AI Gateway Security Layer
As organizations deploy LLM-powered features, they face a new category of security challenges: prompt injection attacks, sensitive data leakage in prompts, uncontrolled token costs, and the need for audit trails of all AI interactions. In this challenge, you will design an AI gateway that sits between applications and LLM providers (Amazon Bedrock, third-party APIs), enforcing security policies, content filtering, rate limiting, and comprehensive auditing.

The gateway uses API Gateway as the entry point with Lambda authorizers that validate API keys, check quota allocations per team, and inject tenant context.

Before any prompt reaches the LLM, a pre-processing Lambda pipeline runs content classifiers: Amazon Comprehend detects PII (names, SSNs, credit card numbers) and either redacts or blocks the request, a custom classifier detects prompt injection patterns (role-playing attacks, ignore-previous-instructions patterns), and Amazon Bedrock Guardrails enforce topic-level restrictions.

The response path runs a symmetric post-processing pipeline: PII scanning on the LLM output, toxicity detection, factual grounding checks against the source documents (for RAG responses), and custom business rule validation.

Token usage tracking stores per-request metrics in DynamoDB with GSIs for per-team, per-model, and per-endpoint aggregation, feeding into a cost allocation dashboard. Rate limiting operates at multiple levels (per-API-key requests per minute, per-team tokens per day, and per-model concurrency limits) using ElastiCache for Redis with atomic Lua scripts.

The audit trail captures every request/response pair in Kinesis Data Firehose, delivering to S3 in Parquet format for compliance queries via Athena. The architecture supports graceful degradation: when the primary LLM is throttled, the gateway falls back to a secondary model with appropriate quality warnings.
This challenge teaches AI security architecture, content safety systems, and the governance patterns required for enterprise AI deployment.
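An added example, not part of the challenge material: the three-level rate limit check described above, modelled in memory to show why the check and the counter updates must form one atomic step. The class name `GatewayLimiter`, its method names, the counter key layout and the fixed-window scheme are assumptions; the lock stands in for the atomicity a Redis Lua script provides.

```python
import threading
import time

class GatewayLimiter:
    """Hypothetical in-memory stand-in for the Redis-backed limiter."""

    def __init__(self, key_rpm, team_tokens_per_day, model_concurrency):
        self.key_rpm = key_rpm
        self.team_tokens_per_day = team_tokens_per_day
        self.model_concurrency = model_concurrency
        self._lock = threading.Lock()   # plays the role of the atomic Lua script
        self._counters = {}             # in Redis, window keys would carry a TTL

    def admit(self, api_key, team, model, est_tokens, now=None):
        """Check all three limits first, then commit all counters, or none."""
        now = time.time() if now is None else now
        rpm_k = f"rpm:{api_key}:{int(now // 60)}"    # fixed one-minute window
        tok_k = f"tok:{team}:{int(now // 86400)}"    # fixed one-day window
        con_k = f"con:{model}"                       # in-flight requests
        with self._lock:
            c = self._counters
            if c.get(rpm_k, 0) + 1 > self.key_rpm:
                return (False, "key_rpm")
            if c.get(tok_k, 0) + est_tokens > self.team_tokens_per_day:
                return (False, "team_tokens")
            if c.get(con_k, 0) + 1 > self.model_concurrency:
                return (False, "model_concurrency")
            # Only reached when every level passed: a rejected request
            # never consumes quota at another level.
            c[rpm_k] = c.get(rpm_k, 0) + 1
            c[tok_k] = c.get(tok_k, 0) + est_tokens
            c[con_k] = c.get(con_k, 0) + 1
            return (True, "ok")

    def complete(self, team, model, est_tokens, actual_tokens, now=None):
        """Release the concurrency slot and replace the estimate with actual usage."""
        now = time.time() if now is None else now
        tok_k = f"tok:{team}:{int(now // 86400)}"
        con_k = f"con:{model}"
        with self._lock:
            c = self._counters
            c[con_k] = max(0, c.get(con_k, 0) - 1)
            c[tok_k] = max(0, c.get(tok_k, 0) + actual_tokens - est_tokens)

    def usage(self, name):
        """Current value of one counter, for dashboards or tests."""
        with self._lock:
            return self._counters.get(name, 0)
```

Token counts are reserved as an estimate at admission and corrected in `complete`, since the real token count is only known after the model responds.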
AWS Services You'll Use
Challenge Details
- Path: AI/ML Infrastructure
- Difficulty: Advanced
- Duration: 65 min
- Plan: Pro
Architecture Patterns You'll Learn
Why This Challenge?
Unlike whiteboard exercises or multiple-choice quizzes, this challenge requires you to design a real architecture with actual AWS services, evaluate trade-offs, and defend your decisions. Our automated validators check your design against production-grade criteria. Complete it and it shows up in your verified portfolio with your architecture diagram and design rationale.