AWSImplementation and Integration

Bedrock Agents & Action Groups — AWS GenAI Dev Practice Question

A representative AWS Generative AI Developer (AWS GenAI Dev) exam question on Bedrock Agents & Action Groups. Work through it below, then read why each option is right or wrong.

Short answer

The correct answer is A. Create a single Bedrock Agent with three action groups. Configure the transfer and balance action groups' Lambda functions to call Amazon Cognito for identity verification before processing, while the report generation action group skips verification..

A single Bedrock Agent with separate action groups provides clean separation of concerns. Each action group has its own Lambda function and OpenAPI schema, allowing the developer to implement identity verification in the transaction-related Lambda functions while keeping the report generation Lambda simple. This is the least operational overhead approach that properly enforces security at the execution layer.

The Question

A financial services company is building an AI assistant using Amazon Bedrock Agents that can check account balances, transfer funds between accounts, and generate monthly spending reports. The assistant must verify the user's identity before performing any financial transaction but should allow spending report generation without additional verification. The developer needs to implement this with the least operational overhead. Which architecture should the developer implement?

ACreate a single Bedrock Agent with three action groups. Configure the transfer and balance action groups' Lambda functions to call Amazon Cognito for identity verification before processing, while the report generation action group skips verification.Correct
BCreate three separate Bedrock Agents — one for each capability — and use a supervisor agent with multi-agent collaboration to route requests, configuring identity verification in the supervisor's instructions.
CCreate a single Bedrock Agent with one action group containing all three operations. Implement identity verification logic in the agent's system prompt using XML tags to define when verification is required.
DCreate a Bedrock Flow with condition nodes that check whether the user request requires identity verification, routing to different Lambda functions accordingly before calling the Bedrock Agent.

Why A is correct

A single Bedrock Agent with separate action groups provides clean separation of concerns. Each action group has its own Lambda function and OpenAPI schema, allowing the developer to implement identity verification in the transaction-related Lambda functions while keeping the report generation Lambda simple. This is the least operational overhead approach that properly enforces security at the execution layer.

Why the other options are wrong

Option B: Create three separate Bedrock Agents — one for each capability — and use a supervisor agent with multi-agent collaboration to route requests, configuring identity verification in the supervisor's instructions.

Three separate agents with multi-agent collaboration is over-engineered for this use case. It adds significant operational overhead (managing multiple agents, IAM roles, and the supervisor configuration) when a single agent with multiple action groups achieves the same result.

Option C: Create a single Bedrock Agent with one action group containing all three operations. Implement identity verification logic in the agent's system prompt using XML tags to define when verification is required.

Relying on the system prompt to enforce identity verification is a security anti-pattern. LLM instructions can be bypassed through prompt injection. Security checks must be enforced at the code/infrastructure layer (Lambda functions), not in the prompt.

Option D: Create a Bedrock Flow with condition nodes that check whether the user request requires identity verification, routing to different Lambda functions accordingly before calling the Bedrock Agent.

Bedrock Flows adds unnecessary complexity. The agent itself can determine which action group to invoke based on the user's request. Adding a Flow as a pre-processing layer creates redundant routing logic and increases latency.

Key idea: Bedrock Agents & Action Groups

Why A is correct: A single Bedrock Agent with separate action groups provides clean separation of concerns. Each action group has its own Lambda function and OpenAPI schema, allowing the developer to implement identity verification in the transaction-related Lambda functions while keeping the report generation Lambda simple. This is the least operational overhead approach that properly enforces security at the execution layer. Why B is wrong: Three separate agents with multi-agent collaboration is over-engineered for this use case. It adds significant operational overhead (managing multiple agents, IAM roles, and the supervisor configuration) when a single agent with multiple action groups achieves the same result. Why C is wrong: Relying on the system prompt to enforce identity verification is a security anti-pattern. LLM instructions can be bypassed through prompt injection. Security checks must be enforced at the code/infrastructure layer (Lambda functions), not in the prompt. Why D is wrong: Bedrock Flows adds unnecessary complexity. The agent itself can determine which action group to invoke based on the user's request. Adding a Flow as a pre-processing layer creates redundant routing logic and increases latency. On the AWS GenAI Dev exam, questions in the "Implementation and Integration" domain test whether you can map a scenario's constraints to the right choice. Read the requirement carefully, eliminate options that violate any single constraint, and pick the one that satisfies all of them with the least operational overhead.

Ready to see how you'd score?

Take the free practice quiz and find out which AWS Generative AI Developer - Professional domains you need to focus on. No signup required.

Practice 5 similar questions

Same cert, same or adjacent domain. Use these after reviewing the explanation.

Related AWS Generative AI Developer - Professional Practice Questions