AIF-C01 · topic practice

Security, Compliance and Governance for AI Solutions practice questions

Practise AWS Certified AI Practitioner AIF-C01 Security, Compliance and Governance for AI Solutions practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security, Compliance and Governance for AI Solutions

What the exam tests

What to know about Security, Compliance and Governance for AI Solutions

Security, Compliance and Governance for AI Solutions questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security, Compliance and Governance for AI Solutions exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security, Compliance and Governance for AI Solutions questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A healthcare company is deploying a machine learning model on Amazon SageMaker to analyze patient records. The model requires access to a DynamoDB table containing patient data. Which combination of AWS services and features should the company use to restrict access to only the necessary resources?

A company uses Amazon Rekognition to analyze images stored in an S3 bucket. The security team requires that all image analysis be logged to AWS CloudTrail for auditing. What is the minimum configuration needed to meet this requirement?

Question 3 · hard · multiple choice

A financial services company is building a predictive model using Amazon SageMaker. The model training data contains personally identifiable information (PII). The company must ensure that the data is encrypted at rest and in transit, and that access to the data is logged. Which combination of AWS services meets these requirements?

A data scientist needs to grant an IAM user access to a specific Amazon SageMaker notebook instance. The user should only be able to start and stop the notebook instance, but not delete it. Which IAM policy statement should be used?

A company is using Amazon Comprehend to extract entities from customer support tickets. The compliance team requires that the text sent to Comprehend be encrypted in transit and that Comprehend does not store any data beyond the processing time. How should the company configure the API call?

Question 6 · hard · multiple choice

A company uses Amazon SageMaker to host a real-time inference endpoint. The model was trained on sensitive data, and the company wants to ensure that the data sent to the endpoint is encrypted in transit. Additionally, the company wants to restrict access to the endpoint to only traffic originating from a specific VPC. Which configuration meets these requirements?

A company is using Amazon Textract to extract text from scanned documents stored in an S3 bucket. The security team requires that all access to the documents be logged and that the documents be encrypted at rest using a customer-managed key. What should the company do to meet these requirements?

A company is using Amazon SageMaker to train machine learning models. The security team wants to ensure that the training data is encrypted at rest and that the SageMaker notebook instances cannot access the internet. Which TWO actions should the company take? (Choose TWO.)

A company is deploying an Amazon Lex chatbot that processes customer credit card information. The company must ensure that the chatbot does not log sensitive data and that the data is encrypted in transit. Which THREE actions should the company take? (Choose THREE.)

A company is using Amazon Rekognition to detect objects in images stored in an S3 bucket. The company needs to ensure that the Rekognition service has permission to read images from the S3 bucket. Which TWO methods can achieve this? (Choose TWO.)

Refer to the exhibit. An IAM policy is attached to a role used by an Amazon SageMaker notebook instance. The notebook instance attempts to upload a model artifact to the S3 bucket 'my-bucket' without specifying server-side encryption. What will happen?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}

Refer to the exhibit. A company has the S3 bucket policy shown in the exhibit. The company uses Amazon Rekognition to analyze images in the 'my-images' bucket. An IAM role used by a Lambda function calls Rekognition. Why might Rekognition be unable to read images from the bucket?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "rekognition.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-images/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        }
      }
    }
  ]
}

Question 13 · hard · multiple choice

A company is deploying a generative AI model on Amazon Bedrock. The model is accessed by an application running on Amazon ECS Fargate. The security team requires that all data sent to and from the Bedrock model be encrypted in transit, and that the ECS task does not have internet access. The ECS tasks are launched in a private VPC subnet with a VPC endpoint for Bedrock configured. However, when the application attempts to invoke the Bedrock model, the call fails with a timeout error. The VPC endpoint policy is set to allow all actions from all principals. What is the most likely cause of the failure?

Question 14 · hard · multiple choice

A healthcare company is using Amazon SageMaker to train and deploy a model that predicts patient readmission risk. The model uses sensitive protected health information (PHI). The company must ensure that data is encrypted at rest and in transit, and that access to the model endpoint is restricted to authorized applications only. The security team has configured AWS KMS customer managed keys for encryption, and IAM roles for SageMaker execution. However, during a security audit, it was discovered that the model endpoint is accessible from the internet and that the data used for training was stored in an S3 bucket with default encryption enabled. The compliance team requires that all PHI data be encrypted with a key that is rotated annually, and that no public access is allowed to the endpoint or training data. Which combination of actions should the ML engineer take to remediate these issues?

A company is using Amazon Bedrock to generate responses for customer support. They want to ensure that the model does not expose personally identifiable information (PII) in its outputs. Which AWS feature can be configured to automatically redact PII from model responses?

A machine learning team needs to share a trained model with multiple teams across different AWS accounts. The model artifacts are stored in an S3 bucket in the central account. What is the most secure way to grant cross-account read access to the model artifacts?

A company is using Amazon SageMaker to train a model. The training data is stored in an S3 bucket that is encrypted with an AWS KMS customer managed key (CMK). The training job fails with an error indicating that the SageMaker execution role does not have permission to decrypt the data. The administrator has verified that the execution role has the kms:Decrypt permission. What additional permission might be missing?

A company wants to monitor for malicious activity in their machine learning pipelines, such as unauthorized access to training data or model artifacts. Which AWS service can provide automated threat detection and continuous monitoring?

A data scientist is using Amazon SageMaker Studio. The company policy requires that all data used in SageMaker Studio notebooks be encrypted at rest and in transit. Which configuration should be enabled to meet this requirement?

An organization uses Amazon Bedrock to generate content. They have implemented guardrails to block toxic content. However, some users are able to bypass the guardrails by encoding their prompts. What step should be taken to improve security?


Frequently asked questions

What does the AIF-C01 exam test about Security, Compliance and Governance for AI Solutions?
Security, Compliance and Governance for AI Solutions questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security, Compliance and Governance for AI Solutions questions in a focused session?
Yes — the session launcher on this page draws every question from the Security, Compliance and Governance for AI Solutions domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other AIF-C01 topics?
Use the topic links above to move to related areas, or go back to the AIF-C01 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the AIF-C01 exam covers. They are not copied from any real exam or dump site.