Exam AWS Certified Machine Learning - Specialty topic 1 question 229 discussion

A - Running the training jobs in a private VPC will ensure that the data is transmitted over an encrypted channel. Enabling inter-container traffic encryption will encrypt data that is transmitted between containers. This will help protect the data during the distributed training. C - Creating an S3 VPC endpoint will provide a secure and private connection between the VPC and the S3 bucket. Network routes, endpoint policies, and S3 bucket policies can be configured to further secure the data during the distributed training. D - Granting read-only access to SageMaker resources by using an IAM role will ensure that the data is only accessed by the necessary resources during the distributed training. This will help prevent unauthorized access to the data.

I'm not agree with E because assigns read-only access to Sagemaker

SageMaker doesn't support resource-based policies. https://docs.aws.amazon.com/sagemaker/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies

A,C,D I am not sure but F says allow inbound rule for training instance's security group? Which security group's inbound rule, s3? It is distraction, I think F says s3 inbound rule, nonsense.

A and C are final, I think E is the third option where inbound traffic cannot access VPC resources.

Changing my options to ACD

Will go for A,C & F. Please check the keyword "Distributed" in question. In case of a distributed training, instances within a same security group are required to communicate with each other which is configured by allowing inbound traffic through security group. Check this section (Configure the VPC Security Group) in this document - https://docs.aws.amazon.com/sagemaker/latest/dg/train-vpc.html

A -->This ensures that the data is not exposed to the public internet and that all traffic between containers is encrypted C--> This ensures that all traffic between the Amazon SageMaker instances and the S3 bucket is kept within the VPC and is not exposed to the public internet. The endpoint policies and S3 bucket policies can be used to control access to the data D--> This ensures that only authorized users can access the SageMaker resources (option B) is not necessary as running jobs in a private VPC provides sufficient security creating a NAT gateway and assigning an Elastic IP address for the NAT gateway (option E) is not necessary as it does not provide any additional security benefits configuring an inbound rule to allow traffic from a security group that is associated with the training instances (option F) is not necessary as it does not provide any additional security benefits especially in the Prescence of the private endpoint

Reference is https://docs.aws.amazon.com/sagemaker/latest/dg/train-vpc.html A. YES - need a private VPC, inter-container traffic encryption optionnal but ok B. NO - no need for multple VPC C. YES - S3 VPC endpoint will prevent the traffic to flow through the internet D. YES - SageMaker resources (instances here) need to read the S3 files E. NO - NAT gateway is allow outbound traffic from a private subnet to Internet; not needed F. NO - The training instances does not need to receive inbound connections

ACD Is what I am going with ---------------- It was a tough choice between D and F but when I look at Protecting the Data as the main point of the question I went with D (read only to S3)

think the best combination of steps for you are A, C, and D

Letra B está errada, pois torna o processo muito complexo. Letra A - C - D estão corretas. Letra F está errada, pois Inbound Rules não são relevantes para S3. Finalmente, Letra E é desnecessária.

Based on the context the inbound should be added to the data, which is stored in S3. Inbound rules are not relevant to S3. D should be correct instead of F.

A C and F look correct

A,B pretty sure; D best guess. https://docs.aws.amazon.com/sagemaker/latest/dg/train-encrypt.html https://docs.aws.amazon.com/sagemaker/latest/dg/train-vpc.html