AWS Certified Machine Learning Engineer – Associate (MLA-C01) — Question 175
A company deployed an Amazon SageMaker AI ML model to an endpoint by calling the CreateModel API operation. The network that was established with the API call includes two private subnets and one security group.
The model must download data from an Amazon S3 bucket and must upload data to the S3 bucket. The traffic to the S3 bucket must not travel across the internet.
Which solution will meet these requirements?
Answer options
- A. Create a NAT gateway. Configure the security group to allow outbound connections. Configure route tables to redirect any traffic to the S3 bucket through the NAT gateway.
- B. Create a gateway VPC endpoint. Configure an endpoint policy that restricts access to the S3 bucket. Configure route tables to redirect any traffic to the S3 bucket through the endpoint.
- C. Create an interface VPC endpoint. Verify that the security group allows only inbound connections. Configure route tables to redirect any traffic to the S3 bucket through the endpoint.
- D. Create a Gateway Load Balancer VPC endpoint. Configure an IAM policy that restricts access to the S3 bucket. Configure route tables to redirect any traffic to the S3 bucket through the endpoint.
Correct answer: B
Explanation
The correct answer is B: a gateway VPC endpoint gives the VPC a private path to Amazon S3 so that traffic never leaves the AWS network for the internet, which satisfies the requirement. Option A is incorrect because a NAT gateway routes traffic over the internet, which violates the requirement. Options C and D are also incorrect because they rely on an interface endpoint and a Gateway Load Balancer endpoint, neither of which is needed to reach S3 privately when a gateway VPC endpoint suffices.
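The configuration that option B describes, written out as an added Terraform example (this is not part of the exam page and not AWS's own reference code): a gateway VPC endpoint for S3, an endpoint policy that limits access to the one bucket the model uses, the endpoint attached to the route tables of the two private subnets, and an outbound rule on the security group. The region, VPC id, route table ids, security group id and bucket name are placeholders and assumptions.

```hcl
# Added example (not from the exam page): gateway VPC endpoint for S3 wired to the
# route tables of the two private subnets used by the SageMaker endpoint.
# Every id, name and region below is a placeholder / assumption.

variable "region"      { default = "us-east-1" }              # assumed region
variable "vpc_id"      { default = "vpc-PLACEHOLDER" }        # assumed VPC id
variable "bucket_name" { default = "model-data-bucket" }      # constructed bucket name
variable "private_route_table_ids" {
  # route tables of the two private subnets named in the CreateModel VPC config
  default = ["rtb-PLACEHOLDER-1", "rtb-PLACEHOLDER-2"]
}
variable "sagemaker_security_group_id" { default = "sg-PLACEHOLDER" }  # assumed SG id

data "aws_iam_policy_document" "s3_endpoint" {
  # Endpoint policy: only the one bucket the model reads from and writes to is
  # reachable through this endpoint. IAM on the execution role still applies on top.
  statement {
    sid     = "AllowOnlyModelBucket"
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    resources = [
      "arn:aws:s3:::${var.bucket_name}",
      "arn:aws:s3:::${var.bucket_name}/*",
    ]
  }
}

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  policy            = data.aws_iam_policy_document.s3_endpoint.json
  # Associating the route tables inserts a route for the S3 prefix list that
  # points at the endpoint, so S3-bound traffic never needs an internet path.
  route_table_ids   = var.private_route_table_ids
  tags = { Name = "sagemaker-s3-gateway-endpoint" }
}

# The security group must still permit outbound HTTPS. For a gateway endpoint the
# destination is the S3 managed prefix list rather than an IP range.
resource "aws_security_group_rule" "sagemaker_egress_s3" {
  type              = "egress"
  security_group_id = var.sagemaker_security_group_id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [aws_vpc_endpoint.s3.prefix_list_id]
}
```

After `terraform apply`, each associated route table shows a route whose destination is the S3 prefix list and whose target is the endpoint, which is the check a practitioner would use to confirm that the two private subnets reach S3 without traversing a NAT gateway or internet gateway. The endpoint policy and the execution role's IAM policy are evaluated together, so both must allow the bucket for the model's downloads and uploads to succeed.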