AIP-C01 Question #69: Real Exam Question with Answer & Explanation

Question

Company configures a landing zone in AWS Control Tower. The company handles sensitive data that must remain within the European Union. The company must use only the eu-central-1 Region. The company uses Service Control Policies (SCPs) to enforce data residency policies. GenAI developers at the company are assigned IAM roles that have full permissions for Amazon Bedrock. The company must ensure that GenAI developers can use the Amazon Nova Pro model through Amazon Bedrock only by using cross-Region inference (CRI) and only in eu-central-1. The company enables model access for the GenAI developer IAM roles in Amazon Bedrock. However, when a GenAI developer attempts to invoke the model through the Amazon Bedrock Chat/Text playground, the GenAI developer receives the following error: User arn:aws:sts:123456789012:assumed-role/AssumedDevRole/DevUserName Action: bedrock:InvokeModelWithResponseStream On resource(s): arn:aws:bedrock:eu-west-3::foundation- model/amazon.nova-pro-v1:0 Context: a service control policy explicitly denies the action The company needs a solution to resolve the error. The solution must retain the company's existing governance controls and must provide precise access control. The solution must comply with the company's existing data residency policies. Which combination of solutions will meet these requirements? (Select TWO.)

Options

• AAdd an AdministratorAccess policy to the GenAI developer IAM role
• BExtend the existing SCPs to enable CRI for the eu.amazon.nova-pro-v1:0 inference profile
• CEnable Amazon Bedrock model access for Amazon Nova Pro in the eu-west-3 Region
• DValidate that the GenAI developer IAM roles have permissions to invoke Amazon Nova Pro
• EExtend the existing SCP to enable CRI for the eu-* inference profile