Zero trust access model is correct. The zero trust access model describes making access decisions per resource and per request by combining a user role with contextual risk factors instead of relying solely on network location or static permissions.

Zero trust access model evaluates signals such as device posture, location, time, authentication strength and user behavior to apply least privilege and to adapt access in real time.

Discretionary access control is incorrect because that model lets resource owners set permissions and it does not inherently perform dynamic, context based risk evaluations for each access attempt.

Need to know principle is incorrect because it is a general information sharing constraint that limits access to those who require information but it does not describe continuous risk based access decisions per request.

Role based access control is incorrect because RBAC assigns permissions based on static roles and it does not by itself factor in additional contextual risk signals unless combined with other controls.

Full AWS Practitioner Certification Question