Step 5 — Security & Exam Prep
You’ve covered the concepts. Now let’s cover the two things that actually decide whether you pass: locking down generative AI workloads the way AWS expects, and knowing exactly how the exam itself is put together so nothing on test day catches you off guard.
Data Privacy: What Happens to Your Prompt
A question worth asking before you send anything to a foundation model: where does this data go, and who else can see it? For Bedrock specifically, AWS’s stated model is that your prompts and the model’s responses are not used to train the underlying foundation models, and your content isn’t shared with the model provider beyond what’s needed to process your request. That distinction — your data isn’t training material for someone else’s future model — is exactly the kind of detail the exam likes to test, because it’s the difference between a compliance-safe design and one that leaks proprietary information into a third party’s future training set.
Practically, this means a few habits matter regardless of which foundation model you’re calling:
- Never place secrets, credentials, or unredacted PII directly into a prompt if you can avoid it — treat prompts the way you’d treat a log line that might be retained
- Use Guardrails for Bedrock to catch and redact PII automatically rather than relying purely on discipline
- Understand what data residency and retention commitments apply to the specific service and region you’re using, since compliance requirements (healthcare, finance, government) often dictate where data can legally sit
IAM for Bedrock: Least Privilege Still Applies
Generative AI doesn’t get a pass on IAM fundamentals — if anything, it raises the stakes, because a single overly broad permission can let a compromised application invoke expensive models, exfiltrate data through a Knowledge Base, or execute an unintended action through an Agent.
IAM Policy for a Bedrock-Backed Application
┌─────────────────────────────────────────────────────┐
│ Action: bedrock:InvokeModel                         │
│ Resource: specific model ARN only                   │
│           (not "*" across every model)              │
│                                                     │
│ Action: bedrock:Retrieve                            │
│ Resource: specific Knowledge Base ARN only          │
│                                                     │
│ Condition: restrict by VPC endpoint, source IP,     │
│            or request tag as appropriate            │
└─────────────────────────────────────────────────────┘
A few specifics worth locking in:
- Scope InvokeModel permissions to the specific model(s) an application actually needs, not a blanket allow across every model Bedrock offers
- If you’re using Bedrock Agents, remember the agent’s action groups call other AWS services (Lambda functions, APIs) on your behalf — each of those needs its own least-privilege role, since an overly permissive agent can take unintended real-world actions, not just return bad text
- Use VPC endpoints (interface endpoints) to keep Bedrock traffic off the public internet where your compliance posture requires it
- Encrypt data at rest (S3 buckets backing a Knowledge Base, for example) using KMS, and encrypt data in transit using TLS — Bedrock and related services support this by default, but you’re still responsible for how you configure the surrounding resources under the shared responsibility model
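The policy shape described above can be checked mechanically. The following is an added example, not code from the original guide or from AWS: it lints an IAM policy document for wildcard Bedrock actions, wildcard resources, and a missing restricting condition. The function name is hypothetical, and the account ID, model ID, Knowledge Base ID and VPC endpoint ID are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Actions the section says to scope to specific ARNs (compared lowercase).
SCOPED_ACTIONS = ("bedrock:invokemodel", "bedrock:retrieve")
NETWORK_KEYS = {"aws:sourcevpce", "aws:sourceip"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_bedrock_policy(policy):
    """Return (sid, finding) pairs for Allow statements covering Bedrock calls."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain wildcards.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        covering = [a for a in actions
                    if any(fnmatchcase(s, a) for s in SCOPED_ACTIONS)]
        if not covering:
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if any("*" in a for a in covering):
            findings.append((sid, "wildcard-action"))
        if any("*" in r for r in _as_list(stmt.get("Resource", []))):
            findings.append((sid, "wildcard-resource"))
        # Advisory: the section asks for a VPC endpoint, source IP or
        # request-tag condition "as appropriate".
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        tagged = any(k.startswith("aws:requesttag/") for k in keys)
        if not (keys & NETWORK_KEYS or tagged):
            findings.append((sid, "no-restricting-condition"))
    return findings

# Constructed sample policies; every identifier below is a placeholder.
VPCE = {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow",
     "Action": "bedrock:*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "InvokeOneModel", "Effect": "Allow",
     "Action": "bedrock:InvokeModel", "Condition": VPCE,
     "Resource": "arn:aws:bedrock:us-east-1::foundation-model/EXAMPLE-MODEL-ID"},
    {"Sid": "RetrieveOneKb", "Effect": "Allow",
     "Action": "bedrock:Retrieve", "Condition": VPCE,
     "Resource": "arn:aws:bedrock:us-east-1:111122223333:knowledge-base/EXAMPLEKBID"}]}

if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_bedrock_policy(doc))
```

The linter only inspects `Action`, `Resource` and `Condition` in Allow statements; policies that rely on `NotAction` or `NotResource` need separate review.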
Compliance Considerations Layered on Top
AI-specific compliance isn’t a separate universe from general AWS compliance — it’s the same shared responsibility thinking, applied to a new kind of workload. A few things the exam expects you to connect:
- AWS maintains compliance certifications and attestations across many of its services, including generative AI services, but your application’s compliance posture still depends on how you configure and use them
- Regulated industries (healthcare under HIPAA, financial services under various regulators) need to evaluate generative AI use cases against the same existing compliance obligations they already have — a chatbot summarizing patient records doesn’t get a free pass just because it’s “AI”
- Data classification still matters: know what data is sensitive before it ever reaches a prompt, a fine-tuning dataset, or a Knowledge Base ingestion pipeline
The AIF-C01 Exam Itself: Domains and Weighting
AWS structures the AI Practitioner exam around four content domains, and the weighting tells you where to spend your study hours. Treat this table as your study-time budget, not just trivia:
| Domain | Approximate Weight | What It Covers |
|---|---|---|
| Fundamentals of AI and ML | ~20% | Core concepts from Step 1 — AI/ML/DL relationships, learning paradigms, ML lifecycle |
| Fundamentals of Generative AI | ~24% | Foundation models, prompting, tokens, embeddings — Step 2 territory |
| Applications of Foundation Models | ~28% | Bedrock, Agents, Knowledge Bases, Amazon Q, choosing the right AI service — Step 3 territory |
| Guidelines for Responsible AI | ~14% | Fairness, bias, explainability, Clarify, Guardrails — Step 4 territory |
| Security, Compliance, and Governance for AI | ~14% | IAM, encryption, compliance, governance — this step |
Notice that “Applications of Foundation Models” carries the heaviest weight — nearly three in ten questions touch that territory. If your study time is uneven, that’s the domain to over-invest in, particularly the distinctions between Bedrock, Amazon Q, and the pre-built AI services covered in Step 3.
A Realistic Study Plan
Week 1 ─── Steps 1–2: fundamentals + generative AI concepts (read, then explain each concept out loud without notes)
Week 2 ─── Step 3: Bedrock deep dive (build one small Bedrock + Knowledge Base example if you can — hands-on time cements the RAG flow better than reading about it)
Week 3 ─── Steps 4–5: responsible AI, security, governance (this is where most candidates under-prepare — don't skip it)
Week 4 ─── Practice exams + targeted review (retake missed-domain questions, don't just re-read notes)
Four weeks is a reasonable pace for someone with general tech background but limited hands-on ML experience. If you already work with SageMaker or Bedrock day to day, you can likely compress this significantly.
Common Traps at the Foundational Level
This is a foundational exam, which means the traps are rarely about obscure trivia — they’re about mixing up adjacent concepts under time pressure. Watch for these specifically:
- Confusing fine-tuning with RAG — Both improve relevance, but only fine-tuning changes model weights. If a question says “keep answers current as documents change daily,” that’s RAG, not fine-tuning, because retraining daily is impractical.
- Confusing Amazon Q with Bedrock — Q is a ready-made assistant experience; Bedrock is the platform for building custom generative applications. A question asking “which service lets developers get AI-powered code suggestions with minimal setup” is pointing at Amazon Q, not “build it yourself on Bedrock.”
- Reaching for Bedrock when a pre-built AI service already solves it — If the task is squarely “extract text from a form” or “detect faces in an image,” that’s Textract or Rekognition. Don’t overcomplicate a simple, well-solved problem.
- Treating statistical bias and fairness bias as the same word with the same meaning — Read context carefully; the exam will place both meanings in the same domain.
- Assuming a bigger context window eliminates the need for RAG — Large context windows help, but grounding in verified, current data is still the point of retrieval-augmented generation, especially for private or frequently changing information.
- Ignoring least-privilege IAM in Bedrock Agent scenarios — Agents that call external actions (refunds, order changes) need scoped-down roles, not broad access, and the exam will test recognizing that risk.
- Skipping the responsible AI and security domains because they “feel less technical” — Combined, they’re roughly as heavily weighted as the fundamentals domain. Under-studying them is a common reason otherwise well-prepared candidates miss the passing score.
Exam Focus: What Questions Test From This Step
- Bedrock’s data privacy stance: customer prompts and outputs are not used to train underlying foundation models
- Applying least-privilege IAM to Bedrock model invocation, Knowledge Base retrieval, and Agent action groups specifically
- Encryption at rest and in transit as a shared responsibility, not something to assume is automatically compliant
- Recognizing that AI workloads inherit existing regulatory obligations (HIPAA, financial regulations) rather than existing outside them
- Knowing the four AIF-C01 domains and their approximate weighting, especially that Applications of Foundation Models carries the most questions
- Avoiding the classic traps: fine-tuning vs. RAG, Amazon Q vs. Bedrock, pre-built AI service vs. custom-built solution, statistical bias vs. fairness bias