For an AI application that uses Bedrock, a company wants to control in fine-grained detail which users and applications can access it. Which AWS feature is the MOST appropriate?

Correct answer: A

Explanation

Select the AWS feature that controls access to an AI system.

  • 1. "which users and applications can access it": a mechanism that defines who can access what is needed.
  • 2. "control in fine-grained detail": IAM, which narrows permissions with roles and policies, applies.
A. Correct

AWS IAM roles and policies

This is correct. AWS IAM is a mechanism that uses roles and policies to define who can do what to which resources. Following the principle of least privilege, it can control access to services such as Bedrock in fine-grained detail.

B. Incorrect

Amazon Macie

Amazon Macie is a data security service that detects and classifies sensitive data (such as personal information) in S3.

Its purpose is discovering sensitive data, not controlling access permissions themselves, so it is incorrect.

C. Incorrect

AWS KMS

AWS KMS is a service that creates and manages encryption keys for data.

It belongs to the same security domain, but what it protects is the contents of data, through encryption; defining "who can access" permissions is IAM's role, so it is incorrect.

D. Incorrect

Amazon GuardDuty

Amazon GuardDuty is a managed threat detection service that continuously analyzes CloudTrail, VPC Flow Logs, DNS logs, and more with machine learning and threat intelligence to automatically detect threats to accounts and workloads. For example, it detects suspicious API calls, access from unexpected regions, and use of possibly compromised credentials, and notifies you as findings with severity.

It only detects threats and alerts you; it is not a feature that defines and controls access in advance, so it is incorrect (defining access permissions is IAM's role).

Key Takeaway

Controlling "who can do what to which resources" is IAM (roles and policies), the foundation of the principle of least privilege. Within the same security domain the roles are divided: Macie detects sensitive data, KMS manages encryption keys, and GuardDuty detects threats; only IAM can define access permissions themselves.