Security And Governance Boundary — AWS Machine Learning (MLS-C01)

4% of exam questions (8 of 200)

Detection and enforcement are not the same control.

GuardDuty detects. Security Hub aggregates. IAM enforces. IAM Identity Center governs federated access at scale. MLS-C01 security questions often conflate these categories by pairing a detection service with a scenario that requires enforcement, or vice versa. The exam wording signals which category applies: 'identify,' 'alert,' and 'audit' point toward detection; 'prevent,' 'restrict,' and 'control access' require enforcement. Matching the control type to the requirement language is the first step before evaluating specific services.

What This Pattern Tests

The exam describes a security requirement and tests which access control layer applies. IAM policies attach to principals (users, roles). Resource policies attach to resources (S3 bucket policies, KMS key policies). SCPs restrict what an entire AWS account can do. Permission boundaries cap what an IAM entity can be granted. The trap is applying EC2-level security group thinking to Lambda (which uses IAM execution roles), or writing an IAM policy when an SCP is needed for account-wide restriction. S3 Block Public Access, VPC endpoint policies, and Organizations tag policies each add another control plane the exam expects you to distinguish.

Decision Axis

Control scope determines the mechanism: principal-level (IAM), resource-level (resource policies), account-level (SCPs), or network-level (security groups, NACLs).

Decision Rules

Enforce the data-access boundary with an S3 bucket policy containing an explicit Deny on all principals except the SageMaker execution role ARN, because only identity-layer controls can restrict which IAM principals call S3 APIs regardless of network path; a VPC endpoint policy alone cannot satisfy the 'only this role' constraint.

Services: Amazon SageMaker, Amazon S3, AWS Identity and Access Management (IAM)
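The rule above is easier to reason about when the policy is written out and checked against a few principals. The block below is an added example, not material from the study page or from AWS documentation: it builds the Deny-everyone-but-the-role bucket policy and runs a small local evaluator over it. The bucket name, account id and role name are constructed placeholders, and the evaluator only understands the statement shape produced here (Principal "*", wildcard Action/Resource, ArnEquals/ArnNotEquals on aws:PrincipalArn); it is not a general IAM simulator.

```python
"""Build and locally check the 'Deny all principals except the SageMaker role' bucket policy.

Added example, not from the MLS-C01 study page. Bucket, account id and role name
are constructed placeholders. The evaluator handles only the policy shape built
here and is not a general IAM policy simulator.
"""
import fnmatch
import json

BUCKET = "example-training-data"                                               # constructed placeholder
ACCOUNT_ID = "111122223333"                                                    # constructed placeholder
SAGEMAKER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/SageMakerExecutionRole"  # constructed placeholder


def build_bucket_policy(bucket: str, allowed_role_arn: str) -> dict:
    """Explicit Deny on every principal whose ARN is not the SageMaker execution role.

    Keying the Deny on aws:PrincipalArn makes it an identity decision: it holds
    whether the request arrives over the public endpoint, a gateway VPC endpoint
    or a private link, which is why a VPC endpoint policy alone cannot express
    'only this role'. For an assumed role, aws:PrincipalArn is the role ARN, not
    the session ARN, so every session of the role matches the exception.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllPrincipalsExceptSageMakerRole",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"ArnNotEquals": {"aws:PrincipalArn": allowed_role_arn}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value: str) -> bool:
    # IAM-style wildcard matching ('*' and '?'), case-sensitive as ARNs are
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition: dict, principal_arn: str) -> bool:
    """Evaluate ArnEquals / ArnNotEquals on aws:PrincipalArn; an absent condition always holds."""
    for operator, pairs in condition.items():
        matched = _any_match(pairs["aws:PrincipalArn"], principal_arn)
        if operator == "ArnEquals" and not matched:
            return False
        if operator == "ArnNotEquals" and matched:
            return False
    return True


def is_denied(policy: dict, principal_arn: str, action: str, resource_arn: str) -> bool:
    """True if any Deny statement in the policy matches this request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt.get("Principal") != "*":
            continue
        if not _any_match(stmt["Action"], action):
            continue
        if not _any_match(stmt["Resource"], resource_arn):
            continue
        if _condition_holds(stmt.get("Condition", {}), principal_arn):
            return True
    return False


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, SAGEMAKER_ROLE_ARN)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/train/part-0000.parquet"
    for who in (SAGEMAKER_ROLE_ARN, f"arn:aws:iam::{ACCOUNT_ID}:role/DataScientist"):
        verdict = "DENIED" if is_denied(policy, who, "s3:GetObject", obj) else "not denied"
        print(f"{who.rsplit('/', 1)[1]:<24} -> {verdict}")
```

The Deny is evaluated before any Allow, so an administrator's identity policy does not override it; when a policy like this is deployed for real, a break-glass role is usually added to the ArnNotEquals list so the account is not locked out of its own bucket.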

Enable CloudTrail S3 data events on the PHI bucket to produce the object-level, per-request access audit trail HIPAA requires; encryption at rest and operational metrics do not record who accessed which object and when.

Services: Amazon SageMaker, Amazon S3, AWS CloudTrail
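To show what the data-event trail actually gives an auditor, the block below reconstructs "who accessed which object, when" from CloudTrail records. It is an added example, not from the study page: the records are constructed to mirror the CloudTrail record layout (bucket, account id, user names and IPs are placeholders), and the event-selector builder emits the AdvancedEventSelectors structure CloudTrail's PutEventSelectors accepts. Only the records tagged eventCategory "Data" exist once S3 data events are enabled; a management-only trail yields the first record and nothing about the objects.

```python
"""Reconstruct the object-level access trail from CloudTrail S3 data events.

Added example, not from the MLS-C01 study page. Records, bucket, account id,
names and IPs are constructed placeholders shaped like real CloudTrail records.
"""
PHI_BUCKET = "example-phi-bucket"   # constructed placeholder
ACCOUNT_ID = "111122223333"         # constructed placeholder

SAMPLE_RECORDS = [
    {   # management event: visible on any trail, says nothing about object access
        "eventTime": "2024-05-01T12:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "eventCategory": "Management",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"},
        "requestParameters": {},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # data event: recorded only when S3 data events are enabled for the bucket
        "eventTime": "2024-05-01T12:01:30Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "eventCategory": "Data",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/SageMakerExecutionRole/SageMaker",
            "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCOUNT_ID}:role/SageMakerExecutionRole"}},
        },
        "requestParameters": {"bucketName": PHI_BUCKET, "key": "patients/2024/05/record-0001.parquet"},
        "sourceIPAddress": "10.0.1.25",
    },
    {   # data event from an interactive user: the kind of access a HIPAA review must see
        "eventTime": "2024-05-01T12:03:12Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "eventCategory": "Data",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"},
        "requestParameters": {"bucketName": PHI_BUCKET, "key": "patients/2024/05/record-0042.parquet"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # data event on a different bucket: filtered out when auditing the PHI bucket
        "eventTime": "2024-05-01T12:04:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "eventCategory": "Data",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT_ID}:user/bob"},
        "requestParameters": {"bucketName": "example-model-artifacts", "key": "model.tar.gz"},
        "sourceIPAddress": "203.0.113.11",
    },
]


def build_data_event_selector(bucket: str) -> dict:
    """Advanced event selector that turns on object-level logging for one bucket.

    This is the AdvancedEventSelectors element CloudTrail's PutEventSelectors
    takes; the trail it attaches to is outside this example.
    """
    return {
        "Name": f"S3 data events for {bucket}",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
            {"Field": "resources.ARN", "StartsWith": [f"arn:aws:s3:::{bucket}/"]},
        ],
    }


def principal_of(record: dict) -> str:
    """Resolve the acting principal; for assumed roles report the role, not the session ARN."""
    identity = record["userIdentity"]
    if identity.get("type") == "AssumedRole":
        return identity["sessionContext"]["sessionIssuer"]["arn"]
    return identity["arn"]


def object_access_trail(records, bucket: str) -> list:
    """Per-request, object-level access rows for one bucket, oldest first."""
    rows = []
    for rec in records:
        if rec.get("eventCategory") != "Data" or rec.get("eventSource") != "s3.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        if params.get("bucketName") != bucket:
            continue
        rows.append({
            "time": rec["eventTime"],
            "principal": principal_of(rec),
            "action": rec["eventName"],
            "key": params.get("key"),
            "source_ip": rec.get("sourceIPAddress"),
        })
    return sorted(rows, key=lambda r: r["time"])


if __name__ == "__main__":
    for row in object_access_trail(SAMPLE_RECORDS, PHI_BUCKET):
        print(f"{row['time']} {row['principal']} {row['action']} s3://{PHI_BUCKET}/{row['key']} from {row['source_ip']}")
```

Resolving assumed-role sessions back to the issuing role keeps the trail stable across short-lived sessions, which is what a reviewer matches against the bucket policy's allowed role; the source IP is kept because the same principal reading PHI from an unexpected network is a useful detection signal.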

Domain Coverage

Machine Learning Implementation and Operations

Difficulty Breakdown

Hard: 8