Securing AI Systems

The AWS security toolkit applied to AI: IAM, KMS, PrivateLink, S3 protection, and the shared responsibility model.

9 min read

AI workloads are secured with the same AWS primitives as everything else — the exam tests whether you can map them onto AI scenarios. The shared responsibility model still applies: AWS secures the service infrastructure; you secure your data, access policies, and application behavior.

The security building blocks for AI

AWS IAM

Least-privilege access to models, training data, and endpoints. Roles for applications; no hardcoded keys. Controls who may invoke which Bedrock models or SageMaker endpoints.
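As an added illustration (not part of the original page or any AWS-published code), the following Python compares an over-broad Bedrock policy with a scoped one and runs a small linter over each. The account-free foundation-model ARN format is real; the model ID is a placeholder, and the linter's notion of "over-broad" (a bare `*` resource or a wildcard in an Allow action) is this example's own rule of thumb.

```python
import json

# Foundation-model ARNs carry no account ID; the model ID below is a placeholder
# for whichever model the application is approved to call (constructed).
APPROVED_MODEL_ARN = "arn:aws:bedrock:us-east-1::foundation-model/MODEL_ID_PLACEHOLDER"

# Over-broad policy: any Bedrock action on any resource.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"}
    ],
}

# Least-privilege policy: only the two invoke actions, only on the approved model.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream",
            ],
            "Resource": APPROVED_MODEL_ARN,
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard(field, value):
    # A bare "*" is over-broad in either field; for actions any "*" is
    # over-broad ("bedrock:*", "bedrock:Invoke*"). Object-level resource
    # patterns such as "arn:aws:s3:::bucket/*" are deliberately not flagged.
    if value == "*":
        return True
    return field == "Action" and "*" in value


def find_overbroad_statements(policy):
    """Return (statement_index, field, value) findings for wildcard Allow statements.

    Only Allow statements are checked: a wildcard in a Deny narrows access.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            for value in _as_list(stmt.get(field, [])):
                if _is_wildcard(field, value):
                    findings.append((idx, field, value))
    return findings


def is_least_privilege(policy):
    return not find_overbroad_statements(policy)


if __name__ == "__main__":
    for name, pol in (("BROAD_POLICY", BROAD_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, "findings:", find_overbroad_statements(pol))
        print(json.dumps(pol, indent=2))
```

Run against a real policy document, the same checker can be pointed at the JSON returned by `iam get-policy-version` before a role is attached to an application; the scoped policy still leaves data-plane access to the one model and nothing else.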

AWS KMS

Encryption at rest for training data, model artifacts, and vector stores; TLS covers encryption in transit.

AWS PrivateLink / VPC endpoints

Reach Bedrock/SageMaker privately from your VPC so prompts and data never cross the public internet.

Amazon S3 security

Block Public Access, bucket policies, and encryption protect the training data and documents feeding your models.

Amazon Macie

Finds PII in S3 — audit your training/RAG corpora before models consume them.

AWS CloudTrail & CloudWatch

Audit every API call (who invoked which model, when) and monitor usage patterns for anomalies.
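The audit-and-anomaly idea above, as an added example that is not part of the original page: a few constructed CloudTrail-style records (the principals, model IDs, account number and timestamps are made up; the field names follow the CloudTrail record layout for Bedrock `InvokeModel` events) are checked against a per-principal model allow list, and a sliding-window counter flags any principal whose call rate exceeds a threshold. The allow list and the rate threshold are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed principals (not real accounts or roles).
APP = "arn:aws:sts::111122223333:assumed-role/app-role/app"
DEV = "arn:aws:iam::111122223333:user/dev-user"
BATCH = "arn:aws:sts::111122223333:assumed-role/batch-role/job"


def _rec(event_time, principal_arn, model_id,
         source="bedrock.amazonaws.com", name="InvokeModel"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventTime": event_time,
        "eventSource": source,
        "eventName": name,
        "userIdentity": {"arn": principal_arn},
        "requestParameters": {"modelId": model_id},
    }


# Constructed sample trail: a normal app, an S3 call that is not a model
# invocation, an unexpected developer call, and a burst from a batch role.
SAMPLE_RECORDS = (
    [_rec(f"2024-05-01T10:{m:02d}:00Z", APP, "model-a") for m in (0, 5, 10)]
    + [_rec("2024-05-01T10:01:00Z", APP, None, source="s3.amazonaws.com", name="GetObject")]
    + [_rec("2024-05-01T10:07:00Z", DEV, "model-b")]
    + [_rec(f"2024-05-01T11:00:{s:02d}Z", BATCH, "model-a") for s in range(6)]
)

# Assumed allow list: which principal may invoke which model IDs.
APPROVED = {APP: {"model-a"}, BATCH: {"model-a"}}


def invoke_events(records):
    """Keep only Bedrock model-invocation events."""
    return [
        r for r in records
        if r.get("eventSource") == "bedrock.amazonaws.com"
        and r.get("eventName") in ("InvokeModel", "InvokeModelWithResponseStream")
    ]


def unapproved_invocations(records, approved):
    """(principal, modelId) pairs where the principal is not approved for that model."""
    out = []
    for r in invoke_events(records):
        principal = r["userIdentity"]["arn"]
        model = r["requestParameters"].get("modelId")
        if model not in approved.get(principal, set()):
            out.append((principal, model))
    return out


def burst_principals(records, max_calls, window_seconds):
    """Principals that exceed max_calls inside any window_seconds-long window."""
    times = defaultdict(list)
    for r in invoke_events(records):
        t = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        times[r["userIdentity"]["arn"]].append(t)
    flagged = set()
    for principal, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            # Slide the window start forward until it fits in window_seconds.
            while (ts[end] - ts[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_calls:
                flagged.add(principal)
                break
    return flagged


if __name__ == "__main__":
    print("unapproved:", unapproved_invocations(SAMPLE_RECORDS, APPROVED))
    print("bursts:", burst_principals(SAMPLE_RECORDS, max_calls=5, window_seconds=60))
```

In production the same two checks would run over records delivered to S3 by CloudTrail (or as CloudWatch metric filters/alarms), with the allow list derived from the IAM policies actually attached to each role rather than a hand-written dictionary.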

Exam tip

Bedrock privacy facts worth repeating: customer data is encrypted in transit and at rest, is not used to train base models, can stay off the public internet via PrivateLink, and fine-tuning creates a private copy of the model. These appear in multiple questions.

AI-specific threats to recognize

  • Prompt injection / jailbreaking — malicious inputs steering the model (mitigate: input validation, Guardrails).
  • Data poisoning — corrupting training data to change model behavior (mitigate: data provenance and validation).
  • Model inversion / extraction — attackers reconstructing training data or stealing model behavior via queries (mitigate: throttling, access control).
  • Data leakage — sensitive data exposed via model outputs (mitigate: PII filtering, output guardrails).
  • Exposure through logs — prompts containing secrets landing in logs (mitigate: log hygiene and masking).
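The "data leakage" and "exposure through logs" mitigations above (output filtering and log masking) share the same mechanism: redact sensitive tokens before text is written anywhere. The Python below is an added example, not code from the original page or from AWS; its three regexes (credential assignments, AWS access key IDs, e-mail addresses) are a deliberately small, assumed set, and the prompt and completion are constructed test strings (the key is the documented AWS example key, not a live one).

```python
import re

# Ordered list of (name, pattern, replacement). The assignment pattern runs
# first so a secret value is masked before the other patterns see it.
REDACTORS = [
    (
        "secret_assignment",
        re.compile(r"(?i)\b(password|passwd|api[_-]?key|token)\s*[:=]\s*\S+"),
        lambda m: f"{m.group(1)}=[REDACTED]",
    ),
    (
        "aws_access_key_id",
        re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
        "[AWS_ACCESS_KEY_ID]",
    ),
    (
        "email",
        re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
        "[EMAIL]",
    ),
]


def redact(text):
    """Return (redacted_text, {pattern_name: hit_count}) with zero-count names omitted."""
    counts = {}
    for name, pattern, replacement in REDACTORS:
        text, n = pattern.subn(replacement, text)
        if n:
            counts[name] = n
    return text, counts


def safe_log_entry(prompt, completion):
    """Build the record that may be logged: both sides masked, plus a leak flag.

    leak_suspected is set when the model's output itself contained a sensitive
    token, which is the "data leakage" case rather than a noisy prompt.
    """
    safe_prompt, prompt_hits = redact(prompt)
    safe_completion, completion_hits = redact(completion)
    return {
        "prompt": safe_prompt,
        "completion": safe_completion,
        "prompt_redactions": prompt_hits,
        "completion_redactions": completion_hits,
        "leak_suspected": bool(completion_hits),
    }


# Constructed sample exchange; AKIAIOSFODNN7EXAMPLE is AWS's documented example key.
SAMPLE_PROMPT = (
    "Summarise this ticket: user alice@example.com says login with "
    "password=Hunter2! fails; their key AKIAIOSFODNN7EXAMPLE was rotated."
)
SAMPLE_COMPLETION = "The user's email is alice@example.com and the login failed."


if __name__ == "__main__":
    entry = safe_log_entry(SAMPLE_PROMPT, SAMPLE_COMPLETION)
    for k, v in entry.items():
        print(f"{k}: {v}")
```

The redaction runs on both the prompt and the completion because the two threats differ: a secret in the prompt is a logging-hygiene problem, while a secret in the completion means the model surfaced data it should not have, which is worth alerting on rather than silently masking.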

Think of it like this

Treat the model like a talented new hire with a photographic memory: give them a badge that opens only the doors they need (IAM), talk to them in private rooms rather than shouting across the street (PrivateLink), and never tell them secrets you wouldn't want repeated (data governance).

Knowledge check
Question 1 of 4

A company requires that prompts sent to Amazon Bedrock never traverse the public internet. Which AWS capability meets this?