AWS Certified Machine Learning – Specialty — Question 137

A company provisions Amazon SageMaker notebook instances for its data science team and creates Amazon VPC interface endpoints to ensure communication between the VPC and the notebook instances. All connections to the Amazon SageMaker API are contained entirely and securely using the AWS network.
However, the data science team realizes that individuals outside the VPC can still connect to the notebook instances across the internet.
Which set of actions should the data science team take to fix the issue?

Answer options

• A. Modify the notebook instances' security group to allow traffic only from the CIDR ranges of the VPC. Apply this security group to all of the notebook instances' VPC interfaces.
• B. Create an IAM policy that allows the sagemaker:CreatePresignedNotebooklnstanceUrl and sagemaker:DescribeNotebooklnstance actions from only the VPC endpoints. Apply this policy to all IAM users, groups, and roles used to access the notebook instances.
• C. Add a NAT gateway to the VPC. Convert all of the subnets where the Amazon SageMaker notebook instances are hosted to private subnets. Stop and start all of the notebook instances to reassign only private IP addresses.
• D. Change the network ACL of the subnet the notebook is hosted in to restrict access to anyone outside the VPC.

Correct answer: B

Explanation

The correct answer is B because creating an IAM policy that restricts certain actions to only VPC endpoints ensures that access is limited to users within the VPC, preventing external access. Option A, while it modifies the security group, doesn't fully address the IAM permissions necessary for access control. Option C involves changing subnet types and may disrupt operations without solving the access issue. Option D, changing the network ACL, could potentially impact legitimate traffic within the VPC.