AWS Certified Machine Learning – Specialty — Question 114
A machine learning (ML) specialist wants to secure calls to the Amazon SageMaker Service API. The specialist has configured Amazon VPC with a VPC interface endpoint for the Amazon SageMaker Service API and is attempting to secure traffic from specific sets of instances and IAM users. The VPC is configured with a single public subnet.
Which combination of steps should the ML specialist take to secure the traffic? (Choose two.)
Answer options
- A. Add a VPC endpoint policy to allow access to the IAM users.
- B. Modify the users' IAM policy to allow access to Amazon SageMaker Service API calls only.
- C. Modify the security group on the endpoint network interface to restrict access to the instances.
- D. Modify the ACL on the endpoint network interface to restrict access to the instances.
- E. Add a SageMaker Runtime VPC endpoint interface to the VPC.
Correct answer: A, C
Explanation
The correct steps are adding a VPC endpoint policy that allows access to the IAM users (A) and modifying the security group on the endpoint network interface to restrict access to the instances (C). Option B is incorrect because it does not secure the traffic at the VPC level. Options D and E do not address the necessary policy configurations for IAM users and instances, respectively.