AIP-C01 · Question #70
AIP-C01 Question #70: Real Exam Question with Answer & Explanation
Question
A company is creating a generative AI (GenAI) application that uses Amazon Bedrock foundation models (FMs). The application must use Microsoft Entra ID to authenticate. All FM API calls must stay on private network paths. Access to the application must be limited by department to specific model families. The company also needs a comprehensive audit trail of model interactions. Which solution will meet these requirements?
Options
- A. Configure SAML federation between Microsoft Entra ID and AWS Identity and Access
- B. Create an identity provider (IdP) connection in IAM to authenticate by using Microsoft Entra ID.
- C. Create a SAML identity provider (IdP) in IAM to authenticate by using Microsoft Entra ID. Use IAM
- D. Configure OpenID Connect (OIDC) federation between Microsoft Entra ID and IAM. Use attribute-
Explanation
Option A is the correct solution because it satisfies authentication, private connectivity, fine-grained authorization, and auditing using AWS-recommended patterns. SAML federation between Microsoft Entra ID and IAM is a mature, well-supported integration that enables centralized enterprise authentication. Department-specific IAM roles allow precise control over which Bedrock ModelId values each department can invoke, enforcing access by model family. Using AWS PrivateLink interface VPC endpoints for the Amazon Bedrock runtime service ensures that all inference traffic stays on private AWS network paths, with no public internet exposure. NAT gateways and public endpoints, as used in the other options, violate this requirement. AWS CloudTrail provides authoritative audit logs of all Bedrock API calls, which is required for compliance. Amazon Bedrock model invocation logging complements CloudTrail by capturing detailed prompt and response metadata for deeper auditing and investigation.
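The role documents that the explanation describes, as an added example that is not part of the exam page: a SAML trust policy for the Entra ID provider and a department permissions policy that allows invoking only one Bedrock model family, and only through the private interface endpoint. The account ID, provider name, VPC endpoint ID and model family prefix are placeholder assumptions, and the local `is_allowed` check is a deliberately simplified evaluator, not IAM itself.

```python
"""Department-scoped Bedrock access: SAML trust policy + model-family permissions policy.
Added example; account, provider, endpoint and model identifiers are assumptions."""
import fnmatch
import json
from typing import Optional

ACCOUNT = "123456789012"  # placeholder account ID (assumption)
REGION = "us-east-1"  # assumption
SAML_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/EntraID"  # assumed provider name
BEDROCK_VPCE = "vpce-0123456789abcdef0"  # assumed bedrock-runtime interface endpoint ID


def trust_policy() -> dict:
    """Trust policy: only SAML assertions from the Entra ID provider may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAML_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }]}


def department_policy(model_family_prefix: str) -> dict:
    """Permissions policy: invoke one model family only, and only via the private endpoint."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "InvokeOwnModelFamilyPrivately",
        "Effect": "Allow",
        "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
        "Resource": f"arn:aws:bedrock:{REGION}::foundation-model/{model_family_prefix}*",
        "Condition": {"StringEquals": {"aws:SourceVpce": BEDROCK_VPCE}},
    }]}


def is_allowed(policy: dict, action: str, model_arn: str, source_vpce: Optional[str]) -> bool:
    """Simplified local check: Allow statements only, wildcard match on Resource,
    StringEquals on aws:SourceVpce. Use the IAM policy simulator for real decisions."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not fnmatch.fnmatchcase(model_arn, stmt["Resource"]):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceVpce")
        if wanted is not None and source_vpce != wanted:
            continue  # request did not arrive through the private endpoint
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(department_policy("anthropic.claude-"), indent=2))
```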