AWS Certified Generative AI – Professional (AIP-C01) — Question 28

A company configures a landing zone in AWS Control Tower. The company handles sensitive data that must remain within the European Union. The company must use only the eu-central-1 Region. The company uses SCPs to enforce data residency policies. GenAI developers at the company are assigned IAM roles that have full permissions for Amazon Bedrock.
The company must ensure that GenAI developers can use the Amazon Nova Pro model through Amazon Bedrock only by using cross-Region inference (CRI) and only in eu-central-1. The company enables model access for the GenAI developer IAM roles in Amazon Bedrock. However, when a GenAI developer attempts to invoke the model through the Amazon Bedrock Chat/Text playground, the GenAI developer receives the following error:
User: arn:aws:sts::123456789012:assumed-role/AssumedDevRole/DevUserName
Action: bedrock:InvokeModelWithResponseStream
On resource(s): arn:aws:bedrock:eu-west-3::foundation-model/amazon.nova-pro-v1:0
Context: a service control policy explicitly denies the action
The company needs a solution to resolve the error. The solution must retain the company's existing governance controls and must provide precise access control. The solution must comply with the company's existing data residency policies.
Which combination of solutions will meet these requirements? (Choose two.)

Answer options

Correct answer: B, D

Explanation

Answers B and D are both required: they adjust the SCPs to allow cross-Region inference and ensure that permissions are granted for invoking the model in all applicable EU Regions. Option A does not align with the need to maintain governance controls, and option C would not comply with the data residency requirement of using only eu-central-1. Option E is too broad and does not specifically address model access in the required context.