← Back to CertificationsDomain 5 · 14% of exam
Security, Compliance, and Governance for AI Solutions
Applying classic AWS security thinking — IAM, encryption, audit logs — to AI workloads, plus AI-specific patterns like the Scoping Matrix and the shared responsibility model for generative AI.
Task statements: 5.1, 5.2Estimated questions: ~7 of 50 scored
Updated May 21, 2026
The Big Picture
This domain is about applying classic AWS security thinking — IAM, encryption, audit logs — to AI workloads, plus AI-specific patterns like the Scoping Matrix and the shared responsibility model for generative AI. If you have an old AWS CCP, much of this is recall. The new pieces are the GenAI-specific bits.
Three buckets to study
- Securing AI systems — encryption, IAM, network isolation, monitoring
- Shared responsibility for AI — what AWS does vs. what you do
- Governance and compliance — auditing, the Scoping Matrix, frameworks
Task 5.1 — Methods to Secure AI Systems
▶5.1.1 IAM, KMS, and the basics (don't lose easy points)
| Service | What it does | AI-specific use |
|---|---|---|
| AWS IAM | Identity and access management — who can do what | Control who can call Bedrock InvokeModel, who can fine-tune, etc. |
| AWS KMS | Managed encryption keys | Encrypt training data in S3, model artifacts, Bedrock customizations |
| AWS Secrets Manager | Store and rotate secrets / credentials | API keys for external tools used by agents |
| Amazon Macie | Discovers and classifies sensitive data (PII) in S3 | Find PII in data lakes used for training |
| Amazon Inspector | Vulnerability scanning for EC2 / Lambda / containers | Scan ML training environments |
| AWS PrivateLink | Private connectivity to AWS services without internet | Reach Bedrock / SageMaker over private network |
| AWS WAF / Shield | Web app firewall / DDoS protection | Protect public AI endpoints |
| VPC + Security Groups | Network isolation | Run SageMaker endpoints in private VPC |
IAM principle of least privilege — always the right answer
When a question asks "what's the most secure way to grant access" — the answer is almost always fine-grained IAM policies / least privilege, not "give admin." This is the single most reliable trap-question heuristic on AWS exams.
KMS vs. Secrets Manager
KMS stores encryption keys. Secrets Manager stores secrets(API keys, DB passwords) and rotates them. They're different. Don't pick KMS to store an API key.
Macie is S3-only PII discovery
Macie crawls S3, identifies PII, alerts you. It does not scan EC2 file systems or RDS. If a question asks about finding PII in S3 datasets — Macie. If a question asks about redacting PII from FM responses in real time — Bedrock Guardrails (sensitive information filter).
▶5.1.2 Encryption everywhere
- Encryption at rest — data sitting in storage (S3, EBS, RDS) encrypted with KMS
- Encryption in transit — TLS for all API calls and data movement
- Encryption in use — Nitro Enclaves for sensitive computation (rarely tested at AIF-C01 depth)
AWS Bedrock data protection
By default, your prompts and completions on Bedrock are not used to train AWS or third-party FMsand are not shared with model providers. Data stays within your AWS account. This is the textbook "why AWS for GenAI" answer.
▶5.1.3 Network and access controls for AI
- VPC endpoints / PrivateLink — keep Bedrock and SageMaker traffic off the internet
- SageMaker Studio in VPC mode — no public internet access from notebooks
- Bedrock-specific IAM actions —
bedrock:InvokeModel,bedrock:CreateAgent, etc. — scope by model ARN - Resource policies — restrict who can use a Knowledge Base or Guardrail
- Service Control Policies (SCPs) — org-wide restrictions in AWS Organizations (e.g., disallow Bedrock outside specific regions)
▶5.1.4 Securing FM and agent workflows specifically (v1.1 expansion)
- Bedrock Guardrails — input/output filtering, denied topics, PII redaction
- AgentCore Identity — per-agent identity and credential management for tool calls
- AgentCore Policy — define what an agent is allowed to do
- Audit trail — CloudTrail logs every Bedrock and SageMaker API call
- Output filtering — Guardrails before returning to user
- Data leakage prevention — never put secrets in prompts; isolate untrusted inputs from instructions
Prompt injection mitigations — testable
Right answers: Bedrock Guardrails, separating instructions from user data, validating retrieved RAG content, scoping agent permissions tightly, output validation. Wrong answers: "tell the model to ignore overrides" (doesn't reliably work), "use a longer prompt" (irrelevant).
▶5.1.5 Hallucination detection and grounding (v1.1)
- RAG with citations — model must cite which document supports its claim
- Bedrock Guardrails contextual grounding check — flags responses not grounded in source material
- Confidence scoring — measure how confident the model is
- Human-in-the-loop validation (A2I) for high-stakes outputs
- LLM-as-a-judge evaluation of factual accuracy
"Detect and mitigate hallucinations" question pattern
Top answers: Bedrock Guardrails contextual grounding, RAG with verified sources, A2Ifor human review, output validation. Wrong: "increase model size" or "lower temperature alone."
Task 5.2 — Governance and Compliance for AI Solutions
▶5.2.1 The Generative AI Security Scoping Matrix (memorize the 5 scopes)
This is AWS's framework for thinking about who's responsible for what in a GenAI deployment. Direct exam question material.
| Scope | What it is | Example | Your responsibility |
|---|---|---|---|
| Scope 1 — Consumer App | Using a public consumer AI service | ChatGPT.com, Bard | Limited control. Mostly: don't put company data in. |
| Scope 2 — Enterprise App | Using a third-party enterprise AI app under contract | An enterprise SaaS that uses LLMs | Vendor due diligence, data agreements |
| Scope 3 — Pre-trained Models | Using pre-trained FMs via API | Bedrock InvokeModel, OpenAI API direct | Prompt design, data going in/out, IAM, guardrails |
| Scope 4 — Fine-tuned Models | You fine-tune an FM on your data | Bedrock custom model, fine-tuned Llama | All of Scope 3 + securing your training data + model artifact |
| Scope 5 — Self-trained Models | You pre-train an FM from scratch | Custom LLM trained on AWS | Maximum responsibility — data, training, hosting, evaluation, governance |
Pattern: as scope number increases, your responsibility increases
Scope 1 = least control, least responsibility. Scope 5 = full control, full responsibility. The AWS shared responsibility model for AI maps onto these scopes.
"Bedrock + your data, no fine-tuning" = Scope 3
Plain Bedrock API use (with or without RAG) is Scope 3. As soon as you fine-tune, it's Scope 4. As soon as you pre-train your own, it's Scope 5. Even RAG with sensitive private data → still Scope 3 because the model itself is unchanged.
▶5.2.2 Shared responsibility model for AI/ML
| AWS responsibility (security of the cloud) | Customer responsibility (security in the cloud) |
|---|---|
| Physical infrastructure | Your data and content |
| Hardware (GPUs, servers) | IAM users, roles, policies |
| Networking foundation | Network configuration (VPC, security groups) |
| Managed service availability | Encryption choices and key management |
| Provider model security (for Bedrock-hosted models) | Prompt design, guardrails, output filtering |
| Service patching for managed services | App-level monitoring and incident response |
Heuristic
AWS handles infrastructure and the model service itself. Youhandle: your data, who can access it, how it's encrypted, what prompts/guardrails are used, and what the AI does in your application.
▶5.2.3 Audit, governance, and compliance services
| Service | What it does | AI-specific use |
|---|---|---|
| AWS CloudTrail | Logs all AWS API calls | Audit trail for Bedrock InvokeModel, model fine-tunes, etc. |
| Amazon CloudWatch | Logs and metrics | Monitor latency, errors, token usage |
| AWS Config | Tracks resource configuration changes | Detect unintended changes to ML infra |
| AWS Audit Manager | Continuous compliance assessment against frameworks | Map AI workload to compliance frameworks |
| AWS Artifact | Self-service compliance reports (SOC, ISO, PCI) | Provide compliance evidence to auditors |
| AWS Trusted Advisor | Checks for best practices in cost, security, performance | Spot risky configs in your account |
| AWS Well-Architected Tool (with ML Lens) | Review workload against AWS best practices | ML Lens specifically covers ML workloads |
CloudTrail vs. CloudWatch (always confused)
CloudTrail = "who did what API call." Audit log of actions.
CloudWatch= "metrics and logs from running applications." Operational telemetry.
Both produce logs, but they answer different questions.
CloudWatch= "metrics and logs from running applications." Operational telemetry.
Both produce logs, but they answer different questions.
▶5.2.4 Data governance for AI
- Data classification — tag data by sensitivity (public, internal, confidential, restricted)
- Data lineage — track where training data came from and how it was transformed
- Data retention — how long do you keep training data? Logs?
- Right to deletion — GDPR-style requests; harder for trained models (you may need retraining)
- Data minimization — only collect / use the data you need
- Data residency — where data physically lives; controlled by AWS region choice
▶5.2.5 Compliance frameworks relevant to AI
- GDPR (EU) — privacy, right to deletion, data subject rights
- HIPAA (US healthcare) — PHI protection
- SOC 1/2/3 — service organization controls
- ISO 27001 / 27017 / 27018 / 42001 — info security and AI management standards
- PCI DSS — payment card data
- NIST AI Risk Management Framework — US standard for AI risk
- EU AI Act — risk-tiered AI regulation in the EU
You don't need to memorize every framework's clauses
The exam tests recognition: which framework applies to which scenario. PHI → HIPAA. EU citizens → GDPR. Card data → PCI. AI risk management → NIST AI RMF or ISO 42001.
▶5.2.6 Well-Architected Machine Learning Lens (high yield)
AWS's framework for designing ML workloads correctly. Six pillars (the Well-Architected ones, applied to ML):
- Operational excellence
- Security
- Reliability
- Performance efficiency
- Cost optimization
- Sustainability
When the question mentions "best practices for designing an ML workload on AWS"
Answer: AWS Well-Architected Framework with the ML Lens. Reviewed using the Well-Architected Tool.
Cross-cutting: Quick Service Mapping
| You want to… | Use… |
|---|---|
| Control who can call Bedrock InvokeModel | IAM |
| Encrypt training data in S3 | KMS |
| Find PII in your S3 data lake | Macie |
| Redact PII from model responses | Bedrock Guardrails (sensitive info filter) |
| Audit who called Bedrock APIs | CloudTrail |
| Monitor token usage / latency | CloudWatch |
| Reach Bedrock from a private VPC | PrivateLink / VPC endpoints |
| Store an API key for an agent's tool | Secrets Manager |
| Continuous compliance monitoring | Audit Manager / AWS Config |
| Get SOC 2 / ISO compliance reports | AWS Artifact |
| Assess workload against best practices | Well-Architected Tool (ML Lens) |
| Decide your responsibility level for a GenAI app | GenAI Security Scoping Matrix |
Self-Quiz
Question 1
A team is using Bedrock to power a customer-facing chatbot, calling pre-trained foundation models without fine-tuning. According to the Generative AI Security Scoping Matrix, this is which scope?
- A. Scope 1 — Consumer App
- B. Scope 2 — Enterprise App
- C. Scope 3 — Pre-trained Models
- D. Scope 5 — Self-trained Models
Question 2
A compliance officer needs evidence of every Bedrock InvokeModel call made by a service team in the last 30 days. Which AWS service should they consult?
- A. Amazon CloudWatch
- B. AWS CloudTrail
- C. AWS Config
- D. AWS Trusted Advisor
Question 3
A data team needs to discover and classify personally identifiable information (PII) sitting in S3 buckets used to train ML models. Which service is purpose-built for this?
- A. Amazon Macie
- B. AWS KMS
- C. Amazon Inspector
- D. Bedrock Guardrails
Question 4
Which combination correctly aligns with the AWS shared responsibility model for AI?
- A. AWS secures customer data; customer secures hardware
- B. AWS secures the underlying infrastructure and managed services; customer secures their data, IAM, and prompt/guardrail design
- C. AWS handles all model bias issues
- D. Customer is responsible for the underlying GPU hardware
Question 5
An agent built on Bedrock needs to call an external API. Where should the API credentials be stored?
- A. Hard-coded in the agent's prompt
- B. AWS Secrets Manager, retrieved by the agent at runtime
- C. Plain text in S3
- D. CloudWatch Logs
Question 6
A bank wants to ensure the FM-powered service it builds aligns with industry best practices for ML workloads on AWS. Which framework should they apply?
- A. AWS Trusted Advisor only
- B. AWS Well-Architected Framework with the Machine Learning Lens
- C. Amazon Macie
- D. AWS CloudTrail
Question 7
A team fine-tunes a foundation model on Bedrock using their proprietary product manuals. According to the Scoping Matrix, this is now which scope?
- A. Scope 2
- B. Scope 3
- C. Scope 4 — Fine-tuned Models
- D. Scope 5 — Self-trained Models