AWS Certified AI Practitioner AIF-C01 (AIF-C01) — Questions 226–300

500 questions total · 7 pages · All types, answers revealed

Page 4 of 7

226
MCQ · hard

A healthcare organization is using Amazon Bedrock to analyze medical images and generate radiology reports. They need to comply with HIPAA regulations and ensure patient data is not used for model training. Which configuration should they use?

A. Fine-tune the model using a custom dataset and deploy as a custom model
B. Use a provisioned throughput model with data isolation
C. Use the on-demand model through Amazon Bedrock
D. Use a third-party model hosted outside of AWS
Answer: B

Provisioned throughput ensures data is not used for training and meets compliance requirements.

Why this answer

Option B is correct because Provisioned Throughput with data isolation in Amazon Bedrock ensures that the customer's inference data (including patient medical images and reports) is not used for any model training or service improvement, and it provides a dedicated, isolated environment that meets HIPAA compliance requirements. This configuration guarantees that patient data remains within the customer's AWS account and is not shared with other customers or used to improve the base model.

Exam trap

The trap here is that candidates often assume fine-tuning (Option A) is the only way to customize models for healthcare, but they overlook that HIPAA prohibits using PHI for training, making Provisioned Throughput with data isolation the correct choice for compliant inference.

How to eliminate wrong answers

Option A is wrong because fine-tuning a model with a custom dataset would use patient data to train the model, which violates HIPAA requirements that patient data must not be used for model training. Option C is wrong because the on-demand model through Amazon Bedrock does not provide data isolation; inference data may be used for service improvement and model training, which is not HIPAA-compliant for protected health information. Option D is wrong because using a third-party model hosted outside of AWS would require the healthcare organization to manage HIPAA compliance independently, and it does not leverage AWS's HIPAA-eligible services or the data isolation guarantees provided by Bedrock's Provisioned Throughput.

227
MCQ · easy

A company wants to use a foundation model to classify customer feedback as positive, neutral, or negative. They have a small labeled dataset. Which approach yields the best results?

A. Use a pre-built sentiment analysis API
B. Fine-tune a foundation model on their dataset
C. Fine-tune a foundation model on their dataset
D. Use zero-shot classification
Answer: C

Fine-tuning with a small labeled dataset adapts the model effectively.

Why this answer

Option C is correct because fine-tuning a foundation model on a small labeled dataset allows the model to adapt its pre-trained knowledge specifically to the company's sentiment classification task, achieving higher accuracy than zero-shot or generic API approaches. Fine-tuning adjusts the model's weights using the labeled examples, making it sensitive to domain-specific language and nuance in customer feedback, which is critical for a three-class sentiment task.

Exam trap

AWS often tests the misconception that zero-shot classification is always sufficient for small datasets, but the trap here is that fine-tuning with even a small labeled dataset yields better results because it adapts the model to the specific task, whereas zero-shot lacks task-specific learning.

How to eliminate wrong answers

Option A is wrong because a pre-built sentiment analysis API is typically trained on general data and may not capture domain-specific language or the exact three-class (positive, neutral, negative) granularity required, leading to lower accuracy on the company's specific feedback. Option B is wrong because it is identical to option C and is marked as incorrect in the question; the correct answer is explicitly labeled as C. Option D is wrong because zero-shot classification relies on the model's pre-existing knowledge without any task-specific adaptation, which often results in poor performance on nuanced sentiment classification, especially with a small labeled dataset that could be used for fine-tuning.

228
MCQ · hard

A company uses Amazon SageMaker to train a model on customer transaction data. The data is stored in an S3 bucket encrypted with SSE-KMS. The data scientists are using a SageMaker notebook instance to preprocess the data. The security team notices that the notebook instance can access the KMS key directly through the SageMaker console, even when the data scientists do not have explicit KMS permissions. What is the MOST likely reason for this behavior?

A. The KMS key policy allows the SageMaker service to decrypt using the key, and the console displays this permission globally.
B. The S3 bucket has a bucket policy that grants s3:GetObject access using the SageMaker service principal, bypassing KMS permissions.
C. The SageMaker execution role attached to the notebook instance has permission to use the KMS key for the S3 bucket, and the SageMaker console uses that role to perform decryption operations on behalf of the user.
D. The SageMaker notebook instance is using an IAM role that has the AWS managed policy AmazonSageMakerFullAccess, which includes kms:Decrypt for all keys.
Answer: C

The SageMaker execution role is assumed by the notebook instance and has KMS permissions. The console uses the role to show decryption status.

Why this answer

Option C is correct because the SageMaker notebook instance uses an execution IAM role that is assumed when performing operations. If that execution role has permissions to use the KMS key (e.g., kms:Decrypt, kms:GenerateDataKey) for the S3 bucket, the SageMaker console can leverage that role to decrypt data on behalf of the user, even if the user's own IAM identity lacks explicit KMS permissions. The console acts as a proxy, using the notebook's execution role to access the key.

Exam trap

The trap here is that candidates often assume the user's own IAM permissions are the only factor, but AWS services like SageMaker can proxy requests using the execution role attached to the resource, effectively decoupling the user's identity from the data access permissions.

How to eliminate wrong answers

Option A is wrong because the KMS key policy granting the SageMaker service principal decryption permissions would allow the service to use the key, but the console does not display permissions globally; it reflects the effective permissions of the assumed role. Option B is wrong because an S3 bucket policy granting s3:GetObject to the SageMaker service principal does not bypass KMS permissions; accessing SSE-KMS encrypted objects still requires kms:Decrypt or kms:GenerateDataKey permissions on the KMS key. Option D is wrong because the AWS managed policy AmazonSageMakerFullAccess does not include kms:Decrypt for all keys; it only includes limited KMS actions (e.g., kms:ListKeys) and does not grant decrypt on arbitrary customer-managed KMS keys.

229
MCQ · medium

A company is using Amazon Comprehend to extract entities from customer support tickets. The compliance team requires that the text sent to Comprehend be encrypted in transit and that Comprehend does not store any data beyond the processing time. How should the company configure the API call?

A. Encrypt the text using AWS KMS before sending it to Comprehend
B. Use the AWS SDK with server-side encryption enabled for the API call
C. Create a VPC endpoint for Comprehend and send requests over the private network
D. Use the HTTPS endpoint for the DetectEntities API and rely on Comprehend's stateless design
Answer: D

HTTPS provides encryption in transit; Comprehend does not store data after processing.

Why this answer

Option D is correct because Amazon Comprehend's DetectEntities API is inherently stateless—it does not store any text or results beyond the processing time required to generate the response. By using the HTTPS endpoint, the company ensures encryption in transit via TLS, satisfying the compliance requirement without additional configuration. Comprehend does not persist data from synchronous API calls, so no data is retained after the response is returned.

Exam trap

The trap here is that candidates confuse encryption in transit with encryption at rest or data retention controls, leading them to overcomplicate the solution with KMS, SSE, or VPC endpoints when the simple use of HTTPS and the stateless nature of the API already meet the requirements.

How to eliminate wrong answers

Option A is wrong because encrypting the text with AWS KMS before sending it would render the data unreadable to Comprehend, as the service requires plaintext input to perform entity extraction; KMS encryption is for data at rest, not for protecting data in transit. Option B is wrong because server-side encryption (SSE) is a feature for data at rest in services like S3, not for API calls to Comprehend; the AWS SDK does not have a 'server-side encryption' setting for API requests, and encryption in transit is handled by TLS, not SSE. Option C is wrong because a VPC endpoint for Comprehend enables private connectivity over the AWS network but does not inherently encrypt data in transit; encryption still requires TLS, and the VPC endpoint does not affect Comprehend's data retention behavior.

230
MCQ · easy

A startup is building a recommendation engine for their e-commerce platform. They need a fully managed service that can generate personalized product recommendations based on user behavior. Which AWS service should they use?

A. Amazon Personalize
B. Amazon Rekognition
C. Amazon Forecast
D. Amazon Comprehend
Answer: A

Personalize is designed specifically for personalization and recommendations.

Why this answer

Amazon Personalize is a fully managed machine learning service specifically designed to generate real-time personalized product recommendations by processing user behavior data (e.g., clicks, purchases, views) and item metadata. It uses the same technology that powers Amazon.com's recommendation engine, making it the correct choice for this e-commerce use case.

Exam trap

Cisco often tests the distinction between AWS AI services by presenting a use case that sounds like 'forecasting' or 'analysis' but actually requires personalization, leading candidates to confuse Amazon Forecast (time-series) with Amazon Personalize (recommendations).

How to eliminate wrong answers

Option B (Amazon Rekognition) is wrong because it is a computer vision service for image and video analysis (e.g., object detection, facial recognition), not for generating product recommendations. Option C (Amazon Forecast) is wrong because it is a time-series forecasting service for predicting future metrics (e.g., demand, sales), not for personalized recommendations based on user behavior. Option D (Amazon Comprehend) is wrong because it is a natural language processing (NLP) service for extracting insights from text (e.g., sentiment, entities), not for recommendation generation.

231
MCQ · easy

Refer to the exhibit. This is an Amazon Bedrock invocation request for Claude. What is the purpose of the "stop_sequences" parameter?

A. It tells the model to stop generating when it encounters that sequence
B. It specifies a character sequence for the model to include in its response
C. It limits the number of tokens in the response
D. It controls the randomness of the response
Answer: A

Stop sequences cause the model to halt generation at that point.

Why this answer

Option C is correct. Stop sequences tell the model to stop generating when a specified sequence is encountered, preventing the model from generating additional turns. Option A (alternative response) is incorrect. Option B (maximum tokens is already set). Option D (control randomness is temperature).

232
Multi-Select · easy

A company is using Amazon Bedrock to generate code snippets. They want to ensure the generated code is secure. Which TWO practices should they implement?

Select 2 answers
A. Increase the max token limit to generate longer code.
B. Use guardrails to block insecure code patterns.
C. Set the temperature to 0 for deterministic output.
D. Review and test all generated code before deployment.
E. Use a larger model for better accuracy.
Answers: B, D

Guardrails can filter out harmful content.

Why this answer

Option B is correct because Amazon Bedrock Guardrails allow you to define policies that filter or block generated content containing insecure code patterns, such as SQL injection or hardcoded credentials, before the output is returned. This provides a proactive security layer that prevents insecure code from reaching the user, directly addressing the requirement to ensure generated code is secure.

Exam trap

Cisco often tests the misconception that model parameters like temperature or token limits can substitute for explicit security controls, when in fact only guardrails and human review directly address code security.

233
MCQ · hard

A data scientist needs to preprocess categorical data with high cardinality (e.g., zip code with 50,000 unique values). Which technique is most appropriate?

A. Target encoding
B. Label encoding
C. Ordinal encoding
D. One-hot encoding
Answer: A

Target encoding replaces categories with the mean of the target variable, handling high cardinality effectively.

Why this answer

Option A is correct because target encoding uses the target variable to encode categories, reducing dimensionality while capturing predictive power. One-hot encoding (B) creates too many features. Label encoding (C) implies ordinal relationship which is unsuitable. Ordinal encoding (D) also implies order.

234
Multi-Select · easy

Which TWO services can be used to preprocess data for machine learning in AWS? (Choose two.)

Select 2 answers
A. AWS Glue
B. Amazon Athena
C. Amazon SageMaker Data Wrangler
D. Amazon Redshift
E. AWS Lambda
Answers: A, C

Glue provides ETL capabilities suitable for preprocessing.

Why this answer

AWS Glue is a fully managed ETL service that can be used to preprocess data for machine learning by cleaning, transforming, and enriching raw data before feeding it into ML models. It provides built-in transforms and can handle both structured and semi-structured data, making it suitable for preparing large datasets for training.

Exam trap

Cisco often tests the distinction between data querying services (like Athena) and data preprocessing services, leading candidates to mistakenly choose Athena because it can 'process' data via SQL, but it lacks the ML-specific transformation capabilities required for preprocessing.

235
MCQ · hard

A company is training a deep learning model on Amazon SageMaker using a custom Docker container. The training job fails with the error 'CannotStartContainerError: API error (500): failed to create shim task'. The team verifies that the container image is compatible with the selected instance type. What is the most likely cause of this error?

A. The instance type does not have enough memory for the container
B. The training data is stored in the wrong S3 bucket
C. The container image does not have the correct entry point
D. The GPU drivers are outdated
Answer: A

Insufficient memory is a common cause of container startup failures.

Why this answer

The error 'CannotStartContainerError: API error (500): failed to create shim task' typically occurs when the Docker container cannot be initialized due to resource constraints, most commonly insufficient memory on the selected instance type. Even if the container image is compatible with the instance, the container's memory request may exceed the available memory, causing the container runtime (containerd) to fail when creating the shim task. This is a known issue in SageMaker when the training job's resource requirements are not aligned with the instance's capacity.

Exam trap

The trap here is that candidates may attribute the error to image compatibility or entry point issues, but Cisco tests the understanding that container runtime errors like 'failed to create shim task' are almost always resource-related (memory or disk), not configuration or driver issues.

How to eliminate wrong answers

Option B is wrong because the training data being in the wrong S3 bucket would cause a data access error (e.g., 'NoSuchBucket' or 'AccessDenied'), not a container runtime error like 'CannotStartContainerError'. Option C is wrong because an incorrect entry point would result in a 'ContainerEntrypointError' or a process exit code error, not a shim task creation failure, which is a lower-level container runtime issue. Option D is wrong because outdated GPU drivers would cause a CUDA or GPU-related error (e.g., 'CUDA_ERROR_NO_DEVICE' or 'Driver/library mismatch'), not a generic container shim task failure, and SageMaker manages driver compatibility for supported instance types.

236
MCQ · hard

A data scientist is fine-tuning a large language model on Amazon SageMaker for a text summarization task. The training loss decreases steadily but the validation loss starts increasing after a few epochs. What should the scientist do to address this issue?

A. Reduce the batch size
B. Increase the learning rate
C. Increase the number of training epochs
D. Use early stopping based on validation loss
Answer: D

Early stopping prevents overfitting by halting training when validation loss stops improving.

Why this answer

The validation loss increasing while training loss decreases is a classic sign of overfitting. Early stopping based on validation loss halts training when the validation loss stops improving, preventing overfitting and saving computational resources. This is a standard technique in SageMaker's built-in training algorithms and custom training scripts.

Exam trap

Cisco often tests the distinction between overfitting and underfitting; the trap here is that candidates may mistakenly think increasing epochs (Option C) always improves performance, ignoring the validation loss divergence that signals overfitting.

How to eliminate wrong answers

Option A is wrong because reducing batch size introduces more noise into gradient estimates, which can actually worsen generalization and does not directly address overfitting. Option B is wrong because increasing the learning rate can cause the optimizer to overshoot minima, leading to divergence or unstable training, not reduced overfitting. Option C is wrong because increasing the number of training epochs would exacerbate overfitting, as the model would continue to memorize the training data beyond the point where validation loss degrades.

237
MCQ · medium

A company is using Amazon Rekognition to detect objects in images. They need to detect custom objects that are specific to their domain. What should they do?

A. Use Amazon Rekognition's built-in labels
B. Use Amazon SageMaker Object Detection algorithm
C. Use Amazon Rekognition Custom Labels
D. Use Amazon Comprehend
Answer: C

Custom Labels enables training a custom model with labeled images.

Why this answer

Amazon Rekognition Custom Labels allows you to train a custom model using your own labeled images to detect domain-specific objects that are not covered by Rekognition's built-in labels. This is the correct service for custom object detection without needing to build a model from scratch.

Exam trap

The trap here is that candidates may confuse Amazon Rekognition Custom Labels with SageMaker Object Detection, not realizing that Custom Labels is a managed service specifically designed for custom image analysis without requiring ML expertise.

How to eliminate wrong answers

Option A is wrong because built-in labels are pre-trained on general categories and cannot detect custom domain-specific objects. Option B is wrong because Amazon SageMaker Object Detection algorithm requires you to build, train, and deploy a custom model from scratch, which is more complex and not the recommended approach when Rekognition Custom Labels can handle the task with less effort. Option D is wrong because Amazon Comprehend is a natural language processing (NLP) service for text analysis, not for image object detection.

238
MCQ · easy

A developer invokes an Amazon Bedrock model and receives the above response. What does the 'stopReason' field indicate?

A. The model encountered an error.
B. The model reached a defined stop sequence.
C. The model hit the maximum token limit.
D. The model stopped due to a safety filter.
Answer: B

'stop_sequence' indicates the model encountered a user-defined stop sequence.

Why this answer

The 'stopReason' field in an Amazon Bedrock response indicates why the model stopped generating tokens. When set to 'stop', it means the model encountered a defined stop sequence (such as a special token like <|endoftext|> or a user-specified string) and halted generation normally. This is the expected behavior for a successful, complete response.

Exam trap

The trap here is that candidates confuse 'stop' (normal completion via stop sequence) with 'length' (token limit reached), as both end generation but have different implications for response completeness and cost.

How to eliminate wrong answers

Option A is wrong because a model error would typically result in an HTTP error code or a different field like 'error' or 'failure', not a 'stopReason' of 'stop'. Option C is wrong because hitting the maximum token limit would produce a 'stopReason' of 'length', not 'stop'. Option D is wrong because a safety filter intervention would produce a 'stopReason' of 'content_filtered' or similar, not 'stop'.

239
MCQ · hard

A developer attached this IAM policy to a role used by an application that invokes Claude v2 in us-east-1. The application receives an access denied error. What is the MOST likely cause?

A. The Allow statement does not include a condition on the region
B. The Deny statement is blocking requests because the condition does not match the resource ARN's region
C. The Deny statement uses StringNotEquals instead of StringEquals
D. The resource ARN in the Allow statement is incorrect
Answer: B

The Deny condition checks aws:RequestedRegion, which may differ from the region in the resource ARN if requests are made to a different region.

Why this answer

The Deny statement uses a `StringNotEquals` condition on `aws:RequestedRegion` set to `us-east-1`. This means the Deny applies to any request where the requested region is NOT `us-east-1`. Since the resource ARN in the Deny statement is `arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-v2`, the condition does not match the resource's region (the resource ARN itself is in us-east-1), but the Deny is triggered when the request is made to a different region, blocking the call.

The application is likely invoking the model from a region other than us-east-1, causing the Deny to take effect.

Exam trap

Cisco often tests the subtle interaction between Allow and Deny statements with condition operators, where candidates mistakenly think the Deny is blocking because of a region mismatch on the resource ARN itself, rather than understanding that the Deny's condition evaluates the request's region, not the resource's region.

How to eliminate wrong answers

Option A is wrong because the Allow statement does not need a region condition; the Allow grants access to the specific resource ARN, and the Deny is the one causing the issue. Option C is wrong because using `StringNotEquals` is correct for this pattern—it denies requests that are NOT in the specified region; `StringEquals` would deny only requests in us-east-1, which is not the intended behavior. Option D is wrong because the resource ARN in the Allow statement (`arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-v2`) is correct for Claude v2 in us-east-1; the error is not due to an incorrect ARN but due to the Deny statement's condition logic.

240
MCQ · hard

A company is building a generative AI application to personalize email marketing campaigns. They use Amazon Bedrock with Anthropic Claude 3 Sonnet. The system takes customer data (name, purchase history) from an Amazon DynamoDB table and generates a personalized email body. During testing, the team notices that some emails contain factually incorrect information, such as recommending products the customer never purchased. The DynamoDB table is queried correctly and the correct data is passed to the model. The prompts include the customer data as context. The team has already tried adjusting the temperature and top-p parameters, but the issue persists. They need to improve the factual accuracy of the generated emails without significantly increasing latency or cost. The application is currently deployed on a single AWS Lambda function that invokes Bedrock. The DynamoDB table is small (few thousand records). Which course of action should the team take?

A. Use a structured prompt that explicitly instructs the model to base its response only on the provided customer data, and request a JSON object as output with the email body as a field.
B. Switch to a larger model like Claude 3 Opus to improve accuracy.
C. Reduce the temperature to 0 to make the model fully deterministic.
D. Fine-tune the model on a dataset of correct email examples paired with customer data.
Answer: A

This makes the model strictly follow the context and reduces hallucinations.

Why this answer

Option B is correct because the issue is that the model is ignoring the provided context despite it being passed. Anthropic Claude supports prompt caching for repeated context, but the core problem is that the model is not using the context reliably. Using a deterministic response format with JSON mode and adding explicit instructions to base responses only on provided data can significantly improve accuracy.

Option A is wrong because fine-tuning would be overkill for a small dataset and may cause overfitting, plus it increases cost and latency. Option C is wrong because reducing temperature further may make outputs too repetitive but does not guarantee factual correctness. Option D is wrong because using a larger model would increase cost and latency without necessarily solving the context adherence issue.

241
MCQ · easy

A developer receives the above response from invoking a Bedrock model. Which field indicates that the model completed its response normally?

A. output
B. stop_reason
C. text
D. role
Answer: B

stop_reason 'end_turn' signals normal conversation end.

Why this answer

The `stop_reason` field in the Bedrock response indicates why the model stopped generating text. A value of `"stop"` or `"end_turn"` (depending on the model) signals that the model completed its response normally, as opposed to hitting a token limit, content filter, or other interruption.

Exam trap

The trap here is that candidates confuse the `output` container or the `text` field with the completion indicator, overlooking the dedicated `stop_reason` field that explicitly signals normal termination.

How to eliminate wrong answers

Option A is wrong because `output` is a container object that holds the generated content, not a field that indicates the completion status. Option C is wrong because `text` is a field within the output that contains the actual generated string, but it does not convey why generation stopped. Option D is wrong because `role` indicates the conversational role (e.g., user or assistant) in a multi-turn context, not the model's completion state.

242
MCQ · easy

A company uses Amazon Bedrock to build a conversational AI. They want to enforce role-based access to the model. Which AWS service should they use?

A. AWS Config
B. AWS Identity and Access Management (IAM)
C. AWS CloudTrail
D. AWS Organizations
Answer: B

IAM policies can control which users or roles can invoke specific Bedrock models.

Why this answer

AWS Identity and Access Management (IAM) is the correct service because it enables fine-grained, role-based access control (RBAC) to Amazon Bedrock models. You can define IAM policies that specify which principals (users, groups, or roles) are allowed to invoke specific foundation models, ensuring that only authorized roles can interact with the conversational AI.

Exam trap

The trap here is that candidates often confuse AWS Config (which audits configurations) or CloudTrail (which logs actions) with IAM, mistakenly thinking that logging or compliance tools can enforce access control, when in fact only IAM provides the authorization layer for Bedrock model invocation.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating and auditing resource configurations against compliance rules, not for enforcing role-based access to Bedrock models. Option C is wrong because AWS CloudTrail records API activity for auditing and governance, but it does not control or enforce access permissions. Option D is wrong because AWS Organizations manages multi-account governance and policy inheritance across accounts, but it does not provide the granular, per-model role-based access control needed for Bedrock.

243
MCQ · easy

A company needs to store large amounts of unstructured training data (images, videos) in a cost-effective manner while ensuring low-latency retrieval for training jobs running on Amazon SageMaker. Which storage solution should be used?

A. Amazon EFS
B. Amazon S3
C. Amazon RDS
D. Amazon EBS
Answer: B

S3 is the best fit for storing unstructured data with low-latency access via S3 endpoints.

Why this answer

Amazon S3 is the correct choice because it is designed for cost-effective, scalable storage of unstructured data (images, videos) and integrates natively with Amazon SageMaker for low-latency data retrieval during training jobs. S3 provides high throughput and can be accessed directly from SageMaker training instances without the need for file system mounting, making it ideal for large-scale ML workloads.

Exam trap

The trap here is that candidates often confuse the need for low-latency retrieval with the need for a mounted file system (EFS or EBS), not realizing that S3's direct integration with SageMaker provides both low latency and high throughput for training workloads without the cost and complexity of file storage.

How to eliminate wrong answers

Option A is wrong because Amazon EFS is a file system that provides shared access for EC2 instances but is not optimized for the high-throughput, cost-effective storage of large unstructured datasets like images and videos; it also incurs higher costs per GB compared to S3 and can introduce latency overhead when used with SageMaker. Option C is wrong because Amazon RDS is a relational database service designed for structured data with SQL queries, not for storing unstructured training data such as images and videos, and it would be prohibitively expensive and inefficient for large-scale blob storage. Option D is wrong because Amazon EBS provides block-level storage volumes attached to a single EC2 instance, which is not suitable for sharing large datasets across multiple SageMaker training jobs and lacks the cost efficiency and scalability of object storage for unstructured data.

244
MCQ · medium

Refer to the exhibit. A data scientist attaches the above IAM policy to a SageMaker notebook instance role. The notebook is in the same AWS account as the S3 bucket. When trying to read a file from 's3://my-bucket/training/data.csv', the data scientist gets an Access Denied error. What is the most likely cause?

A. The file name contains spaces
B. The policy does not grant 's3:ListBucket' permission
C. The S3 bucket is in a different Region
D. The policy allows 's3:PutObject' which is not needed
Answer: B

ListBucket is needed to access objects in a bucket.

Why this answer

The error occurs because the IAM policy attached to the SageMaker notebook instance role does not include the 's3:ListBucket' permission. When reading a specific object from S3, the SDK first performs a ListObjects (ListBucket) operation to resolve the object key, especially when using high-level APIs like boto3's `read()` or `get_object`. Without this permission, the request is denied even if 's3:GetObject' is allowed.

Exam trap

Cisco often tests the subtle distinction that reading a specific object requires both 's3:GetObject' and 's3:ListBucket' permissions because the SDK performs a bucket listing operation before accessing the object.

How to eliminate wrong answers

Option A is wrong because spaces in file names are valid in S3 and would not cause an Access Denied error; they would be URL-encoded automatically. Option C is wrong because the S3 bucket is in the same AWS account as the notebook, and cross-Region access does not cause Access Denied errors—it works normally with proper permissions. Option D is wrong because having an unnecessary permission like 's3:PutObject' does not cause an Access Denied error; it simply grants more access than needed.

245
MCQ · hard

A media company uses a generative AI model to automatically create image captions for user-uploaded photos. During quality assurance, testers discover that the model sometimes generates captions that include stereotypes based on gender and race, even when the photos do not contain people. For example, a photo of a kitchen produces captions like 'woman cooking,' and a photo of a sports car generates 'man driving.' The company wants to launch the feature soon but recognizes the reputational risk. They have a limited budget and need to implement a solution that reduces harmful stereotypes without overly restricting the captions' creativity. The team has access to the model's training data, which is a large public dataset of image-caption pairs. Which approach should the team prioritize?

A. Replace the generative model with a simpler classification model that only describes objects
B. Use a different pre-trained generative model that is larger and more accurate
C. Filter the training data to remove or downweight pairs with stereotypes, then fine-tune the model
D. Add a post-processing filter that checks captions for known stereotype patterns and blocks them
Answer: C

Cleaning training data and fine-tuning directly reduces learned stereotypes.

Why this answer

To reduce stereotypical associations, the most effective approach is to filter and rebalance the training data by removing or downweighting caption pairs that contain stereotypes, and then fine-tune the model. This directly addresses the data source of bias. Adding a post-hoc filter may catch some stereotypes but could also remove valid captions.

Using a different model without data changes may not help. Limiting to object-only descriptions reduces creativity and may not meet product goals.

246
Multi-Select · hard

Which THREE considerations are important when implementing responsible AI for a production NLP system? (Choose three.)

Select 3 answers
A. Obtain FDA approval for the model
B. Continuously monitor model outputs for bias and drift
C. Apply encryption at rest for all training code
D. Publish model cards detailing intended use, performance, and limitations
E. Include bias detection in the CI/CD pipeline for every model update
Answers: B, D, E

Production models require ongoing monitoring to ensure fairness over time.

Why this answer

Options B, D, and E are correct. In production, continuous monitoring is vital (B), bias evaluation should be part of the MLOps pipeline (E), and model cards document model details (D). Option C is about code security, not responsible AI.

Option A is specific to medical devices, not generally required.

247
MCQ · hard

A company uses Amazon Bedrock to generate content. They need to guarantee that the model does not produce toxic or biased outputs and that any violations are logged for review. Which service should they integrate with Bedrock?

A. Amazon Comprehend
B. AWS WAF
C. AWS CloudTrail
D. Amazon Bedrock Guardrails
Answer: D

Guardrails provides content filters and toxicity detection.

Why this answer

Amazon Bedrock Guardrails is the correct service because it is specifically designed to enforce content policies, filter toxic or biased outputs, and log violations for review within Bedrock workflows. It provides configurable thresholds for harmful categories (e.g., hate, insults, sexual content) and integrates directly with Bedrock models to intercept and redact or block undesired responses, with all violations recorded in Amazon CloudWatch Logs.

Exam trap

The trap here is that candidates may confuse AWS CloudTrail (which logs API calls) with content-level logging, or assume Amazon Comprehend can be used for real-time content filtering, when in fact Bedrock Guardrails is the only integrated service that both enforces content policies and logs violations directly within the Bedrock invocation flow.

How to eliminate wrong answers

Option A is wrong because Amazon Comprehend is a natural language processing (NLP) service for extracting insights (e.g., sentiment, entities) from text, but it does not provide real-time content filtering or enforcement of safety policies within Bedrock model outputs; it operates as a separate analysis tool, not an integrated guardrail. Option B is wrong because AWS WAF is a web application firewall that protects HTTP/HTTPS endpoints from common web exploits (e.g., SQL injection, cross-site scripting), not a service for monitoring or filtering AI-generated content for toxicity or bias. Option C is wrong because AWS CloudTrail records API activity for auditing (e.g., who called Bedrock APIs), but it does not inspect or log the content of model outputs for toxic or biased violations; it captures metadata, not the payload of responses.

248
MCQ · easy

After deploying a model, a company notices that the distribution of the input features has shifted compared to the training data. Which feature of Amazon SageMaker Model Monitor can alert them to this change?

A. Model quality monitoring
B. Bias drift monitoring
C. Feature importance drift
D. Data quality monitoring
Answer: D

Data quality monitors for drift in input features (baseline vs. live).

Why this answer

Option D is correct because SageMaker Model Monitor's Data Quality monitoring tracks distributions of input features and can alert on drift. Bias drift (B) is specific to demographic groups. Model quality (A) tracks prediction accuracy.

Feature importance drift (C) is not a standard monitoring type.

249
MCQ · easy

A company wants to use Amazon SageMaker to train a model on sensitive healthcare data. What is the MOST secure way to ensure that the training data is encrypted at rest and in transit, and that only authorized users can access the model artifacts?

A. Enable server-side encryption with AWS KMS managed keys for the S3 buckets, SageMaker notebook instances, and training jobs, and use IAM roles to limit access.
B. Disable encryption for faster training, and rely on IAM policies to restrict access.
C. Use client-side encryption for all data, and store encryption keys in AWS Secrets Manager.
D. Use an AWS CloudHSM to store encryption keys and configure SageMaker to use it.
Answer: A

SageMaker supports KMS encryption for all resources, and IAM roles enforce least privilege. This meets the security requirements.

Why this answer

Option A is correct because it provides end-to-end encryption for sensitive healthcare data by enabling server-side encryption with AWS KMS managed keys for S3 buckets (data at rest), SageMaker notebook instances (data at rest and in transit via TLS), and training jobs (data at rest on ephemeral storage and in transit between services). IAM roles enforce least-privilege access to model artifacts, ensuring only authorized users can read or write them. This combination meets compliance requirements like HIPAA by encrypting data at rest (AES-256) and in transit (TLS 1.2+), while IAM policies control access.

Exam trap

AWS often tests the misconception that client-side encryption (Option C) or hardware security modules (Option D) are inherently more secure, but the exam expects you to know that SageMaker's native integration with AWS KMS provides the simplest and most secure end-to-end encryption for training jobs, data, and model artifacts without custom code or unsupported integrations.

How to eliminate wrong answers

Option B is wrong because disabling encryption violates security best practices and compliance mandates (e.g., HIPAA) for sensitive healthcare data, and IAM policies alone cannot protect data at rest or in transit from physical or network-level exposure. Option C is wrong because client-side encryption requires managing encryption keys outside AWS (even if stored in Secrets Manager), which adds complexity and risk of key exposure, and SageMaker does not natively support client-side encryption for training jobs or model artifacts without custom code. Option D is wrong because AWS CloudHSM provides hardware-based key storage but SageMaker does not directly integrate with CloudHSM for encryption of training data or model artifacts; SageMaker uses AWS KMS for encryption, and CloudHSM would require custom integration via KMS custom key store, which is not the most straightforward or recommended approach for this scenario.

250
MCQ · hard

A company fine-tunes a foundation model on SageMaker JumpStart for sentiment analysis. After deployment, the model shows bias toward positive sentiment. Which action should be taken to mitigate bias?

A. Use a different foundation model
B. Add more positive examples to training data
C. Increase training epochs
D. Perform RLHF (Reinforcement Learning from Human Feedback) to align outputs
Answer: D

RLHF uses human feedback to reduce undesirable biases.

Why this answer

RLHF (Reinforcement Learning from Human Feedback) is the correct approach because it directly addresses the misalignment between the model's outputs and desired human values. By collecting human feedback on model outputs and using it to train a reward model, RLHF fine-tunes the foundation model to reduce biased behavior, such as the over-prediction of positive sentiment, without simply reweighting the training data.

Exam trap

AWS often tests the misconception that bias is solely a data quantity issue, leading candidates to incorrectly choose adding more examples (Option B) instead of recognizing that alignment techniques like RLHF are required to correct model behavior after training.

How to eliminate wrong answers

Option A is wrong because simply switching to a different foundation model does not guarantee the removal of bias; the new model may have its own biases or the same underlying training data issues. Option B is wrong because adding more positive examples would exacerbate the existing bias toward positive sentiment, not mitigate it. Option C is wrong because increasing training epochs does not correct bias; it risks overfitting the model to the existing biased distribution, making the bias worse.

251
MCQ · hard

A company is deploying a generative AI model on Amazon Bedrock. The model is accessed by an application running on Amazon ECS Fargate. The security team requires that all data sent to and from the Bedrock model be encrypted in transit, and that the ECS task does not have internet access. The ECS tasks are launched in a private VPC subnet with a VPC endpoint for Bedrock configured. However, when the application attempts to invoke the Bedrock model, the call fails with a timeout error. The VPC endpoint policy is set to allow all actions from all principals. What is the most likely cause of the failure?

A. The ECS tasks are not configured to use a NAT gateway to reach the Bedrock endpoint
B. The VPC endpoint policy does not grant the ECS task IAM role permission to invoke Bedrock
C. The ECS task IAM role does not have the bedrock:InvokeModel permission
D. The security group associated with the VPC endpoint does not allow inbound HTTPS traffic from the ECS tasks
Answer: D

The security group must allow inbound HTTPS from the ECS tasks' security group; otherwise, traffic is blocked.

Why this answer

The timeout error indicates a network connectivity issue, not an authentication or authorization problem. Since the ECS tasks are in a private subnet without internet access and a VPC endpoint for Bedrock is configured, the most likely cause is that the security group associated with the VPC endpoint does not allow inbound HTTPS (port 443) traffic from the ECS tasks. Without this inbound rule, the TCP handshake fails, resulting in a timeout.

Exam trap

AWS often tests the distinction between network-level failures (timeouts) and authorization failures (access denied), and the trap here is that candidates confuse VPC endpoint policy with security group rules, assuming a permissive policy is sufficient for connectivity.

How to eliminate wrong answers

Option A is wrong because a NAT gateway is used for internet access, but the VPC endpoint allows private connectivity to Bedrock without internet; a NAT gateway is not required and would actually violate the requirement that the ECS task has no internet access. Option B is wrong because the VPC endpoint policy is set to allow all actions from all principals, so it does not restrict the ECS task IAM role; the issue is a network timeout, not a policy denial. Option C is wrong because the IAM role lacking bedrock:InvokeModel would cause an access denied error (HTTP 403), not a timeout; the timeout indicates the request never reached Bedrock.

252
Multi-Select · medium

A company needs to secure data used for training machine learning models in Amazon SageMaker. Which TWO actions should be taken to protect data at rest and in transit? (Choose TWO.)

Select 2 answers
A. Use AWS Certificate Manager (ACM) to generate certificates for all SageMaker endpoints
B. Enable default encryption on S3 buckets using AWS KMS
C. Disable root access on SageMaker notebook instances
D. Use SageMaker with VPC endpoints and enforce HTTPS for API calls
E. Use SageMaker Model Registry to track model versions
Answers: B, D

This encrypts data at rest in S3.

Why this answer

Option B is correct because enabling default encryption on S3 buckets using AWS KMS ensures that all objects stored in the bucket are encrypted at rest. This is a fundamental security practice for protecting training data in SageMaker, as SageMaker reads data from S3. Using AWS KMS allows you to manage and audit encryption keys, providing fine-grained control over data protection.

Exam trap

AWS often tests the distinction between data protection mechanisms (encryption) and other security controls (access management, model governance), leading candidates to confuse disabling root access or using Model Registry with data encryption requirements.

253
MCQ · hard

A company is using Amazon SageMaker to train a model. The training data is stored in an S3 bucket that is encrypted with an AWS KMS customer managed key (CMK). The training job fails with an error indicating that the SageMaker execution role does not have permission to decrypt the data. The administrator has verified that the execution role has the kms:Decrypt permission. What additional permission might be missing?

A. kms:CreateGrant
B. kms:ReEncrypt
C. kms:DescribeKey
D. kms:GenerateDataKey
Answer: A

Allows SageMaker to create a grant on the KMS key for its internal service principal.

Why this answer

When SageMaker accesses encrypted S3 data, it must create a grant on the KMS key to allow the SageMaker service principal to decrypt the data on behalf of the execution role. Even if the execution role has kms:Decrypt, SageMaker itself needs permission to call kms:CreateGrant to set up this delegated access. Without kms:CreateGrant, the service cannot establish the necessary cryptographic context for the training job.

Exam trap

The trap here is that candidates assume kms:Decrypt alone is sufficient, overlooking that SageMaker requires kms:CreateGrant to delegate decryption permissions to the SageMaker service principal for cross-account or service-integrated access.

How to eliminate wrong answers

Option B is wrong because kms:ReEncrypt is used to re-encrypt data under a new key, which is not required for reading training data; the job only needs decryption. Option C is wrong because kms:DescribeKey provides metadata about the key but does not enable the service to decrypt data; it is not a prerequisite for SageMaker's S3 access. Option D is wrong because kms:GenerateDataKey is used to create new data keys for encryption, not for decrypting existing data; the training job needs to decrypt, not generate keys.

254
MCQ · easy

A company wants to build a system that automatically categorizes customer support tickets into predefined categories (e.g., billing, technical, account). The team has a large dataset of historical tickets with their category labels. Which type of machine learning problem is this?

A. Regression
B. Binary classification
C. Multi-class classification
D. Clustering
Answer: C

The problem involves predicting one of several discrete categories using labeled training data.

Why this answer

This is a multi-class classification problem because the model must assign each support ticket to one of three or more predefined categories (e.g., billing, technical, account). The dataset provides labeled historical tickets, making it a supervised learning task, and the output is a discrete class label from a set of more than two categories, which distinguishes it from binary classification.

Exam trap

Cisco often tests the distinction between binary and multi-class classification by presenting a scenario with multiple categories but implying a simple yes/no decision, leading candidates to mistakenly choose binary classification when the number of classes exceeds two.

How to eliminate wrong answers

Option A is wrong because regression predicts continuous numerical values (e.g., ticket resolution time), not discrete categories. Option B is wrong because binary classification only handles two classes (e.g., spam vs. not spam), whereas this problem involves three or more categories. Option D is wrong because clustering is an unsupervised learning technique that groups data without using predefined labels, while this problem uses labeled historical data for supervised learning.

255
MCQ · hard

Which parameter controls the randomness of generated text in a foundation model?

A. top_p
B. stop sequences
C. max_tokens
D. temperature
Answer: D

Temperature directly affects randomness.

Why this answer

Temperature is the correct parameter because it directly controls the randomness of token sampling in a foundation model. A lower temperature (e.g., 0.1) makes the model more deterministic by concentrating probability mass on the most likely tokens, while a higher temperature (e.g., 1.5) flattens the probability distribution, increasing the likelihood of less probable tokens and thus generating more diverse or creative outputs.

Exam trap

AWS often tests the distinction between temperature (which reshapes the probability distribution) and top_p (which truncates the token set), leading candidates to confuse 'randomness control' with 'diversity via cumulative probability threshold'.

How to eliminate wrong answers

Option A is wrong because top_p (nucleus sampling) controls the cumulative probability threshold for token selection, not the randomness of the distribution itself; it dynamically chooses a set of tokens whose cumulative probability exceeds p, which is a different mechanism for diversity. Option B is wrong because stop sequences define specific strings that halt text generation (e.g., '\n\n' or a period), and they have no effect on the randomness or sampling behavior of the model. Option C is wrong because max_tokens sets a hard limit on the number of tokens generated in the output, controlling length rather than the stochasticity of token selection.

256
MCQ · easy

An organization uses Amazon Macie to discover sensitive data in S3. The compliance team needs to receive notifications when Macie finds PII. Which AWS service should they use to send notifications?

A. AWS Lambda
B. Amazon CloudWatch
C. Amazon Simple Notification Service (SNS)
D. Amazon Simple Email Service (SES)
Answer: C

SNS is used for notifications triggered by Macie findings.

Why this answer

Amazon Macie publishes findings to Amazon EventBridge, which can trigger a target such as an SNS topic. SNS then pushes notifications (e.g., email, SMS, HTTP) to subscribers. This decoupled architecture allows the compliance team to receive real-time alerts when PII is detected, without needing to poll or manage compute resources.

Exam trap

The trap here is that candidates often confuse the service that generates the event (Macie) with the service that delivers the notification, or they assume Lambda is required for all event-driven workflows, when in fact SNS can directly receive events from EventBridge without any compute layer.

How to eliminate wrong answers

Option A is wrong because AWS Lambda is a compute service that can process events but does not itself send notifications; it would need to invoke SNS or another service to deliver messages. Option B is wrong because Amazon CloudWatch is for monitoring metrics, logs, and alarms, not for sending human-readable notifications directly to end users; it can trigger SNS but is not the notification delivery service. Option D is wrong because Amazon Simple Email Service (SES) is designed for sending transactional and marketing emails, not for event-driven notifications from Macie; SES requires explicit API calls and is not a native target for Macie findings via EventBridge.

257
MCQ · easy

A startup uses Amazon Bedrock with a provisioned throughput to generate product images. They now have unpredictable traffic and want to reduce costs. What should they do?

A. Switch to batch inference using Amazon Bedrock.
B. Keep the provisioned throughput but reduce the number of units.
C. Use a different model or service like Amazon SageMaker with spot instances.
D. Switch to on-demand mode in Amazon Bedrock.
Answer: D

On-demand mode is serverless and cost-effective for variable traffic.

Why this answer

On-demand mode in Amazon Bedrock allows you to pay per inference request without committing to a provisioned throughput, making it ideal for unpredictable traffic patterns. This eliminates the cost of idle capacity while still providing access to the same foundation models. Option D directly addresses the need to reduce costs when traffic is variable.

Exam trap

The trap here is that candidates may assume provisioned throughput is always more cost-effective for any workload, overlooking that on-demand mode is specifically designed to eliminate idle costs for unpredictable traffic patterns.

How to eliminate wrong answers

Option A is wrong because batch inference is designed for processing large volumes of data asynchronously, not for handling unpredictable real-time traffic, and it still requires provisioning resources that may incur costs even when idle. Option B is wrong because reducing the number of provisioned throughput units still leaves you with committed capacity that must be paid for regardless of usage, which does not solve the cost issue for unpredictable traffic. Option C is wrong because switching to a different model or service like Amazon SageMaker with spot instances introduces additional complexity and does not leverage the native on-demand pricing model of Bedrock, which is specifically designed for variable workloads.

258
MCQ · easy

A developer is calling the Amazon Bedrock InvokeModel API to generate text with the AI21 Labs Jurassic-2 Mid model. The API call includes a maxTokens parameter, but the request fails with the error shown in the exhibit. What is the most likely cause of this error?

A. The API request is missing a required parameter such as 'prompt'.
B. The AWS region does not support the AI21 Labs model.
C. The value of 'maxTokens' exceeds the model's maximum limit.
D. The parameter name is incorrect; the model expects 'maxTokens' with a capital T.
Answer: D

Jurassic-2 Mid uses 'maxTokens' (capital T) as the parameter name for controlling output length.

Why this answer

The AI21 Labs Jurassic-2 Mid model expects the parameter name 'maxTokens' with a capital 'T' (camelCase). The error occurs because the API request used a different casing (e.g., 'maxtokens' or 'max_tokens'), which the model's schema does not recognize. Amazon Bedrock's InvokeModel API passes parameters directly to the model, so parameter names must match the model's exact specification.

Exam trap

Cisco often tests the nuance that model-specific parameter names must match exactly, including case sensitivity, and candidates mistakenly assume all Bedrock models use the same parameter naming convention.

How to eliminate wrong answers

Option A is wrong because the 'prompt' parameter is required for text generation models, and the error message in the exhibit does not indicate a missing required parameter; it points to an unrecognized parameter name. Option B is wrong because AWS region support for AI21 Labs models is independent of parameter naming errors; a region mismatch would produce a different error (e.g., 'Model not found' or 'AccessDeniedException'). Option C is wrong because exceeding the model's maximum token limit would result in a validation error about the value, not about the parameter name itself.

259
MCQ · hard

Refer to the exhibit. An IAM policy is attached to a role used by an Amazon SageMaker notebook instance. The notebook instance attempts to upload a model artifact to the S3 bucket 'my-bucket' without specifying server-side encryption. What will happen?

A. The upload succeeds because S3 automatically encrypts objects at rest
B. The upload fails because the policy does not allow PutObject without encryption
C. The upload succeeds because the bucket has default encryption enabled
D. The upload fails with an access denied error
Answer: D

The condition requires the encryption header to be present and set to AES256; without it, the action is denied.

Why this answer

Option D is correct because the IAM policy attached to the SageMaker role includes a condition that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header with a value of 'AES256'. Since the notebook instance attempts to upload without specifying server-side encryption, the condition is not met, and the request is denied with an access denied error. S3 default bucket encryption does not override explicit IAM policy conditions that require encryption headers in the request.

Exam trap

The trap here is that candidates assume S3's default encryption or automatic server-side encryption satisfies the policy condition, but Cisco tests the distinction between bucket-level encryption settings and request-level IAM conditions that require explicit encryption headers.

How to eliminate wrong answers

Option A is wrong because while S3 does automatically encrypt objects at rest via server-side encryption (SSE-S3) by default, the IAM policy explicitly requires the request to include the x-amz-server-side-encryption header; automatic encryption does not satisfy this condition. Option B is wrong because the policy does not deny PutObject without encryption in general; it denies it only when the condition for the encryption header is not met, and the error is access denied, not a failure due to missing encryption. Option C is wrong because bucket default encryption applies server-side encryption at the bucket level, but it does not add the required encryption header to the request; the IAM policy condition evaluates the request headers, not the bucket's default behavior.

260
MCQ · easy

A company uses Amazon Bedrock to build a chatbot. The chatbot needs to answer questions based on internal company documents. Which AWS service should be integrated with Bedrock to enable Retrieval Augmented Generation (RAG) without managing infrastructure?

A. Amazon OpenSearch Service
B. Amazon DynamoDB
C. Amazon RDS
D. Amazon Kendra
Answer: D

Kendra provides managed search with connectors to documents, ideal for RAG.

Why this answer

Amazon Kendra is a fully managed intelligent search service that can be directly integrated with Amazon Bedrock to implement Retrieval Augmented Generation (RAG) without any infrastructure management. It indexes internal company documents and retrieves relevant passages, which are then passed to the foundation model as context to generate accurate, grounded answers.

Exam trap

AWS often tests the distinction between managed services that require infrastructure management (like OpenSearch Service) and fully managed services (like Kendra) that abstract away all infrastructure concerns, making candidates incorrectly choose OpenSearch for its search capabilities.

How to eliminate wrong answers

Option A is wrong because Amazon OpenSearch Service requires you to manage clusters, configure indexing, and handle scaling — it is not a serverless, zero-infrastructure option. Option B is wrong because Amazon DynamoDB is a NoSQL key-value and document database designed for transactional workloads, not for semantic search or document retrieval needed in RAG. Option C is wrong because Amazon RDS is a relational database service that requires provisioning and managing database instances, and it lacks native semantic search capabilities for document retrieval.

261
MCQ · hard

A healthcare company is using Amazon SageMaker to deploy a model that makes predictions on patient data. They need to ensure that the model's predictions are explainable to comply with regulations. Which approach should they take?

A. Use SageMaker Model Monitor to track predictions
B. Use SageMaker Experiments to log model parameters
C. Use SageMaker Clarify to generate feature importance and explanations
D. Use SageMaker Debugger to analyze training gradients
Answer: C

Clarify provides model explainability, including SHAP and partial dependence plots.

Why this answer

SageMaker Clarify is specifically designed to provide model explainability, including feature importance and SHAP-based explanations, which are essential for regulatory compliance in healthcare. It helps stakeholders understand why a model made a particular prediction, addressing transparency requirements.

Exam trap

Cisco often tests the distinction between monitoring (Model Monitor), tracking (Experiments), debugging (Debugger), and explainability (Clarify), so the trap here is confusing operational monitoring with the need for interpretable explanations required by compliance frameworks.

How to eliminate wrong answers

Option A is wrong because SageMaker Model Monitor is used for detecting data drift and model quality degradation over time, not for generating per-prediction explanations. Option B is wrong because SageMaker Experiments tracks and organizes model training runs and parameters, but does not produce explainability reports for individual predictions. Option D is wrong because SageMaker Debugger monitors training metrics and gradients to debug training issues, not to explain model predictions post-deployment.

262
MCQ · medium

A marketing agency wants to analyze customer feedback from social media posts to gauge sentiment. They have no labeled data and limited ML expertise. The team needs a managed service that provides pre-trained models for sentiment analysis without requiring them to train or manage infrastructure. They also need to process text in multiple languages. Which AWS service should they use?

A. Use Amazon Comprehend with its default sentiment analysis model
B. Use Amazon SageMaker to train a custom sentiment analysis model
C. Use AWS Glue to build a custom NLP pipeline
D. Use Amazon Rekognition for text analysis
Answer: A

Comprehend provides pre-trained models that work out of the box for sentiment analysis.

Why this answer

Amazon Comprehend is a fully managed natural language processing (NLP) service that provides pre-trained models for sentiment analysis, key phrase extraction, and language detection. It requires no labeled data, no model training, and no infrastructure management, making it ideal for teams with limited ML expertise. Comprehend natively supports multiple languages, including Spanish, French, German, and many others, directly addressing the requirement to process text in multiple languages.

Exam trap

The trap here is that candidates may confuse Amazon Rekognition (image/video analysis) with text analysis services, or assume that any AWS ML service (like SageMaker or Glue) can handle NLP tasks without recognizing the specific managed service designed for unstructured text.

How to eliminate wrong answers

Option B is wrong because Amazon SageMaker is a platform for building, training, and deploying custom ML models, which requires labeled data, ML expertise, and infrastructure management—contradicting the requirements for a pre-trained, managed service with no training. Option C is wrong because AWS Glue is a serverless data integration and ETL service, not an NLP service; it cannot perform sentiment analysis or provide pre-trained models. Option D is wrong because Amazon Rekognition is a computer vision service for analyzing images and videos, not for text analysis or sentiment detection.

263
MCQ · easy

A developer is creating a generative AI application using Amazon Bedrock and needs to ensure that responses do not include toxic or harmful content. Which feature should be enabled?

A. Amazon CloudWatch Logs for prompt logging.
B. Amazon Virtual Private Cloud (VPC) for network isolation.
C. Amazon Bedrock Guardrails.
D. AWS Identity and Access Management (IAM) policies.
Answer: C

Guardrails enforce content policies, filter toxic content, and block denied topics.

Why this answer

Amazon Bedrock Guardrails is the correct feature because it is specifically designed to enforce content policies, filter toxic or harmful content, and block undesirable topics in generative AI responses. It provides configurable thresholds for hate, insults, sexual content, violence, and other harmful categories, ensuring compliance with safety requirements without modifying the underlying model.

Exam trap

The trap here is that candidates often confuse monitoring/logging services (CloudWatch) or security controls (VPC, IAM) with content safety features, not realizing that Bedrock Guardrails is the only option that directly filters toxic or harmful content at the application layer.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Logs for prompt logging captures and stores logs for monitoring and debugging, but it does not actively filter or block toxic content in responses. Option B is wrong because Amazon Virtual Private Cloud (VPC) provides network isolation and security at the infrastructure layer, but it has no mechanism to inspect or control the semantic content of AI-generated responses. Option D is wrong because AWS Identity and Access Management (IAM) policies control authentication and authorization for API calls, but they cannot enforce content safety rules or filter harmful language in model outputs.

264
MCQ · hard

A company uses Amazon SageMaker JumpStart to deploy a foundation model. They want to fine-tune the model on their own dataset. Which SageMaker capability should they use?

A. SageMaker Managed Spot Training
B. SageMaker Studio Classic
C. SageMaker Canvas
D. SageMaker Autopilot
Answer: B

Studio Classic provides Jupyter notebooks to write custom code for fine-tuning foundation models.

Why this answer

SageMaker Studio Classic provides an integrated development environment for building, training, and fine-tuning models using notebooks. Autopilot automates model building; Canvas is for no-code ML; Managed Spot Training reduces cost but is not the primary tool for fine-tuning.

265
MCQ · easy

A company is using Amazon SageMaker to train a model. They want to automatically stop training if the model performance stops improving on a validation dataset. Which SageMaker feature should they enable?

A. Early stopping in hyperparameter tuning
B. SageMaker Experiments
C. SageMaker Debugger
D. SageMaker Model Monitor
Answer: A

Early stopping terminates poorly performing training jobs based on validation metrics.

Why this answer

Option A is correct because Amazon SageMaker's hyperparameter tuning jobs support an 'early stopping' feature that automatically halts training when the model's performance on the validation dataset ceases to improve. This is enabled by setting the `EarlyStoppingType` parameter to `Auto` or `Off` in the tuning job configuration, which uses algorithms like median stopping or Bayesian optimization to detect convergence and prevent wasted compute.

Exam trap

Cisco often tests the distinction between monitoring (Debugger) and automated stopping (early stopping in hyperparameter tuning), so candidates mistakenly choose Debugger because it 'monitors' performance, but it lacks the built-in auto-stop capability that hyperparameter tuning provides.

How to eliminate wrong answers

Option B is wrong because SageMaker Experiments is a feature for organizing, tracking, and comparing ML runs (e.g., trials and components), not for automatically stopping training based on validation performance. Option C is wrong because SageMaker Debugger monitors training metrics and system resources in real time, but it does not automatically stop training; it can only emit alerts or trigger actions via rules, but stopping requires custom logic or integration with other services. Option D is wrong because SageMaker Model Monitor is designed for detecting data drift and quality issues in deployed models, not for controlling the training lifecycle or stopping training jobs.

266
MCQ · hard

Refer to the exhibit. A data scientist is trying to run a SageMaker training job that uses training data from an S3 bucket encrypted with the specified KMS key. The training job fails with an access denied error. The IAM role shown is attached to the training job. What is the missing permission?

A. s3:ListBucket
B. kms:GenerateDataKey
C. kms:CreateGrant
D. s3:GetBucketLocation
Answer: C

Required for SageMaker to delegate decrypt permissions to its service roles.

Why this answer

When a SageMaker training job accesses encrypted S3 data, it must be granted permission to use the KMS key for decryption. The `kms:CreateGrant` permission allows SageMaker to create a grant on the KMS key, which is required for the service to decrypt the data on behalf of the user. Without this permission, the training job fails with an access denied error even if other KMS actions are allowed.

Exam trap

Cisco often tests the misconception that `kms:Decrypt` alone is sufficient for SageMaker to access encrypted S3 data, but the service requires `kms:CreateGrant` to create a delegation grant for its internal principal.

How to eliminate wrong answers

Option A is wrong because `s3:ListBucket` is used to list objects in a bucket, not to read or decrypt objects; the error is related to KMS decryption, not listing. Option B is wrong because `kms:GenerateDataKey` is used to create a new data key for encryption, not to decrypt existing data; SageMaker needs `kms:Decrypt` and `kms:CreateGrant` for decryption. Option D is wrong because `s3:GetBucketLocation` is used to retrieve the bucket's region, which is unrelated to KMS decryption permissions.

267
Multi-Select · medium

Which TWO actions are most aligned with responsible AI practices when deploying a model that makes decisions affecting individuals? (Choose 2)

Select 2 answers
A. Collect as much data as possible without quality checks
B. Continuously monitor the model for fairness metrics
C. Ensure the development team is homogeneous to avoid conflicts
D. Use the most complex model available for maximum accuracy
E. Provide meaningful explanations for model decisions
Answers: B, E

Monitoring ensures ongoing fairness.

Why this answer

Options B and E are correct. Option B: Regular monitoring detects bias drift. Option E: Providing explanations supports transparency. Option A is wrong because more data alone does not ensure fairness. Option C is wrong because teams should include diverse perspectives. Option D is wrong because using the most complex model may harm explainability.

268
MCQ · medium

An e-commerce company uses a recommendation system built with Amazon Personalize. They want to explain to customers why certain products are recommended. Which AWS service can provide model explanations?

A. AWS Config
B. AWS CloudTrail
C. Amazon Detective
D. Amazon SageMaker Clarify
Answer: D

Clarify provides explainability for ML models.

Why this answer

Option D is correct: SageMaker Clarify can provide feature attribution for recommendations. Option A is wrong: AWS Config tracks resources. Option B is wrong: CloudTrail audits API calls. Option C is wrong: Amazon Detective investigates security findings.

269
MCQ · medium

A company wants to ensure accountability for its machine learning models by tracking all changes to the model and its training data. Which AWS feature should they use?

A. Amazon CloudWatch
B. Amazon SageMaker Experiments
C. AWS CloudTrail
D. AWS CodeCommit
Answer: C

CloudTrail logs all API calls for governance and accountability.

Why this answer

Option C is correct because AWS CloudTrail records API calls for auditing and accountability. SageMaker Experiments (B) tracks training parameters but not all data changes. CodeCommit (D) is for source code, not model changes. CloudWatch (A) monitors metrics but does not track changes comprehensively.

270
MCQ · hard

A large enterprise has multiple teams deploying ML models on AWS. To ensure governance and accountability, they need to enforce that all models pass a fairness review before production deployment. Which SageMaker feature should they use to implement this approval workflow?

A. SageMaker Studio
B. SageMaker Experiments
C. SageMaker Model Monitor
D. SageMaker Model Registry
Answer: D

Model Registry supports versioning, metadata, and approval statuses for governance.

Why this answer

SageMaker Model Registry manages model versions and supports approval statuses (e.g., Approved, Rejected). This integrates with CI/CD pipelines to enforce review gates. Experiments, Model Monitor, and Studio do not provide such workflow capabilities.

271
Multi-Select · medium

Which THREE are SageMaker built-in algorithms suitable for regression tasks?

Select 3 answers
A. Linear Learner
B. K-Means
C. PCA
D. DeepAR
E. XGBoost
Answers: A, D, E

Linear Learner supports regression.

Why this answer

Linear Learner is a SageMaker built-in algorithm that supports both regression and classification tasks. For regression, it models the target variable as a linear combination of input features, optimizing for metrics like mean squared error. It is suitable for regression because it directly outputs continuous values.

Exam trap

Cisco often tests the distinction between supervised and unsupervised algorithms, and the trap here is that candidates may confuse dimensionality reduction (PCA) or clustering (K-Means) with regression tasks, assuming any algorithm that processes numeric data can perform regression.

272
MCQ · easy

A data scientist wants to host a pre-trained model on Amazon SageMaker for real-time inference with minimal latency. Which approach should they use?

A. Run inference using AWS Lambda with the model packaged as a container
B. Use SageMaker batch transform
C. Create a SageMaker asynchronous inference endpoint
D. Deploy the model on a SageMaker real-time endpoint
Answer: D

Real-time endpoints are designed for low-latency, synchronous inference.

Why this answer

Option D is correct because SageMaker real-time endpoints are designed for low-latency, synchronous inference. They keep the model loaded and ready to respond to individual requests, making them ideal for real-time applications where minimal latency is critical.

Exam trap

Cisco often tests the distinction between synchronous (real-time) and asynchronous inference patterns, and the trap here is that candidates may confuse 'asynchronous inference' with 'real-time' because both can handle requests, but only real-time endpoints guarantee minimal latency for individual predictions.

How to eliminate wrong answers

Option A is wrong because AWS Lambda has a maximum execution timeout of 15 minutes and limited memory (up to 10 GB), making it unsuitable for hosting large pre-trained models that require persistent, low-latency inference. Option B is wrong because SageMaker batch transform is an asynchronous, offline process for processing large datasets in batches, not for real-time inference with minimal latency. Option C is wrong because SageMaker asynchronous inference endpoints are designed for requests with large payloads and longer processing times, where immediate response is not required; they introduce queuing and processing delays that are incompatible with minimal latency requirements.

273
Multi-Select · hard

A data engineer is using Amazon SageMaker Data Wrangler to prepare tabular data for ML. Which THREE data transformations are natively supported? (Choose three.)

Select 3 answers
A. One-hot encoding for categorical features
B. Audio feature extraction
C. Text vectorization using TF-IDF
D. Custom Python code via Pandas or Spark
E. Image resizing and normalization
Answers: A, C, D

One-hot encoding is a built-in transform in Data Wrangler.

Why this answer

Option A is correct because Amazon SageMaker Data Wrangler includes built-in support for one-hot encoding as a native transformation for categorical features. This transformation automatically creates binary columns for each category, which is essential for preparing tabular data for machine learning models that require numerical input.

Exam trap

AWS often tests the distinction between natively supported transformations in SageMaker Data Wrangler versus those requiring external services or custom scripts, leading candidates to mistakenly select audio or image processing options that are not part of Data Wrangler's built-in capabilities.

274
Multi-Select · medium

Which AWS services can be used to build, train, and deploy custom machine learning models? (Choose two.)

Select 2 answers
A. Amazon Polly
B. Amazon Lex
C. AWS Deep Learning AMIs
D. Amazon Rekognition
E. Amazon SageMaker
Answers: C, E

Deep Learning AMIs provide a customizable environment for building and training models.

Why this answer

AWS Deep Learning AMIs (C) are pre-configured Amazon Machine Images that include popular deep learning frameworks (TensorFlow, PyTorch, MXNet) and GPU drivers, allowing you to build, train, and deploy custom ML models on EC2 instances. Amazon SageMaker (E) is a fully managed service that provides end-to-end capabilities for building, training, and deploying custom ML models at scale, with built-in algorithms, automatic model tuning, and one-click deployment.

Exam trap

The trap here is that candidates confuse pre-built AI services (Polly, Lex, Rekognition) with platforms that allow custom model development, leading them to select services that only consume pre-trained models rather than build and train custom ones.

275
MCQ · easy

A media company uses Amazon Transcribe for automatic speech recognition. They discover the model has higher error rates for non-native English speakers. Which Responsible AI principle are they failing to uphold?

A. Fairness
B. Explainability
C. Robustness
D. Privacy
Answer: A

Fairness addresses disparate impact.

Why this answer

Option A is correct: Fairness requires equitable performance across groups. Option B is wrong: Explainability is about transparency. Option C is wrong: Robustness is about reliability under varied conditions. Option D is wrong: Privacy is about data protection.

276
MCQ · medium

A company is using Amazon Bedrock to generate marketing copy. They want to evaluate the quality of the generated text. Which metric is MOST suitable for assessing the relevance and coherence of the content?

A. Accuracy
B. ROUGE-N
C. Perplexity
D. BLEU score
Answer: B

ROUGE-N compares n-gram overlap, suitable for summarization and copy.

Why this answer

ROUGE-N (Recall-Oriented Understudy for Gisting Evaluation) measures the overlap of n-grams between generated text and reference text, making it suitable for assessing relevance and coherence in content generation tasks like marketing copy. It evaluates how well the generated text captures key phrases and maintains logical flow, which aligns with the need to assess content quality beyond simple factual accuracy.

Exam trap

AWS often tests the distinction between metrics designed for translation (BLEU) versus summarization/generation (ROUGE), leading candidates to mistakenly choose BLEU for coherence evaluation when ROUGE is the correct choice for recall-based content assessment.

How to eliminate wrong answers

Option A is wrong because Accuracy is a classification metric (e.g., correct predictions/total predictions) and does not measure text relevance or coherence; it is irrelevant for generative text evaluation. Option C is wrong because Perplexity measures how well a language model predicts a sequence (lower is better for fluency) but does not directly assess relevance or coherence against a reference; it is a model-internal metric, not a quality metric for generated content. Option D is wrong because BLEU score (Bilingual Evaluation Understudy) is primarily designed for machine translation, focusing on precision of n-gram matches, and is less sensitive to recall and coherence in single-language text generation tasks like marketing copy.

277
Multi-Select · hard

Which TWO practices help ensure responsible AI when deploying generative AI applications? (Select TWO.)

Select 2 answers
A. Deploy the model without any content filters to maximize creativity
B. Increase model size to improve accuracy at the expense of interpretability
C. Use only synthetic data for training to avoid privacy issues
D. Implement guardrails to filter harmful or inappropriate content
E. Monitor the model's outputs for bias and drift over time
Answers: D, E

Guardrails like Amazon Bedrock Guardrails help enforce content policies and prevent harmful outputs.

Why this answer

Implementing guardrails (e.g., content filtering) and monitoring for bias are key responsible AI practices. Using diverse training data is important but not a deployment practice. Publicly deploying without safeguards is irresponsible.

278
MCQ · hard

A company uses Amazon Bedrock to generate code. They want to ensure the code follows security best practices and does not contain vulnerabilities. Which approach is most effective?

A. Implement a post-processing step using AWS WAF.
B. Use Amazon CodeGuru Security to review generated code.
C. Train a custom model on the company’s secure code.
D. Use a foundation model trained only on secure code.
Answer: B

CodeGuru Security automatically scans code for vulnerabilities and provides actionable recommendations.

Why this answer

Amazon CodeGuru Security reviews code for security vulnerabilities and provides recommendations. Using a model trained on secure code may not be sufficient; WAF is for web traffic; training a custom model requires significant effort and may not catch all issues.

279
Multi-Select · hard

A team is using Amazon Comprehend to analyze customer feedback for sentiment. They want to detect and mitigate potential bias against certain demographic groups. Which TWO approaches should they consider? (Choose TWO.)

Select 2 answers
A. Use AWS WAF to filter out biased comments.
B. Use AWS CloudTrail to audit API calls.
C. Use Amazon Rekognition to verify images.
D. Use SageMaker Clarify to compute bias metrics on the training data.
E. Use Comprehend custom classification with balanced training data across groups.
Answers: D, E

Clarify supports NLP bias detection and can analyze text datasets.

Why this answer

SageMaker Clarify can compute bias metrics on text data, and training with balanced data reduces bias. WAF is for web security, Rekognition is for image/video, CloudTrail is for auditing API calls – none are relevant to bias in NLP models.

280
Multi-Select · medium

Which TWO actions are best practices when deploying foundation models on Amazon SageMaker for production? (Choose TWO.)

Select 2 answers
A. Manually warm up endpoints by sending dummy requests before traffic spikes.
B. Create a separate endpoint for each model to isolate traffic.
C. Use multi-model endpoints (MMEs) to serve multiple models on a single instance.
D. Implement inference pipelines to handle preprocessing and postprocessing steps separately.
E. Deploy models directly to production without load testing to avoid delays.
Answers: C, D

MMEs optimize resource utilization and reduce costs for multiple models.

Why this answer

Option C is correct because Amazon SageMaker Multi-Model Endpoints (MMEs) allow you to host multiple models on a single instance, which reduces hosting costs by sharing resources across models while still providing low-latency inference. This is a best practice for production deployments where you need to serve many models efficiently without provisioning separate endpoints for each.

Exam trap

AWS often tests the misconception that manual endpoint warm-up is necessary for production traffic spikes, but SageMaker's auto-scaling and built-in health checks handle this automatically, making option A a common distractor.

281
MCQ · medium

Refer to the exhibit. A user invokes Claude v2 using the AWS CLI. The response is truncated. What is the most likely cause?

A. The AWS CLI is missing the --endpoint-url parameter.
B. The max_tokens_to_sample is too low.
C. The model does not support this use case.
D. The prompt includes a stop sequence 'Assistant:'.
Answer: D

Claude uses 'Assistant:' as a stop sequence, causing it to stop generating after its response.

Why this answer

Option D is correct because the prompt includes the stop sequence 'Assistant:', which causes the model to halt generation as soon as it encounters that token sequence. In Claude v2, stop sequences are used to control the output length and structure; when the model generates the exact stop sequence, it truncates the response at that point, even if more content could have been produced.

Exam trap

Cisco often tests the distinction between token limits and stop sequences, where candidates mistakenly attribute truncation to max_tokens_to_sample when the actual cause is a configured stop sequence in the prompt or API parameters.

How to eliminate wrong answers

Option A is wrong because the --endpoint-url parameter is used to specify a custom endpoint for the AWS CLI, but its absence does not cause response truncation; it would instead result in a connection error or default endpoint usage. Option B is wrong because max_tokens_to_sample controls the maximum number of tokens the model can generate, but if it were too low, the response would be cut off at that token limit, not at a specific stop sequence; the question states the response is truncated, not that it reached a token limit. Option C is wrong because Claude v2 supports a wide range of use cases including text generation, and the model's capability is not the cause of truncation; truncation is explicitly controlled by stop sequences or token limits.

282
MCQ · easy

A company uses Amazon Bedrock to generate product descriptions. They notice that the output sometimes contains incorrect information. What should they do to improve accuracy?

A. Increase the temperature parameter.
B. Implement Retrieval-Augmented Generation (RAG).
C. Use a larger foundation model.
D. Use AWS WAF to filter outputs.
Answer: B

RAG retrieves relevant information from a knowledge base to augment the prompt, improving factual accuracy.

Why this answer

Option B is correct because Retrieval-Augmented Generation (RAG) enhances the accuracy of foundation model outputs by grounding the generation in authoritative, up-to-date external knowledge sources. Instead of relying solely on the model's parametric memory, RAG retrieves relevant documents or data from a vector database (e.g., Amazon OpenSearch Serverless) and injects them into the prompt context, reducing hallucinations and incorrect information in product descriptions.

Exam trap

AWS often tests the misconception that simply using a larger or more powerful model (Option C) is the universal fix for accuracy issues, when in fact the root cause of hallucinations is often a lack of grounded, retrievable context that RAG specifically addresses.

How to eliminate wrong answers

Option A is wrong because increasing the temperature parameter makes the model's output more random and creative, which would likely increase, not decrease, the frequency of incorrect information. Option C is wrong because using a larger foundation model does not inherently fix factual accuracy; larger models can still hallucinate or produce outdated information without access to current or domain-specific data. Option D is wrong because AWS WAF is a web application firewall that filters HTTP traffic for security threats (e.g., SQL injection, XSS) and has no mechanism to validate or correct the factual accuracy of generated text.

283
MCQ · medium

A data scientist runs the above AWS CLI command and receives the error. What is the most likely cause?

A. The IAM role does not have permissions.
B. The model is being updated.
C. The model is being deprecated.
D. The model is not supported in the current AWS region.
Answer: D

Foundation models are region-specific; the chosen model may not be available in the region used.

Why this answer

The ModelNotReadyException typically indicates the model is not available in the current region. The model may not be supported or is still being deployed. The error does not suggest deprecation, updating, or permissions issues.

284
MCQ · medium

Refer to the exhibit. A company sets up a knowledge base for a customer support chatbot using Amazon Bedrock. Users report that the chatbot misses relevant details from long documents. Which change to the data source configuration would most likely improve retrieval?

A. Increase the chunk size in FIXED_SIZE chunking
B. Change chunking strategy to SEMANTIC
C. Add more documents to the S3 bucket
D. Change the embedding model to a larger one
Answer: B

Semantic chunking groups related content, preserving context and improving retrieval accuracy.

Why this answer

The chunking strategy is set to FIXED_SIZE, which may split documents into chunks that are too small or lose context. Switching to SEMANTIC chunking improves retrieval by grouping paragraphs with similar meaning.

285
MCQ · easy

A company wants to build a generative AI application that can summarize customer support tickets. They need to ensure the model stays up-to-date with the latest product documentation without retraining. Which AWS service would best support this requirement?

A. Amazon Bedrock with Retrieval Augmented Generation (RAG)
B. Amazon Comprehend
C. Amazon Rekognition
D. Amazon SageMaker Ground Truth
Answer: A

Amazon Bedrock supports RAG, which enables the model to retrieve current information from a knowledge base, keeping summaries up-to-date without retraining.

Why this answer

Option A is correct because Amazon Bedrock with RAG allows the model to retrieve and incorporate up-to-date information from external sources without retraining. Option B (Amazon Comprehend) is for NLP but not generative summarization with live updates. Option C (Amazon Rekognition) is for image/video analysis. Option D (Amazon SageMaker Ground Truth) is for data labeling.

286
MCQ · easy

A company uses Amazon Bedrock to power a generative chatbot for employee onboarding. Recently, some employees reported that the chatbot occasionally provides responses that contain biased or offensive language. The company has a strict policy for respectful communication. They want to implement a solution quickly without retraining the model. Which action should they take?

A. Add a human reviewer to approve every response.
B. Use a different foundational model known for unbiased outputs.
C. Enable Amazon Bedrock's built-in content moderation filters.
D. Fine-tune the model on a dataset of polite conversations.
Answer: C

Guardrails can be activated immediately to filter harmful content.

Why this answer

Option C is correct because Amazon Bedrock's built-in content moderation filters (Guardrails) can be applied immediately to filter biased or offensive content without retraining. Option D (fine-tuning) is time-consuming and requires a dataset. Option B (switch model) may not be quick and could still produce biased outputs. Option A (human reviewer) is slow and not scalable.

287
MCQ · easy

A developer wants to experiment with a foundation model for code generation without writing any code. Which AWS service provides a playground for models like CodeWhisperer?

A. Amazon CodeGuru
B. AWS Lambda
C. Amazon SageMaker Studio
D. Amazon Bedrock Playground
Answer: D

Bedrock provides a no-code playground to test models like Claude or CodeWhisperer.

Why this answer

Amazon Bedrock Playground is the correct answer because it provides a web-based interface for experimenting with foundation models (FMs) from providers like AI21 Labs, Anthropic, Cohere, Meta, Stability AI, and Amazon itself, including the CodeWhisperer model for code generation. This allows the developer to test prompts, adjust parameters, and see model responses without writing any code, directly fulfilling the requirement of a no-code playground.

Exam trap

The trap here is that candidates may confuse Amazon SageMaker Studio (a full ML development environment) with a no-code playground, overlooking that Bedrock Playground is specifically designed for zero-code experimentation with foundation models like CodeWhisperer.

How to eliminate wrong answers

Option A is wrong because Amazon CodeGuru is a service for automated code reviews and application profiling, not a playground for experimenting with foundation models or code generation. Option B is wrong because AWS Lambda is a serverless compute service for running code in response to events, not a no-code environment for testing foundation models. Option C is wrong because Amazon SageMaker Studio is an integrated development environment (IDE) for building, training, and deploying machine learning models, which typically requires writing code (e.g., Python notebooks) and is not a simple playground for foundation model experimentation without coding.

288
MCQ · medium

A government agency is deploying an AI system to detect fraudulent benefit claims. The system uses a neural network trained on historical claims data, which includes a disproportionate number of false positives from a particular ethnic group due to historical over-policing. The agency must ensure the system does not perpetuate discrimination. They have a rigorous testing procedure but limited budget. The project lead wants to balance fairness with detection performance. Which combination of steps should they prioritize?

A. Remove the race feature from the model and rely on performance metrics alone
B. Replace the neural network with a logistic regression model retrained on the same data
C. Rebalance the training data to have equal representation across groups and evaluate using a fairness metric like equal opportunity
D. Use a post-hoc explainability tool to identify biased predictions and manually override them
Answer: C

Rebalancing data and using fairness metrics directly mitigate bias and measure progress.

Why this answer

The most effective approach is to rebalance the training data to be more representative and to use a fairness metric, such as equal opportunity, during evaluation. This directly addresses the data bias and quantifies fairness. Excluding race features may still leave proxies. Using a simpler model may not eliminate bias if data is biased. Post-hoc explanations help understand bias but do not fix it.

289
MCQ · hard

A company is deploying a generative AI model that produces text summaries of legal documents. To comply with responsible AI guidelines, which of the following is the most critical to ensure transparency?

A. Informing users that the summaries are generated by AI
B. Ensuring the model does not reflect biases from training data
C. Achieving high performance on summary quality metrics
D. Guaranteeing the summaries are factually accurate
Answer: A

Disclosing AI-generated content is a key transparency requirement.

Why this answer

Transparency requires that users know when they are interacting with AI. Disclosing that the summaries are AI-generated is fundamental. Accuracy, bias mitigation, and performance are important but do not directly address transparency about AI use.

290
Multi-Select · medium

Which TWO techniques are commonly used to prevent overfitting in machine learning models? (Select TWO.)

Select 2 answers
A. Add more irrelevant features
B. Use cross-validation
C. Increase model complexity
D. Reduce the amount of training data
E. Use regularization
Answers: B, E

Cross-validation helps assess model generalization and can indicate overfitting.

Why this answer

Cross-validation helps prevent overfitting by partitioning the training data into multiple folds, training the model on different subsets, and validating on held-out portions. This provides a more robust estimate of model performance on unseen data and reduces the risk of memorizing noise in a single train-test split.

Exam trap

AWS often tests the misconception that adding more data or features always helps model performance, when in fact irrelevant features or reducing training data can worsen overfitting, and candidates may incorrectly associate 'more complexity' with better generalization.

291
MCQ · medium

A financial services firm fine-tuned a generative AI model on Amazon SageMaker to summarize quarterly reports. The summaries often miss key financial metrics such as revenue and profit margins. The fine-tuning dataset contained full reports with summaries that included these metrics. The model appears to understand the reports but omits critical numbers. Which course of action would most likely improve the summaries?

A. Re-fine-tune using a carefully crafted dataset that includes explicit instructions to include key metrics and provides examples of correct summaries
B. Increase the maximum number of tokens in the summary
C. Switch to a different pre-trained model like Claude instead of the current one
D. Implement a post-processing Lambda function that extracts metrics from the original report and appends them to the summary
Answer: A

Better alignment through example prompts and targets teaches the model to focus on essential numbers.

Why this answer

The fine-tuning dataset likely lacks explicit instruction in the prompts to include specific metrics. Re-fine-tuning with examples that emphasize extracting and reporting numbers, or using a format that forces structured output, would help. Increasing length may include more text but not guarantee key metrics.

Changing model or post-processing won't fix the underlying training deficiency.

292
MCQ · hard

An ML engineer wants to store training data in a format optimized for linear data scanning and columnar access in SageMaker. Which format is most appropriate?

A. JSON
B. Image (JPEG/PNG)
C. Parquet
D. CSV
Answer: C

Parquet is columnar and optimized for analytical queries.

Why this answer

Parquet is a columnar storage format optimized for both linear data scanning and columnar access, making it ideal for training data in SageMaker. It reduces I/O by storing data by columns rather than rows, enabling efficient retrieval of specific features during model training.

Exam trap

AWS often tests the misconception that CSV is the most efficient format for training data, but Parquet's columnar storage and compression provide superior performance for linear scanning and columnar access in distributed ML pipelines.

How to eliminate wrong answers

Option A is wrong because JSON is a row-oriented text format that requires full parsing for columnar access, leading to high I/O overhead and slower linear scans. Option B is wrong because image formats like JPEG/PNG are binary and designed for visual data, not structured tabular data, and lack columnar access capabilities. Option D is wrong because CSV is a row-oriented text format that, while simple, requires scanning entire rows to access specific columns and lacks compression and schema optimization.

293
MCQ · hard

A company uses Amazon SageMaker to host a model for fraud detection. The model must be re-evaluated for bias on a monthly basis. Which SageMaker feature can be used to detect bias in a trained model?

A. SageMaker Debugger
B. SageMaker Model Monitor
C. SageMaker Clarify
D. SageMaker Autopilot
Answer: C

Clarify provides bias detection and explainability.

Why this answer

SageMaker Clarify is the correct choice because it is specifically designed to detect bias in machine learning models and data. It provides built-in capabilities to evaluate bias metrics (e.g., difference in positive proportions, disparate impact) both before training (pre-training bias) and after training (post-training bias), making it suitable for the monthly re-evaluation requirement.

Exam trap

The trap here is that candidates confuse SageMaker Model Monitor (which monitors data drift) with bias detection, but Model Monitor does not evaluate model fairness or bias metrics.

How to eliminate wrong answers

Option A is wrong because SageMaker Debugger is used for monitoring training jobs in real time to detect issues like vanishing gradients or overfitting, not for bias detection. Option B is wrong because SageMaker Model Monitor focuses on detecting data drift and quality issues in deployed endpoints, not on evaluating model bias. Option D is wrong because SageMaker Autopilot automates the process of building, training, and tuning models, but it does not include built-in bias detection capabilities.

294
Multi-Select · medium

A company is building a generative AI application to generate product descriptions from customer reviews. They want to use Amazon Bedrock to access a foundation model. Which TWO actions should the company take to ensure responsible AI practices?

Select 2 answers
A. Use a single foundation model without any customization to avoid bias.
B. Implement human review of all generated descriptions before publication.
C. Monitor and log model inputs and outputs for auditing.
D. Regularly evaluate model performance and fine-tune with diverse data.
E. Disable content filtering to allow maximum creativity.
Answers: B, C

Human review provides oversight to catch harmful or biased outputs.

Why this answer

Options B and C are correct. Implementing human review (B) ensures oversight and catches harmful outputs. Monitoring and logging (C) enables auditing and detection of misuse.

Option A is incorrect because using a single model does not automatically avoid bias; customization may be needed. Option E is incorrect because disabling content filtering increases the risk of generating inappropriate content. Option D is plausible but not a requirement specific to responsible AI; evaluation is part of ongoing improvement but not the immediate action.

295
MCQ · medium

A team is using Amazon SageMaker to deploy a real-time inference endpoint. The endpoint must be accessible only from a specific IP range and must automatically scale based on request volume. Which configuration meets these requirements?

A. Deploy the endpoint in a public subnet with a security group allowing the IP range.
B. Configure the endpoint with a VPC and attach a security group that allows inbound traffic from the IP range, and enable automatic scaling for the endpoint.
C. Deploy the endpoint with a VPC and use a Network Load Balancer with target group health checks.
D. Deploy the endpoint with an AWS WAF ACL to filter by IP and enable auto scaling for the endpoint.
Answer: B

VPC security group restricts by IP and automatic scaling handles demand.

Why this answer

Option B is correct because Amazon SageMaker endpoints can be deployed within a VPC, allowing you to attach a security group that restricts inbound traffic to a specific IP range. Additionally, SageMaker supports automatic scaling for real-time endpoints using Application Auto Scaling, which adjusts the number of instances based on request volume metrics like InvocationsPerInstance.

Exam trap

The trap here is that candidates often confuse network-level access control (security groups in a VPC) with application-layer filtering (AWS WAF) or assume that a public subnet with a security group is sufficient, not realizing that SageMaker endpoints in a public subnet are still internet-facing and cannot be restricted to a specific IP range without a VPC.

How to eliminate wrong answers

Option A is wrong because deploying the endpoint in a public subnet exposes it to the internet, and a security group alone cannot restrict access to a specific IP range if the endpoint is publicly accessible; SageMaker endpoints in public subnets are not supported for IP-based restriction without a VPC. Option C is wrong because while a Network Load Balancer (NLB) can provide health checks and distribute traffic, SageMaker endpoints do not require an NLB for IP-based access control or scaling; the VPC and security group configuration already handles access control, and NLB is not a standard component for SageMaker endpoint deployment. Option D is wrong because AWS WAF is a web application firewall that operates at the application layer (HTTP/HTTPS) and is typically associated with API Gateway or CloudFront, not directly with SageMaker endpoints; SageMaker endpoints do not natively integrate with AWS WAF for IP filtering, and using WAF would not replace the need for VPC-based network controls.

296
MCQ · medium

Refer to the exhibit. A developer has attached this IAM policy to their user. When trying to invoke the Anthropic Claude v2 model using the Bedrock runtime, they receive an AccessDeniedException. Which change to the policy would resolve the issue?

A. Add the bedrock:InvokeModelWithResponseStream action
B. Change the Action to bedrock:ListFoundationModels
C. Change the Resource to arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-v2
D. Remove the Resource element and set Effect to Deny
Answer: C

Correct. This ARN matches the Claude v2 model, allowing invocation.

Why this answer

The policy grants access only to the Titan model resource. To invoke Claude v2, the resource must match the Claude model ARN. Adding other actions or removing the resource condition would not grant the correct access; listing models does not allow invocation.

297
MCQ · hard

A healthcare company wants to use generative AI to automatically generate patient summary reports from electronic health records (EHRs). The solution must be HIPAA compliant and data must not leave AWS. They plan to use Amazon Bedrock with a foundation model. The EHR data is stored in Amazon S3 and contains protected health information (PHI). Which approach best meets compliance requirements?

A. Use Amazon Bedrock with a HIPAA-eligible account, enable encryption with KMS, and de-identify PHI in the prompt
B. Use a publicly available foundation model API outside AWS for better accuracy
C. Use Amazon Comprehend Medical for entity extraction and then feed results into a model on Amazon Bedrock without de-identification
D. Use Amazon SageMaker with a public model from the internet without encryption
Answer: A

Bedrock is HIPAA-eligible when used with AWS Organizations and BAA; de-identification and KMS encryption protect PHI.

Why this answer

Amazon Bedrock operates within a HIPAA-eligible environment when configured appropriately, and using AWS KMS for encryption and not storing PHI in prompts (using de-identification) can maintain compliance. Using public models or non-HIPAA services would violate requirements. SageMaker with encryption can also be HIPAA-eligible, but Bedrock with proper settings is simpler.

298
MCQ · medium

A machine learning engineer notices that a SageMaker training job failed due to insufficient permissions to access a KMS-encrypted S3 bucket. The training job's IAM role has S3 access permissions. What should be done to resolve the issue?

A. Create a new KMS key and re-encrypt the data
B. Assign the SageMakerFullAccess policy to the role
C. Add a kms:Decrypt permission to the IAM role for the specific KMS key used to encrypt the S3 bucket
D. Change the S3 bucket's default encryption to S3-managed keys (SSE-S3)
Answer: C

The role needs decryption permissions to access the encrypted data.

Why this answer

The training job failed because the IAM role lacks permission to decrypt the KMS key used for S3 server-side encryption. Even with S3 access permissions, SageMaker cannot read encrypted objects without the kms:Decrypt action on the specific KMS key. Adding kms:Decrypt to the role's policy for that key resolves the issue.

Exam trap

The trap here is that candidates assume S3 permissions alone are sufficient, overlooking that KMS-encrypted objects require explicit kms:Decrypt permissions on the IAM role, not just S3 bucket policies or managed policies like SageMakerFullAccess.

How to eliminate wrong answers

Option A is wrong because creating a new KMS key and re-encrypting the data is unnecessary and disruptive; the existing key can be used if the IAM role is granted the proper decrypt permission. Option B is wrong because SageMakerFullAccess is an AWS managed policy that does not include KMS permissions for customer-managed keys; it only grants basic SageMaker and S3 access, so it would not resolve the KMS decryption failure. Option D is wrong because changing the bucket's default encryption to SSE-S3 removes KMS encryption, which may violate security or compliance requirements, and is an overreaction when a simple IAM permission update can fix the issue.

299
MCQ · medium

A company is using Amazon Bedrock to generate code snippets. They notice the model occasionally generates code that fails to compile. What is the most effective way to improve code quality without retraining?

A. Reduce the temperature parameter to 0 for deterministic output.
B. Increase the max token limit to allow the model to complete the code fully.
C. Fine-tune the model on a dataset of correct code snippets.
D. Use few-shot prompt engineering with correct code examples and formatting instructions.
Answer: D

Examples help the model understand the expected output and reduce errors.

Why this answer

Option D is correct because prompt engineering with examples and constraints can guide the model to produce more accurate code. Option A is wrong because reducing temperature increases determinism but doesn't guarantee correctness. Option C is wrong because fine-tuning is expensive and may overfit.

Option B is wrong because increasing max tokens may lead to more errors.

300
MCQ · easy

A developer wants to test different prompt variations for a chatbot without making repeated API calls. Which Amazon Bedrock feature can help compare model responses?

A. Model evaluation on Amazon SageMaker
B. Amazon Bedrock Playground
C. AWS Security Token Service (STS)
D. Amazon CloudWatch Logs
Answer: B

The playground allows developers to test and compare prompts interactively.

Why this answer

Option B is correct because Amazon Bedrock Playground provides an interactive interface to experiment with prompts and compare outputs side by side. Option D (CloudWatch Logs) is for monitoring. Option A (Model evaluation on SageMaker) is for offline evaluation.

Option C (AWS STS) is for security tokens.
