ISO, PCI). The correct mappings are: 'Who made this API call?' -> CloudTrail, 'Software vulnerability in Lambda' -> Inspector, 'PII in S3 bucket' -> Macie.