AWS Certified Generative AI Developer - Professional: Build end-to-end architecture diagrams

End

to end architecture diagrams. This is

the final day and this is where AWS

checks one thing above all else. Can you

see the entire system at once and

explain it clearly enough that someone

can trust it? This is not about pretty

boxes. This is about flow, safety, and

responsibility all in one picture.

Imagine this. An AI system helps

coordinate air traffic operations. It

answers internal questions. It uses

official manuals. It runs an agent that

can trigger actions. It must be private,

observable, safe, and cost controlled.

AWS does not ask which service does

embeddings. AWS asks, "Draw the system

so I can trust it." That's what day 25

is really testing. Here's the golden

rule. If a diagram does not show flow,

boundaries, and who is responsible for

what, it is not a real architecture

diagram. AWS diagrams are not art. They

are explanations.

Start with the core skeleton. A user or

client sends a request. That request

enters through API gateway. It reaches

an application or orchestrator, usually

Lambda or ECS. That orchestrator invokes

bedrock. A response comes back. That's

the minimum shape. Now we add meaning.

The first major addition is retrieval.

In a real JI system, the model does not

answer from memory. So the diagram must

show the application calls a retrieval

layer. Embeddings are generated. A

vector store is queried. Relevant chunks

are returned. Only then does the model

generate an answer. The key idea is

simple. Retrieval happens before

generation. If your diagram shows the

LLM reading S3 directly, it's wrong. Now

we add agents. This is where diagrams

separate juniors from seniors. An agent

is not a box. It is a loop. The diagram

must show that the LLM plans, retrieval

provides facts, Lambda tools execute

actions, observations come back, memory

is updated, and the loop repeats until

the task is done. If you can explain

that loop in your diagram, you pass

every agent question. Next comes

security boundaries. AWS wants to see

that you know where trust stops. Your

diagram should clearly show the

application and tools running in private

subnets. VPC endpoints for S3 and

service APIs. No uncontrolled public

internet access in regulated systems. IM

boundaries must be visible too. Separate

roles for the application runtime, the

tools and administrative setup. Lease

privilege is not a sentence. It's a

shape in the diagram. Then comes data

protection. Show encrypted S3 buckets.

Show KMS keys. Show secrets stored in

secrets manager. AWS wants to see that

sensitive data is protected by design,

not by hope.

Finally, observability. This is the most

commonly forgotten piece. Your diagram

should always include Cloudatch logs for

events, Cloudatch metrics for health,

X-ray for endto-end traces. This shows

that the system can be owned after

launch. A system you cannot observe is a

system you do not control. When

everything is combined, your mental

diagram includes client API gateway,

application or orchestrator, rag

retrieval, bedrock model, agent loop,

lambda tools, IM roles, VPC endpoints,

encrypted storage, logging, metrics, and

tracing. Not every box needs detail, but

every responsibility must be placed.

There are classic mistakes AWS penalizes

hard. letting the LLM call databases

directly, skipping the retrieval layer,

putting everything in one giant box,

ignoring network boundaries, forgetting

observability, sprinkling public

internet everywhere. Those diagrams look

simple and fail exams. If you're asked

to describe your diagram, say something

like this. Requests enter through API

gateway are orchestrated by a Lambda

service, which performs retrieval using

embeddings from a vector store before

invoking Bedrock. Agents use this

knowledge to plan actions executed via

Lambda tools with full observability

through Cloudatch and X-Ray, all running

in private subnets with lease privilege

IM and KMS encryption. That single

explanation hits architecture, security,

rag, agents, and operations. Here's the

final sentence to lock the entire course

into memory. A good architecture diagram

shows flow, trust boundaries, and

responsibility, not just services. If

you can do that, you don't just pass the

exam. You think like an owner. Final

self test. AWS asks for a secure

observable genai system with rag and

agents. What must your diagram include?

Data flow, retrieval before generation,

the agent loop, IM roles, VPC

boundaries, and observability. You're

done.