Exam AWS Certified Machine Learning - Specialty topic 1 question 15 discussion

Important things to note here is that 1. "The Data in S3 Needs to be Accessible from VPC" 2. "Traffic should not Traverse internet" To fulfill Requirement #2 we need a VPC endpoint To RESTRICT the access to S3/Bucket - Access allowed only from VPC via VPC Endpoint Even though Sagemaker uses EC2 - we are NOT asked to secure the EC2 :) So the answer is A

Between A & B, the answer should be A. From here: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html#vpc-endpoints-s3-bucket-policies We can see that we restrict access using DENY if sourceVpce (vpc endpoint), or sourceVpc (vpc) is not equal to our VPCe/VPC. So we are using a DENY (choice A) and not an ALLOW policy (choice B). Choices C, D we eliminate because they don't address S3 access at all.

Create a VPC endpoint and apply a bucket access policy that restricts access to the given VPC endpoint and the VPC. Why is this correct? VPC endpoint for S3 allows private connectivity between Amazon S3 and the VPC without using the public internet. Bucket access policy can be written to allow access only from this VPC endpoint. This ensures maximum security by: Preventing access from outside the VPC. Blocking public access.

In Option A, the Machine Learning Specialist would create a VPC endpoint for Amazon S3, which would allow traffic to flow directly between the VPC and Amazon S3 without traversing the public internet. Access to the S3 bucket containing PII can then be restricted to the VPC endpoint and the VPC using a bucket access policy. This would ensure that only instances within the VPC can access the data, and that the data does not traverse the public internet. Option B and D, allowing access from an Amazon EC2 instance, would not meet the requirement of not traversing the public internet, as the EC2 instance would be accessible from the internet. Option C, using Network Access Control Lists (NACLs) to allow traffic between only the VPC endpoint and an EC2 instance, would also not meet the requirement of not traversing the public internet, as the EC2 instance would still be accessible from the internet.

A. YES - We first create a S3 endpoint in the VPC subnet so traffic does not flow through the Internet, then on the S3 bucket create an access policy that restricts access to the given VPC based on its ID B. NO - we don't want to be specific to an instance C. NO - the S3 bucket is on AWS network, you cannot change the NACL for it D. NO - not all instances in a VPC will necessarily have the same principal that can be specified in the policy

Definetly A

Well, but removing methodology, only A remains: The question never cited EC2

Per https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html it's A

The question do not mention EC2 at all, so should be A

I think it should be B. Traning instance is a EC2 instance and need to be set an endpoint to load the data from S3.

AWS security is a conservative security model, which implies that access are denied by default rather than granted by default. We have to explicitly allow access to a AWS resource. Additionally, B talks about allowing access FROM the VPC to S3 while A talks about allowing access from S3 to VPC (which is not what we need). So, B.

Will go with B

Betting on B here, we should control access from VPC, not to VPC.

A! Restricting access to a specific VPC endpoint The following is an example of an Amazon S3 bucket policy that restricts access to a specific bucket, awsexamplebucket1, only from the VPC endpoint with the ID vpce-1a2b3c4d. The policy denies all access to the bucket if the specified endpoint is not being used. The aws:SourceVpce condition is used to specify the endpoint. https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html

Can't be B. You simple cannot enable access to an endpoint to some selected instance. So A.

I also vote A.

A found here "You can control which VPCs or VPC endpoints have access to your buckets by using Amazon S3 bucket policies. For examples of this type of bucket policy access control, see the following topics on restricting access." https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html