MLS-C01 Question #296: Real Exam Question with Answer & Explanation
The correct answer is C: Assign an IAM role that provides S3 read access for the dataset to the SageMaker notebook. To enable a SageMaker notebook instance to read data from an S3 bucket encrypted with SSE-KMS, an IAM role with both S3 read access and KMS decrypt permissions for the specific KMS key must be assigned to the notebook instance.
Question
A machine learning (ML) specialist uploads a dataset to an Amazon S3 bucket that is protected by server-side encryption with AWS KMS keys (SSE-KMS). The ML specialist needs to ensure that an Amazon SageMaker notebook instance can read the dataset that is in Amazon S3. Which solution will meet these requirements?
Options
- A. Define security groups to allow all HTTP inbound and outbound traffic. Assign the security groups
- B. Configure the SageMaker notebook instance to have access to the VPC. Grant permission in the
- C. Assign an IAM role that provides S3 read access for the dataset to the SageMaker notebook.
- D. Assign the same KMS key that encrypts the data in Amazon S3 to the SageMaker notebook
Explanation
To enable a SageMaker notebook instance to read data from an S3 bucket encrypted with SSE-KMS, an IAM role with both S3 read access and KMS decrypt permissions for the specific KMS key must be assigned to the notebook instance.
Common mistakes.
- A. Security groups control network access to and from an instance; they do not provide authorization to access AWS services like S3 or KMS.
- B. Configuring VPC access for a SageMaker notebook instance controls its network connectivity within a VPC but does not inherently grant permissions to access S3 or KMS. IAM permissions are still required regardless of networking configuration.
- D. AWS KMS keys cannot be directly 'assigned' to a SageMaker notebook instance. Instead, the IAM role assumed by the notebook instance must be granted explicit permissions to use the KMS key for decryption.
Concept tested. IAM permissions, S3 SSE-KMS access, SageMaker notebook roles
Reference. https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html