AWS Certified Machine Learning Engineer – Associate (MLA-C01) — Question 29
A company runs an Amazon SageMaker domain in a public subnet of a newly created VPC. The network is configured properly, and ML engineers can access the SageMaker domain.
Recently, the company discovered suspicious traffic to the domain from a specific IP address. The company needs to block traffic from the specific IP address.
Which update to the network configuration will meet this requirement?
Answer options
- A. Create a security group inbound rule to deny traffic from the specific IP address. Assign the security group to the domain.
- B. Create a network ACL inbound rule to deny traffic from the specific IP address. Assign the rule to the default network ACL for the subnet where the domain is located.
- C. Create a shadow variant for the domain. Configure SageMaker Inference Recommender to send traffic from the specific IP address to the shadow endpoint.
- D. Create a VPC route table to deny inbound traffic from the specific IP address. Assign the route table to the domain.
Correct answer: B
Explanation
The correct answer is B. Network ACLs are stateless, subnet-level filters that support explicit allow and deny rules, evaluated in ascending rule-number order with the first matching rule deciding, so an inbound deny rule for the address stops its traffic at the subnet boundary before it reaches the SageMaker domain. Give the deny rule a lower number than the default allow-all rule (rule 100 in a default network ACL); otherwise the allow rule matches first and the deny never takes effect. Option A is incorrect because security group rules are allow-only: there is no explicit deny, and the only way to exclude an address is to narrow the allowed sources. Option C is unrelated to the requirement: shadow variants and SageMaker Inference Recommender apply to inference endpoints, not to a domain, and neither filters traffic by source address. Option D is invalid because route tables decide where outbound traffic is sent; they do not filter inbound traffic by source address the way network ACLs do.
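The ordering point above is easy to get wrong in practice, so here is an added example (not part of the exam page) that models network ACL evaluation as a first-match walk over rules sorted by number, and builds the AWS CLI call that would add the deny entry. The suspicious address (203.0.113.45, from the TEST-NET-3 documentation range) and the ACL id are constructed placeholders; nothing is sent to AWS.

```python
"""Added example: first-match evaluation of a network ACL, to show why
the deny rule's number relative to the default allow rule matters."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    rule_number: int
    action: str            # "allow" or "deny"
    cidr: str              # source CIDR for an inbound rule
    protocol: str = "-1"   # "-1" means all protocols, as in the AWS API


def evaluate_inbound(rules, src_ip):
    """Return 'allow' or 'deny' for a packet arriving from src_ip.

    Network ACLs are stateless and evaluated in ascending rule-number
    order; the first rule whose CIDR contains the source decides. If no
    numbered rule matches, the implicit final '*' rule denies.
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.rule_number):
        if ip in ipaddress.ip_network(rule.cidr, strict=False):
            return rule.action
    return "deny"


SUSPICIOUS_IP = "203.0.113.45"      # constructed example address (TEST-NET-3)
NACL_ID = "acl-0123456789abcdef0"   # hypothetical network ACL id

# A default network ACL ships with rule 100 allowing all inbound traffic.
DEFAULT_RULES = [NaclRule(100, "allow", "0.0.0.0/0")]


def block_ip(rules, ip, rule_number):
    """Return a new rule list with a /32 deny for ip at rule_number."""
    return rules + [NaclRule(rule_number, "deny", f"{ip}/32")]


def create_entry_command(nacl_id, rule):
    """Build the AWS CLI call that would add rule to nacl_id as an
    inbound entry. This only returns the command string."""
    return (
        "aws ec2 create-network-acl-entry "
        f"--network-acl-id {nacl_id} --ingress "
        f"--rule-number {rule.rule_number} --protocol {rule.protocol} "
        f"--rule-action {rule.action} --cidr-block {rule.cidr}"
    )


if __name__ == "__main__":
    correct = block_ip(DEFAULT_RULES, SUSPICIOUS_IP, 10)    # deny sorts before 100
    mistaken = block_ip(DEFAULT_RULES, SUSPICIOUS_IP, 200)  # allow-all wins first
    print("deny numbered 10 :", evaluate_inbound(correct, SUSPICIOUS_IP))   # deny
    print("deny numbered 200:", evaluate_inbound(mistaken, SUSPICIOUS_IP))  # allow
    print(create_entry_command(NACL_ID, correct[-1]))
```

Running the block prints `deny` for the rule numbered 10 and `allow` for the rule numbered 200, which is the check to make after adding the entry: confirm the deny sits below every allow rule that would otherwise match the address. Other sources are still admitted by rule 100, so legitimate ML engineers are unaffected.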