Practice AIF-C01 Security, Compliance, and Governance for AI Solutions questions with full explanations on every answer.
Start practicing
Security, Compliance, and Governance for AI Solutions — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A company uses Amazon SageMaker to train sensitive ML models. Which AWS service should they use to encrypt the training data and model artifacts at rest?
2A data scientist needs to allow a foundation model in Amazon Bedrock to access a specific S3 bucket containing reference documents. The bucket is in a different AWS account. What is the MOST secure way to grant access?
3A company uses Bedrock Guardrails to filter harmful content in a generative AI application. They need to prevent the model from discussing proprietary internal projects. Which Guardrail component should be configured?
4A financial services firm needs to ensure that all calls to Amazon Bedrock APIs are logged for audit purposes. Which AWS service should they enable to capture API calls?
5A company wants to detect sensitive data such as PII in their training datasets stored in S3 before using them for model training. Which AWS service should they use?
6A company uses SageMaker Clarify to detect bias in a deployed model. The monitoring must run automatically on a schedule. Which SageMaker feature should they use?
7An organization uses AWS Lake Formation to govern a data lake used for SageMaker training. They need to enforce row-level security so that different teams only see data relevant to their projects. Which Lake Formation feature should they use?
8A company wants to use Amazon Bedrock to generate responses grounded in their proprietary knowledge base. They need to minimize hallucinations and ensure responses are based on the provided documents. Which feature should they enable?
9A data scientist needs to restrict access to a SageMaker notebook instance to only the corporate network. Which configuration should they use?
10A company needs to ensure that model inference endpoints in SageMaker are only accessible from a private subnet in their VPC, and no traffic goes over the public internet. Which network configuration should they use?
11A company using Amazon Bedrock needs to redact personally identifiable information (PII) from user inputs before sending them to the foundation model. Which Bedrock Guardrails component should be configured?
12A company wants to use a third-party foundation model in Bedrock and is concerned about the provider's data handling policies. Which action should they take to ensure their data is not used for model training by the provider?
13A company needs to govern the lifecycle of ML models, including versioning, monitoring for drift, and decommissioning outdated models. Which TWO services should they use? (Choose 2)
14A company wants to enforce strict data residency for training data used in SageMaker. The data must never leave a specific AWS Region. Which THREE actions should they take? (Choose 3)
15A company wants to log all model invocation requests in Amazon Bedrock for audit and troubleshooting. Which TWO destinations can they configure for invocation logging? (Choose 2)
16A data scientist wants to restrict which IAM roles can invoke a specific Amazon Bedrock base model. Which AWS feature should they use?
17A healthcare company uses Amazon SageMaker to train a model on patient data. To meet HIPAA compliance, they must ensure training data is encrypted at rest and in transit. Additionally, the training job should not have internet access. Which combination of actions should the company take?
18A financial services firm uses Amazon Bedrock to generate investment summaries. They need to prevent the model from generating content containing personally identifiable information (PII) such as social security numbers. Which feature should they configure in Bedrock Guardrails?
19A company uses Amazon SageMaker Clarify to monitor a deployed model for bias. After running an analysis, they find that the model's predictions have a disparate impact on a protected group. What is the MOST appropriate next step?
20A data governance team wants to enforce fine-grained access control on data in an Amazon S3 data lake used by multiple business units for AI training. Which AWS service should they use to define and manage data permissions at the table and column level?
21A security engineer is configuring logging for Amazon Bedrock model invocations. They need to capture both the input and output of all API calls for compliance audits. Which set of steps should they take?
22A company wants to automatically discover sensitive data such as credit card numbers in their Amazon S3 training datasets before using them for model training. Which AWS service should they use?
23A company is deploying an AI-powered document summarization system using Amazon Bedrock. They must ensure that the model only uses information from provided source documents and does not generate unsupported claims. Which Bedrock Guardrails feature should they enable?
24A data scientist is using Amazon SageMaker to train a model with data that resides in an S3 bucket owned by another AWS account. The training job fails with access denied errors. The data scientist has already been granted cross-account read access to the S3 bucket via a bucket policy. What additional configuration is required?
25An organization wants to control which topics their AI chatbot can discuss. For example, they want to block all conversations about investment advice. Which Amazon Bedrock Guardrails feature should they configure?
26A machine learning team uses Amazon SageMaker to train and deploy models. They need to ensure that only approved base models from the AWS Marketplace are used. Which feature should they use to enforce this policy?
27A company uses Amazon Bedrock with a third-party foundation model. They are concerned about the third-party provider accessing their data. What should they review to understand data handling practices?
28A company is deploying an AI model on Amazon SageMaker and needs to monitor for model drift over time. Which TWO actions should they take? (Choose TWO)
29A financial institution is using Amazon Bedrock for a customer-facing application. They must ensure compliance with data residency requirements: model inputs and outputs must not leave a specific AWS Region. Which THREE steps should they take? (Choose THREE)
30A company wants to use AWS Lake Formation to govern access to data used for AI training. They need to ensure that only approved columns of sensitive tables are visible to data scientists. Which THREE steps should they implement? (Choose THREE)
31A data scientist needs to restrict access to a specific Amazon SageMaker notebook instance so that only a designated IAM role can invoke the CreatePresignedNotebookInstanceUrl API. Which IAM policy element should be used to achieve this?
32A company is using Amazon Bedrock to generate text summaries of customer emails. The compliance team requires that any email containing a Social Security Number (SSN) must be blocked from being sent to the model for summarization. Which Bedrock Guardrail configuration should be used?
33A machine learning team is training a model using Amazon SageMaker with data stored in an S3 bucket. The security policy requires that all data be encrypted at rest and in transit, and that the training job cannot access the internet. Which combination of settings should the team use?
34A financial services company uses Amazon Bedrock to generate investment advice. They have configured a guardrail to deny any harmful content. However, a user prompt 'Tell me how to commit fraud' was not blocked. What is the most likely cause?
35A company needs to audit all API calls made to Amazon Bedrock, including model invocations and guardrail evaluations. Which AWS service should they enable to capture these API calls for compliance?
36A healthcare startup is using Amazon SageMaker to train a model on patient data. They need to ensure that the training data does not contain any personally identifiable information (PII) before being used. Which AWS service can automatically detect and report PII in the data stored in S3?
37A company is deploying a real-time inference endpoint using Amazon SageMaker. The security team requires that all data sent to the endpoint be encrypted in transit and that the endpoint is only accessible from within the company's VPC. Which configuration should be used?
38An organization uses AWS Lake Formation to govern access to data used for machine learning in Amazon SageMaker. They want to ensure that a particular IAM role used by SageMaker can only query a subset of columns in a table containing sensitive customer data. Which Lake Formation permission should be granted to the role?
39A data scientist wants to use a third-party foundation model from Amazon Bedrock for a generative AI application. The compliance officer needs to understand how the third-party model provider handles data privacy. Where can the data scientist find this information?
40A company has deployed a machine learning model using Amazon SageMaker and wants to monitor the model for bias over time. Which SageMaker feature should they use to detect bias in the model's predictions after deployment?
41A company uses Amazon Bedrock with a custom model that was trained on data subject to GDPR. The company needs to ensure that inference logs containing user prompts and model responses are stored in a specific AWS Region for data residency compliance. How should they configure Bedrock model invocation logging?
42A machine learning team needs to share a SageMaker notebook with a colleague from a different AWS account. The colleague should be able to open and run the notebook but not delete it. Which combination of actions should the team take?
43A company is deploying a generative AI application using Amazon Bedrock and needs to ensure that the model's responses do not include any sensitive information. Which TWO Bedrock Guardrail configurations should be used together to meet this requirement? (Select TWO.)
44A company is using Amazon SageMaker to manage the lifecycle of their machine learning models. They need to implement a governance framework that includes model versioning, monitoring for drift, and decommissioning of outdated models. Which THREE AWS services or features should they use together to meet these requirements? (Select THREE.)
45A company wants to encrypt training data stored in Amazon S3 and model artifacts in Amazon SageMaker using customer-managed keys. Which TWO AWS services or features should they use? (Select TWO.)
46A company uses Amazon Bedrock to access foundation models. The security team wants to ensure that only specific IAM roles can invoke a particular model. Which configuration should they use?
47A data scientist is training a model using Amazon SageMaker and needs to ensure the training data is encrypted at rest and in transit. The data is stored in S3. Which combination of steps meets this requirement?
48A company uses Amazon Bedrock to generate content and wants to prevent the model from producing harmful or biased responses. Which AWS service should they configure to enforce content safety policies?
49A financial services company uses Amazon SageMaker to train models with sensitive customer data. They must ensure that no data leaves a specific AWS Region due to data residency regulations. The training data is in S3. Which architecture meets this requirement while minimizing data transfer?
50A company uses Amazon Bedrock and needs to log all model invocations for audit purposes. The logs must be stored in a central S3 bucket and also sent to CloudWatch Logs for real-time monitoring. Which configuration should they use?
51A machine learning engineer wants to detect if sensitive data, such as personally identifiable information (PII), exists in a training dataset stored in S3 before training a model. Which AWS service should they use?
52A data science team is deploying a model using Amazon SageMaker. They need to monitor the model for bias after it is deployed. Which AWS service or feature should they use?
53A company uses AWS Lake Formation to manage data lakes for analytics. They want to ensure that only authorized users can access specific columns in a table containing sensitive data used for ML training. Which Lake Formation feature should they use?
54A company wants to use a third-party foundation model from Amazon Bedrock but is concerned about data privacy because the model provider might store prompts and responses. How should they address this concern?
55A company has trained a model using Amazon SageMaker and stored the model artifacts in S3 with SSE-KMS encryption. The development team wants to grant cross-account access to the model artifacts so a partner can deploy the model in their own account. Which steps are required?
56A company uses Amazon Bedrock Guardrails to filter harmful content. They want to ensure that the model does not generate responses containing specific keywords related to their internal project names. Which Guardrails component should they configure?
57A company has deployed a model on Amazon SageMaker and enabled Model Monitor. They notice that the model's prediction accuracy has declined over time. Which type of drift is this, and what should they do?
58A company uses Amazon Bedrock and wants to ensure that the model outputs are grounded in a set of provided documents to reduce hallucinations. Which TWO actions should they take? (Select TWO.)
59A company is implementing an AI governance framework for their machine learning models deployed on Amazon SageMaker. Which THREE actions should they include to manage the model lifecycle effectively? (Select THREE.)
60A data scientist needs to use Amazon SageMaker to train a model and must ensure that the training data and the model artifacts are encrypted using customer-managed KMS keys. Which TWO resources can be encrypted with KMS keys in this scenario? (Select TWO.)
61A company uses Amazon Bedrock to build an AI assistant. They need to restrict the model from generating responses about competitors. Which Bedrock feature should they configure?
62A data scientist needs to train a model in Amazon SageMaker using a dataset that contains personally identifiable information (PII). The company policy requires all data at rest to be encrypted with a customer-managed key. Which configuration meets this requirement?
63An organization uses a third-party foundation model accessed through Amazon Bedrock. The compliance team requires that all model inputs and outputs be auditable and retained for one year. Which approach should the team implement?
64A machine learning team wants to detect bias in a deployed model's predictions on new data. They use Amazon SageMaker. Which service should they use to generate bias reports after deployment?
65A company uses Amazon Macie to discover sensitive data in an S3 bucket containing training datasets. The bucket policy currently prohibits access from external accounts. Which TWO steps are necessary to allow a cross-account SageMaker training job to access this bucket while maintaining security?
66A financial services company is deploying a large language model (LLM) on Amazon Bedrock for customer-facing applications. The compliance team mandates that the model must not generate any content containing personally identifiable information (PII). Additionally, the company wants to ensure that the model only answers questions related to its product documentation and refuses off-topic queries. Which THREE Bedrock Guardrails configurations should be applied?
67A machine learning team uses Amazon SageMaker to train models. They need to ensure that only approved base models from the AWS Marketplace can be used, and that training jobs cannot access the internet. Which TWO configurations should they implement?
68A company wants to use Amazon Bedrock to build an application that summarizes customer support tickets. They are concerned about data privacy and want to ensure that customer data is not used by the third-party model provider for training or improvement. Which TWO actions should they take?
69An organization is implementing governance for machine learning models using SageMaker. They need to track model versions, monitor for drift after deployment, and automatically decommission models that have been deprecated for over 30 days. Which THREE services or features should they use?
70A company uses AWS Lake Formation to govern data used for AI/ML. They have a data lake containing customer transaction data. A data scientist needs to access the data for training a model in SageMaker. Which TWO steps are required to grant access while maintaining governance?
The Security, Compliance, and Governance for AI Solutions domain covers the key concepts tested in this area of the AIF-C01 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all AIF-C01 domains — no account required.
The Courseiva AIF-C01 question bank contains 70 questions in the Security, Compliance, and Governance for AI Solutions domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security, Compliance, and Governance for AI Solutions domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included