AWS Certified Machine Learning – Specialty — Question 14
A company is setting up an Amazon SageMaker environment. The corporate data security policy does not allow communication over the internet.
How can the company enable the Amazon SageMaker service without enabling direct internet access to Amazon SageMaker notebook instances?
Answer options
- A. Create a NAT gateway within the corporate VPC.
- B. Route Amazon SageMaker traffic through an on-premises network.
- C. Create Amazon SageMaker VPC interface endpoints within the corporate VPC.
- D. Create VPC peering with Amazon VPC hosting Amazon SageMaker.
Correct answer: C
Explanation
The correct answer is C: creating Amazon SageMaker VPC interface endpoints within the corporate VPC allows secure communication between Amazon SageMaker and other AWS services without internet access. Option A is incorrect because a NAT gateway would allow internet access, which violates the security policy. Option B is not suitable because routing traffic through an on-premises network does not in itself enable SageMaker without internet access. Option D is also incorrect because VPC peering does not eliminate the need for internet access.