
Compliance Misconception — AWS AI Practitioner (AIF-C01)

You assumed a compliance or governance model that doesn't match the service's actual capabilities.

Encrypted Data Can Still Violate Residency Requirements

Scenarios involving data sovereignty describe encryption at rest and in transit, then ask which control satisfies the requirement. Candidates stop at "encrypted" because it reads as compliant, but the exam is testing residency, not confidentiality. Encryption protects data wherever it sits; residency controls enforce where it sits. Watch for phrasing like "must remain within" or "cannot leave the region": those cues demand a data-boundary enforcement answer, not an encryption answer.

7% of exam questions affected (9 of 125)

The Scenario

A healthcare company needs to store patient data in AWS in a HIPAA-compliant manner. You recommend S3 with SSE-KMS encryption and HTTPS-only bucket policies. Both are necessary but not sufficient. HIPAA compliance on AWS requires: (1) a signed Business Associate Agreement with AWS, (2) using only BAA-eligible services (S3, RDS, DynamoDB, Lambda, and ~160 others — but not all services), (3) enabling CloudTrail for audit logging, (4) VPC configuration to prevent data exfiltration. The question tests whether you know the full compliance chain — encryption is one layer, not the whole answer.
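The residency-versus-encryption distinction above, and the SSE-KMS plus HTTPS-only bucket policy from the scenario, are easiest to see side by side. The following is an added example written for this page, not AWS code and not the exam's material: a deliberately simplified model of policy evaluation that takes two real AWS policy shapes (a bucket policy that denies unencrypted or plain-HTTP uploads, and an SCP that denies requests outside an EU region list) and runs constructed S3 `PutObject` requests through each. The condition keys `aws:SecureTransport`, `aws:RequestedRegion` and `s3:x-amz-server-side-encryption` are real; the bucket name, object key, region list and the request-context shape are constructed, and the evaluator only understands `Deny` statements with `Bool`, `StringEquals` and `StringNotEquals` conditions.

```python
# Added example for the residency-versus-encryption point on this page.
# This is a toy model written for illustration, not AWS code and not how IAM
# is implemented: it only evaluates Deny statements with Bool / StringEquals /
# StringNotEquals conditions, and "no matching Deny" is reported as not denied
# (real IAM additionally requires an explicit Allow).
from fnmatch import fnmatchcase

# Real AWS policy JSON shapes; bucket name and region list are constructed.
ENCRYPTION_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Confidentiality in transit: refuse any plain-HTTP request.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-phi-bucket",
                         "arn:aws:s3:::example-phi-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Confidentiality at rest: refuse uploads that do not request SSE-KMS.
            "Sid": "DenyUnencryptedPut",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-phi-bucket/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
}

RESIDENCY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Residency: refuse any request routed to a region outside the boundary.
            "Sid": "DenyOutsideEU",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]}},
        }
    ],
}

CONTROLS = {"encryption": ENCRYPTION_BUCKET_POLICY, "residency": RESIDENCY_SCP}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Action/Resource matching with IAM-style '*' wildcards (case-sensitive)."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """True when every operator/key pair in the Condition block matches the context."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = [str(w) for w in _as_list(wanted)]
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != wanted[0].lower():
                    return False
            elif operator == "StringEquals":
                if actual is None or actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                # Toy rule: a missing key counts as "not equal", so a
                # deny-unless-encrypted guard also fires when no SSE header is sent.
                if actual is not None and actual in wanted:
                    return False
            else:
                raise ValueError(f"unsupported operator in toy evaluator: {operator}")
    return True


def denying_sids(policy, request):
    """Sids of Deny statements that match the request (empty list = not denied by this policy)."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _matches(stmt["Action"], request["action"]):
            continue
        if not _matches(stmt["Resource"], request["resource"]):
            continue
        if _condition_holds(stmt.get("Condition", {}), request["context"]):
            hits.append(stmt["Sid"])
    return hits


def evaluate(request, policies=CONTROLS):
    """Map each named control to the Deny statements it raises for this request."""
    return {name: denying_sids(policy, request) for name, policy in policies.items()}


def put_request(region, sse=None, https=True):
    """Constructed S3 PutObject request context (toy shape, not the real IAM context)."""
    ctx = {"aws:RequestedRegion": region,
           "aws:SecureTransport": "true" if https else "false"}
    if sse:
        ctx["s3:x-amz-server-side-encryption"] = sse
    return {"action": "s3:PutObject",
            "resource": "arn:aws:s3:::example-phi-bucket/patient-42.json",
            "context": ctx}


if __name__ == "__main__":
    cases = [("eu-central-1, SSE-KMS, HTTPS", put_request("eu-central-1", "aws:kms")),
             ("us-east-1,    SSE-KMS, HTTPS", put_request("us-east-1", "aws:kms")),
             ("eu-central-1, no SSE,  HTTPS", put_request("eu-central-1")),
             ("eu-central-1, SSE-KMS, HTTP ", put_request("eu-central-1", "aws:kms", https=False))]
    for label, req in cases:
        print(f"{label} -> {evaluate(req)}")
```

The second case is the one the exam is probing: a fully encrypted, HTTPS-only upload to `us-east-1` passes every statement in the encryption policy and is stopped only by the region condition in the SCP. A production region-restriction SCP would also exempt global services with a `NotAction` list; that detail is omitted here to keep the contrast visible.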

How to Spot It

  • HIPAA, PCI-DSS, and FedRAMP each require specific contractual agreements on top of technical controls: the BAA for HIPAA, the AOC for PCI-DSS, and FedRAMP authorization for government workloads. The exam tests whether you know these agreements exist and are prerequisites.
  • Not all AWS services are eligible for every compliance framework. AWS Artifact lists which services are in scope for which certifications. The exam may offer an answer using a service that is technically capable but not in the compliance scope — that answer is wrong.
  • Compliance requires continuous controls: audit logging (CloudTrail), configuration monitoring (Config), access reviews (IAM Access Analyzer), and encryption verification. A one-time configuration does not maintain compliance. The exam tests whether your answer includes ongoing controls, not just initial setup.

Decision Rules

Which AWS service enforces the encryption key ownership and audit boundary for patient data at rest, as required by a HIPAA customer-managed key control mandate on a Bedrock-hosted application?

Amazon Bedrock · AWS Key Management Service (AWS KMS) · Amazon Macie

Whether to apply a human-in-the-loop governance control (Amazon A2I) versus an operational monitoring or logging tool (Amazon CloudWatch) to satisfy a regulatory requirement for per-output human auditability of GenAI decisions.

Amazon Bedrock · Amazon Augmented AI (Amazon A2I)

Whether customer-managed KMS keys (BYOK) satisfy a data-encryption sovereignty mandate versus services that detect or log compliance signals without controlling the cryptographic boundary of Bedrock invocation payloads.

Amazon Bedrock · AWS Key Management Service (AWS KMS)

Domain Coverage

Fundamentals of Generative AI

Difficulty Breakdown

Medium: 3 · Hard: 6
