A data scientist is using an Amazon SageMaker notebook instance and needs to securely access data stored in a specific Amazon S3 bucket. How should the data scientist accomplish this?
A.
Add an S3 bucket policy allowing GetObject, PutObject, and ListBucket permissions to the Amazon SageMaker notebook ARN as principal.
B.
Encrypt the objects in the S3 bucket with a custom AWS Key Management Service (AWS KMS) key that only the notebook owner has access to.
C.
Attach the policy to the IAM role associated with the notebook that allows GetObject, PutObject, and ListBucket operations to the specific S3 bucket.
D.
Use a script in a lifecycle configuration to configure the AWS CLI on the instance with an access key ID and secret.
C. Attach policy to IAM role associated with the notebook: This is a standard and recommended approach in AWS. By attaching a policy to the IAM role that the SageMaker notebook instance assumes, you can precisely control the notebook's access to the specific S3 bucket. This method follows the AWS best practice of using IAM roles for managing permissions and also allows for easier management and scalability.
A. Add an S3 bucket policy: This approach involves modifying the S3 bucket policy to grant permissions directly to the SageMaker notebook instance's ARN. While this method can effectively grant access, it is less flexible and scalable compared to using IAM roles. It directly ties the bucket's access policy to a specific resource (the notebook instance), which might not be ideal for managing access in a larger environment.
The best way for the data scientist to securely access data stored in a specific Amazon S3 bucket from an Amazon SageMaker notebook instance is option C, attach the policy to the IAM role associated with the notebook that allows GetObject, PutObject, and ListBucket operations to the specific S3 bucket. By doing so, the data scientist can use IAM role-based access control to grant permissions to the notebook instance to access the S3 bucket without exposing any credentials or keys. The data scientist can also limit the scope of the permissions to only the necessary operations and resources, following the principle of least privilege.
Option A suggests adding an S3 bucket policy, but it is not the recommended way to grant permissions to specific IAM roles associated with SageMaker notebook instances. Bucket policies are generally used for granting cross-account access or public access, not for specifying access for specific IAM roles.
On the other hand, in C they state "specific S3 bucket" and in the A - only "an S3 bucket". Maybe in A they add global policy to allow access to all S3 buckets?
AC are both correct answer, but A is better than C, mostly due to the limitation of IAM policy.
IAM policies: The maximum size of an IAM policy document is 6,144 characters. You can attach up to 10 policies to an IAM user, role, or group.
Option C ensures that the notebook instance is granted permission to access the S3 bucket without the need to provide credentials.
Option A is incorrect because it suggests adding a bucket policy that grants permission to a specific IAM principal, which is less secure than granting permission to an IAM role.
I dont agree with this. Restrict bucket access only to limited principal is much secure than grant specific IAM prinicap. Restrict specific principal eliminate other visits, but grant specific IAM user permission does not exclude other visit.
Quoting the book "Data Science on AWS":
"Generally, we would use IAM identity-based policies if we need to define permissions for more than just S3, or if we have a number of S3 buckets, each with different permissions requirements. We might want to keep access control policies in the IAM environment.
We would use S3 bucket policies if we need a simple way to grant cross-account access to our S3 environment without using IAM roles, or if we reach the size limit for our IAM policy. We might want to keep access control policies in the S3 environment."
A would be the choice then.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
tgaos
Highly Voted 2 years, 5 months agosalads
Highly Voted 2 years, 2 months agorav009
Most Recent 5 months, 2 weeks agoCloudHandsOn
9 months, 3 weeks agoMickey321
1 year, 2 months agoccpmad
1 year, 3 months agotigercorp
1 year, 3 months agomirik
1 year, 3 months agomirik
1 year, 3 months agoZSun
1 year, 6 months agoAjoseO
1 year, 8 months agoZSun
1 year, 6 months agoShailendraa
2 years, 1 month ago[Removed]
2 years, 4 months agoedvardo
2 years, 5 months agoVinceCar
1 year, 11 months agodunhill
1 year, 12 months agocolin1919
2 years agoayatkhrisat
2 years, 5 months agoVinceCar
1 year, 11 months agobluer1
2 years, 6 months ago