Refer to the exhibit. A developer deploys this CloudFormation stack but the agent fails to query the knowledge base. What is a likely cause?
The agent's IAM role must have bedrock:InvokeKnowledgeBase permission.
Why this answer
The correct answer is B because the agent role must have an IAM policy that grants the `bedrock:Retrieve` and `bedrock:RetrieveAndGenerate` permissions on the knowledge base. Without these permissions, the agent cannot invoke the knowledge base, even if the KnowledgeBaseId is correctly passed and the embedding model is available.
Exam trap
AWS often tests the distinction between resource creation permissions and runtime invocation permissions, trapping candidates who assume that a successful stack deployment implies all runtime permissions are correctly configured.
How to eliminate wrong answers
Option A is wrong because if the KnowledgeBaseId were not passed correctly, the stack would likely fail during creation or the agent would receive a different error (e.g., resource not found), not a generic failure to query. Option C is wrong because if the embedding model were not available in the region, the CloudFormation stack itself would fail during creation of the knowledge base, not during a subsequent query. Option D is wrong because the OpenSearch collection type for a knowledge base must be `VECTORSEARCH` to store and query vector embeddings; `SEARCH` is used for full-text search and does not support the vector similarity search required by the knowledge base.