AWSAI Safety, Security, and Governance

Guardrails & Responsible AI — AWS GenAI Dev Practice Question

A representative AWS Generative AI Developer (AWS GenAI Dev) exam question on Guardrails & Responsible AI. Work through it below, then read why each option is right or wrong.

Short answer

The correct answer is A. Enable CloudWatch logging on the guardrail and configure a sensitive information filter with regex patterns for medical record numbers, since SSN detection is built-in as a PII type.

Bedrock Guardrails' sensitive information filters support built-in PII types (including SSN) and custom regex patterns for organization-specific identifiers like medical record numbers. The denied topics policy handles blocking medical diagnoses and self-harm discussions. Content filters handle harmful content categories. Enabling CloudWatch logging on the guardrail captures all intervention events for compliance auditing. This configuration addresses all four requirements natively.

The Question

A healthcare company is deploying a patient-facing GenAI application using Amazon Bedrock. The application must: (1) never provide medical diagnoses, (2) redact any patient PII (Social Security numbers, medical record numbers) from both inputs and outputs, (3) block discussions about self-harm, and (4) log all guardrail interventions for compliance auditing. The developer has configured Bedrock Guardrails with content filters, denied topics, and sensitive information filters. Which additional configuration is required to meet ALL compliance requirements?

AEnable CloudWatch logging on the guardrail and configure a sensitive information filter with regex patterns for medical record numbers, since SSN detection is built-in as a PII typeCorrect
BCreate a custom Lambda function that post-processes all Bedrock responses to scan for PII using Amazon Comprehend Medical, and log results to CloudWatch
CConfigure the guardrail's word filter with a deny list containing medical diagnosis terms, and enable Amazon Bedrock model invocation logging to capture guardrail traces
DEnable the guardrail's automated reasoning policy to validate that responses do not contain diagnostic language, and use AWS CloudTrail for compliance logging

Why A is correct

Bedrock Guardrails' sensitive information filters support built-in PII types (including SSN) and custom regex patterns for organization-specific identifiers like medical record numbers. The denied topics policy handles blocking medical diagnoses and self-harm discussions. Content filters handle harmful content categories. Enabling CloudWatch logging on the guardrail captures all intervention events for compliance auditing. This configuration addresses all four requirements natively.

Why the other options are wrong

Option B: Create a custom Lambda function that post-processes all Bedrock responses to scan for PII using Amazon Comprehend Medical, and log results to CloudWatch

Using a separate Lambda function with Comprehend Medical adds unnecessary complexity and latency. Bedrock Guardrails natively handles PII detection and redaction. This approach also creates a gap where unredacted PII could be logged before the Lambda processes it.

Option C: Configure the guardrail's word filter with a deny list containing medical diagnosis terms, and enable Amazon Bedrock model invocation logging to capture guardrail traces

A word filter deny list is too brittle for blocking medical diagnoses — it would require maintaining an exhaustive list of medical terms and could be bypassed with synonyms. The denied topics policy (already configured per the question) uses semantic understanding to block diagnosis-related content. Model invocation logging captures model inputs/outputs but doesn't specifically log guardrail intervention events with the same granularity.

Option D: Enable the guardrail's automated reasoning policy to validate that responses do not contain diagnostic language, and use AWS CloudTrail for compliance logging

Automated reasoning policies in Bedrock Guardrails are designed for factual accuracy validation against source material, not for content restriction. CloudTrail logs API calls but doesn't capture the granular details of individual guardrail interventions within a conversation.

Key idea: Guardrails & Responsible AI

Why A is correct: Bedrock Guardrails' sensitive information filters support built-in PII types (including SSN) and custom regex patterns for organization-specific identifiers like medical record numbers. The denied topics policy handles blocking medical diagnoses and self-harm discussions. Content filters handle harmful content categories. Enabling CloudWatch logging on the guardrail captures all intervention events for compliance auditing. This configuration addresses all four requirements natively. Why B is wrong: Using a separate Lambda function with Comprehend Medical adds unnecessary complexity and latency. Bedrock Guardrails natively handles PII detection and redaction. This approach also creates a gap where unredacted PII could be logged before the Lambda processes it. Why C is wrong: A word filter deny list is too brittle for blocking medical diagnoses — it would require maintaining an exhaustive list of medical terms and could be bypassed with synonyms. The denied topics policy (already configured per the question) uses semantic understanding to block diagnosis-related content. Model invocation logging captures model inputs/outputs but doesn't specifically log guardrail intervention events with the same granularity. Why D is wrong: Automated reasoning policies in Bedrock Guardrails are designed for factual accuracy validation against source material, not for content restriction. CloudTrail logs API calls but doesn't capture the granular details of individual guardrail interventions within a conversation. On the AWS GenAI Dev exam, questions in the "AI Safety, Security, and Governance" domain test whether you can map a scenario's constraints to the right choice. Read the requirement carefully, eliminate options that violate any single constraint, and pick the one that satisfies all of them with the least operational overhead.

Ready to see how you'd score?

Take the free practice quiz and find out which AWS Generative AI Developer - Professional domains you need to focus on. No signup required.

Practice 5 similar questions

Same cert, same or adjacent domain. Use these after reviewing the explanation.

Related AWS Generative AI Developer - Professional Practice Questions