AWS SAP-C02 · Question 58 · Domain 2.3: Security Controls

A data science team uses Amazon SageMaker to train machine learning models. The training data is highly sensitive and stored in an Amazon S3 bucket. The security team requires that the SageMaker training instances do not have internet access and that all data transfer between SageMaker and S3 occurs over the private AWS network. How should the Architect configure the environment?

Answer options:

A.

Deploy the SageMaker training jobs in a private VPC subnet. Create a Gateway VPC Endpoint for S3 in the VPC.

B.

Enable AWS PrivateLink on the S3 bucket and configure SageMaker to use the PrivateLink endpoint.

C.

Configure the SageMaker training jobs to use an IAM role with a policy that denies the 's3:PutObject' action to the public internet.

D.

Deploy a NAT Gateway in a public subnet and route the SageMaker traffic through it to reach S3.

How to approach this question

Combine VPC isolation (private subnet) with private AWS service access (VPC Endpoints).

Full Answer

A. Deploy the SageMaker training jobs in a private VPC subnet. Create a Gateway VPC Endpoint for S3 in the VPC. ✓ Correct
By default, Amazon SageMaker training jobs run in an AWS-managed VPC with internet access. To secure sensitive data, you can configure the training job to run within your own private VPC subnets. By not attaching a NAT Gateway or Internet Gateway, you ensure the instances have no internet access. To allow them to download training data from S3, you create a Gateway VPC Endpoint for S3, which routes the traffic securely over the AWS backbone.
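As an added example (not part of the original question or of any AWS tooling), a small Python audit that checks whether a subnet's route table matches the pattern above: no default route to an Internet Gateway or NAT Gateway, and a gateway-endpoint route (prefix list target) present. The route-table data is constructed inline in the shape boto3's `ec2.describe_route_tables()` returns; every ID in it is made up.

```python
"""Audit subnets for the SageMaker-in-private-subnet pattern:
no internet route (IGW/NAT) and a gateway VPC endpoint route present."""
from typing import Dict, List, Optional

# Constructed sample in the shape of boto3 ec2.describe_route_tables()["RouteTables"].
# All subnet, route-table, prefix-list and endpoint IDs are made up for this example.
SAMPLE_ROUTE_TABLES: List[Dict] = [
    {  # private subnet: only the local route plus the S3 gateway endpoint prefix list
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-private-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationPrefixListId": "pl-s3-example", "GatewayId": "vpce-s3-example"},
        ],
    },
    {  # public subnet: default route through an Internet Gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
        ],
    },
    {  # "private" subnet with a NAT Gateway route: still has internet egress
        "RouteTableId": "rtb-nat",
        "Associations": [{"SubnetId": "subnet-nat-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
        ],
    },
]

def route_table_for_subnet(route_tables: List[Dict], subnet_id: str) -> Optional[Dict]:
    """Find the route table explicitly associated with a subnet (main-table fallback not modelled)."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None

def audit_subnet(route_tables: List[Dict], subnet_id: str) -> List[str]:
    """Return findings for one subnet; an empty list means it meets the requirement."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return ["no explicit route table association"]
    findings: List[str] = []
    has_gateway_endpoint = False
    for route in rt["Routes"]:
        target = route.get("GatewayId") or route.get("NatGatewayId") or ""
        if target.startswith(("igw-", "nat-")):  # any internet egress path is a finding
            findings.append(f"internet route via {target}")
        # Gateway endpoints appear as a prefix-list destination with a vpce- target;
        # a full check would also match DestinationPrefixListId to the S3 prefix list ID.
        if "DestinationPrefixListId" in route and target.startswith("vpce-"):
            has_gateway_endpoint = True
    if not has_gateway_endpoint:
        findings.append("no gateway endpoint route (S3 prefix list)")
    return findings
```

Run against real output by replacing `SAMPLE_ROUTE_TABLES` with the `RouteTables` list from `describe_route_tables` for the VPC named in the training job's `VpcConfig`.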

Common mistakes

Assuming SageMaker always runs in an AWS-managed VPC and cannot be integrated into a customer VPC.