Exam AWS Certified Machine Learning - Specialty topic 1 question 190 discussion

I think the answer is CD.

A and C seems fine

CD is right

AD is the answer While creating Sagemaker notebook instances we have to decide on the access (via VPC and/or direct internet). Here we will select access only from VPC. The same VPC should become a requirement to access S3 bucket via S3 bucket policy. C would have been fine but fails to mention creation of S3 access points and those access points can be restricted to VPC.

A&C as explained in this blog as well - https://aws.amazon.com/blogs/machine-learning/secure-amazon-s3-access-for-isolated-amazon-sagemaker-notebook-instances/

A. NO - Notebook must run in a VPC (SageMaker will provision an instance), but with a private subnet there is no need to disable internet traffic B. NO - VPN tunnel is to encrypt traffic with the Internet C. YES - Endpoint will prevent S3 traffic to flow over the internet D. YES - Create an S3 bucket policy that allows traffic from the VPC and denies traffic from the internet. E. NO - AWS Transit Gateway is for multiple VPCs

By configuring the SageMaker notebook instance to be launched with a VPC attached and internet access disabled, the data scientists can access the resources within the VPC, such as Amazon EFS or Amazon EC2 instances, without exposing them to the internet1. This also prevents the notebook instance from accessing any resources outside the VPC, such as Amazon S3, unless a VPC endpoint is configured2. By creating and configuring an S3 VPC endpoint and attaching it to the VPC, the data scientists can access the datasets stored in Amazon S3 from the notebook instance using private IP addresses. The S3 VPC endpoint is a gateway endpoint that routes the traffic between the VPC and Amazon S3 within the AWS network, without requiring an internet gateway or a NAT device3. This also enhances the security and performance of the data access1.

CD : Question is about make S3 Data not accessible from Internet & VPC Endpoint Only.

the requirements are about providing secure access from notebooks to S3, nothing else.

the answer is C,D. Firstly, the VPC need to connect with S3 through gateway endpoint, check "https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html" secondly, after connection is created, we need to define the policy from s3 side. restrict access to s3 only from specified VPC or VPC endpoint. "https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#bucket-policies-s3" the confusion about A is tricky. Ideally, you need to create sagemaker in private subnet with no internet access. But I assume the question "access to the data from instances and services" only requires the process from obtaining data from s3, you don't need to specify the requirement about data egress from training service(even though disable internet connection from sagemaker is crucial)

A and C are correct. To disable direct internet access, you can specify a VPC for your notebook instance. By doing so, you prevent SageMaker from providing internet access to your notebook instance. As a result, the notebook instance can't train or host models unless your VPC has an interface endpoint (AWS PrivateLink) or a NAT gateway and your security groups allow outbound connections. https://docs.aws.amazon.com/sagemaker/latest/dg/appendix-notebook-and-internet-access.html https://docs.aws.amazon.com/sagemaker/latest/dg/notebook-interface-endpoint.html D is wrong. Bucket policy cant be used to deny internet access. It can only enforce access from VPC or VPC endpoint

You can use Amazon S3 bucket policies to control access to buckets from specific virtual private cloud (VPC) endpoints, or specific VPCs. This section contains example bucket policies that can be used to control Amazon S3 bucket access from VPC endpoints. Notebook doesn’t need to be created within Vpc