Exam AIP-C01 Topic 2 Question 65 Discussion

Actual exam question for Amazon's AIP-C01 exam
Question #: 65
Topic #: 2

A company runs a generative AI (GenAI)-powered summarization application in an application AWS account that uses Amazon Bedrock. The application architecture includes an Amazon API Gateway REST API that forwards requests to AWS Lambda functions that are attached to private VPC subnets. The application summarizes sensitive customer records that the company stores in a governed data lake in a centralized data storage account. The company has enabled Amazon S3, Amazon Athena, and AWS Glue in the data storage account.
The company must ensure that calls that the application makes to Amazon Bedrock use only private connectivity between the company's application VPC and Amazon Bedrock. The company's data lake must provide fine-grained column-level access across the company's AWS accounts.
Which solution will meet these requirements?

A. In the application account, create interface VPC endpoints for Amazon Bedrock runtimes. Run Lambda functions in private subnets. Use IAM conditions on inference and data-plane policies to allow calls only to approved endpoints and roles. In the data storage account, use AWS Lake Formation LF-tag- based access control to create table-level and column-level cross-account grants. B. Run Lambda functions in private subnets. Configure a NAT gateway to provide access to Amazon Bedrock and the data lake. Use S3 bucket policies and ACLs to manage permissions. Export AWS CloudTrail logs to Amazon S3 to perform weekly reviews. C. Create a gateway endpoint only for Amazon S3 in the application account. Invoke Amazon Bedrock through public endpoints. Use database-level grants in AWS Lake Formation to manage data access.
Stream AWS CloudTrail logs to Amazon CloudWatch Logs. Do not set up metric filters or alarms. D. Use VPC endpoints to provide access to Amazon Bedrock and Amazon S3 in the application account.Use only IAM path-based policies to manage data lake access. Send AWS CloudTrail logs to Amazon CloudWatch Logs. Periodically create dashboards and allow public fallback for cross-Region reads to reduce setup time.

Suggested Answer: B Vote an answer

The first option labeled B is the correct solution because it fully satisfies both private connectivity and fine- grained cross-account data governance requirements using AWS-native services.
Creating interface VPC endpoints for Amazon Bedrock runtimes ensures that all inference calls remain on the AWS private network and never traverse the public internet. Running AWS Lambda functions in private subnets enforces network isolation, and using IAM conditions that restrict access to specific VPC endpoints and roles prevents unauthorized inference calls.
For the governed data lake, AWS Lake Formation LF-tag-based access control is the recommended AWS mechanism for enforcing cross-account, column-level permissions. LF-tags allow the company to define data access policies once and apply them consistently across accounts, databases, tables, and even individual columns. This is required for sensitive customer records and is not achievable with S3 bucket policies or IAM alone.
The second option labeled B uses a NAT gateway, which violates the private connectivity requirement.
Option C uses public Bedrock endpoints and only database-level grants, which are insufficient. Option D relies on IAM path-based policies, which cannot enforce column-level access and introduces public fallback paths.
Therefore, the first option labeled B is the only solution that meets all networking, security, and data governance requirements.

by Adolph at Feb 10, 2026, 01:26 PM

Limited Time Offer

15%

Off

Get Premium AIP-C01 Questions as Interactive Self Test Engine or PDF

Comments

0 Satisfied Customers

0 Shares

0 Demo Downloads

10 Years in Business