AWS Certified Machine Learning – Specialty — Question 109
A financial services company wants to adopt Amazon SageMaker as its default data science environment. The company's data scientists run machine learning (ML) models on confidential financial data. The company is worried about data egress and wants an ML engineer to secure the environment.
Which mechanisms can the ML engineer use to control data egress from SageMaker? (Choose three.)
Answer options
- A. Connect to SageMaker by using a VPC interface endpoint powered by AWS PrivateLink.
- B. Use SCPs to restrict access to SageMaker.
- C. Disable root access on the SageMaker notebook instances.
- D. Enable network isolation for training jobs and models.
- E. Restrict notebook presigned URLs to specific IPs used by the company.
- F. Protect data with encryption at rest and in transit. Use AWS Key Management Service (AWS KMS) to manage encryption keys.
Correct answer: A, D, E
Explanation
The correct answers, A, D, and E, are effective strategies for controlling data egress from SageMaker. A enables secure connections through AWS PrivateLink, D ensures training jobs and models are isolated from external networks, and E restricts data access based on specific IP addresses. Options B and C do not directly address data egress control, and F, although important for data protection, does not specifically manage data leaving the environment.