AWS Certified Machine Learning Engineer – Associate (MLA-C01) — Question 105
A company uses Amazon SageMaker for its ML process. A compliance audit discovers that an Amazon S3 bucket for training data uses server-side encryption with S3 managed keys (SSE-S3).
The company requires customer managed keys. An ML engineer changes the S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). The ML engineer makes no other configuration changes.
After the change to the encryption settings, SageMaker training jobs start to fail with AccessDenied errors.
What should the ML engineer do to resolve this problem?
Answer options
- A. Update the IAM policy that is attached to the execution role for the training jobs. Include the s3:ListBucket and s3:GetObject permissions.
- B. Update the S3 bucket policy that is attached to the S3 bucket. Set the value of the aws:SecureTransport condition key to True.
- C. Update the IAM policy that is attached to the execution role for the training jobs. Include the kms:Encrypt and kms:Decrypt permissions.
- D. Update the IAM policy that is attached to the user that created the training jobs. Include the kms:CreateGrant permission.
Correct answer: C
Explanation
The correct answer is C. With SSE-S3, Amazon S3 encrypts and decrypts objects with keys it manages itself, so the caller needs only S3 permissions. With SSE-KMS, every GetObject on the training data makes S3 call AWS KMS on the caller's behalf to unwrap the object's data key, and that call is authorized against the SageMaker execution role. The role's identity policy therefore needs kms:Decrypt on the bucket's key (and kms:Encrypt, or in practice kms:GenerateDataKey, if the job also writes model artifacts or checkpoints to an SSE-KMS bucket). Because the key is a customer managed key, its key policy must also allow the execution role; a grant in the identity policy alone is not sufficient. Option A is wrong because the training jobs already had s3:ListBucket and s3:GetObject: they succeeded before the change, and only the encryption setting was altered. Option B is wrong because aws:SecureTransport enforces TLS on the bucket and has nothing to do with key access. Option D is wrong because training jobs run under the execution role, not the user who created them, and kms:CreateGrant is not what S3 needs to decrypt an object.
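The following is an added example, not part of the original question: the corrected execution-role policy and the matching KMS key policy statement, together with a minimal offline IAM-style evaluator that shows which permission the pre-change policy lacks for a GetObject on an SSE-KMS object. The account ID, region, bucket name, key ID, role name and object key are hypothetical, and the evaluator models only the Action/Resource/Principal checks relevant here (no condition evaluation, no SCPs, no permission boundaries).

```python
import fnmatch

# Hypothetical identifiers, constructed for this example.
ACCOUNT = "111122223333"
REGION = "us-east-1"
BUCKET = "example-training-data"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/SageMakerTrainingExecutionRole"
TRAIN_OBJECT = f"arn:aws:s3:::{BUCKET}/train/part-0001.csv"

S3_STATEMENT = {
    "Sid": "ReadTrainingData",
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
}

# What the execution role had before the bucket moved to SSE-KMS. S3 did the
# encryption with its own keys, so no KMS permission was ever exercised.
BEFORE_POLICY = {"Version": "2012-10-17", "Statement": [S3_STATEMENT]}

# Corrected policy: the S3 statement is unchanged and a KMS statement is added.
# kms:Decrypt is what GetObject needs to unwrap the object's data key;
# kms:GenerateDataKey is what PutObject needs when the job writes output to an
# SSE-KMS bucket. The statement is scoped to the one key, not "Resource": "*".
KMS_STATEMENT = {
    "Sid": "UseTrainingDataKey",
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
    "Resource": KEY_ARN,
}
AFTER_POLICY = {"Version": "2012-10-17", "Statement": [S3_STATEMENT, KMS_STATEMENT]}

# The customer managed key's own policy must also allow the role. The
# kms:ViaService condition limits the role to using the key through S3.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRootAdministration", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowSageMakerExecutionRoleViaS3", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
         "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": f"s3.{REGION}.amazonaws.com"}}},
    ],
}


def _match_any(patterns, value):
    """IAM-style case-insensitive wildcard match; Action/Resource may be str or list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def identity_allows(policy, action, resource):
    """Minimal identity-policy evaluation: an explicit Deny wins, otherwise
    at least one matching Allow statement is required."""
    allowed = False
    for stmt in policy["Statement"]:
        if _match_any(stmt["Action"], action) and _match_any(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def key_policy_allows(key_policy, principal_arn, action):
    """True if the key policy has an Allow that names this principal for the action."""
    for stmt in key_policy["Statement"]:
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if (stmt["Effect"] == "Allow" and principal_arn in principals
                and _match_any(stmt["Action"], action)):
            return True
    return False


def missing_for_sse_kms_read(policy, key_policy=KEY_POLICY):
    """Permissions a GetObject on an SSE-KMS object would still lack. S3 checks
    s3:GetObject, then calls KMS as the caller, which needs kms:Decrypt granted
    by BOTH the role's identity policy and the key policy."""
    missing = []
    if not identity_allows(policy, "s3:GetObject", TRAIN_OBJECT):
        missing.append("s3:GetObject")
    if not identity_allows(policy, "kms:Decrypt", KEY_ARN):
        missing.append("kms:Decrypt (identity policy)")
    if not key_policy_allows(key_policy, ROLE_ARN, "kms:Decrypt"):
        missing.append("kms:Decrypt (key policy)")
    return missing


if __name__ == "__main__":
    print("before:", missing_for_sse_kms_read(BEFORE_POLICY))  # ['kms:Decrypt (identity policy)']
    print("after: ", missing_for_sse_kms_read(AFTER_POLICY))   # []
```

Run as a script to see the diagnosis for both policies. The evaluator deliberately ignores the Condition block; in a real audit, check that the key policy's kms:ViaService condition names the region the training job runs in, otherwise the role will still be denied even with the identity policy corrected.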