MLS-C01 Question #61: Real Exam Question with Answer & Explanation

The correct answer is C: Assign an IAM role to the Amazon SageMaker notebook with S3 read access to the dataset.

ML Implementation and Operations

Question

A Machine Learning Specialist uploads a dataset to an Amazon S3 bucket protected with server-side encryption using AWS KMS. How should the ML Specialist define the Amazon SageMaker notebook instance so it can read the same dataset from Amazon S3?

Options

  • A. Define security group(s) to allow all HTTP inbound/outbound traffic and assign those security
  • B. Configure the Amazon SageMaker notebook instance to have access to the VPC. Grant permission
  • C. Assign an IAM role to the Amazon SageMaker notebook with S3 read access to the dataset.
  • D. Assign the same KMS key used to encrypt data in Amazon S3 to the Amazon SageMaker

Explanation

You don’t need to specify the AWS KMS key ID when you download an SSE-KMS-encrypted object from an S3 bucket. Instead, you need the permission to decrypt the AWS KMS key. When a user sends a GET request, Amazon S3 checks if the AWS Identity and Access Management (IAM) user or role that sent the request is authorized to decrypt the key associated with the object. If the IAM user or role belongs to the same AWS account as the key, then the permission to decrypt must be granted on the AWS KMS key’s policy. https://aws.amazon.com/premiumsupport/knowledge-center/decrypt-kms-encrypted-objects-

Topics

#IAM Roles #S3 Permissions #KMS Encryption #SageMaker Access
