ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Machine Learning Engineer - Associate MLA-C01 All Questions

View all questions & answers for the AWS Certified Machine Learning Engineer - Associate MLA-C01 exam
Go to Exam

Exam AWS Certified Machine Learning Engineer - Associate MLA-C01 topic 1 question 92 discussion

Exam question from Amazon's AWS Certified Machine Learning Engineer - Associate MLA-C01
Question #: 92
Topic #: 1
[All AWS Certified Machine Learning Engineer - Associate MLA-C01 Questions]

A company uses Amazon SageMaker for its ML process. A compliance audit discovers that an Amazon S3 bucket for training data uses server-side encryption with S3 managed keys (SSE-S3).

The company requires customer managed keys. An ML engineer changes the S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). The ML engineer makes no other configuration changes.

After the change to the encryption settings, SageMaker training jobs start to fail with AccessDenied errors.

What should the ML engineer do to resolve this problem?

  • A. Update the IAM policy that is attached to the execution role for the training jobs. Include the s3:ListBucket and s3:GetObject permissions.
  • B. Update the S3 bucket policy that is attached to the S3 bucket. Set the value of the aws:SecureTransport condition key to True.
  • C. Update the IAM policy that is attached to the execution role for the training jobs. Include the kms:Encrypt and kms:Decrypt permissions.
  • D. Update the IAM policy that is attached to the user that created the training jobs. Include the kms:CreateGrant permission.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by ygn4ei at March 20, 2025, 3:28 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
AgboolaKun
2 weeks, 3 days ago
Selected Answer: C
The correct answer is C: When switching from SSE-S3 to SSE-KMS encryption for an S3 bucket used by SageMaker training jobs, the ML engineer should update the IAM policy that is attached to the execution role for the training jobs. The updated policy needs to include the kms:Encrypt and kms:Decrypt permissions to allow the training jobs to read and write encrypted data using the AWS KMS keys.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago