AWS Certified Machine Learning Engineer – Associate (MLA-C01) — Question 95
A company is using Amazon SageMaker to develop ML models. The company stores sensitive training data in an Amazon S3 bucket. The model training must have network isolation from the internet.
Which solution will meet this requirement?
Answer options
- A. Run the SageMaker training jobs in private subnets. Create a NAT gateway. Route traffic for training through the NAT gateway.
- B. Run the SageMaker training jobs in private subnets. Create an S3 gateway VPC endpoint. Route traffic for training through the S3 gateway VPC endpoint.
- C. Run the SageMaker training jobs in public subnets that have an attached security group. In the security group, use inbound rules to limit traffic from the internet. Encrypt SageMaker instance storage by using server-side encryption with AWS KMS keys (SSE-KMS).
- D. Encrypt traffic to Amazon S3 by using a bucket policy that includes a value of True for the aws:SecureTransport condition key. Use default at-rest encryption for Amazon S3. Encrypt SageMaker instance storage by using server-side encryption with AWS KMS keys (SSE-KMS).
Correct answer: B
Explanation
Option B is correct because an S3 gateway VPC endpoint adds a route in the private subnets' route tables that carries S3 traffic over the AWS network, so the SageMaker training jobs can read the training data from the bucket without the VPC having any internet gateway or NAT route, which gives complete network isolation. Option A is incorrect because a NAT gateway exists precisely to give instances in private subnets outbound internet access, which violates the isolation requirement. Option C is incorrect because instances in public subnets have a route to the internet, inbound security group rules do not block outbound traffic, and encrypting instance storage protects data at rest rather than isolating the network. Option D is incorrect because enforcing TLS with the aws:SecureTransport condition and enabling encryption at rest protect the data in transit and at rest but do nothing to remove the training environment's internet access.