Exam AWS Certified Machine Learning - Specialty topic 1 question 142 discussion

A company provisions Amazon SageMaker notebook instances for its data science team and creates Amazon VPC interface endpoints to ensure communication between the VPC and the notebook instances. All connections to the Amazon SageMaker API are contained entirely and securely using the AWS network.
However, the data science team realizes that individuals outside the VPC can still connect to the notebook instances across the internet.
Which set of actions should the data science team take to fix the issue?

  • A. Modify the notebook instances' security group to allow traffic only from the CIDR ranges of the VPC. Apply this security group to all of the notebook instances' VPC interfaces.
  • B. Create an IAM policy that allows the sagemaker:CreatePresignedNotebookInstanceUrl and sagemaker:DescribeNotebookInstance actions from only the VPC endpoints. Apply this policy to all IAM users, groups, and roles used to access the notebook instances.
  • C. Add a NAT gateway to the VPC. Convert all of the subnets where the Amazon SageMaker notebook instances are hosted to private subnets. Stop and start all of the notebook instances to reassign only private IP addresses.
  • D. Change the network ACL of the subnet the notebook is hosted in to restrict access to anyone outside the VPC.
Suggested Answer: B
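The mechanism behind option B is an IAM condition on the `aws:SourceVpce` global condition key, which is only present in the request context when a call arrives through a VPC interface endpoint. The following is an added example, not part of the exam page and not AWS's own code: it places the permissive policy (the two notebook actions allowed from anywhere) beside the endpoint-restricted one, then runs both through a deliberately simplified model of IAM's decision logic (explicit Deny beats Allow; anything not allowed is implicitly denied). The endpoint ID, the policy Sid and the evaluator itself are constructed for illustration; the two action names and the condition key are real.

```python
import json
from fnmatch import fnmatchcase

# Placeholder endpoint ID (constructed for this example; not a real resource).
VPC_ENDPOINT_ID = "vpce-0123456789EXAMPLE"

# The two actions named in option B; the console and CLI need both to open a notebook.
NOTEBOOK_ACTIONS = [
    "sagemaker:CreatePresignedNotebookInstanceUrl",
    "sagemaker:DescribeNotebookInstance",
]

# Weak setting: the two actions are allowed regardless of network path.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": NOTEBOOK_ACTIONS, "Resource": "*"}
    ],
}

# Corrected setting: the same grant, conditioned on the request arriving
# through the VPC interface endpoint. aws:SourceVpce is a real IAM global
# condition key; the endpoint ID is the placeholder above.
RESTRICTIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NotebookAccessOnlyViaVpcEndpoint",  # constructed name
            "Effect": "Allow",
            "Action": NOTEBOOK_ACTIONS,
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:SourceVpce": VPC_ENDPOINT_ID}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate the subset of IAM condition operators used here.

    A key missing from the request context makes StringEquals false and
    StringNotEquals true, matching IAM's handling of absent keys (without
    the ...IfExists suffix). An internet-originated call has no aws:SourceVpce.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            allowed = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in allowed:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in allowed:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy, action, context):
    """Simplified IAM decision: explicit Deny beats Allow, and anything not
    explicitly allowed is implicitly denied (default deny)."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        patterns = _as_list(statement["Action"])
        if not any(fnmatchcase(action, pattern) for pattern in patterns):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def access_outcomes(policy, action="sagemaker:CreatePresignedNotebookInstanceUrl"):
    """Decision for the same action arriving over three different network paths."""
    return {
        # Request passed through the expected interface endpoint.
        "via_vpc_endpoint": evaluate(policy, action, {"aws:SourceVpce": VPC_ENDPOINT_ID}),
        # Request from the public internet: aws:SourceVpce is absent entirely.
        "via_internet": evaluate(policy, action, {}),
        # Request through some other endpoint (constructed ID).
        "via_other_endpoint": evaluate(policy, action, {"aws:SourceVpce": "vpce-OTHER"}),
    }


if __name__ == "__main__":
    print(json.dumps(RESTRICTIVE_POLICY, indent=2))
    print("permissive :", access_outcomes(PERMISSIVE_POLICY))
    print("restrictive:", access_outcomes(RESTRICTIVE_POLICY))
```

Two things the run makes visible. First, an Allow-only policy is still a restriction: with the condition attached, the internet path and the foreign-endpoint path end in implicit deny because no statement grants them anything. Second, the policy says nothing about actions it does not list (for example `sagemaker:StopNotebookInstance`), so those stay implicitly denied here and are governed by whatever other statements the principal carries; when deploying, attach the restricted statement to every user, group and role that opens notebooks, as the AWS documentation cited in the comments describes.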

Comments

cron0001
Highly Voted 3 years ago
Selected Answer: B
B appears to be correct according to the official source. https://docs.aws.amazon.com/sagemaker/latest/dg/notebook-interface-endpoint.html#notebook-private-link-restrict
upvoted 18 times
KyaJugarHai
Most Recent 1 month, 1 week ago
Selected Answer: A
https://docs.aws.amazon.com/sagemaker/latest/dg/security.html A security group suffices.
upvoted 1 times
2bc8f6c
3 months, 3 weeks ago
Selected Answer: B
https://docs.aws.amazon.com/sagemaker/latest/dg/notebook-interface-endpoint.html describes this scenario: "To restrict access to only connections made from within your VPC, create an AWS Identity and Access Management policy that restricts access to only calls that come from within your VPC. Then add that policy to every AWS Identity and Access Management user, group, or role used to access the notebook instance."
upvoted 1 times
luccabastos
7 months, 3 weeks ago
Selected Answer: A
It's A. This solution works for all users; no more configuration is needed.
upvoted 1 times
AIWave
1 year, 2 months ago
Selected Answer: B
Going with B because: the underlying notebook instances are managed by AWS, so security groups can't be applied to them; updating the IAM policy restricts connections to those coming from the VPC endpoints only.
upvoted 3 times
kyuhuck
1 year, 2 months ago
Selected Answer: A
The issue is that the notebook instances' security group allows inbound traffic from any source IP address, which means that anyone with the authorized URL can access the notebook instances over the internet. To fix this issue, the data science team should modify the security group to allow traffic only from the CIDR ranges of the VPC, which are the IP addresses assigned to the resources within the VPC. This way, only the VPC interface endpoints and the resources within the VPC can communicate with the notebook instances. The data science team should apply this security group to all of the notebook instances' VPC interfaces, which are the network interfaces that connect the notebook instances to the VPC.
upvoted 1 times
SVGoogle89
1 year, 3 months ago
B. Notebook instances are controlled by AWS service accounts, hence there is no access to those instances.
upvoted 1 times
CloudHandsOn
1 year, 3 months ago
Selected Answer: A
A. Modify the notebook instances' security group: This approach involves adjusting the security group settings to only allow traffic from the VPC's CIDR ranges. By applying this security group to all of the notebook instances' VPC interfaces, it ensures that only traffic originating from within the VPC can access the notebook instances. This is a viable solution because it directly restricts access based on the source of the traffic.
B. Create an IAM policy for VPC endpoint access: This solution involves crafting an IAM policy that restricts certain SageMaker actions to only the VPC endpoints. However, this approach might not fully address the issue of external access to the notebook instances themselves. It's more about controlling who can create or describe notebook instances, rather than restricting network access.
upvoted 2 times
CloudHandsOn
1 year, 3 months ago
BUT according to here, it should be A: https://docs.aws.amazon.com/sagemaker/latest/dg/notebook-interface-endpoint.html
upvoted 1 times
CloudHandsOn
1 year, 3 months ago
should be B*
upvoted 1 times
rav009
1 year, 3 months ago
Selected Answer: A
B is talking about a policy to allow. It doesn't ban anything; it's only about allowing. So the answer can't be B. A.
upvoted 1 times
loict
1 year, 7 months ago
Selected Answer: B
A. NO - it is not possible to change the security group of the instances; they are managed by SageMaker and will not appear in the console.
B. YES - https://docs.aws.amazon.com/sagemaker/latest/dg/notebook-interface-endpoint.html#notebook-private-link-restrict
C. NO - subnets cannot be converted from public to private.
D. NO - ACLs are for the notebooks, not the network.
upvoted 1 times
teka112233
1 year, 7 months ago
Selected Answer: A
Based on my search, the answer is A. Modifying the notebook instances' security group to allow traffic only from the CIDR ranges of the VPC is a way to restrict access to anyone outside the VPC. Amazon VPC interface endpoints enable you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. However, they do not prevent users from accessing the notebook instances using presigned URLs. Therefore, options B, C and D are not correct.
upvoted 1 times
Maged_nader12
1 year, 7 months ago
Guys, the right answer is B according to this reference: https://docs.aws.amazon.com/sagemaker/latest/dg/notebook-interface-endpoint.html#notebook-private-link-restrict "To restrict access to only connections made from within your VPC, create an AWS Identity and Access Management policy that restricts access to only calls that come from within your VPC. Then add that policy to every AWS Identity and Access Management user, group, or role used to access the notebook instance."
upvoted 1 times
Shenannigan
1 year, 8 months ago
Selected Answer: A
This question may be old based on this https://aws.amazon.com/blogs/machine-learning/customize-your-amazon-sagemaker-notebook-instances-with-lifecycle-configurations-and-the-option-to-disable-internet-access/ but you can still remove all other allowed access and just add the VPC CIDRs to the SGs, as there is an explicit deny for anything not explicitly allowed.
upvoted 1 times
Mickey321
1 year, 8 months ago
Selected Answer: B
Option B creates an IAM policy that allows the sagemaker:CreatePresignedNotebookInstanceUrl and sagemaker:DescribeNotebookInstance actions from only the VPC endpoints. These actions are required to access the notebook instances through the Amazon SageMaker console or the AWS CLI. By applying this policy to all IAM users, groups, and roles used to access the notebook instances, the data science team can ensure that only authorized users within the VPC can connect to the notebook instances across the internet.
upvoted 1 times
ccpmad
1 year, 9 months ago
Selected Answer: A
Modifying the notebook instances' security group to allow traffic only from the CIDR ranges of the VPC ensures that only connections from within the VPC are permitted. This restricts access to the notebook instances from individuals outside the VPC, effectively securing the communication and preventing unauthorized access. On the other hand, Option B, creating an IAM policy for sagemaker:CreatePresignedNotebookInstanceUrl and sagemaker:DescribeNotebookInstance actions from VPC endpoints, does not address the issue of restricting direct internet access to the notebook instances. IAM policies manage permissions for AWS service actions and resources, but they do not control network-level access.
upvoted 1 times
dkx
1 year, 11 months ago
Selected Answer: A
"...the data science team realizes that individuals outside the VPC can still connect to the notebook instances across the internet..."
B states: "Create an IAM policy that allows the sagemaker:CreatePresignedNotebookInstanceUrl and sagemaker:DescribeNotebookInstance actions from only the VPC endpoints."
OK, so now the individuals outside the VPC can't call CreatePresignedNotebookInstanceUrl or DescribeNotebookInstance, but does that stop them from StopNotebookInstance or DeleteNotebookInstance operations? For option A, we only allow traffic from the VPC.
upvoted 2 times
ZSun
2 years ago
The problem with A is that "You can specify allow rules, but not deny rules." https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-rule-characteristics Therefore, you cannot restrict the unauthorized access.
upvoted 1 times
Chelseajcole
2 years, 2 months ago
Selected Answer: A
Should be a security group thing.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%)