AWS Certified Machine Learning Engineer – Associate (MLA-C01) — Question 148
A company runs an Amazon SageMaker AI domain in a public subnet of a newly created VPC. The network is configured properly, and ML engineers can access the SageMaker AI domain.
Recently, the company discovered suspicious traffic to the domain from a specific IP address. The company needs to block traffic from the specific IP address.
Which update to the network configuration will meet this requirement?
Answer options
- A. Create a security group inbound rule to deny traffic from the specific IP address. Assign the security group to the domain.
- B. Create a network ACL inbound rule to deny traffic from the specific IP address. Assign the rule to the default network ACL for the subnet where the domain is located.
- C. Create a shadow variant for the domain. Configure SageMaker Inference Recommender to send traffic from the specific IP address to the shadow endpoint.
- D. Create a VPC route table to deny inbound traffic from the specific IP address. Assign the route table to the domain.
Correct answer: B
Explanation
The correct answer is B. Network ACLs operate at the subnet boundary, are stateless, and support both allow and deny rules, so a deny rule for the source address (written as a /32 CIDR) dropped into the subnet's network ACL blocks that host before its packets reach anything in the subnet. One caveat matters in practice: network ACL rules are evaluated in ascending rule-number order and the first match wins, and the default network ACL already contains rule 100 allowing all traffic, so the new deny rule must be given a number lower than 100 (for example 50) or it will never be reached. Option A is incorrect because security groups have allow rules only; there is no deny action to express, and a security group can only exclude a source indirectly by narrowing its allow rules to known-good ranges, which is not what the option describes. Option C is incorrect because shadow variants and SageMaker Inference Recommender are model-testing features and have no effect on network reachability. Option D is incorrect because a route table decides where traffic leaving a subnet is forwarded; it does not filter inbound packets, and it cannot be "assigned to a domain".
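To make the rule-ordering caveat concrete, the following is an added example that is not part of the original question or of any AWS code: a small Python model of how a VPC network ACL evaluates inbound rules (ascending rule number, first match, implicit final deny) next to how a security group evaluates them (allow rules only). The IP addresses, rule numbers and rule sets are constructed for illustration; 203.0.113.45 is a documentation address standing in for the suspicious source, and the default network ACL is modelled as its real default of a single allow-all rule numbered 100.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    """One inbound network ACL entry (constructed model, not an AWS API object)."""
    number: int   # rules are evaluated in ascending order of this number
    cidr: str     # source CIDR the rule matches
    action: str   # "allow" or "deny"


def nacl_ingress_decision(rules, src_ip):
    """Evaluate inbound rules the way a VPC network ACL does.

    Rules are tried in ascending rule-number order; the first rule whose CIDR
    contains the source address decides.  If nothing matches, the implicit
    catch-all rule '*' denies.  Returns (deciding_rule_number, action).
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if ip in ipaddress.ip_network(rule.cidr, strict=False):
            return rule.number, rule.action
    return "*", "deny"


def sg_ingress_allowed(allow_cidrs, src_ip):
    """Evaluate inbound security-group rules.

    A security group has allow rules only: traffic is permitted if any rule
    matches and dropped otherwise.  There is no deny verb, which is why
    option A in the question cannot be implemented as written.
    """
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in allow_cidrs)


# Constructed sample addresses (RFC 5737 documentation ranges).
SUSPICIOUS_IP = "203.0.113.45"   # the source to block
ENGINEER_IP = "198.51.100.7"     # a legitimate ML engineer

# The default network ACL of a VPC: a single allow-all inbound rule numbered 100.
DEFAULT_NACL = [NaclRule(100, "0.0.0.0/0", "allow")]

# Misordered: the deny is numbered after the allow-all, so it is never reached.
MISORDERED_NACL = DEFAULT_NACL + [NaclRule(200, f"{SUSPICIOUS_IP}/32", "deny")]

# Correct: the deny is numbered before the allow-all and matches first.
BLOCKING_NACL = DEFAULT_NACL + [NaclRule(50, f"{SUSPICIOUS_IP}/32", "deny")]


def summarize():
    """Collect the decisions for each configuration so they can be checked."""
    return {
        "misordered_suspicious": nacl_ingress_decision(MISORDERED_NACL, SUSPICIOUS_IP),
        "blocking_suspicious": nacl_ingress_decision(BLOCKING_NACL, SUSPICIOUS_IP),
        "blocking_engineer": nacl_ingress_decision(BLOCKING_NACL, ENGINEER_IP),
        # A security group with its usual allow-all rule cannot exclude one host.
        "sg_allow_all_suspicious": sg_ingress_allowed(["0.0.0.0/0"], SUSPICIOUS_IP),
        # The only security-group alternative is to shrink the allow list.
        "sg_allowlist_suspicious": sg_ingress_allowed(["198.51.100.0/24"], SUSPICIOUS_IP),
    }


if __name__ == "__main__":
    for name, result in summarize().items():
        print(f"{name}: {result}")
```

Once the ordering is understood, the real change is one CLI call against the subnet's network ACL, for example `aws ec2 create-network-acl-entry --network-acl-id <acl-id> --ingress --rule-number 50 --protocol -1 --rule-action deny --cidr-block 203.0.113.45/32`, with the rule number chosen below the existing allow rule. Because network ACLs are stateless, the inbound deny alone is enough: no connection from that source can be established, so no return traffic needs to be considered.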