AWS · AIF-C01

Multi-Account Governance — AWS AI Practitioner (AIF-C01)

9% of exam questions (11 of 125)

SCPs Set the Ceiling—They Don't Grant Anything

Scenarios describing org-wide policy enforcement use language like "prevent any account from disabling logging" or "restrict all workloads to approved regions." Candidates reach for IAM because permissions are familiar. Service Control Policies through AWS Organizations apply guardrails at the organizational unit level—they cap what IAM can grant, but grant nothing themselves. Control Tower layers account provisioning and detective guardrails on top of Organizations. "Organization-wide enforcement" signals SCPs; "standardized account vending" signals Control Tower.

What This Pattern Tests

The exam describes a multi-account environment and tests governance controls. AWS Organizations groups accounts into OUs. SCPs on OUs set maximum permission boundaries — they deny, never grant. CloudTrail organization trails aggregate audit logs. AWS Config aggregator collects compliance data across accounts. RAM (Resource Access Manager) shares resources across accounts without duplication. The trap is using SCPs to grant permissions (they only restrict) or creating cross-account IAM users instead of cross-account roles (roles use temporary credentials).
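As an added example (not from this page, the exam, or AWS), a deliberately simplified policy evaluator over a constructed SCP and a constructed role policy, showing the point the exam tests: effective access is the intersection, so an SCP Allow grants nothing on its own and an SCP Deny overrides an IAM Allow. The SCP shape (deny disabling CloudTrail, restrict to approved regions with global services exempted) mirrors the scenarios above; the region list, the role policy and the evaluation rules are assumptions for the demo and omit most of real IAM evaluation.

```python
import fnmatch
import json

# Constructed SCP for an OU (example data, not from the page): a full Allow
# ceiling, an explicit Deny on disabling CloudTrail, and a Deny on every
# non-global action outside two approved regions.
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]},
    {"Effect": "Deny", "Resource": "*",
     "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
     "Condition": {"StringNotEquals":
       {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}
  ]}""")

# Constructed identity policy attached to a role in a member account.
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["s3:GetObject", "cloudtrail:*", "iam:ListUsers"]}]}

def _match_any(patterns, action):
    """Case-insensitive IAM-style wildcard match of an action against a list."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _applies(stmt, action, region):
    """True if the statement's Action/NotAction and region condition cover the call."""
    if "Action" in stmt and not _match_any(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _match_any(stmt["NotAction"], action):
        return False
    approved = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    # StringNotEquals is false for an approved region, so the Deny does not apply there.
    return approved is None or region not in approved

def _permits(policy, action, region):
    """Simplified evaluation: an explicit Deny wins, otherwise some Allow must match."""
    effects = {s["Effect"] for s in policy["Statement"] if _applies(s, action, region)}
    return "Deny" not in effects and "Allow" in effects

def effective(action, region, scp=SCP, identity=ROLE_POLICY):
    """Effective access is the intersection: the SCP must not block the call AND
    the identity policy must grant it. An SCP Allow alone grants nothing."""
    return _permits(scp, action, region) and _permits(identity, action, region)

if __name__ == "__main__":
    print(effective("cloudtrail:StopLogging", "us-east-1"))  # False: SCP Deny beats IAM Allow
```

Swap the region in the calls or drop an action from ROLE_POLICY to see each layer of the intersection fail independently.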

Decision Axis

Governance scope determines the tool: organization-wide restriction = SCP, account-specific permission = IAM, cross-account sharing = RAM/roles, compliance visibility = Config aggregator.

Decision Rules

When training data consists of labeled prompt-completion pairs and the goal is task or style alignment, instruction tuning is the correct fine-tuning method; continued pre-training requires an unlabeled corpus and mismatches the data format, while routing the job through SageMaker custom training over-scopes the infrastructure footprint for a managed fine-tuning task.

Amazon Bedrock · Amazon SageMaker AI

When the requirement is to produce audit-ready, framework-mapped compliance evidence for external regulators, AWS Audit Manager is the correct choice; AWS Config addresses configuration drift monitoring but does not produce structured attestation reports tied to a regulatory framework.

AWS Audit Manager · AWS Config

Whether AWS Audit Manager or AWS Config is the correct service when the requirement is to continuously collect framework-mapped evidence and produce regulator-facing audit reports, rather than to detect resource configuration drift.

AWS Audit Manager · AWS Config

Choose AWS Audit Manager over AWS Config when the requirement is to produce continuously collected, framework-mapped audit evidence for regulatory attestation — not to evaluate whether individual resource configurations conform to rules.

AWS Audit Manager · AWS Config

Choose AWS Audit Manager over AWS Config when the requirement is to produce framework-mapped, regulator-ready audit evidence reports rather than to detect resource configuration drift against individual rules.

AWS Audit Manager · AWS Config

Domain Coverage

Applications of Foundation Models · Security, Compliance, and Governance for AI Solutions

Difficulty Breakdown

Easy: 7 · Medium: 2 · Hard: 2