Security, Compliance, and Governance for AI Solutions
Drill 20 practice questions focused entirely on Security, Compliance, and Governance for AI Solutions for the AWS AIF-C01 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A financial services company is deploying a generative AI application on AWS and must provide its external auditors with formal documentation proving that the AWS services it uses meet SOC 2 and ISO 27001 compliance standards. Which AWS service should the team use to obtain these official third-party compliance reports and audit artifacts?
A financial services company uses Amazon Bedrock foundation models for a customer-facing assistant. To satisfy an internal audit requirement, the compliance team needs to capture the full prompts submitted to the model and the complete model responses so they can be reviewed later for inappropriate content and retained in a company data store. Which approach BEST meets this requirement?
A financial services company uses Amazon Bedrock for a customer-facing assistant. To meet regulatory requirements, the compliance team must maintain a tamper-evident record of who invoked which foundation model, when, and from which account, so auditors can review this activity months later. Which AWS service should the team use to capture this audit trail of API activity?
A financial services company runs a fraud-detection model on a real-time SageMaker endpoint. The security team needs to be alerted automatically when the endpoint experiences an unusual spike in invocation errors or latency, which could indicate a denial-of-service attempt or a malfunctioning model. They want a native AWS solution that requires no custom polling code. Which approach best meets this requirement?
A financial services company has a central ML platform team in one AWS account that trains and approves models, and several business-unit teams in separate AWS accounts that deploy those models. Compliance requires that only approved model versions be deployable, that model metadata and approval status be centrally tracked, and that teams cannot deploy unapproved models. Which approach best meets these governance requirements?
A European financial services company must comply with regulations requiring that all customer data and model inference processing remain within the EU. The compliance team asks how they should configure their Amazon Bedrock usage to meet this data residency requirement. What is the most appropriate action?
A consumer-facing company operates in a region where privacy regulations grant customers the 'right to be forgotten.' A customer has formally requested that all of their personal data be deleted, including any data used to train the company's machine learning models. The compliance team asks the ML team how to best respond to this request for data used in model training. What is the most appropriate action?
A healthcare company sends patient data to a SageMaker real-time inference endpoint for diagnosis predictions. A compliance auditor requires that the patient data be protected while it travels over the network between the client application and the endpoint. Which measure directly addresses this requirement?
A healthcare company stores patient datasets in an Amazon S3 bucket that will be used to train an Amazon SageMaker model. Compliance auditors require that the training data be encrypted at rest using keys the company can manage, rotate, and audit. Which approach meets this requirement with the least operational overhead?
A financial services company runs a generative AI application on Amazon Bedrock. The security team requires that a specific application role be allowed to invoke only one approved foundation model, and be explicitly prevented from calling any other model or from creating fine-tuning jobs. Which approach best enforces this requirement?
A healthcare company runs an on-premises data processing application that needs to call Amazon SageMaker inference endpoints in AWS. The security team requires that no long-term AWS access keys be stored on the on-premises servers, and that all access use temporary credentials tied to the servers' existing X.509 certificates issued by the company's private certificate authority. Which approach best meets these requirements?
A financial services company is preparing a large dataset stored in Amazon S3 to fine-tune a foundation model. Before training begins, the compliance team requires automated discovery of any personally identifiable information (PII), such as credit card numbers and Social Security numbers, that may exist in the raw data so it can be reviewed and redacted. Which AWS service best meets this requirement?
A healthcare company stores sensitive patient records in an Amazon S3 bucket that will be used as a training dataset for a SageMaker model. The security team requires that only a specific SageMaker execution role can read the training data, and all access attempts must be logged for compliance audits. Which combination of controls BEST meets these requirements?
A data science team at an insurance company builds many ML models that all rely on the same customer risk attributes (age band, claim history score, region code). Auditors require the company to prove which exact feature values were used to train each model version and to guarantee that training and real-time inference use identical feature definitions. Which AWS service best addresses both the reuse and the lineage/consistency requirements?
A financial services company must comply with an internal governance policy that requires documented records of each ML model's intended use, training datasets, evaluation results, and approval status. Auditors need a centralized, standardized place to review this information for every model before it is promoted to production. Which AWS capability best satisfies this requirement?
A financial services company deployed a credit-risk ML model to a SageMaker real-time endpoint six months ago. Compliance auditors now require automated, ongoing detection of when the statistical properties of the live inference data diverge from the data the model was trained on, so the team can be alerted and retrain before predictions degrade. Which AWS capability best meets this governance requirement?
A financial services company must ensure that every machine learning model is formally reviewed and approved by a compliance officer before it can be deployed to production. They need a way to catalog model versions, track their approval status, and prevent unapproved versions from being promoted. Which AWS capability best supports this governance requirement?
A financial services company runs multiple machine learning teams on Amazon SageMaker. The security team requires that each team's data scientists can only launch training jobs and access specific S3 buckets tied to their project, without granting broad access to all SageMaker resources or unrelated data. A compliance auditor also needs to verify exactly what each role is permitted to do. Which approach best meets these requirements?
A healthcare company trains an ML model in Amazon SageMaker using sensitive patient data stored in Amazon S3. The security team requires that the training containers have no ability to make outbound calls to the public internet, ensuring the training code cannot exfiltrate data to external endpoints. Which SageMaker configuration best meets this requirement?
A data science team is building an application that calls a third-party foundation model API from within an AWS Lambda function. The API requires a secret key for authentication. The team currently hardcodes the key in the Lambda environment variables, but the security team flagged this as a risk and requires automatic rotation and encrypted storage of the credential. Which AWS service should the team use to address this requirement?
More AIF-C01 practice
Keep going with the other AWS Certified AI Practitioner domains, or take a full timed mock exam.
← Back to AIF-C01 overview