AWSSecurity, Compliance, and Governance

Bedrock & Guardrails — AWS GenAI Dev Practice Question

A representative AWS Generative AI Developer (AWS GenAI Dev) exam question on Bedrock & Guardrails. Work through it below, then read why each option is right or wrong.

Short answer

The correct answer is A. Configure a Bedrock Guardrail with image content filters, setting HATE, VIOLENCE, and SEXUAL categories to HIGH filter strength, and apply the guardrail to the Bedrock API calls so images are evaluated before model invocation.

Bedrock Guardrails natively support image content filtering as part of the content filter policy. Developers can configure filter strengths (NONE, LOW, MEDIUM, HIGH) for categories including HATE, INSULTS, SEXUAL, VIOLENCE, and MISCONDUCT specifically for image inputs. When applied to an API call, the guardrail evaluates uploaded images against these filters before the foundation model processes the request. Images that violate the configured thresholds are blocked with a standardized response, and no model invocation occurs. This is a fully managed, no-custom-ML solution that meets all requirements.

The Question

A social media analytics company is building a multimodal application on Amazon Bedrock that lets users upload images along with text prompts for brand sentiment analysis. The application uses Claude 3.5 Sonnet's vision capabilities. The compliance team requires that all user-uploaded images be screened for hate symbols, violent content, and sexually explicit material before the model processes them. Blocked images must return a standardized denial message without any model invocation. The solution must work without deploying custom ML models. How should the developer implement this requirement?

AConfigure a Bedrock Guardrail with image content filters, setting HATE, VIOLENCE, and SEXUAL categories to HIGH filter strength, and apply the guardrail to the Bedrock API calls so images are evaluated before model invocationCorrect
BUse Amazon Rekognition DetectModerationLabels API to pre-screen images before sending them to Bedrock, and reject images that match unsafe categories in application code
CConfigure a Bedrock Guardrail with a denied topics policy that describes hate symbols, violence, and sexually explicit content in natural language, which will analyze both text and image inputs
DEnable AWS WAF on the API Gateway in front of the Bedrock endpoint with custom rules that inspect image payloads for prohibited content using byte-pattern matching

Why A is correct

Bedrock Guardrails natively support image content filtering as part of the content filter policy. Developers can configure filter strengths (NONE, LOW, MEDIUM, HIGH) for categories including HATE, INSULTS, SEXUAL, VIOLENCE, and MISCONDUCT specifically for image inputs. When applied to an API call, the guardrail evaluates uploaded images against these filters before the foundation model processes the request. Images that violate the configured thresholds are blocked with a standardized response, and no model invocation occurs. This is a fully managed, no-custom-ML solution that meets all requirements.

Why the other options are wrong

Option B: Use Amazon Rekognition DetectModerationLabels API to pre-screen images before sending them to Bedrock, and reject images that match unsafe categories in application code

While Rekognition's DetectModerationLabels can identify unsafe image content, this approach requires deploying custom integration code, managing a separate AWS service, handling Rekognition-specific IAM permissions, and coordinating the pre-screening pipeline in application logic. The question specifies working without custom ML models and Bedrock Guardrails provides this capability natively, making Rekognition an unnecessary architectural addition.

Option C: Configure a Bedrock Guardrail with a denied topics policy that describes hate symbols, violence, and sexually explicit content in natural language, which will analyze both text and image inputs

Denied topics policies in Bedrock Guardrails are designed for text-based topic filtering using natural language descriptions. They do not perform visual content analysis on images. A denied topic policy describing "hate symbols" would filter text discussions about hate symbols, not detect hate symbols within uploaded images. Image content moderation requires the image content filter configuration, not denied topics.

Option D: Enable AWS WAF on the API Gateway in front of the Bedrock endpoint with custom rules that inspect image payloads for prohibited content using byte-pattern matching

AWS WAF operates at the HTTP request level and inspects request headers, query strings, and body content for web exploits and IP-based rules. WAF cannot perform image content analysis or identify hate symbols, violence, or explicit material within image payloads. Byte-pattern matching is designed for detecting SQL injection and cross-site scripting, not visual content moderation.

Key idea: Bedrock & Guardrails

Why A is correct: Bedrock Guardrails natively support image content filtering as part of the content filter policy. Developers can configure filter strengths (NONE, LOW, MEDIUM, HIGH) for categories including HATE, INSULTS, SEXUAL, VIOLENCE, and MISCONDUCT specifically for image inputs. When applied to an API call, the guardrail evaluates uploaded images against these filters before the foundation model processes the request. Images that violate the configured thresholds are blocked with a standardized response, and no model invocation occurs. This is a fully managed, no-custom-ML solution that meets all requirements. Why B is wrong: While Rekognition's DetectModerationLabels can identify unsafe image content, this approach requires deploying custom integration code, managing a separate AWS service, handling Rekognition-specific IAM permissions, and coordinating the pre-screening pipeline in application logic. The question specifies working without custom ML models and Bedrock Guardrails provides this capability natively, making Rekognition an unnecessary architectural addition. Why C is wrong: Denied topics policies in Bedrock Guardrails are designed for text-based topic filtering using natural language descriptions. They do not perform visual content analysis on images. A denied topic policy describing "hate symbols" would filter text discussions about hate symbols, not detect hate symbols within uploaded images. Image content moderation requires the image content filter configuration, not denied topics. Why D is wrong: AWS WAF operates at the HTTP request level and inspects request headers, query strings, and body content for web exploits and IP-based rules. WAF cannot perform image content analysis or identify hate symbols, violence, or explicit material within image payloads. Byte-pattern matching is designed for detecting SQL injection and cross-site scripting, not visual content moderation. On the AWS GenAI Dev exam, questions in the "Security, Compliance, and Governance" domain test whether you can map a scenario's constraints to the right choice. Read the requirement carefully, eliminate options that violate any single constraint, and pick the one that satisfies all of them with the least operational overhead.

Ready to see how you'd score?

Take the free practice quiz and find out which AWS Generative AI Developer - Professional domains you need to focus on. No signup required.

Practice 5 similar questions

Same cert, same or adjacent domain. Use these after reviewing the explanation.

Related AWS Generative AI Developer - Professional Practice Questions