AWS Certified Machine Learning – Specialty — Question 264

A machine learning (ML) specialist uploads a dataset to an Amazon S3 bucket that is protected by server-side encryption with AWS KMS keys (SSE-KMS). The ML specialist needs to ensure that an Amazon SageMaker notebook instance can read the dataset that is in Amazon S3.

Which solution will meet these requirements?

Answer options

• A. Define security groups to allow all HTTP inbound and outbound traffic. Assign the security groups to the SageMaker notebook instance.
• B. Configure the SageMaker notebook instance to have access to the VPC. Grant permission in the AWS Key Management Service (AWS KMS) key policy to the notebook’s VPC.
• C. Assign an IAM role that provides S3 read access for the dataset to the SageMaker notebook. Grant permission in the KMS key policy to the IAM role.
• D. Assign the same KMS key that encrypts the data in Amazon S3 to the SageMaker notebook instance.

Correct answer: C

Explanation

The correct answer is C because it ensures that the SageMaker notebook instance has the necessary IAM role for S3 read access and the KMS key policy is updated to allow this role to decrypt the data. Option A does not address the encryption requirement, B only grants VPC access without ensuring the SageMaker instance can read the data, and D does not provide the required IAM role permissions for S3 access.