Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.2.1. Network Isolation and Access Control

💡 First Principle: Network isolation for GenAI applications means building a perimeter where FM API traffic, vector store queries, and document storage access all flow through private AWS network paths — no public internet traversal, even for encrypted traffic.

VPC endpoint architecture for Bedrock:
IAM least-privilege for FM invocations — the exam-critical patterns:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["bedrock:InvokeModel"],
      "Resource": [
        "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-haiku-20240307-v1:0"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["bedrock-agent-runtime:Retrieve"],
      "Resource": [
        "arn:aws:bedrock:us-east-1:123456789:knowledge-base/KBID12345"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::my-kb-documents/*"],
      "Condition": {
        "StringEquals": {"s3:ExistingObjectTag/classification": "internal"}
      }
    }
  ]
}

AWS Lake Formation for fine-grained data access in RAG pipelines: When your FM application queries structured data (Glue Data Catalog tables, typically through Athena), Lake Formation enforces column-level and row-level access controls — preventing the FM application from reading data columns it has no business reason to see:

# Lake Formation column-level security example
# The FM application's role can only see name, department, hire_date
# SSN, salary, and performance_rating are invisible to this role
# Athena query on the same table returns different columns per role
query = "SELECT * FROM employee_directory WHERE department = 'Engineering'"
# Role with Lake Formation column filter: returns only name, department, hire_date
# Role without filter: returns all columns including SSN, salary

⚠️ Exam Trap: VPC endpoints for Bedrock prevent traffic from leaving the AWS network, but do not prevent lateral movement within the VPC. A compromised Lambda function with overly broad IAM permissions could still access other VPC resources. Least-privilege IAM policies are required independently of network isolation — the two controls operate at different layers.
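To make the exam-trap point concrete, here is an added example (not from the course page): a small least-privilege audit that flags the wildcard actions and unscoped resources the audit in the trap would catch. The two policy documents are constructed to mirror the three-statement policy above and the "bedrock:* / s3:*" shortcut it warns against.

```python
from typing import Any, Dict, List

# Added example, not from the course page: a small least-privilege audit for the
# Bedrock/S3 IAM policies the section discusses. The two policy documents are
# constructed to mirror the section's policy and the "bedrock:* / s3:*" shortcut.

def _as_list(value: Any) -> List[Any]:
    # IAM accepts a string or a list for Action and Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def audit_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings that widen the FM application's blast radius; [] means clean."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            service, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.append(f"stmt[{i}]: wildcard action {action!r} ({service})")
        for res in resources:
            if res == "*":
                findings.append(f"stmt[{i}]: unscoped Resource '*' for {actions}")
        # The section's policy pairs s3:GetObject with an object-tag Condition;
        # an unconditional object read is reported as a gap.
        if "s3:GetObject" in actions and "Condition" not in stmt:
            findings.append(f"stmt[{i}]: s3:GetObject without a Condition")
    return findings

# Compact form of the three-statement policy shown above (same ARNs as the page).
TIGHT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["bedrock:InvokeModel"],
     "Resource": ["arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-haiku-20240307-v1:0"]},
    {"Effect": "Allow", "Action": ["bedrock-agent-runtime:Retrieve"],
     "Resource": ["arn:aws:bedrock:us-east-1:123456789:knowledge-base/KBID12345"]},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::my-kb-documents/*"],
     "Condition": {"StringEquals": {"s3:ExistingObjectTag/classification": "internal"}}},
]}

# The over-broad role the exam trap warns about: everything on Bedrock and S3.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["bedrock:*", "s3:*"], "Resource": "*"},
]}

if __name__ == "__main__":
    for name, policy in (("tight", TIGHT_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_policy(policy) or "no findings")
```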

Reflection Question: Your GenAI application processes employee HR queries. The Lambda function has an IAM role with bedrock:* and s3:* permissions for "simplicity." A security audit flags this. Describe the minimum IAM permissions the Lambda role should have, and name the AWS service that provides fine-grained access control at the data column level.

Written by Alvin Varughese, Founder, 15 professional certifications