Exam AIP-C01 Topic 2 Question 3 Discussion

Actual exam question for Amazon's AIP-C01 exam
Question #: 3
Topic #: 2

A company is building a video analysis platform on AWS. The platform will analyze a large video archive by using Amazon Rekognition and Amazon Bedrock. The platform must comply with predefined privacy standards. The platform must also use secure model I/O, control foundation model (FM) access patterns, and provide an audit of who accessed what and when.
Which solution will meet these requirements?

A. Configure VPC endpoints for Amazon Bedrock model API calls. Implement Amazon Bedrock guardrails to filter harmful or unauthorized content in prompts and responses. Use Amazon Bedrock trace events to track all agent and model invocations for auditing purposes. Export the traces to Amazon CloudWatch Logs as an audit record of model usage. Store all prompts and outputs in Amazon S3 with server-side encryption with AWS KMS keys (SSE-KMS). B. Define access control by using IAM with attribute-based access control (ABAC) to map departments to specific permissions. Configure VPC endpoints for Amazon Bedrock model API calls. Use IAM condition keys to enforce specific GuardrailIdentifier and ModelId values. Configure AWS CloudTrail to capture management and data events for S3 objects and KMS key usage activities. Enable S3 server access logging to record detailed file-level interactions with the video archives. Send all CloudTrail logs to AWS CloudTrail Lake. Set up Amazon CloudWatch alarms to detect and alert on unexpected activity from Amazon Bedrock, Amazon Rekognition, and AWS KMS. C. Restrict access to services by using VPC endpoint policies. Use AWS Config to track resource changes and compliance with security rules. Use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt data at rest. Store the model's I/O in separate Amazon S3 buckets. Enable S3 server access logging to track file-level interactions. D. Configure AWS CloudTrail Insights to analyze API call patterns across accounts and detect anomalous activity in Amazon Bedrock, Amazon Rekognition, Amazon S3, and AWS KMS. Deploy Amazon Macie to scan and classify the video archive. Use server-side encryption with AWS KMS keys (SSE- KMS) to encrypt all stored data. Configure CloudTrail to capture KMS API usage events for audit purposes. Configure Amazon EventBridge rules to process CloudTrail Insights anomalies and Macie findings. Use CloudWatch alarms to trigger automated notifications and security responses when potential security issues are detected.

Suggested Answer: B Vote an answer

Option B is the correct solution because it delivers end-to-end governance, security, and auditability across Amazon Bedrock, Amazon Rekognition, and the underlying data layer while meeting strict privacy and compliance requirements.
Using IAM attribute-based access control (ABAC) allows the company to control access to foundation models and data based on department, role, or workload attributes rather than static permissions. This is critical for controlling FM access patterns at scale. Enforcing specific ModelId and GuardrailIdentifier values with IAM condition keys ensures that only approved models and guardrails are used, which directly supports secure model I/O and governance requirements.
Configuring VPC endpoints for Amazon Bedrock ensures that all model invocations remain on private AWS network paths, reducing data exfiltration risk and supporting privacy standards. AWS CloudTrail captures both management and data events, providing a definitive audit trail of who accessed which resources and when. Sending logs to CloudTrail Lake enables centralized, long-term, queryable auditing across services.
Amazon S3 server access logging adds file-level visibility into video archive access, which is essential for compliance and forensic analysis. Amazon CloudWatch alarms provide near real-time detection of anomalous or unauthorized activity across Amazon Bedrock, Amazon Rekognition, and AWS KMS.
Option A focuses primarily on model-level tracing but lacks comprehensive IAM governance and S3 access auditing. Option C provides partial controls but lacks identity-aware auditing and model governance. Option D focuses on anomaly detection and classification but does not explicitly control FM access patterns.
Therefore, Option B best satisfies all stated requirements in a unified, auditable, and security-first architecture.

by Laura at Apr 14, 2026, 04:16 AM

Limited Time Offer

15%

Off

Get Premium AIP-C01 Questions as Interactive Self Test Engine or PDF

Comments

Here are all the actual test exam dumps for IT exams. Most people prepare for the actual exams with our test dumps to pass their exams. So it's critical to choose and actual test pdf to succeed.

RECENT DISCUSSIONS

Useful Links

Contact Us

Our Working Time: ( GMT 0:00-15:00 )
From Monday to Saturday

Support: Contact now

If you have any question please leave me your email address, we will reply and send email to you in 12 hours.

Disclaimer:
Actual4test doesn't offer Real SANS and GIAC Exam Questions.
Oracle and Java are registered trademarks of Oracle and/or its affiliates
Actual4test material do not contain actual actual Oracle Exam Questions or material.
Actual4test doesn't offer Real Microsoft Exam Questions.
Microsoft®, Azure®, Windows®, Windows Vista®, and the Windows logo are registered trademarks of Microsoft Corporation
Actual4test Materials do not contain actual questions and answers from Cisco's Certification Exams. The brand Cisco is a registered trademark of CISCO, Inc
CFA Institute does not endorse, promote or warrant the accuracy or quality of these questions. CFA® and Chartered Financial Analyst® are registered trademarks owned by CFA Institute.
Actual4test does not offer exam dumps or questions from actual exams. We offer learning material and practice tests created by subject matter experts to assist and help learners prepare for those exams. All certification brands used on the website are owned by the respective brand owners. Actual4test does not own or claim any ownership on any of the brands.