AWS Certified Machine Learning – Specialty — Question 316

A company decides to use Amazon SageMaker to develop machine learning (ML) models. The company will host SageMaker notebook instances in a VPC. The company stores training data in an Amazon S3 bucket. Company security policy states that SageMaker notebook instances must not have internet connectivity.

Which solution will meet the company’s security requirements?

Answer options

• A. Connect the SageMaker notebook instances that are in the VPC by using AWS Site-to-Site VPN to encrypt all internet-bound traffic. Configure VPC flow logs. Monitor all network traffic to detect and prevent any malicious activity.
• B. Configure the VPC that contains the SageMaker notebook instances to use VPC interface endpoints to establish connections for training and hosting. Modify any existing security groups that are associated with the VPC interface endpoint to allow only outbound connections for training and hosting.
• C. Create an IAM policy that prevents access the internet. Apply the IAM policy to an IAM role. Assign the IAM role to the SageMaker notebook instances in addition to any IAM roles that are already assigned to the instances.
• D. Create VPC security groups to prevent all incoming and outgoing traffic. Assign the security groups to the SageMaker notebook instances.

Correct answer: B

Explanation

VPC interface endpoints (powered by AWS PrivateLink) allow SageMaker notebook instances to connect securely to the SageMaker API, training, and hosting services without passing through the public internet. Restricting the security groups associated with these endpoints ensures traffic is confined and secure. Options A and C do not prevent internet access at the network level, while Option D completely isolates the instances, rendering them unable to connect to the SageMaker service itself.