AWS Certified Machine Learning – Specialty — Question 64
A Machine Learning Specialist uploads a dataset to an Amazon S3 bucket protected with server-side encryption using AWS KMS.
How should the ML Specialist define the Amazon SageMaker notebook instance so it can read the same dataset from Amazon S3?
Answer options
- A. Define security group(s) to allow all HTTP inbound/outbound traffic and assign those security group(s) to the Amazon SageMaker notebook instance.
- B. Configure the Amazon SageMaker notebook instance to have access to the VPC. Grant permission in the KMS key policy to the notebook's KMS role.
- C. Assign an IAM role to the Amazon SageMaker notebook with S3 read access to the dataset. Grant permission in the KMS key policy to that role.
- D. Assign the same KMS key used to encrypt data in Amazon S3 to the Amazon SageMaker notebook instance.
Correct answer: C
Explanation
The correct answer is C because the Amazon SageMaker notebook must have an IAM role that provides it with S3 read access to the dataset, and that role must also be granted the necessary permissions in the KMS key policy. Option A does not address the need for specific permissions to access S3 or KMS. Option B focuses on VPC access, which is not required for this scenario. Option D incorrectly suggests linking the KMS key to the notebook instance without ensuring the appropriate IAM role permissions.