AWS Certified Machine Learning – Specialty — Question 170
A data scientist is using an Amazon SageMaker notebook instance and needs to securely access data stored in a specific Amazon S3 bucket.
How should the data scientist accomplish this?
Answer options
- A. Add an S3 bucket policy allowing GetObject, PutObject, and ListBucket permissions to the Amazon SageMaker notebook ARN as principal.
- B. Encrypt the objects in the S3 bucket with a custom AWS Key Management Service (AWS KMS) key that only the notebook owner has access to.
- C. Attach the policy to the IAM role associated with the notebook that allows GetObject, PutObject, and ListBucket operations to the specific S3 bucket.
- D. Use a script in a lifecycle configuration to configure the AWS CLI on the instance with an access key ID and secret.
Correct answer: C
Explanation
The correct answer is C because attaching a policy to the IAM role associated with the notebook instance grants the permissions needed to access the S3 bucket securely. Option A is incorrect because it modifies the bucket policy instead of the IAM role, which may not be the best practice. Option B focuses on encryption but does not address the access permissions needed. Option D relies on access keys, which are less secure than IAM roles for authentication.